Re: [Openvpn-users] Basic questions / unique gateway for clients


  • Subject: Re: [Openvpn-users] Basic questions / unique gateway for clients
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Thu, 06 Dec 2007 16:36:06 +0100

first things first:

let's make sure you can connect to the server at all... this part

       IP-adres. . . . . . . . . . . . . : 192.168.100.6
       Subnetmasker. . . . . . . . . . . : 255.255.255.252
       Standaardgateway. . . . . . . . . : 192.168.100.5
       DHCP-server . . . . . . . . . . . : 192.168.100.5

is correct... the .5 address is necessary but not pingable.
Do NOT put a .4 in the persist-ip.txt file, it will not work. Each VPN 
client will have a miniature subnet with netmask 255.255.255.252; that 
means the server claims 192.168.100.0 - 192.168.100.3; the first client 
will get 192.168.100.4 - 192.168.100.7, etc. However, the first *usable* 
address inside the .252 subnet is .1, .5, .9 etc.; the first *client* 
address will be .6, .10, etc. That's just how it works on Windows.

As for the routing/default-gateway question: that's a routing/NATting 
issue that you need to solve on your server. On linux you'd use iptables 
and SNAT/MASQUERADE to get what you want. On W2K3 I have no clue how to 
achieve this...

HTH / greetings,

JJK

Joris Kempen wrote:
>
> dear openvpn users!
>
> I'm rather new at using OpenVPN or VPN at all. Did some testing with 
> "Routing and Remote access" in Windows 2003 and the inbuilt VPN client 
> of Windows. So no network expert at all! I think that my problem/setup 
> consists of several problems and I tried to break it up into several parts.
>
> What I want to accomplish in the end:
> Windows2003 server with 1 NIC that has 2 ip addresses:
> 85.x.x.78
> 85.x.x.79
>
> There is nothing like NAT going on at the server. These IPs are all 
> directly reachable from the internet.
> the ipconfig for this machine:
>    Connection-specific DNS Suffix  . :
>    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit 
> Ethernet
>    Physical Address. . . . . . . . . : 00-12-3F-2A-82-A0
>    DHCP Enabled. . . . . . . . . . . : No
>    IP Address. . . . . . . . . . . . : 85.x.x.79
>    Subnet Mask . . . . . . . . . . . : 255.255.255.192
>    IP Address. . . . . . . . . . . . : 85.x.x.78
>    Subnet Mask . . . . . . . . . . . : 255.255.255.192
>    Default Gateway . . . . . . . . . : 85.x.x.126
>    DNS Servers . . . . . . . . . . . : 85.x.x.69
>                                        83.x.x.123
>    NetBIOS over Tcpip. . . . . . . . : Disabled
>
> I have 2 clients that are behind a NAT ADSL modem and have an IP 
> address like this:
> client1: 10.0.0.1
> client2: 10.0.0.2
> and the default gateway is 10.0.0.138 (Speedtouch ADSL modem)
>
> the thing I want to accomplish is that client1 makes a VPN connection 
> with the server and uses 85.x.x.78 for all its gateway network 
> connections. (So if I browse to website www.watismijnip.nl it displays 
> 85.x.x.78 for this client)
>
> and client2 will make a VPN connection with the server and uses 
> 85.x.x.79 for all its gateway network connections (So if I browse to 
> website www.watismijnip.nl it displays 85.x.x.79 for this client)
>
> My first start was just to set up a basic VPN connection with the 
> server, without the need to make sure the clients each get a 
> unique gateway for the internet.
>
> So said, so done:
>
> server config:
> local 85.x.x.79
> port 1194
> proto udp
> dev tun
> ca ca.crt
> cert server.crt
> key server.key  # This file should be kept secret
> dh dh1024.pem
> server 192.168.100.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "redirect-gateway"
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
>
> client config:
> client
> dev tun
> proto udp
> remote 85.x.x.79 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> comp-lzo
> verb 3
>
> I had this working at some point that I could ping the server from my 
> client! And I could reach the shares of the server using explorer! All 
> trouble I had left,  is that the client couldn’t do anything more on 
> the internet, all pings / tracert wouldn’t reach any target.
>
> From that point I tried several things to make sure the client still 
> could access the internet. No progress in this. After several days of 
> leaving this project, because it was getting frustrating, I tried 
> again today.
>
> Now I have these problems /questions:
> 1. Is the config I’m using above a good starting direction to 
> accomplish my final goal? (unique gateways for each client)
>
> 2. With the above config I can’t ping the server anymore! I 
> didn’t change a thing but for some reason the packets get dropped at 
> the server (192.168.100.1):
>
> "client1/84.x.x.83:4740 MULTI: bad source address from client 
> [10.0.0.2], packet dropped"
>
> This 10.0.0.2 IP address is from the physical NIC in my client's PC! 
> (the one connected to my ADSL router!) Shouldn’t it be using the 
> IP address it gets from the VPN connection → 192.168.100.5?
>
> 3. If I do ipconfig /all, I get this info from the OpenVPN network 
> device on the client:
>
>        IP-adres. . . . . . . . . . . . . : 192.168.100.6
>        Subnetmasker. . . . . . . . . . . : 255.255.255.252
>        Standaardgateway. . . . . . . . . : 192.168.100.5
>        DHCP-server . . . . . . . . . . . : 192.168.100.5
>
> Why does it use 192.168.100.5 for the gateway and DHCP? My guess would 
> be that it uses 192.168.100.1 (= server). I don’t have that much 
> networking knowledge. This 192.168.100.5 can’t be pinged or whatever. 
> What is this exactly?
>
> My routing table on the client looks like this:
> Netwerkadres           Netmask          Gateway          Interface      Metric
>           0.0.0.0          0.0.0.0    192.168.100.5    192.168.100.6       1
>          10.0.0.0        255.0.0.0         10.0.0.2         10.0.0.2      20
>          10.0.0.2  255.255.255.255        127.0.0.1        127.0.0.1      20
>    10.255.255.255  255.255.255.255         10.0.0.2         10.0.0.2      20
>         85.x.x.79  255.255.255.255       10.0.0.138         10.0.0.2       1
>         127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
>     192.168.100.1  255.255.255.255    192.168.100.5    192.168.100.6       1
>     192.168.100.4  255.255.255.252    192.168.100.6    192.168.100.6      30
>     192.168.100.6  255.255.255.255        127.0.0.1        127.0.0.1      30
>   192.168.100.255  255.255.255.255    192.168.100.6    192.168.100.6      30
>         224.0.0.0        240.0.0.0         10.0.0.2         10.0.0.2      20
>         224.0.0.0        240.0.0.0    192.168.100.6    192.168.100.6      30
>   255.255.255.255  255.255.255.255         10.0.0.2         10.0.0.2       1
>   255.255.255.255  255.255.255.255    192.168.100.6    192.168.100.6       1
> Standaard-gateway:     192.168.100.5
> ===========================================================================
>
> Permanente routes:
>   None
>
> 4. If I look in the ipp.txt document on the server it says this:
> client1,192.168.100.4
>
> So you would assume that client1 would get the ip address 
> 192.168.100.4 and not 192.168.100.6
>
> Any ideas why this is?
>
> Sorry for asking all these questions, but it’s really frustrating to 
> be trying this for hours without any progress.
>
> And please tell me if my direction is going the right way, or whether I 
> should completely change the configs that I’m using for OpenVPN!
>
> Many thanks in advance!
>
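
Added example (not code from this thread, from OpenVPN, or from either poster): a small Python model of the net30 address allocation JJK describes, so the numbers in the question line up. It takes the `server 192.168.100.0 255.255.255.0` line, hands out one /30 per client (server keeps .0-.3; the first client gets .4-.7 with .5 as its virtual gateway and .6 as its tun address), maps an `ipp.txt` entry such as `client1,192.168.100.4` to what the client actually sees, models the server-side source check behind the quoted "MULTI: bad source address" message, and builds the per-client Linux SNAT rule JJK points at. The sample `ipp.txt` content is constructed, `eth0` and the public address `85.x.x.78` (with the x's as on the page) are assumptions, and the generated rule is only printed, never applied.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed sample of an ifconfig-pool-persist file (ipp.txt), in the
# "common_name,address" form the question quotes. Not a file from the thread.
SAMPLE_IPP = """\
# OpenVPN client pool persistence (constructed sample)
client1,192.168.100.4
client2,192.168.100.8
"""


def _pool(server_line: str) -> ipaddress.IPv4Network:
    """Parse the argument of the 'server' directive, e.g. "192.168.100.0 255.255.255.0"."""
    net, mask = server_line.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=True)


def server_endpoints(server_line: str) -> Tuple[str, str]:
    """In net30 mode the server keeps the first /30 of the pool: .1 is its tun
    address, .2 the virtual peer address it uses for routes."""
    pool = _pool(server_line)
    first = ipaddress.ip_network((int(pool.network_address), 30))
    return str(first[1]), str(first[2])


def client_block(server_line: str, index: int) -> Dict[str, str]:
    """Return the /30 handed to the index-th client (0-based). The block base
    (.4, .8, ...) is what ipp.txt records; .5/.9/... is the client's virtual
    gateway and .6/.10/... is the address its tun adapter actually gets."""
    pool = _pool(server_line)
    base = int(pool.network_address) + 4 * (index + 1)
    block = ipaddress.ip_network((base, 30))
    if not block.subnet_of(pool):
        raise ValueError(f"client {index} does not fit in {pool}")
    return {"network": str(block), "gateway": str(block[1]), "client": str(block[2])}


def block_from_pool_entry(server_line: str, pool_addr: str) -> Dict[str, str]:
    """Map an ipp.txt address (a /30 base such as 192.168.100.4) to the
    addresses the client will see; reject anything that is not a block base."""
    pool = _pool(server_line)
    offset = int(ipaddress.ip_address(pool_addr)) - int(pool.network_address)
    if offset < 4 or offset % 4 != 0:
        raise ValueError(f"{pool_addr} is not a client /30 base in {pool}")
    return client_block(server_line, offset // 4 - 1)


def parse_ipp(text: str) -> Dict[str, str]:
    """Read ifconfig-pool-persist lines into {common_name: pool_address}."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        common_name, addr = line.split(",", 1)
        entries[common_name.strip()] = addr.strip()
    return entries


def source_allowed(block: Dict[str, str], src_ip: str) -> bool:
    """Model of the server-side check behind "MULTI: bad source address":
    packets arriving over a client's tunnel must carry that client's assigned
    VPN address as source, not the LAN address of its physical NIC."""
    return src_ip == block["client"]


def snat_rule(block: Dict[str, str], public_ip: str, out_iface: str = "eth0") -> str:
    """Linux iptables SNAT rule that rewrites this client's outbound traffic to
    one chosen public address. Interface name and public IP are assumptions."""
    return (f"iptables -t nat -A POSTROUTING -s {block['client']}/32 "
            f"-o {out_iface} -j SNAT --to-source {public_ip}")


if __name__ == "__main__":
    SERVER = "192.168.100.0 255.255.255.0"
    print("server tun endpoints:", server_endpoints(SERVER))
    for cn, addr in parse_ipp(SAMPLE_IPP).items():
        blk = block_from_pool_entry(SERVER, addr)
        print(f"{cn}: ipp.txt says {addr} -> {blk}")
    first = block_from_pool_entry(SERVER, "192.168.100.4")
    print("source 10.0.0.2 accepted?", source_allowed(first, "10.0.0.2"))
    print(snat_rule(first, "85.x.x.78"))
```

Running it shows why `client1,192.168.100.4` in ipp.txt and a tun address of 192.168.100.6 on the client are the same allocation, and why a packet sourced from 10.0.0.2 is dropped while one from 192.168.100.6 is accepted. The SNAT rule is the Linux shape of what JJK describes; a second client would get its own rule with `--to-source 85.x.x.79`.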

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users