Re: [Openvpn-users] Possible routing problem

  • Subject: Re: [Openvpn-users] Possible routing problem
  • From: "Daniel L. Miller" <dmiller@xxxxxxxxx>
  • Date: Sun, 09 Sep 2007 18:35:20 -0700

john@xxxxxxxxx wrote:
> I recently set up openvpn between two LANs and wanted clients on both sides
> to have full access to either side. I used the tun setup, server - client
> with persistent key and tun settings and topology subnet. Both the client
> and server are Linux boxes, each has Windows XP boxes behind them as well
> as two internal servers on the server side. I had to add routes to the
> openvpn server on the two internal servers and add a couple of iptables
> directives to get it all to work smoothly, including the samba servers on
> either side.
> Additionally I also added proxy_arp directives
> (/proc/sys/net/conf/tun0/proxy_arp and /proc/sys/net/conf/eth1/proxy_arp
> were changed to ones - the eth1 interface is the internal eth that openvpn
> listens on). The proxy_arp directive cleared some issues both with samba and
> asterisk voip on both networks. Now internal clients on both sides can
> successfully arping clients on the other side.
> The server side also needed an additional route - the client side internal
> is 192.168.xxx.0/24 and the route added on the server is -net
> 192.168.xxx.0/24 gw client side tun0 address. The client side needed no
> additional routing to the four internal LANs on the server side since they were
> pushed from the server.
> For iptables on both sides I opened the outside eth to port 1194, both
> inputs and outputs, to the outside address of the other end, and also I
> added input, output, and forward for tun+.
> It took a few days to figure this all out, but it all seems to work as
> smooth as pie now. The first critical steps for me were switching to subnet
> topology and adding the route from the server to the client side tunnel.
> After that things just sorta fell into place.
> I hope the above isn't too confusing :-)
Thanks for the reply.

My openvpn server config follows - I think it's fairly straightforward:
port 1195
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
keepalive 10 120
ifconfig-pool-persist /etc/openvpn/customers-ip.txt
client-config-dir /etc/openvpn/ccd
status customers.log
log-append /var/log/openvpn-customers.log
verb 3
replay-window 72 30
# route to a remote lan on a client

Then the server's routing table:
dev tun0  proto kernel  scope link  src
dev vmnet8  proto kernel  scope link  src
via dev tun0
dev eth0  proto kernel  scope link  src
dev br1  proto kernel  scope link  src
dev vmnet1  proto kernel  scope link  src
via dev tun0
default via dev eth0

VPN clients and the VPN server communicate without any problem.  I can 
see the routes for the tun interface on the server - everything looks 
right to me.

On a server-side LAN client, I add a route to the VPN.  For a Windows 
client, I would execute:
route add mask

And then test the connection.  I can ping the VPN server at 
without problem.  But I can't ping the VPN clients.  Is an iptables rule 
required for this step?
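Added example, not part of the thread or of any OpenVPN project code: the pieces that turn the server in this setup into a router between its LAN and the tunnel, with the route each side needs. Two things the thread touches on are worth spelling out. Traffic relayed between eth and tun0 passes the iptables FORWARD chain, not INPUT or OUTPUT, so the "tun+" rules mentioned earlier only help if they include FORWARD (and ip_forward must be on). And the server config posted above contains no push "route ..." line; without one, a VPN client that receives a ping from a server-side LAN host sends its reply to its own default gateway rather than back through the tunnel, which looks exactly like "I can ping the server but not the clients". All names below are assumptions: LAN interface eth1 with server address 192.168.1.1, tunnel tun0, VPN pool 10.8.0.0/24, server-side LAN 192.168.1.0/24 and a client-side LAN 192.168.2.0/24 behind the client whose certificate CN is "branch-gw".

```shell
#!/bin/sh
# Added example (not from the thread).  Assumed names: LAN interface eth1
# (server LAN address 192.168.1.1), tunnel tun0, VPN pool 10.8.0.0/24,
# server-side LAN 192.168.1.0/24, client-side LAN 192.168.2.0/24 behind
# the client with certificate CN "branch-gw".
# DRY_RUN=1 (the default) prints the commands instead of running them, so
# the script can be read and checked without root; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF=eth1;            VPN_IF=tun0
SERVER_LAN_IP=192.168.1.1
LAN_NET=192.168.1.0;    LAN_MASK=255.255.255.0
VPN_NET=10.8.0.0;       VPN_MASK=255.255.255.0
REMOTE_LAN=192.168.2.0; REMOTE_MASK=255.255.255.0
REMOTE_CN=branch-gw

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Without forwarding, LAN hosts can reach the server's own addresses
#    (its tun0 address included) but nothing behind it.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# 2. Packets relayed between eth1 and tun0 traverse the FORWARD chain;
#    INPUT/OUTPUT rules for tun+ only cover traffic to and from the
#    server itself.  Allow the two LAN<->tunnel directions and nothing
#    else, so a VPN peer cannot pivot to the vmnet*/br1 interfaces.
forward_rules() {
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET/$LAN_MASK" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET/$LAN_MASK" -j ACCEPT
    run iptables -P FORWARD DROP
}

# 3. Lines for the server config: the push gives every VPN client a
#    route back to the server-side LAN (the return path for pings from
#    192.168.1.x); "route" sends the client-side LAN into tun0 at the
#    kernel level.
server_directives() {
    cat <<EOF
push "route $LAN_NET $LAN_MASK"
route $REMOTE_LAN $REMOTE_MASK
EOF
}

# 4. The client-config-dir file for the branch client: "iroute" tells
#    OpenVPN itself which connected client owns that subnet.
ccd_directive() {
    printf 'iroute %s %s\n' "$REMOTE_LAN" "$REMOTE_MASK"
}

# 5. What each server-side LAN host (or, better, its default gateway)
#    needs, in the Windows "route" syntax used in the thread.
lan_host_routes() {
    printf 'route add %s mask %s %s\n' "$VPN_NET" "$VPN_MASK" "$SERVER_LAN_IP"
    printf 'route add %s mask %s %s\n' "$REMOTE_LAN" "$REMOTE_MASK" "$SERVER_LAN_IP"
}

enable_forwarding
forward_rules
echo "# server config:";   server_directives
echo "# ccd/$REMOTE_CN:";  ccd_directive
echo "# on LAN hosts:";    lan_host_routes
```

Run it as is to see the commands and directives; run it with DRY_RUN=0 as root to apply the sysctl and iptables parts (the OpenVPN directives and the LAN-host routes still have to be placed by hand). The FORWARD policy is set to DROP deliberately: with a default ACCEPT policy the tunnel would also give VPN peers a path to the vmnet and bridge interfaces visible in the routing table above.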