
Re: [Openvpn-users] - remote client unable to ping clients on server's LAN (route problem)


  • Subject: Re: [Openvpn-users] - remote client unable to ping clients on server's LAN (route problem)
  • From: Peter Barwich <pbarwich@xxxxxxxxxxx>
  • Date: Mon, 04 Jun 2007 13:56:47 +0100

Sorry, error in route that needs to be added to your D-Link router.

Peter Barwich wrote:
Jeff,

This one threw me for a while too.

Your VPN client knows how to find machines on your LAN; your 'push "route 192.168.1.0 255.255.255.0"' statement tells them to update their routing tables so that they know the way. The problem is that machines on your LAN don't know the way to the VPN, so they can't respond to a ping. Your LAN has TWO gateways; one for the LAN which is 192.168.1.1; your D-Link router, and one for the VPN which is on the VPN server; a dual homed machine with IPs 192.168.1.99 AND 10.255.255.1. Your D-Link router knows where all your LAN machines are but it has no clue where your VPN gateway is, and hence cannot route packets to other machines on your VPN. I'm not sure of the configuration windows for the D-Link router; on my Linksys router you go to setup/advanced routing, and there you add a route that tells the router how to send packets to the VPN. Destination LAN IP 10.255.255.0, subnet mask 255.255.255.0 and gateway [was 10.255.255.1 corrected to 192.168.1.99]. Once that is entered, your router knows to send any packet intended for any machine on your VPN to your VPN server, which, in turn, knows where the particular VPN machine is.

When this is done your client knows where your LAN machines are, and your LAN machines know how to reach your client so you have communication.

Note that you can also make all your LAN machines have openvpn running and they can get VPN addresses AS WELL as their LAN addresses. Then, if you have the 'client-to-client' directive in your VPN server config file, the clients will see each other over the VPN WITHOUT a route being set in your D-Link router. It's a bit more complex, but it means that if you move one of your LAN machines (say a laptop) to a different internet access point it will still be able to see all your VPN network (providing the port you've used for VPN is not blocked by the local ISP).

Good luck,

Peter

I want the remote client to be able to communicate with other
computers/printers/etc on the VPN server's LAN (192.168.1.0).

OpenVPN Server…
LAN IP: 192.168.1.99
SM: 255.255.255.0
GW: 192.168.1.1 (D-Link router)
DNS: 192.168.1.1
VPN IP: 10.255.255.1

Remote Client…
LAN IP: 192.168.0.10
SM: 255.255.255.0
GW: 192.168.0.1 (Linksys router)
DNS: 192.168.0.1
VPN IP: 10.255.255.45

I have added "push "route 192.168.1.0 255.255.255.0"" to the OpenVPN
server's config. I understand that I must add a route on the remote
client in order to find other clients on the OpenVPN Server's LAN.
This is where I'm confused…
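
The return-path problem discussed in this thread, modelled as an added example that is not part of the original messages: a longest-prefix-match lookup traces a reply from a LAN machine to the VPN client with no static route on the D-Link, with the corrected gateway 192.168.1.99, and with the first (wrong) gateway 10.255.255.1. The LAN host 192.168.1.50, the "WAN" marker and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed topology using the addresses quoted in the thread.
# 192.168.1.50 (a LAN machine) and "WAN" (the D-Link uplink) are assumptions.
ADDRS = {
    "lan_host": ["192.168.1.50"],
    "dlink": ["192.168.1.1"],
    "vpn_server": ["192.168.1.99", "10.255.255.1"],
    "vpn_client": ["10.255.255.45"],
}

def build_tables(static_gw=None):
    """Routing tables; static_gw is the gateway entered on the D-Link, if any."""
    tables = {
        "lan_host": [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "192.168.1.1")],
        "dlink": [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "WAN")],
        "vpn_server": [("192.168.1.0/24", "direct"), ("10.255.255.0/24", "direct"),
                       ("0.0.0.0/0", "192.168.1.1")],
    }
    if static_gw:
        tables["dlink"].append(("10.255.255.0/24", static_gw))
    return tables

def next_hop(table, dst):
    """Longest-prefix match: gateway for dst, or None when no route matches."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in table
            if dst in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def owner(addr):
    return next((name for name, addrs in ADDRS.items() if addr in addrs), None)

def trace(tables, start, dst, max_hops=8):
    """Follow a packet hop by hop and return the list of nodes it visits."""
    path, node = [start], start
    for _ in range(max_hops):
        if dst in ADDRS[node]:
            return path                      # delivered
        table = tables.get(node, [])
        gw = next_hop(table, dst)
        if gw == "WAN":
            return path + ["WAN"]            # sent to the Internet uplink
        # A gateway is usable only if it is on a directly connected network.
        if gw is None or (gw != "direct" and next_hop(table, gw) != "direct"):
            return path + ["dropped"]
        node = owner(dst if gw == "direct" else gw)
        if node is None:
            return path + ["dropped"]
        path.append(node)
    return path + ["loop"]
```
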