
Re: [Openvpn-users] Question about using the server-mode to expose both the client and server's subnets (2 way)

  • Subject: Re: [Openvpn-users] Question about using the server-mode to expose both the client and server's subnets (2 way)
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Mon, 03 Dec 2007 15:19:21 +0100

you can enable routing on a linux machine on the fly by typing
  echo 1 > /proc/sys/net/ipv4/ip_forward
this is effective immediately, no need to restart network adapters. To 
make it survive a reboot, also modify
and set
  net.ipv4.ip_forward = 1

after that, make sure the firewall on the linux box is not too 
restrictive; during testing I'd simply turn *off* iptables but you could 
also do something like
  iptables -I FORWARD -i tun+ -j ACCEPT
  iptables -I FORWARD -o tun+ -j ACCEPT
(this allows *ANY* traffic coming to and going from the tun+ adapters - 
again, you might want something more restrictive).

Finally, does the client know where to send packets back to? 
Does it already know that packets with source address 
should go back to the OpenVPN client ( ? Alternatively, an 
iptables hack might help you again
  iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

all this does not have much to do with openvpn but much more with 
routing subnets (which seems to be the topic for 80+% of all questions 
on this mailing list)



Francis Joanis wrote:
> Hi,
> Thanks for your reply.
> Here are more details about how far I got it working.
> My server.conf essentially looks like:
> -----
> port 1194
> proto udp
> dev tun
> server
> ifconfig-pool-persist ipp.txt
> push "route"
> client-config-dir ccd
> route
> client-to-client
> keepalive 10 120
> -----
> Here's the ccd file matching my client:
> -----
> iroute
> -----
> Once my client, having an ip of (for example), connects I
> can ping it from the server (i.e. ping works). Also, I can
> ping the server's ip address from the client (i.e. ping
> However, when I try to ping (from the server) another PC on the
> client's subnet (for example,, it doesn't work.
> I used wireshark to listen on the tun0 adaptor of the client and I was
> able to see the ICMP ping requests coming in for, but they
> didn't seem to be "forwarded/sent" through eth0 and onto the client's
> LAN.
> I'm starting to think that it is not an openvpn issue per se, but
> that it could be a configuration issue on the client's box.
> I tried to setup ip forwarding on the client (it's running linux), but
> I haven't gotten it to work yet (I was doing it over ssh and I don't
> know if the setting required the network interfaces to be restarted).
> Please let me know if it makes sense.

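The forwarding setup Jan Just describes above (enable ip_forward, open the FORWARD chain, optionally MASQUERADE), written out as a small script. This is an added example, not code from either message in the thread. It tightens the "accept anything on tun+" rules to the two subnets actually being joined and adds the conntrack rule that lets replies through. The topology is assumed for illustration: tun0 is the OpenVPN interface, eth0 the LAN interface, 192.168.1.0/24 the LAN behind this box and 192.168.2.0/24 the LAN on the far side of the tunnel; the sysctl.d file name is also an arbitrary choice. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be read and tested without touching the firewall.

```shell
#!/bin/sh
# Constructed example: make an OpenVPN endpoint forward between its LAN and
# the subnet on the other side of the tunnel. Not from the original thread.
#
# Assumed topology (placeholders):
#   tun0            OpenVPN interface
#   eth0            LAN interface of this box
#   192.168.1.0/24  LAN behind this box
#   192.168.2.0/24  LAN behind the remote OpenVPN endpoint
#
# DRY_RUN=1 prints commands; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ip_forward_enabled [FILE]
# Returns 0 when the kernel forwarding knob reads "1". FILE defaults to the
# real /proc entry; it is a parameter so the check can be exercised on a copy.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# enable_ip_forward
# Effective immediately via /proc (no interface restart needed), and made
# persistent through a sysctl.d drop-in (file name is an arbitrary choice).
enable_ip_forward() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run sh -c 'printf "net.ipv4.ip_forward = 1\n" > /etc/sysctl.d/99-openvpn-forward.conf'
}

# forward_rules TUN_IF LAN_IF LOCAL_NET REMOTE_NET
# Default-drop FORWARD policy, then allow exactly two flows: remote LAN ->
# local LAN entering on the tunnel, and local LAN -> remote LAN leaving on
# it. The conntrack rule is inserted first so replies to accepted flows pass.
forward_rules() {
    tun="$1"; lan="$2"; local_net="$3"; remote_net="$4"
    run iptables -P FORWARD DROP
    run iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$tun" -o "$lan" -s "$remote_net" -d "$local_net" -j ACCEPT
    run iptables -A FORWARD -i "$lan" -o "$tun" -s "$local_net" -d "$remote_net" -j ACCEPT
}

# masquerade_rule LAN_IF REMOTE_NET
# Only needed when hosts on the LAN have no route for REMOTE_NET pointing at
# this box: rewrite the source of tunnel traffic to the LAN interface address
# so LAN hosts answer to this box instead of to an address they cannot reach.
# Restricting to REMOTE_NET avoids NATing unrelated traffic leaving LAN_IF.
masquerade_rule() {
    lan="$1"; remote_net="$2"
    run iptables -t nat -A POSTROUTING -s "$remote_net" -o "$lan" -j MASQUERADE
}

# Demo for the assumed topology; with DRY_RUN=1 this just prints the commands.
enable_ip_forward
forward_rules tun0 eth0 192.168.1.0/24 192.168.2.0/24
masquerade_rule eth0 192.168.2.0/24
```

Note that the FORWARD rules alone do not fix the symptom described in the thread (requests seen on tun0 but never leaving eth0) unless ip_forward is actually 1; run `ip_forward_enabled` first. Prefer adding a static route for the remote subnet on the LAN gateway over MASQUERADE, since NAT hides the real source addresses from LAN hosts and their logs.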
Openvpn-users mailing list