Re: [Openvpn-users] Routing problems with bridged VPN



Remove the push "route 10.0.0.0 255.255.255.0".
You don't need a route to the LAN, because you are already bridged to it.

What is in the br0 bridge? (brctl show br0 or similar command)
 
Regards,
David
 


From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Avi Shevin
Sent: Mon 19-Nov-07 15:07
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Routing problems with bridged VPN

I've switched to a WinXP client for this test, as changing network
settings is a pain under Vista with UAC.  Anyway, I tried your suggestion,
but there's no change in behavior.  Also, please note that the server
can't ping the client either, and a route on the client won't change that.

Here's the routing table from the client.
The x's are the real IP address components.
-------------------------------------------
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       xx.xx.xx.1    xx.xx.xx.xx1       10
         10.0.0.0    255.255.255.0       10.0.0.202      10.0.0.202       30
         10.0.0.0    255.255.255.0         10.0.0.1      10.0.0.202       1
       10.0.0.202  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255       10.0.0.202      10.0.0.202       30
       xx.xx.xx.0    255.255.254.0     xx.xx.xx.xx1    xx.xx.xx.xx1       10
     xx.xx.xx.xx1  255.255.255.255        127.0.0.1       127.0.0.1       10
   xx.255.255.255  255.255.255.255     xx.xx.xx.xx1    xx.xx.xx.xx1       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0       10.0.0.202      10.0.0.202       30
        224.0.0.0        240.0.0.0     xx.xx.xx.xx1    xx.xx.xx.xx1       10
  255.255.255.255  255.255.255.255       10.0.0.202      10.0.0.202       1
  255.255.255.255  255.255.255.255     xx.xx.xx.xx1    xx.xx.xx.xx1       1
Default Gateway:        xx.xx.xx.1
===========================================================================
Persistent Routes:
  None

ipconfig from the client
------------------------
Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.0.202
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :


On Sun, November 18, 2007 4:26 pm, Jon Spriggs wrote:
> Hi Avi,
> It's a fairly common mistake (and one I've made too).
>
> On your server config, you need to include the following line
>
> push "route 10.0.0.0 255.255.255.0"
>
> This assumes your subnet is a /24.
>
> Alternatively, you can include it in your client configs, but each time
> you grow your network, you'll have to change your client config.
> Ultimately it's cleaner to do it in the server.
>
> Jon
>
> -----Original Message-----
> From: Avi Shevin <avi@xxxxxxxxxxx>
> Sent: 18 November 2007 21:18
> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: [Openvpn-users] Routing problems with bridged VPN
>
>
> Hello all!
>
> I have the following problem:
>
> I have a Linux server that I use as a gateway from my home LAN to the
> 'net.  The internal NIC is eth1, serving a 10.0.0.0 network.  I have an
> ADSL connection that sits over eth0, and I use iptables for NAT.  I have
> installed openvpn on this box, and I would like to bridge the internal
> network (eth1) with the VPN clients.  The bridge appears to be set up
> correctly (br0 has an ip address of 10.0.0.1, and everything except the
> vpn still works correctly.)  I have a Vista laptop that I'm using as a
> test client.  It's connected to a public wireless network, so it's not
> sitting on my home LAN at the moment.  I want to bridge it with my home
> network (10.0.0.0), but it doesn't work correctly.  It connects just fine
> without any warnings or errors, but routing is completely broken.
>
>
> openvpn config (server)
> -----------------------
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> client-to-client
> comp-lzo
> dev tap
> dh /etc/openvpn/keys/dh1024.pem
> group nogroup
> ifconfig-pool-persist ipp.txt
> keepalive 10 120
> local 75.42.96.214
> persist-key
> persist-tun
> port 1196
> proto udp
> server-bridge 10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.224
> status openvpn-status.log
> user nobody
> verb 3
>
> routing table (server)
> ----------------------
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> adsl-75-42-97-2 *               255.255.255.255 UH    0      0        0 ppp0
> 10.0.0.0        *               255.255.255.0   U     0      0        0 br0
> default         *               0.0.0.0         U     0      0        0 ppp0
>
>
> openvpn config (client)
> -----------------------
> client
> dev tap
> proto udp
> remote <my server> 1196
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca "c:\\program files\\openvpn\\keys\\ca.crt"
> cert "c:\\program files\\openvpn\\keys\\vista.crt"
> key "c:\\program files\\openvpn\\keys\\vista.key"
> comp-lzo
> verb 3
>
> routing table (client)
> ----------------------
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0     64.250.128.1   64.250.157.167     25
>          10.0.0.0    255.255.255.0         On-link        10.0.0.201    286
>        10.0.0.201  255.255.255.255         On-link        10.0.0.201    286
>        10.0.0.255  255.255.255.255         On-link        10.0.0.201    286
>      64.250.128.0    255.255.224.0         On-link    64.250.157.167    281
>    64.250.157.167  255.255.255.255         On-link    64.250.157.167    281
>    64.250.159.255  255.255.255.255         On-link    64.250.157.167    281
>         127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
>         127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
>   127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>         224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
>         224.0.0.0        240.0.0.0         On-link    64.250.157.167    281
>         224.0.0.0        240.0.0.0         On-link        10.0.0.201    286
>   255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>   255.255.255.255  255.255.255.255         On-link    64.250.157.167    281
>   255.255.255.255  255.255.255.255         On-link        10.0.0.201    286
> ===========================================================================
> Persistent Routes:
>   None
>
>
> ping results (client to server)
> -------------------------------
> C:\Users\Avi>ping 10.0.0.1
>
> Pinging 10.0.0.1 with 32 bytes of data:
>
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 10.0.0.1:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
>
> ping results (server to client)
> -------------------------------
> home:/etc/openvpn# ping -c 4 10.0.0.201
> PING 10.0.0.201 (10.0.0.201) 56(84) bytes of data.
> From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
> From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
> From 10.0.0.1 icmp_seq=3 Destination Host Unreachable
> From 10.0.0.1 icmp_seq=4 Destination Host Unreachable
>
> --- 10.0.0.201 ping statistics ---
> 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3008ms
> , pipe 3
>
>
> --
> - Avi Shevin
> - avi@xxxxxxxxxxx
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>


--
- Avi Shevin
- avi@xxxxxxxxxxx
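
Added example (not part of the original thread, and not OpenVPN project code): a small config check for the point made at the top of this message, that a pushed route to the LAN is redundant on a bridged server. It flags any push "route ..." whose network lies inside the server-bridge subnet; the function names and the 192.168.50.0 line in the sample are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: directives from the server config in this thread, plus
# the suggested push line and one made-up route outside the bridged subnet.
SAMPLE_CONFIG = '''\
dev tap
proto udp
server-bridge 10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.224
push "route 10.0.0.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"
'''

def parse_directives(text):
    """Yield (name, args) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        yield tokens[0], tokens[1:]

def redundant_pushed_routes(text):
    """Return pushed IPv4 routes that fall inside the server-bridge subnet."""
    bridge_net = None
    pushed = []
    for name, args in parse_directives(text):
        if name == "server-bridge" and len(args) >= 2:
            # server-bridge <gateway> <netmask> <pool-start> <pool-end>
            bridge_net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif name == "push" and args:
            inner = args[0].split()
            if len(inner) >= 2 and inner[0] == "route":
                # A route with no netmask is a host route.
                mask = inner[2] if len(inner) >= 3 else "255.255.255.255"
                try:
                    pushed.append(ipaddress.ip_network(f"{inner[1]}/{mask}", strict=False))
                except ValueError:
                    continue  # hostname or keyword target; cannot compare
    if bridge_net is None:
        return []  # not a bridged server, nothing to compare against
    return [str(net) for net in pushed if net.subnet_of(bridge_net)]

if __name__ == "__main__":
    for net in redundant_pushed_routes(SAMPLE_CONFIG):
        print(f"redundant: pushed route {net} is inside the bridged subnet")
```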

