[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] site to site vpn - routing issues

  • Subject: Re: [Openvpn-users] site to site vpn - routing issues
  • From: "James Miller" <jimm@xxxxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2007 10:24:59 -0500

Sorry for the top post, I'm using Outlook -- but at least I'm sending as
I have a few sites who connect back to us with a similar configuration.
Here's two tenant I've learned:
1. If the VPN is setup right, then it's either a routing or firewall issue
2. tcpdump IS YOUR FRIEND! =)
I have a few questions and thoughts:
1. Is the VPN server also your firewall?  If not you'll need to manually
setup routes on the firewall/gw to point traffic for back to
the VPN server (same for the client side?
2.  What does 'route -n' show on the server side when the VPN is up and not
up?  You should see a route for through a 10.9.0.X IP addr
(tap adapter).  How about the client side?  It should have routes for and pointing to the 10.9,.0.X IP addr of it's
tap adapter.
3. Check that you're forwarding IP traffic and check your firewall rules.
I've been burned by not setting my rules correctly more than once.
4. As a side note, over time there will be a need to revoke/retire client
side (and server side for that matter) certificates.  When you get more
comfortable with OpenVPN administration you WILL want to setup a process for
certificate revocation and updating your crl.pem and other assundry ssl

Config file questions and suggestions: 
Since you're setting up several remote offices, I would suggest the
following to help in the troubleshooting process:
1.  I don't see where you're specifying which IP address to listen on.  It
IS an optional parameter, but it's good practice to include it in your
        local ip.addr.of.outisde.iface
2.  I'm not using the 'ifconfig-pool-persist ipp.txt' option in my server
config files.  And to be honest I'm sure what it buys you.
3. Have separate log for each office:
        log-append /var/log/openvpn-office1.log
4. It seems odd to be using TCP https:443 as your port, you'll get better
performance out of UDP and I'd suggest using something in the 5000 range.
But I'm sure you have your reasons.
5. Define a unique management port for each office VPN as well.
        management localhost 7510
6. What is the contents of the file in the client-config-dir and what is it
        a.  I name mine for the CN= entry of /etc/ssl/index.txt for that
client.  For example, if my CN is 'CN=Office1 Gateway, in my ccd directory I
have a file named Office1Gateway
        b.  in each file I define two things, the ifconfig-push variable and
the iroute variable.  In your case it should look something like this:
                ifconfig-push    #This assigns a set IP
based on the CN to your client side.
                iroute    #You're saying this is
the IP space of the remote office
Anyway I hope this help.


	From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Iad Scoot
	Sent: Thursday, August 09, 2007 6:30 PM
	To: Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
	Subject: Re: [Openvpn-users] site to site vpn - routing issues
	Forgot to mention that I already have ip forwarding enabled on the
	On 8/9/07, Iad Scoot <iad.scoot@xxxxxxxxx> wrote: 

		Hi, sorry for the long post but I need advice - also sorry
if this got double-posted, I'm having some address book issues...
		Trying to set up a site-to-site vpn between 2 openvpn
(CentOS 4.5 w/ openvpn 2.0.9) systems. Site 1 (corp office) has its openvpn
system configured as "server". Fortinet firewall sitting in front of the
corp office lan; vpn server in DMZ and static route set for incoming vpn
traffic to go to the vpn box. Site 2 (remote office) has vpn box configured
as "client" for routing traffic from several laptops at the remote office to
the corp office. Second Fortinet firewall sitting in front of the remote
office lan; laptops connected to the internal interface (GREEN segment) and
vpn box connected to the DMZ. Static routes have been set on the firewall to
pass any traffic destined for the pushed remote subnets to the vpn box. 
		Using routing, TLS w/ certs, etc. I can establish a tunnel
but cannot access resources on the pushed subnets. On the remote office
side, I can ping from the vpn box to the subnet at the corp office that the
vpn server is on but not any of the other subnets that are "pushed" to the
client vpn box. Here's the server config (corp office): 
		port 443
		proto tcp
		dev tun
		ca ca.crt
		cert server.crt
		key server.key
		dh dh.pem
		server <>
		ifconfig-pool-persist ipp.txt
		push "route <>
<> "
		push "route <>
<> "
		client-config-dir ccd
		route <>
		keepalive 10 120
		tls-auth hmac.key 0
		cipher AES-256-CBC   # AES 
		max-clients 4
		user nobody
		group nobody
		status openvpn-status.log
		log         openvpn.log
		verb 5
		mute 20
		The server config includes a file within the "ccd" directory
with the appropriate "iroute" command. Here is the client config:

		dev tun
		proto tcp
		remote my_external_ip 443
		resolv-retry infinite
		user nobody
		group nobody
		ca ca.crt
		cert client.crt 
		key client.key
		ns-cert-type server
		tls-auth hmac.key 1
		cipher AES-256-CBC
		log client.log
		verb 6
		Any thoughts? Could really use some help on this - need to
do a couple of remote offices in this manner.


Openvpn-users mailing list