[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] site to site vpn - routing issues


  • Subject: Re: [Openvpn-users] site to site vpn - routing issues
  • From: "James Miller" <jimm@xxxxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2007 10:24:59 -0500

Sorry for the top post, I'm using Outlook -- but at least I'm sending as
text.
 
I have a few sites who connect back to us with a similar configuration.
Here's two tenant I've learned:
1. If the VPN is setup right, then it's either a routing or firewall issue
2. tcpdump IS YOUR FRIEND! =)
 
I have a few questions and thoughts:
1. Is the VPN server also your firewall?  If not you'll need to manually
setup routes on the firewall/gw to point traffic for 192.168.1.100 back to
the VPN server (same for the client side?
 
2.  What does 'route -n' show on the server side when the VPN is up and not
up?  You should see a route for 192.168.100.0/24 through a 10.9.0.X IP addr
(tap adapter).  How about the client side?  It should have routes for
192.168.2.0/24 and 192.168.6.0/24 pointing to the 10.9,.0.X IP addr of it's
tap adapter.
 
3. Check that you're forwarding IP traffic and check your firewall rules.
I've been burned by not setting my rules correctly more than once.
 
 
4. As a side note, over time there will be a need to revoke/retire client
side (and server side for that matter) certificates.  When you get more
comfortable with OpenVPN administration you WILL want to setup a process for
certificate revocation and updating your crl.pem and other assundry ssl
issues.
 

Config file questions and suggestions: 
Since you're setting up several remote offices, I would suggest the
following to help in the troubleshooting process:
1.  I don't see where you're specifying which IP address to listen on.  It
IS an optional parameter, but it's good practice to include it in your
configuration
        local ip.addr.of.outisde.iface
 
2.  I'm not using the 'ifconfig-pool-persist ipp.txt' option in my server
config files.  And to be honest I'm sure what it buys you.
 
3. Have separate log for each office:
        log-append /var/log/openvpn-office1.log
 
4. It seems odd to be using TCP https:443 as your port, you'll get better
performance out of UDP and I'd suggest using something in the 5000 range.
But I'm sure you have your reasons.
 
5. Define a unique management port for each office VPN as well.
        management localhost 7510
 
6. What is the contents of the file in the client-config-dir and what is it
named?
        a.  I name mine for the CN= entry of /etc/ssl/index.txt for that
client.  For example, if my CN is 'CN=Office1 Gateway, in my ccd directory I
have a file named Office1Gateway
        b.  in each file I define two things, the ifconfig-push variable and
the iroute variable.  In your case it should look something like this:
                ifconfig-push 10.9.0.5 10.9.0.6    #This assigns a set IP
based on the CN to your client side.
                iroute 192.168.100.0 255.255.255.0    #You're saying this is
the IP space of the remote office
  
 
Anyway I hope this help.
 
 
--Jim
 
 
 



________________________________

	From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Iad Scoot
	Sent: Thursday, August 09, 2007 6:30 PM
	To: Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
	Subject: Re: [Openvpn-users] site to site vpn - routing issues
	
	
	Forgot to mention that I already have ip forwarding enabled on the
boxes....
	 
	Thanks...
	
	 
	On 8/9/07, Iad Scoot <iad.scoot@xxxxxxxxx> wrote: 

		Hi, sorry for the long post but I need advice - also sorry
if this got double-posted, I'm having some address book issues...
		 
		Trying to set up a site-to-site vpn between 2 openvpn
(CentOS 4.5 w/ openvpn 2.0.9) systems. Site 1 (corp office) has its openvpn
system configured as "server". Fortinet firewall sitting in front of the
corp office lan; vpn server in DMZ and static route set for incoming vpn
traffic to go to the vpn box. Site 2 (remote office) has vpn box configured
as "client" for routing traffic from several laptops at the remote office to
the corp office. Second Fortinet firewall sitting in front of the remote
office lan; laptops connected to the internal interface (GREEN segment) and
vpn box connected to the DMZ. Static routes have been set on the firewall to
pass any traffic destined for the pushed remote subnets to the vpn box. 
		 
		Using routing, TLS w/ certs, etc. I can establish a tunnel
but cannot access resources on the pushed subnets. On the remote office
side, I can ping from the vpn box to the subnet at the corp office that the
vpn server is on but not any of the other subnets that are "pushed" to the
client vpn box. Here's the server config (corp office): 
		 
		port 443
		proto tcp
		dev tun
		ca ca.crt
		cert server.crt
		key server.key
		dh dh.pem
		server 10.9.0.0 <http://10.9.0.0/>  255.255.255.0
<http://255.255.255.0/> 
		ifconfig-pool-persist ipp.txt
		push "route 192.168.2.0 <http://192.168.2.0/>  255.255.255.0
<http://255.255.255.0/> "
		push "route 192.168.6.0 <http://192.168.6.0/>  255.255.255.0
<http://255.255.255.0/> "
		client-config-dir ccd
		route 192.168.100.0 <http://192.168.100.0/>  255.255.255.0
<http://255.255.255.0/> 
		keepalive 10 120
		tls-auth hmac.key 0
		cipher AES-256-CBC   # AES 
		comp-lzo 
		max-clients 4
		user nobody
		group nobody
		persist-key
		persist-tun
		status openvpn-status.log
		log         openvpn.log
		verb 5
		mute 20
		 
		The server config includes a file within the "ccd" directory
with the appropriate "iroute" command. Here is the client config:

		client
		dev tun
		proto tcp
		remote my_external_ip 443
		resolv-retry infinite
		nobind
		user nobody
		group nobody
		persist-key
		persist-tun
		mute-replay-warnings
		ca ca.crt
		cert client.crt 
		key client.key
		ns-cert-type server
		tls-auth hmac.key 1
		cipher AES-256-CBC
		comp-lzo
		log client.log
		verb 6
		 
		Any thoughts? Could really use some help on this - need to
do a couple of remote offices in this manner.
		 
		 
		Thanks...

	
	  


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users