Again thanks for the feedback. Yes, you are correct with the interpretation of the network. The software I'm installing (LDAP client) that needs no NAT requires that the destination IP be 192.168.1.2. This is because the openVPN is running the LDAP server listening on eth0, 192.168.1.2. So in this scenario should I
1. use the destination IP as the VPN IP, i.e. 10.8.0.1, as it seems using 192.168.1.2 doesn't work because the communication back from the LDAP server is going through NAT.
2. Is the 10.8.0.1 address bound to the eth0 IP, and thus should I use it as the destination IP?
3. I tried ethernet bridging but it didn't work.
Please note that the remote IP the VPN client is referencing is configured on a switch behind the firewall which maps the internal nic to external access. Is this a problem?
I did a traceroute from the remote client (10.30.7.100) to the openVPN internal nic (192.168.1.2) and it shows only one hop to the destination (the hop is the destination address 192.168.1.2), whereas a traceroute from 192.168.1.2 to 10.30.7.9 shows three hops (hops through firewall, remote router, then remote destination). When I ping 192.168.1.2 from 10.30.7.100, I can see tcpdump activity on tun0 on the openVPN server, but if I ping 10.30.7.9 from 192.168.1.2 I DO NOT see tcpdump activity on tun0 on the client; it's received on eth1 on the client. Why is this happening??? Have a great day!
>>> Erich Titl <erich.titl@xxxxxxxx> 05/07/2007 23:38 >>>
Peter Njiiri wrote:
> Thanks for the feedback. I need to bypass the firewall as it's blocking
> the traffic (I think) (as no packets are received on the tun interface
> of the remote server when I ping the 10.30.7.100 from 192.168.1.2).
You will not see packets on the tun interface with this kind of traffic,
this is _not_ tunneled traffic.
> try to force the internal traffic by adding a route for the internal
> network, i.e. 192.168.1.0 through the tunnel, ping doesn't work. Yes the
> tunnel is up with no errors, Initialization Sequence is done. Yes from
> 192.168.1.2, I can ping successfully to 10.8.0.6 (tun interface of the
> remote server) from 192.168.1.2 and vice versa (when I ping 10.8.0.1
> from 10.30.7.100).
Let's see, 10.8.0.1 is the tunnel endpoint on your server, right?
> As said, I want to communicate from the
> 192.168.1.2 to the remote server (10.30.7.100) without passing through
> NAT (firewall) because the software I'm installing on the remote server
> requires no NAT communication.
In reality you want to communicate with 10.8.0.x, else you won't be
going through the tunnel.
> Is there a way that this can be done???
> Which IP should I assign the software so that it communicates through
> the tunnel, the physical nic or the virtual tun one??? Maybe it's the
> concept I'm missing??
Let's see, the software you want to access lives on the client. You want
to access it through the tunnel, hence you will have to access it
through a tunnel address, which, in your case, appears to be on the
If I interpret your situation correctly it is something like
ip 192.168.1.2 ..... tunnel address 10.8.0.1
the big bad cisco protected net we don't care about as long as the
tunnel comes up
ip 10.30.7.100 ..... tunnel address (probably) 10.8.0.5
So in this case your traffic from the server to the client will go to
10.8.0.5, you just don't care what network you are tunneling through as
long as there is no address conflict. If the tunnel traffic is NATed
once or twenty five times it does not affect the tunneled traffic
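As an added illustration of the routing point made in this thread (this is example code written for this page, not the posters' configuration and not OpenVPN's own code), the Python below models the longest-prefix route lookup each host performs before sending a packet. It uses the thread's addresses (192.168.1.2 / 10.8.0.1 on the server side, 10.30.7.100 / 10.8.0.6 on the client side) but the route tables, the next-hop gateways 192.168.1.1 and 10.30.7.1, and the /24 tunnel routes are constructed assumptions. It shows why a ping to 10.30.7.9 from 192.168.1.2 leaves via eth0 and the NAT firewall rather than tun0, why a route for the far LAN on only one side gives an asymmetric path, and that addressing a LAN IP such as 192.168.1.2 stays inside the tunnel only when both ends route the other side's LAN into tun0.

```python
"""Constructed example: egress-interface selection on each end of an
OpenVPN tunnel. All route tables below are assumptions that mirror the
addresses discussed in the thread, not a real configuration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network in CIDR form
    iface: str                  # egress interface
    via: Optional[str] = None   # next hop, or None when directly connected


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as a host's kernel does it."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def egress(table: List[Route], dst: str) -> Optional[str]:
    """Interface a packet for dst leaves through (None if unroutable)."""
    r = lookup(table, dst)
    return r.iface if r else None


# Assumed table on the OpenVPN server (eth0 = 192.168.1.2, tun0 = 10.8.0.1).
SERVER: List[Route] = [
    Route("192.168.1.0/24", "eth0"),
    Route("10.8.0.0/24", "tun0", "10.8.0.2"),
    Route("0.0.0.0/0", "eth0", "192.168.1.1"),   # assumed NAT firewall
]

# Assumed table on the OpenVPN client (eth1 = 10.30.7.100, tun0 = 10.8.0.6).
CLIENT: List[Route] = [
    Route("10.30.7.0/24", "eth1"),
    Route("10.8.0.0/24", "tun0", "10.8.0.5"),
    Route("0.0.0.0/0", "eth1", "10.30.7.1"),     # assumed site router
]


def with_lan_routes(server: List[Route], client: List[Route],
                    server_side: bool = True,
                    client_side: bool = True):
    """Return copies of both tables with the far-end LAN routed into tun0.
    On the client this is what push "route 192.168.1.0 255.255.255.0" does;
    on the server, a route (plus an iroute in server mode) for 10.30.7.0/24."""
    s = list(server)
    c = list(client)
    if server_side:
        s.append(Route("10.30.7.0/24", "tun0", "10.8.0.2"))
    if client_side:
        c.append(Route("192.168.1.0/24", "tun0", "10.8.0.5"))
    return s, c


def path_is_tunneled(server: List[Route], client: List[Route],
                     server_dst: str, client_dst: str) -> bool:
    """True only when both directions leave via tun0. If either direction
    picks another interface, that leg crosses the NAT firewall and the
    flow is not tunnel-only, which is exactly what a no-NAT application
    would notice."""
    return (egress(server, server_dst) == "tun0"
            and egress(client, client_dst) == "tun0")


if __name__ == "__main__":
    print("server -> 10.30.7.9 via", egress(SERVER, "10.30.7.9"))      # eth0
    print("server -> 10.8.0.6  via", egress(SERVER, "10.8.0.6"))       # tun0
    print("client -> 192.168.1.2 via", egress(CLIENT, "192.168.1.2"))  # eth1
    s1, c1 = with_lan_routes(SERVER, CLIENT, server_side=False)
    print("client-only LAN route, symmetric?",
          path_is_tunneled(s1, c1, "10.30.7.100", "192.168.1.2"))      # False
    s2, c2 = with_lan_routes(SERVER, CLIENT)
    print("both LAN routes, symmetric?",
          path_is_tunneled(s2, c2, "10.30.7.100", "192.168.1.2"))      # True
```

The one-sided case reproduces the symptom described above: the client reaches 192.168.1.2 in one hop through tun0, but the server's reply to 10.30.7.x falls to the default route and arrives on the client's eth1 after NAT. Two practical caveats from OpenVPN itself: when the server runs in `server` mode, a kernel route for the client's LAN is not enough on its own, the daemon also needs `iroute 10.30.7.0 255.255.255.0` in that client's client-config-dir file so it knows which client owns the subnet; and once both sides route each other's LAN into the tunnel, the application can keep 192.168.1.2 as its destination without any NAT in the path.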