
Re: [Openvpn-users] can ping one way but not the other?


  • Subject: Re: [Openvpn-users] can ping one way but not the other?
  • From: "Andrew Hall" <andyjohnhall@xxxxxxxxx>
  • Date: Fri, 25 May 2007 12:46:04 +0100

OK - after some testing it seems that packets from the server side LAN
to the client side LAN do not get re-addressed with the OpenVPN subnet
but keep their original addresses.

This then means that there is something wrong with the routes I have
on the firewall at the client side LAN.

I have included a route which directs all traffic for the server side
LAN to the OpenVPN server, which works one way as I can ping traffic
from the client side to the server side.

But I still cannot work out why pings from the server side to the
client side are not being returned.

They are getting through to the client side machine, and are then
being directed to the firewall (which is the gateway) but for some
reason the route to the OpenVPN server is not functioning.

The device is a ZyXEL ZyWALL 5 - does anyone have any experience with
these? I would have thought that pings in either direction would be
classed under the same rule (LAN to LAN) but perhaps the firewall
thinks differently?

I know under shorewall that these types of routes require "routeback
enabled" (from the LAN back into the LAN) but have no idea what the
ZyXEL device might be doing.

Any suggestions would be greatly appreciated.

Thanks.

---------- Forwarded message ----------
From: "Andrew Hall" <andyjohnhall@xxxxxxxxx>
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Date: Thu, 24 May 2007 21:16:54 +0100
Subject: Re: [Openvpn-users] can ping one way but not the other?

With regards to setting up a client-to-server connection where the
LANs at both sites can see each other, would one of the subnets
referred to here need to be the OpenVPN subnet itself?

"Similarly, if the client machine running OpenVPN is not also the
gateway for the client LAN, then the gateway for the client LAN must
have a route which directs all subnets which should be reachable
through the VPN to the OpenVPN client machine."

That is, on the client side gateway as well as adding a route which
directs the server side's LAN to the client side OpenVPN server, would
I also need to add a route which directs the OpenVPN subnet
(10.8.0.0/24) to the client side OpenVPN server too?

I assumed that machines connecting from the server side LAN to the
client side LAN would do so with their own IP addresses, as opposed to
using an OpenVPN address.

Is this not the case? Do they actually get "NAT'd" (so to speak) as an
OpenVPN address?

At the moment I can only get this working by setting the client side
gateway to be the OpenVPN server itself, but don't really wish to do
this.
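
The route lookup that the quoted HOWTO passage asks of the client-side gateway, as an added example that is not part of the original message: it models only longest-prefix routing for echo replies, not the firewall's rule set. Every address except 10.8.0.0/24 is constructed for illustration, and it assumes a ping started on the OpenVPN server itself is sourced from its tunnel address.

```python
import ipaddress

# Constructed addressing: only 10.8.0.0/24 appears in the thread.
SERVER_LAN = "192.168.1.0/24"   # assumed server-side LAN
CLIENT_LAN = "192.168.2.0/24"   # assumed client-side LAN
VPN_SUBNET = "10.8.0.0/24"      # OpenVPN subnet named in the message
VPN_BOX = "192.168.2.10"        # assumed client-LAN machine running OpenVPN
WAN = "wan-default"             # label for the gateway's default route

# Ping sources seen by a client-LAN host (constructed samples).
LAN_HOST = "192.168.1.50"       # server-LAN machine, keeps its own address
TUN_ADDR = "10.8.0.1"           # assumed tunnel address of the OpenVPN server


def build_table(routes):
    """Turn (prefix, next_hop) pairs into (network, next_hop) entries."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]


def next_hop(table, dst):
    """Longest-prefix match, as an IP router does; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_paths(table, sources):
    """Where the client-side gateway forwards the echo reply for each source."""
    return {src: next_hop(table, src) for src in sources}


BASE = [("0.0.0.0/0", WAN), (CLIENT_LAN, "on-link"), (SERVER_LAN, VPN_BOX)]
# Gateway holding only the server-LAN route described in the message.
GW_LAN_ONLY = build_table(BASE)
# Same gateway with the OpenVPN subnet also routed to the OpenVPN machine.
GW_WITH_VPN = build_table(BASE + [(VPN_SUBNET, VPN_BOX)])

if __name__ == "__main__":
    for name, table in (("LAN route only", GW_LAN_ONLY),
                        ("LAN + VPN subnet", GW_WITH_VPN)):
        for src, hop in reply_paths(table, [LAN_HOST, TUN_ADDR]).items():
            print(f"{name:17} reply to {src:13} -> {hop}")
```

With only the server-LAN route, replies to the LAN host reach the OpenVPN machine while replies to a tunnel address fall through to the default route; adding the 10.8.0.0/24 route sends both the same way.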