
[Openvpn-users] Can't ping clients behind VPN Client


  • Subject: [Openvpn-users] Can't ping clients behind VPN Client
  • From: "Marco Lovadina" <marco.lovadina@xxxxxx>
  • Date: Fri, 5 Oct 2007 16:09:36 +0200

Hi,

I'm trying to connect our offices through OpenVPN (2.0.9).

The configuration that I set up is as follows:


Server side

LAN: 192.168.0.0/24
VPN server: Linux box, also acting as firewall, gateway (iptables) and PDC (Samba), with two NICs, IP forwarding enabled
VPN address: 10.8.0.0
LAN clients: all Win XP Pro machines


## server.conf file ##

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 10.10.8.0 255.255.255.0
client-to-client
push "route 10.10.8.0 255.255.255.0"
keepalive 10 120
log /etc/openvpn/opv.log
persist-key
persist-tun
status openvpn-status.log
verb 3
fragment 1500
daemon
management localhost 7075

## end of server.conf file ##


In /etc/openvpn/ccd there is a file which contains the following statement:

iroute 10.10.8.0 255.255.255.0


############

Client side

LAN: 10.10.8.0/24
VPN client: Windows XP Pro SP2, firewall disabled, IP forwarding enabled, one NIC with IP address 10.10.8.10
LAN clients: all Win XP Pro machines
A Bintec router/firewall connects the LAN to the Internet


## client.ovpn file ##

client
dev tun
dev-node TAP
proto udp
remote m.m.m.m 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca C:\\Programmi\\OpenVPN\\config\\ca.crt
cert C:\\Programmi\\OpenVPN\\config\\utiliteam-srv.crt
key C:\\Programmi\\OpenVPN\\config\\utiliteam-srv.key
verb 3
show-net-up
mssfix 1200
fragment 1500


The TUN interface on the server gateway is not firewalled.

On the Bintec router (10.10.8.254) I have set up two routes:

10.8.0.0 255.255.255.0 gw 10.10.8.0
192.168.0.0 255.255.255.0 gw 10.10.8.0


Now my problem is that I can ping all clients behind the VPN server from LAN clients behind the VPN client, but I can't ping any LAN client behind the VPN client from the VPN server LAN.

So only the host 10.10.8.10 is reachable from the 192.168.0.0/24 LAN, whereas the whole 192.168.0.0/24 subnet is reachable from the 10.10.8.0/24 subnet.

Using windump on the VPN client (10.10.8.10) shows that ICMP packets to host 10.10.8.5 (for example) first reach the TAP interface of the VPN client, then the Ethernet interface of the VPN client, and then I lose them.

Here is the output of tracert 10.10.8.5 executed from my host:

  1     5 ms     2 ms     2 ms  192.168.0.202
  2   105 ms   101 ms   101 ms  10.8.0.10
  3     *        *        *     Richiesta scaduta.
  4     *        *        *     Richiesta scaduta.

Note that 192.168.0.202 is the Linux box.

Can anyone help me?

Thanks in advance

Marco
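A way to reason about a "ping goes out but never comes back" report like this one is to walk the echo request and the echo reply hop by hop through every routing table in the path, because windump and tracert only show the forward leg. The script below is an added example written for this post, not code from the poster or from the OpenVPN project. It rebuilds the two offices from the configurations quoted in the mail; everything not stated there is an assumption and is marked as such in the code: the Linux box's tun address 10.8.0.1, a sample office-A host 192.168.0.50, the office-B hosts using the Bintec router as default gateway, and the alternative Bintec gateway value 10.10.8.10 (the VPN client's own LAN address), which is tried as a hypothesis rather than stated as the confirmed cause.

```python
"""Hop-by-hop route lookup for the two-office OpenVPN setup in the mail above.

Added example, not part of the original post. Routing tables are reconstructed
from the quoted configs; values not in the mail are labelled as assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class Node:
    """A host or router: the addresses it owns plus a static routing table."""

    def __init__(self, name: str, addrs: List[str], routes: List[Tuple[str, Optional[str]]]):
        self.name = name
        self.addrs = {IPv4(a) for a in addrs}
        # (prefix, next hop); next hop None means the prefix is directly connected
        self.routes = [(Net(p), IPv4(g) if g else None) for p, g in routes]

    def lookup(self, dst: IPv4) -> Optional[Tuple[Net, Optional[IPv4]]]:
        """Longest-prefix match, as a kernel forwarding table does it."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 10) -> Tuple[List[str], str]:
    """Follow one packet from src to dst, hop by hop, through the nodes' tables.

    Returns (names of the nodes the packet passed through, outcome text).
    """
    by_addr = {a: n for n in nodes.values() for a in n.addrs}
    d = IPv4(dst)
    cur = by_addr[IPv4(src)]
    path = [cur.name]
    for _ in range(max_hops):
        if d in cur.addrs:
            return path, "delivered"
        route = cur.lookup(d)
        if route is None:
            return path, f"{cur.name}: no route to {d}"
        prefix, gw = route
        target = d if gw is None else gw
        nxt = by_addr.get(target)
        if nxt is None:
            # The table names a next hop that no host on the segment answers for,
            # so the packet is dropped (ARP for it never resolves).
            return path, f"{cur.name}: next hop {target} for {prefix} is not a reachable host"
        cur = nxt
        path.append(cur.name)
    return path, "hop limit exceeded (routing loop?)"


def build_topology(bintec_gw: str) -> Dict[str, Node]:
    """Reconstruct the two offices from the mail. Assumed values are marked."""
    nodes = [
        # Office A: a LAN host (constructed address) with the Linux box as default gateway
        Node("lan_a_host", ["192.168.0.50"],
             [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.202")]),
        # Linux box: 192.168.0.202 (tracert hop 1); 10.8.0.1 is the ASSUMED tun address.
        # 'route 10.10.8.0 255.255.255.0' plus the ccd iroute hand that prefix to the client.
        Node("linux_box", ["192.168.0.202", "10.8.0.1"],
             [("192.168.0.0/24", None), ("10.8.0.0/24", None), ("10.10.8.0/24", "10.8.0.10")]),
        # Windows XP VPN client: 10.8.0.10 (tracert hop 2) and 10.10.8.10; route pushed by the server
        Node("vpn_client", ["10.8.0.10", "10.10.8.10"],
             [("10.8.0.0/24", None), ("10.10.8.0/24", None), ("192.168.0.0/24", "10.8.0.1")]),
        # Office B LAN host; its default gateway is ASSUMED to be the Bintec router
        Node("lan_b_host", ["10.10.8.5"],
             [("10.10.8.0/24", None), ("0.0.0.0/0", "10.10.8.254")]),
        # Bintec router with the two static routes from the mail; the gateway is the parameter
        Node("bintec", ["10.10.8.254"],
             [("10.10.8.0/24", None), ("10.8.0.0/24", bintec_gw), ("192.168.0.0/24", bintec_gw)]),
    ]
    return {n.name: n for n in nodes}


def diagnose(bintec_gw: str) -> Dict[str, Tuple[List[str], str]]:
    """Trace the echo request A->B and the echo reply B->A for a given Bintec gateway."""
    nodes = build_topology(bintec_gw)
    return {
        "request": trace(nodes, "192.168.0.50", "10.10.8.5"),
        "reply": trace(nodes, "10.10.8.5", "192.168.0.50"),
    }


if __name__ == "__main__":
    # First the routes exactly as posted, then with the VPN client's LAN address (assumed fix)
    for gw in ("10.10.8.0", "10.10.8.10"):
        print(f"Bintec routes via {gw}:")
        for leg, (path, outcome) in diagnose(gw).items():
            print(f"  {leg:8s} {' -> '.join(path)}: {outcome}")
```

With the tables as posted, the request leg reaches lan_b_host through linux_box and vpn_client, which matches what windump shows on the client's Ethernet interface; the reply leg stops at the Bintec router, because 10.10.8.0 is the network address of the segment and no host answers for it as a next hop. Re-running with the parameter set to 10.10.8.10 makes the reply leg complete, which is the hypothesis worth checking first on the real router before looking at the Windows XP forwarding or OpenVPN settings.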