[Openvpn-users] Can't ping clients behind VPN Client

  Subject: [Openvpn-users] Can't ping clients behind VPN Client
  From: "Marco Lovadina"
  Date: Fri, 5 Oct 2007 16:09:36 +0200


I’m trying to connect our offices through OpenVPN (2.0.9).

The configuration that I set up is as follows:


Server side


VPN server: Linux box, also acting as firewall, gateway (iptables) and PDC (Samba), with two NICs, IP forward enabled

VPN address

LAN Clients: all WIN XP Pro machines


##Server.conf  file##

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

ifconfig-pool-persist ipp.txt
push "route"
client-config-dir /etc/openvpn/ccd

push "route"
keepalive 10 120
log /etc/openvpn/opv.log

status openvpn-status.log
verb 3
fragment 1500

management localhost 7075
## end of server.conf file ##


In /etc/openvpn/ccd there is a file which contains the following statement






Client side


VPN Client: Windows XP PRO SP2, Firewall disabled, IP Forward enabled, one NIC, which has IP address

LAN Clients: all WIN XP Pro machines

Bintec router firewall which connects the LAN to Internet


client.ovpn file

dev tun
dev-node TAP
proto udp
remote m.m.m.m 1194
resolv-retry infinite

ca C:\\Programmi\\OpenVPN\\config\\ca.crt
cert C:\\Programmi\\OpenVPN\\config\\utiliteam-srv.crt
key C:\\Programmi\\OpenVPN\\config\\utiliteam-srv.key
verb 3

mssfix 1200
fragment 1500



The TUN interface in the server gateway is not firewalled

On the bintec router ( I have set up two routes: gw gw


Now my problem is that I can ping all clients behind the VPN server from LAN clients behind the VPN client, but I can’t ping any LAN client behind the VPN client from the VPN server LAN.


So only the host is reachable from LAN, whereas the whole subnet is reachable from subnet.


Using windump on the VPN Client ( shows that ICMP packets to host (for example) first reach the TAP interface of the VPN client, then the Ethernet interface of the VPN client, and then I lose them.

Here is the output of tracert executed from my host.


  1     5 ms     2 ms     2 ms
  2   105 ms   101 ms   101 ms
  3     *        *        *     Richiesta scaduta.
  4     *        *        *     Richiesta scaduta.

Note that is the linux box.


Can anyone help me?

Thanks in advance
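Added example (my code, not the poster's configuration): since the route values and the ccd statement are absent from the post, here is a small Python checker that cross-references the `route` lines of a server.conf against the `iroute` lines in the client-config-dir files, the pairing OpenVPN requires before a LAN behind a client is reachable from the server side. The subnets, the tunnel addresses and the use of utiliteam-srv (the cert filename in the post) as the client's common name are constructed assumptions.

```python
import ipaddress
import shlex
# Constructed sample config: hypothetical subnets, not the poster's real values.
SERVER_CONF = """
port 1194
dev tun
client-config-dir /etc/openvpn/ccd
route 192.168.2.0 255.255.255.0        # kernel route: client LAN -> tun
push "route 192.168.1.0 255.255.255.0" # server LAN, pushed to clients
"""
# ccd files keyed by client common name (name taken from the cert filename in the post)
CCD_OK = {"utiliteam-srv": "ifconfig-push 10.8.0.6 10.8.0.5\niroute 192.168.2.0 255.255.255.0\n"}
CCD_BAD = {"utiliteam-srv": "ifconfig-push 10.8.0.6 10.8.0.5\n"}  # iroute forgotten
def parse_directives(text):
    """Yield (name, args) per directive; strips '#' comments, honours quoted args."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def to_net(args):
    """'route'/'iroute' take 'network [netmask]'; no netmask means a single host."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)

def check_site_routing(server_conf, ccd_files):
    """Return mismatches: a LAN behind a client is reachable from the server side only
    if server.conf has 'route' (kernel -> tun) AND exactly one ccd file 'iroute's it."""
    problems = []
    directives = list(parse_directives(server_conf))
    routes = {to_net(a) for n, a in directives if n == "route"}
    iroutes = {}
    for client, text in ccd_files.items():
        for n, a in parse_directives(text):
            if n == "iroute":
                iroutes.setdefault(to_net(a), []).append(client)
    if not any(n == "client-config-dir" for n, _ in directives):
        problems.append("no client-config-dir: ccd iroute files are never read")
    for net in sorted(routes, key=str):
        owners = iroutes.get(net, [])
        if not owners:
            problems.append(f"route {net}: no ccd file has a matching iroute")
        elif len(owners) > 1:
            problems.append(f"route {net}: iroute claimed by {sorted(owners)}")
    for net, owners in iroutes.items():
        if net not in routes:
            problems.append(f"iroute {net} in ccd/{owners[0]}: no route in server.conf")
    return problems
```

Run `check_site_routing(SERVER_CONF, CCD_BAD)` to see the report for a ccd file that lacks its iroute; an empty list means the two sides agree.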