Okay, well, I feel kind of silly now, because I've answered my own question, but I
might as well put it out there for anybody else who might be having the same
As I said below, tcpdump was reporting that it was getting ICMP requests from
each server's public IP address, which is why things were not routing
properly. What I had was this:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0/0 -j SNAT --to $extip
And that was changing the source address of any outgoing packets to $extip.
Including the ones that were going to 192.168.5.0/24. So, before that rule, I
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.5.0/24 -j
And then on the other side of the OpenVPN connection, I did the same
flopped. So now both subnets can communicate with each other perfectly.
Hope this helps someone out there!
And thanks for the excellent software, OpenVPN is great. :]
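As an added illustration (not part of the original post), here is a small Python model of first-match evaluation in the nat POSTROUTING chain, showing why the catch-all SNAT rule had to be preceded by an ACCEPT for 192.168.5.0/24. The host addresses, the Internet address and the 203.0.113.1 stand-in for $extip are constructed.

```python
"""Model Linux nat/POSTROUTING first-match semantics to show why rule order
matters for site-to-site OpenVPN behind SNAT (constructed example)."""
import ipaddress

EXTIP = "203.0.113.1"          # constructed stand-in for $extip
SITE_A = "192.168.1.0/24"      # Femy LAN, the subnet being SNAT'd
SITE_B = "192.168.5.0/24"      # Terminator LAN, reached over the tunnel

def rule(src, dst, target, to=None):
    """One POSTROUTING rule: match on source and destination prefix, then jump."""
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "target": target, "to": to}

def postrouting(rules, src, dst):
    """Walk the chain in order; the first matching rule decides the source
    address the packet leaves with. ACCEPT ends traversal with the packet
    untouched; no match at all falls through to the default policy (ACCEPT)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r["to"] if r["target"] == "SNAT" else src
    return src

# Original configuration: one catch-all SNAT (-d 0/0 matches every destination),
# so tunnel-bound packets also get rewritten to the public address.
BROKEN = [rule(SITE_A, "0.0.0.0/0", "SNAT", to=EXTIP)]

# Fixed configuration: an ACCEPT for traffic to the far LAN inserted before it,
# so only genuinely Internet-bound packets reach the SNAT rule.
FIXED = [rule(SITE_A, SITE_B, "ACCEPT"),
         rule(SITE_A, "0.0.0.0/0", "SNAT", to=EXTIP)]

def check(rules):
    """Return (source seen by a far-LAN host, source seen by an Internet host)
    for a packet from a Femy LAN workstation (constructed addresses)."""
    return (postrouting(rules, "192.168.1.10", "192.168.5.20"),
            postrouting(rules, "192.168.1.10", "198.51.100.7"))

if __name__ == "__main__":
    print("broken:", check(BROKEN))   # ('203.0.113.1', '203.0.113.1')
    print("fixed: ", check(FIXED))    # ('192.168.1.10', '203.0.113.1')
```

The same first-match logic is why the ACCEPT must be appended before the SNAT rule (or inserted with `-I`), not after it.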
After researching it some more, I think that I may have been a little bit
unclear, and also have started wondering if I should be doing NAT.
As it stands with the configuration that I posted below (push routes,
iroute in dev tun), both the OpenVPN server and client can ping any host on
either side of the network. However, any hosts on either side of the network
cannot ping hosts on the other side of the OpenVPN.
Looking at tcpdump -n -i tun0, I get some interesting information. When I ping
from either the OpenVPN server or client, it comes from the proper
VPN subnet, 10.x). When I ping from a client on either side of the network,
however, it comes from the PUBLIC address of either the client or the server,
which is why the packet gets dropped, I think.
So my question is, should it be necessary to do NAT with iptables to get this
working properly? Nowhere in any documentation that I've seen has it
NAT is necessary to bridge two networks, but this information makes
if it is necessary.
Thanks for any and all help.
I'm attempting to create an OpenVPN connection between two networks,
the clients on either side can access each other. I found a post similar to
Which also linked to this site:
I've read through that documentation and followed it, but it's still
the way I need it to.
The network is essentially like this:
Femy LAN (192.168.1.0/24)
Firewall (OpenVPN client)
-- Internet --
Firewall (OpenVPN server)
Terminator LAN (192.168.5.0/24)
The relevant server config declarations in server.conf are:
server 10.5.5.0 255.255.255.0
route 192.168.1.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"
And then on the server, there is a /etc/openvpn/clients/Femy file with this:
iroute 192.168.1.0 255.255.255.0
With this setup, I can ping any clients on the server's network from
itself, but when clients on the client's network attempt to do the
same, I get this error message in the server's logs:
Mon Oct 3 16:28:53 2005 us=728238 Femy/64.10x.xxx.xxx:32830 MULTI:
address from client [64.10x.xxx.xxx], packet dropped
And also, none of the clients on the server's network can ping hosts on the
If you have any ideas of things I might be able to try, or see anything that I
might be missing, please let me know. Any help is very, very much
Openvpn-users mailing list