Akuma Daimao wrote:
> I've got a nice configuration working, can connect to the VPN and pipe
> all of my traffic through the TUN adapter, but for some reason I'm not
> able to talk to other machines on the server-side LAN.
> I can ping the server and the router, and I can ping the other
> machines by SSHing into the server, but I can't ping or reach them
> from client-side. I've done everything that the HOWTO suggested to
> add server-side machines but I'm still not having any luck.
> Anyone have any thoughts? Need any config files or logs?
With a routed setup (using the tun adapter), networks behind the VPN
server, such as the LAN or other remote subnets, will need to be
advertised to VPN clients with the "route ..." or "push "route ...""
options in the client or server configuration respectively. You can
verify this completed successfully on the client by checking the routing
tables after the VPN has connected.
In addition to the client being made aware of remote networks, you also
need to insure that the remote network is aware of how to route back to
VPN clients. As an example, if your VPN network uses 10.8.0.0/24 and
your remote LAN is 192.168.1.0/24, the default gateway at 192.168.1.0/24
needs to know that traffic destined for the 10.8.0.0/24 VPN network
should be sent to the VPN server operating at the remote network.
Optionally, you can choose to NAT packets as they come from VPN clients
to the remote network, but this means that all communication to the
remote network must be initiated by the VPN client and not the other way
Finally, any firewalls will need to allow this traffic, and most
commonly this needs to be checked on the VPN server and the routers at
the remote site(s) involved; if NAT is not used, traffic from the
10.8.0.0/24 network will be arriving on hosts at the remote network.
If you still have additional unanswered questions some additional
details on the networks involved, your setup, and possibly seeing your
config files will allow more specific information to be provided.
Description: OpenPGP digital signature