Re: [Openvpn-users] Possible routing problem


  • Subject: Re: [Openvpn-users] Possible routing problem
  • From: "Daniel L. Miller" <dmiller@xxxxxxxxx>
  • Date: Sun, 09 Sep 2007 18:35:20 -0700

john@xxxxxxxxx wrote:
> I recently set up openvpn between two lans and wanted clients on both sides
> to have full access to either side. I used the tun setup, server - client
> with persistent key and tun settings and topology subnet. Both the client
> and server are linux boxes, each have windows XP boxes behind them as well
> as two internal servers on the server side. I had to add routes to the
> openvpn server on the two internal servers and add a couple of iptable
> directives to get it all to work smoothly, including the samba servers on
> either side.
>
> Additionally I also add proxy_arp directives
> (/proc/sys/net/conf/tun0/proxy_arp and /proc/sys/net/conf/eth1/proxy_arp
> were changed to ones - the eth1 interface is the internal eth that openvpn
> listens on) The proxy_arp directive cleared some issues both with samba and
> asterisk voip on both networks. Now internal clients on both side can
> successfully arping clients on the other side.
>
> The server side also needed an additional route - the client side internal
> is 192.168.xxx.0/24 and the route added on the server is -net
> 192.168.xxx.0/24 gw client side tun0 address. The client side needed no
> additional routing to the 4 internal lans on the server side since they were
> pushed from the server.
>
> for iptables on both sides I opened the outside eth to port 1194, both
> inputs and outputs, to the outside address of the other end, and also I
> added input, output, and forward for tun+.
>
> It took a few days to figure this all out, but it all seems to work as
> smooth as pie now. The first critical steps for me were switching to subnet
> topology and adding the route from the server to the client side tunnel.
> After that things just sorta fell into place.
>
> I hope the above isn't too confusing :-)
>
Thanks for the reply.

My openvpn server config follows - I think it's fairly straightforward:
server 172.27.0.0 255.255.0.0
tls-server
local 192.168.0.222
port 1195
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
keepalive 10 120
persist-key
ifconfig-pool-persist /etc/openvpn/customers-ip.txt
client-config-dir /etc/openvpn/ccd
status customers.log
log-append /var/log/openvpn-customers.log
verb 3
replay-window 72 30
comp-lzo
# route to a remote lan on a client
route 10.4.1.0 255.255.255.0

Then the server's routing table:
172.27.0.2 dev tun0  proto kernel  scope link  src 172.27.0.1
192.168.20.0/24 dev vmnet8  proto kernel  scope link  src 192.168.20.1
10.4.1.0/24 via 172.27.0.2 dev tun0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.71
192.168.0.0/24 dev br1  proto kernel  scope link  src 192.168.0.72
192.168.30.0/24 dev vmnet1  proto kernel  scope link  src 192.168.30.1
172.27.0.0/16 via 172.27.0.2 dev tun0
default via 192.168.0.1 dev eth0

VPN clients and the VPN server communicate without any problem.  I can
see the routes for the tun interface on the server - everything looks
right to me.

On a server-side LAN client, I add a route to the VPN.  For a Windows
client, I would execute:
route add 172.27.0.0 mask 255.255.0.0 192.168.0.71

And then test the connection.  I can ping the VPN server at 172.27.0.1
without problem.  But I can't ping the VPN clients.  Is an iptables rule
required for this step?
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
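A checklist for the question raised above (a server-side LAN host reaches 172.27.0.1 but not the VPN clients), added here as an example and not part of the thread or of OpenVPN itself: it greps the posted server.conf and `ip route` output for each piece the LAN -> tun0 -> client -> LAN path needs. It assumes eth0 is the server's LAN interface, the `iptables -S FORWARD` output format, and that the client's ccd file contents are passed in; the sysctl, iptables and ccd values used below are constructed.

```sh
#!/bin/sh
# Checklist for the LAN -> VPN-client path described above. Inputs below are
# constructed copies of the posted server.conf and `ip route` output; sysctl,
# iptables and ccd state are passed in as arguments (assumed, not from the post).
SERVER_CONF='server 172.27.0.0 255.255.0.0
dev tun
client-config-dir /etc/openvpn/ccd
route 10.4.1.0 255.255.255.0'
IP_ROUTE='172.27.0.2 dev tun0  proto kernel  scope link  src 172.27.0.1
10.4.1.0/24 via 172.27.0.2 dev tun0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.71
172.27.0.0/16 via 172.27.0.2 dev tun0
default via 192.168.0.1 dev eth0'

# vpn_path_findings CONF ROUTES IP_FORWARD FORWARD_CHAIN CCD
#   CONF: server.conf   ROUTES: `ip route`   IP_FORWARD: `sysctl -n net.ipv4.ip_forward`
#   FORWARD_CHAIN: `iptables -S FORWARD`   CCD: the client's file under client-config-dir
# Prints one line per missing piece; prints nothing when the path is complete.
vpn_path_findings() {
  conf=$1 routes=$2 ipfwd=$3 fwd=$4 ccd=$5
  # 1. The server must route the VPN subnet into tun0 (present in the post).
  echo "$routes" | grep -q '^172\.27\.0\.0/16 .*dev tun0' ||
    echo "no route for 172.27.0.0/16 via tun0 on the server"
  # 2. Clients need a route back to the LAN; without it their replies leave
  #    via their own default gateway and the LAN host never sees them.
  echo "$conf" | grep -q '^push "route 192\.168\.0\.0 255\.255\.255\.0"' ||
    echo 'server.conf lacks: push "route 192.168.0.0 255.255.255.0"'
  # 3. The kernel must forward packets between eth0 and tun0 at all.
  [ "$ipfwd" = 1 ] || echo "net.ipv4.ip_forward is not 1 on the server"
  # 4. Unless the FORWARD policy is ACCEPT, both directions need explicit rules.
  if ! echo "$fwd" | grep -q '^-P FORWARD ACCEPT'; then
    echo "$fwd" | grep -q -e '-i eth0 -o tun0 .*-j ACCEPT' ||
      echo "FORWARD chain has no 'eth0 -> tun0' ACCEPT rule"
    echo "$fwd" | grep -q -e '-i tun0 -o eth0 .*-j ACCEPT' ||
      echo "FORWARD chain has no 'tun0 -> eth0' ACCEPT rule"
  fi
  # 5. A server-side 'route' to a client LAN only works with a matching iroute
  #    in that client's ccd file, otherwise OpenVPN cannot pick the client.
  if echo "$conf" | grep -q '^route 10\.4\.1\.0 '; then
    echo "$ccd" | grep -q '^iroute 10\.4\.1\.0 255\.255\.255\.0' ||
      echo "ccd file lacks: iroute 10.4.1.0 255.255.255.0"
  fi
  return 0
}

# Worst case: forwarding off, empty FORWARD chain with DROP policy, no ccd.
vpn_path_findings "$SERVER_CONF" "$IP_ROUTE" 0 '-P FORWARD DROP' ''
```

On the live server, feed it the real `cat server.conf`, `ip route`, `sysctl -n net.ipv4.ip_forward`, `iptables -S FORWARD` and `cat /etc/openvpn/ccd/<client-cn>` (placeholder name) instead of the constructed values.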