
[Openvpn-users] site to site vpn - routing issues

  • Subject: [Openvpn-users] site to site vpn - routing issues
  • From: "Iad Scoot" <iad.scoot@xxxxxxxxx>
  • Date: Thu, 9 Aug 2007 15:30:17 -0400

Hi, sorry for the long post but I need advice - also sorry if this got double-posted, I'm having some address book issues...
Trying to set up a site-to-site vpn between 2 openvpn (CentOS 4.5 w/ openvpn 2.0.9) systems. Site 1 (corp office) has its openvpn system configured as "server". Fortinet firewall sitting in front of the corp office lan; vpn server in DMZ and static route set for incoming vpn traffic to go to the vpn box. Site 2 (remote office) has vpn box configured as "client" for routing traffic from several laptops at the remote office to the corp office. Second Fortinet firewall sitting in front of the remote office lan; laptops connected to the internal interface (GREEN segment) and vpn box connected to the DMZ. Static routes have been set on the firewall to pass any traffic destined for the pushed remote subnets to the vpn box.
Using routing, TLS w/ certs, etc. I can establish a tunnel but cannot access resources on the pushed subnets. On the remote office side, I can ping from the vpn box to the subnet at the corp office that the vpn server is on but not any of the other subnets that are "pushed" to the client vpn box. Here's the server config (corp office):

port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
ifconfig-pool-persist ipp.txt
push "route"
push "route"
client-config-dir ccd
keepalive 10 120
tls-auth hmac.key 0
cipher AES-256-CBC   # AES
max-clients 4
user nobody
group nobody
status openvpn-status.log
log openvpn.log
verb 5
mute 20

The server config includes a file within the "ccd" directory with the appropriate "iroute" command. Here is the client config:

dev tun
proto tcp
remote my_external_ip 443
resolv-retry infinite
user nobody
group nobody
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth hmac.key 1
cipher AES-256-CBC
log client.log
verb 6

Any thoughts? Could really use some help on this - need to do a couple of remote offices in this manner.
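As an added example (not code from the original post or from the OpenVPN project), a small Python checker for the server-side consistency points a practitioner verifies before chasing firewall and kernel routes in a setup like the one above: that a `server` directive exists, that every `push "route ..."` carries a network and netmask, and that each `iroute` in a ccd file is paired with a server-side `route`, which OpenVPN requires so the kernel sends the remote LAN to the tun device. The config text, ccd file name and subnets are constructed placeholders, not values from the message.

```python
from collections import defaultdict

# Constructed sample in the shape of the post's server config; the subnets and
# tunnel pool are placeholders, not values from the original message.
SERVER_CONF = """\
port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.1.0.0 255.255.0.0"
push "route"
client-config-dir ccd
cipher AES-256-CBC   # AES
"""

# Constructed ccd entry for the remote-office client (hypothetical name/subnet).
CCD_FILES = {"remote-office": "iroute 10.20.0.0 255.255.0.0\n"}

def parse_directives(text):
    """Map each OpenVPN directive to the list of argument lists it was given."""
    out = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, _, rest = line.partition(" ")
        out[name].append(rest.strip().strip('"').split())
    return out

def check_site_to_site(server_conf, ccd_files):
    """Return the routing gaps found between server.conf and its ccd entries."""
    server = parse_directives(server_conf)
    problems = []
    if "server" not in server:
        problems.append("no 'server' directive, so no tunnel address pool")
    for args in server.get("push", []):
        if args[:1] == ["route"] and len(args) < 3:
            problems.append("push route is missing network/netmask")
    # OpenVPN needs both: 'route' so the kernel sends the LAN to the tun
    # device, and 'iroute' so OpenVPN knows which client owns that LAN.
    kernel_routes = {tuple(a[:2]) for a in server.get("route", [])}
    for name, body in ccd_files.items():
        for args in parse_directives(body).get("iroute", []):
            if tuple(args[:2]) not in kernel_routes:
                problems.append(f"ccd/{name}: iroute {' '.join(args[:2])} "
                                "has no matching 'route' in server.conf")
    return problems
```

Run `check_site_to_site(open("server.conf").read(), {...})` with the real ccd files read into the dict; an empty list means the three static checks pass and the fault lies in ip_forward, firewall policy or the return routes on the LAN gateways.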