Re: [Openvpn-users] Question about using the server-mode to expose both the client and server's subnets (2 way)


  • Subject: Re: [Openvpn-users] Question about using the server-mode to expose both the client and server's subnets (2 way)
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Mon, 03 Dec 2007 15:19:21 +0100

You can enable routing on a Linux machine on the fly by typing
  echo 1 > /proc/sys/net/ipv4/ip_forward
This is effective immediately; there is no need to restart network adapters. To 
make it survive a reboot, also modify
  /etc/sysctl.conf
and set
  net.ipv4.ip_forward = 1

After that, make sure the firewall on the Linux box is not too 
restrictive; during testing I'd simply turn *off* iptables, but you could 
also do something like
  iptables -I FORWARD -i tun+ -j ACCEPT
  iptables -I FORWARD -o tun+ -j ACCEPT
(this allows *ANY* traffic coming to and going from the tun+ adapters; 
again, you might want something more restrictive).

Finally, does the client 172.22.0.3 know where to send packets back to? 
Does it already know that packets with source address 192.168.100.0/24 
should go back to the OpenVPN client (172.22.0.2)? Alternatively, an 
iptables hack might help you again:
  iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

All this does not have much to do with OpenVPN but much more with 
routing subnets (which seems to be the topic for 80+% of all questions 
on this mailing list).

HTH,

JJK

Francis Joanis wrote:
> Hi,
>
> Thanks for your reply.
>
> Here are more details about how far I got it working.
>
> My server.conf essentially looks like:
>
> -----
> port 1194
> proto udp
> dev tun
>
> server 11.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
>
> push "route 192.168.100.0 255.255.255.0"
>
> client-config-dir ccd
> route 172.22.0.0 255.255.255.0
>
> client-to-client
> keepalive 10 120
> -----
>
> Here's the ccd file matching my client:
> -----
> iroute 172.22.0.0 255.255.255.0
> -----
>
> Once my client, having an IP of 172.22.0.2 (for example), connects, I
> can ping it from the server (i.e. ping 172.22.0.2 works). Also, I can
> ping the server's IP address from the client (i.e. ping
> 192.168.100.2).
>
> However, when I try to ping (from the server) another PC on the
> client's subnet (for example, 172.22.0.3), it doesn't work.
>
> I used wireshark to listen on the tun0 adaptor of the client and I was
> able to see the ICMP ping requests coming in for 172.22.0.3, but they
> didn't seem to be "forwarded/sent" through eth0 and onto the client's
> LAN.
>
> I'm starting to think that it is not an OpenVPN issue per se, but
> that it could be a configuration issue on the client's box.
>
> I tried to set up IP forwarding on the client (it's running Linux), but
> I haven't gotten it to work yet (I was doing it over SSH and I don't
> know if the setting required the network interfaces to be restarted).
>
> Please let me know if it makes sense.
>

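The two checks JJK points at (is forwarding on, and does the LAN host have a return route for the VPN-side subnet) plus a less permissive version of the FORWARD rules, as an added example that is not part of the thread. It assumes eth0 is the client's LAN interface, as in the thread, and runs against a constructed routing-table sample rather than a live box.

```shell
#!/bin/sh
# Added example (not from the thread): helper checks for the two things JJK
# raises on the OpenVPN client box, plus a tighter FORWARD ruleset.
# Assumes eth0 is the client's LAN interface (as in the thread) and uses a
# constructed `ip route` sample in place of a live box.

VPN_SUBNET="192.168.100.0/24"   # server-side LAN (pushed via "route")
CLIENT_LAN="172.22.0.0/24"      # client-side LAN (declared via iroute)

# Print 1 if the forwarding flag in file $1 (default: the real sysctl node)
# reads "1", otherwise 0. An unreadable or missing file counts as disabled.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo 0; return; }
    [ "$(tr -d '[:space:]' < "$f")" = "1" ] && echo 1 || echo 0
}

# Read `ip route` output on stdin and print the next hop for prefix $1,
# or "none" when no "via" route exists (the return-path problem JJK asks about).
route_next_hop() {
    awk -v net="$1" '
        $1 == net && $2 == "via" { print $3; found = 1; exit }
        END { if (!found) print "none" }'
}

# Emit FORWARD rules that only let the two LANs talk across tun+, instead of
# the blanket "-i tun+ -j ACCEPT" in the reply. Printed, not executed, so the
# ruleset can be reviewed first (apply with: forward_rules | sh).
forward_rules() {
    cat <<EOF
iptables -I FORWARD -i tun+ -o eth0 -s $VPN_SUBNET -d $CLIENT_LAN -j ACCEPT
iptables -I FORWARD -i eth0 -o tun+ -s $CLIENT_LAN -d $VPN_SUBNET -j ACCEPT
EOF
}

# Constructed sample: routing table of a LAN host (172.22.0.3) that already
# has a return route for the VPN-side subnet pointing at the OpenVPN client.
SAMPLE_ROUTES="default via 172.22.0.1 dev eth0
172.22.0.0/24 dev eth0 proto kernel scope link src 172.22.0.3
192.168.100.0/24 via 172.22.0.2 dev eth0"

echo "ip_forward on this box: $(forwarding_enabled)"
echo "next hop for $VPN_SUBNET (sample): $(printf '%s\n' "$SAMPLE_ROUTES" | route_next_hop "$VPN_SUBNET")"
```

To check a real LAN host, pipe the live table in with `ip route | route_next_hop 192.168.100.0/24`; "none" means replies will follow the default gateway instead of the OpenVPN client, which is when the MASQUERADE workaround from the reply starts to look attractive.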
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users