
Re: [Openvpn-users] site to site vpn - routing issues

  • Subject: Re: [Openvpn-users] site to site vpn - routing issues
  • From: James Barros <james@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 9 Aug 2007 16:53:53 -0700

I've got a shiny nickel that says if you fired up tcpdump on the boxes on those subnets you were trying to ping you'd see the pings getting there, just not getting back.

You said the router had routes set. If you're on one of the boxes on the pushed subnets (presuming you have access to these via some other means), and you traceroute to one of the laptops, does it actually make it to the vpn? If not, there's one more set of routes you're going to need to give your router so traffic can find its way BACK to the client.

Hope that made any sense at all. 

-- James

On Aug 9, 2007, at 4:30 PM, Iad Scoot wrote:

Forgot to mention that I already have ip forwarding enabled on the boxes....

On 8/9/07, Iad Scoot <iad.scoot@xxxxxxxxx> wrote:
Hi, sorry for the long post but I need advice - also sorry if this got double-posted, I'm having some address book issues...
Trying to set up a site-to-site vpn between 2 openvpn (CentOS 4.5 w/ openvpn 2.0.9) systems. Site 1 (corp office) has its openvpn system configured as "server". Fortinet firewall sitting in front of the corp office lan; vpn server in DMZ and static route set for incoming vpn traffic to go to the vpn box. Site 2 (remote office) has vpn box configured as "client" for routing traffic from several laptops at the remote office to the corp office. Second Fortinet firewall sitting in front of the remote office lan; laptops connected to the internal interface (GREEN segment) and vpn box connected to the DMZ. Static routes have been set on the firewall to pass any traffic destined for the pushed remote subnets to the vpn box.
Using routing, TLS w/ certs, etc. I can establish a tunnel but cannot access resources on the pushed subnets. On the remote office side, I can ping from the vpn box to the subnet at the corp office that the vpn server is on but not any of the other subnets that are "pushed" to the client vpn box. Here's the server config (corp office):
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
ifconfig-pool-persist ipp.txt
push "route"
push "route"
client-config-dir ccd
keepalive 10 120
tls-auth hmac.key 0
cipher AES-256-CBC   # AES
max-clients 4
user nobody
group nobody
status openvpn-status.log
log         openvpn.log
verb 5
mute 20
The server config includes a file within the "ccd" directory with the appropriate "iroute" command. Here is the client config:

dev tun
proto tcp
remote my_external_ip 443
resolv-retry infinite
user nobody
group nobody
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth hmac.key 1
cipher AES-256-CBC
log client.log
verb 6
Any thoughts? Could really use some help on this - need to do a couple of remote offices in this manner.


James Barros
PHP Geek, Apple Admin, Fixer of Mini's, Breaker of other things and defender of justice.
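The diagnosis in James's reply (pings arrive but the replies never find their way back) can be checked mechanically: for every remote subnet, ask what the router's longest-prefix match does with a reply packet and confirm it goes via the VPN box. The script below is an added example, not code from the thread or from OpenVPN; it parses routing tables in Linux `ip route show` format, and the firewall tables, subnets and the VPN box address (172.16.0.10 in a DMZ) are constructed placeholders standing in for the poster's real values.

```python
"""Report remote subnets whose return path does not go via the VPN box.

Added example, not from the thread. Routing tables are given in Linux
`ip route show` format; all addresses below are constructed placeholders.
"""
import ipaddress


def parse_routes(text):
    """Parse lines such as '192.168.20.0/24 via 172.16.0.10 dev dmz' into
    (network, gateway or None, device) tuples. 'default' means 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        gateway = None
        device = None
        # Walk the 'key value' pairs that follow the destination.
        for key, val in zip(parts[1:], parts[2:]):
            if key == "via":
                gateway = ipaddress.ip_address(val)
            elif key == "dev":
                device = val
        routes.append((net, gateway, device))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, the same choice the kernel makes."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, gateway, device in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return best


def missing_return_routes(routes, remote_subnets, vpn_gateway):
    """Return the remote subnets whose replies would NOT be sent via vpn_gateway."""
    vpn_gateway = ipaddress.ip_address(vpn_gateway)
    missing = []
    for subnet in remote_subnets:
        net = ipaddress.ip_network(subnet)
        probe = net.network_address + 1      # a representative host in that subnet
        match = lookup(routes, probe)
        if match is None or match[1] != vpn_gateway:
            missing.append(subnet)
    return missing


# Constructed corp-office firewall table (hypothetical addresses): the VPN
# server sits in the DMZ at 172.16.0.10, the tunnel network is 10.8.0.0/24,
# and the remote-office LAN is 192.168.20.0/24. Only the tunnel has a route;
# replies to the remote LAN fall through to the default gateway.
FIREWALL_ROUTES_BEFORE = """\
default via 203.0.113.1 dev wan1
172.16.0.0/24 dev dmz proto kernel scope link src 172.16.0.1
192.168.10.0/24 dev internal proto kernel scope link src 192.168.10.1
10.8.0.0/24 via 172.16.0.10 dev dmz
"""

# The same table once the missing return route has been added.
FIREWALL_ROUTES_AFTER = FIREWALL_ROUTES_BEFORE + "192.168.20.0/24 via 172.16.0.10 dev dmz\n"

REMOTE_NETS = ["10.8.0.0/24", "192.168.20.0/24"]   # tunnel plus remote-office LAN
VPN_BOX = "172.16.0.10"                              # VPN server's DMZ address


if __name__ == "__main__":
    for label, table in (("before", FIREWALL_ROUTES_BEFORE), ("after", FIREWALL_ROUTES_AFTER)):
        missing = missing_return_routes(parse_routes(table), REMOTE_NETS, VPN_BOX)
        print(f"{label}: subnets without a return route via {VPN_BOX}: {missing or 'none'}")
```

On a live Linux host the equivalent single check is `ip route get <address-in-remote-subnet>`, which prints the route the kernel would actually pick; run it on the corp-office router for an address in the remote-office LAN and on the remote-office router for an address in each pushed corp subnet. The table that matters is the one on each site's firewall or router, since hosts on the LAN normally just hand replies to their default gateway.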