Re: [Openvpn-users] - remote client unable to ping clients on server's LAN (route problem)


  • Subject: Re: [Openvpn-users] - remote client unable to ping clients on server's LAN (route problem)
  • From: Peter Barwich <pbarwich@xxxxxxxxxxx>
  • Date: Mon, 04 Jun 2007 11:36:19 +0100

Jeff,

This one threw me for a while too.

Your VPN client knows how to find machines on your LAN; your 'push 
"route 192.168.1.0 255.255.255.0"' statement tells them to update their 
routing tables so that they know the way. The problem is that machines 
on your LAN don't know the way to the VPN, so they can't respond to a 
ping. Your LAN has TWO gateways: one for the LAN, which is 192.168.1.1, 
your D-Link router, and one for the VPN, which is on the VPN server, a 
dual-homed machine with IPs 192.168.1.99 AND 10.255.255.1. Your D-Link 
router knows where all your LAN machines are but it has no clue where 
your VPN gateway is, and hence cannot route packets to other machines on 
your VPN. I'm not sure of the configuration windows for the D-Link 
router; on my Linksys router you go to setup/advanced routing, and there 
you add a route that tells the router how to send packets to the VPN: 
Destination LAN IP 10.255.255.0, subnet mask 255.255.255.0 and gateway 
10.255.255.1. Once that is entered, your router knows to send any 
packet intended for any machine on your VPN to your VPN server, which, 
in turn, knows where the particular VPN machine is.

When this is done, your client knows where your LAN machines are, and 
your LAN machines know how to reach your client, so you have communication.

Note that you can also make all your LAN machines have openvpn running 
and they can get VPN addresses AS WELL as their LAN addresses. Then, if 
you have the 'client-to-client' directive in your VPN server config file, 
the clients will see each other over the VPN WITHOUT a route being set 
in your D-Link router. It's a bit more complex, but it means that if you 
move one of your LAN machines (say a laptop) to a different internet 
access point it will still be able to see all your VPN network 
(providing the port you've used for VPN is not blocked by the local ISP).

Good luck,

Peter
>
> I want the remote client to be able to communicate with other
> computers/printers/etc on the VPN server's LAN (192.168.1.0).
>
> OpenVPN Server…
> LAN IP: 192.168.1.99
> SM: 255.255.255.0
> GW: 192.168.1.1 (D-Link router)
> DNS: 192.168.1.1
> VPN IP: 10.255.255.1
>
> Remote Client…
> LAN IP: 192.168.0.10
> SM: 255.255.255.0
> GW: 192.168.0.1 (Linksys router)
> DNS: 192.168.0.1
> VPN IP: 10.255.255.45
>
> I have added "push "route 192.168.1.0 255.255.255.0"" to the OpenVPN
> server's config. I understand that I must add a route on the remote
> client in order to find other clients on the OpenVPN Server's LAN.
> This is where I'm confused…
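
The asymmetric-routing problem described in this message, as an added example that is not part of the original post: a small Python model of each machine's routing table, showing where the ping reply is lost and how a static route for the VPN subnet on the LAN router fixes it. Assumptions: "lanhost" at 192.168.1.50 is a constructed machine, the VPN server forwards packets between its two interfaces, and the router reaches the VPN server at its LAN address 192.168.1.99, because a next hop has to be on a network the router is directly attached to.

```python
import copy
import ipaddress

ON_LINK = None  # route target: destination is on a directly attached network

# Addresses are the thread's; "lanhost" 192.168.1.50 is a constructed LAN machine.
# Assumes the VPN server forwards packets between its LAN and VPN interfaces.
NODES = {
    "client":    {"addrs": ["10.255.255.45"],
                  "routes": [("10.255.255.0/24", "vpnserver"),
                             ("192.168.1.0/24", "vpnserver")]},  # the pushed route
    "vpnserver": {"addrs": ["192.168.1.99", "10.255.255.1"],
                  "routes": [("192.168.1.0/24", ON_LINK), ("10.255.255.0/24", ON_LINK),
                             ("0.0.0.0/0", "dlink")]},
    "lanhost":   {"addrs": ["192.168.1.50"],
                  "routes": [("192.168.1.0/24", ON_LINK), ("0.0.0.0/0", "dlink")]},
    "dlink":     {"addrs": ["192.168.1.1"],  # default route leaves via the WAN (not modelled)
                  "routes": [("192.168.1.0/24", ON_LINK), ("0.0.0.0/0", "wan")]},
}

def next_hop(nodes, name, dst_ip):
    """Longest-prefix match in one node's table; returns a node name or None."""
    dst = ipaddress.ip_address(dst_ip)
    routes = [(ipaddress.ip_network(c), hop) for c, hop in nodes[name]["routes"]]
    matches = sorted((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    hop = matches[-1][1] if matches else "unrouted"
    if hop is ON_LINK:  # deliver straight to whichever node owns the address
        hop = next((n for n, v in nodes.items() if dst_ip in v["addrs"]), None)
    return hop if hop in nodes else None

def path(nodes, src, dst_ip):
    """Node names a packet visits from src towards dst_ip, or ending in DROPPED."""
    hops = [src]
    while dst_ip not in nodes[hops[-1]]["addrs"]:
        hop = next_hop(nodes, hops[-1], dst_ip)
        if hop is None or hop in hops:  # no usable route, or a routing loop
            return hops + ["DROPPED"]
        hops.append(hop)
    return hops

def with_return_route(nodes):
    """Copy of the topology with the static route for the VPN subnet on the router."""
    fixed = copy.deepcopy(nodes)
    fixed["dlink"]["routes"].append(("10.255.255.0/24", "vpnserver"))  # via 192.168.1.99
    return fixed

if __name__ == "__main__":
    for label, topo in (("without", NODES), ("with", with_return_route(NODES))):
        print(label, "return route:", path(topo, "lanhost", "10.255.255.45"))
```

The request from the client reaches the LAN machine in both cases; only the reply path changes, which is why the symptom is a ping that times out rather than an unreachable error.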
