
Re: [Openvpn-users] L3 VPN routing problem (without type errors)

  • Subject: Re: [Openvpn-users] L3 VPN routing problem (without type errors)
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Thu, 13 Dec 2007 16:02:02 -0600
  • Openpgp: id=2E5A5127

José Antonio Olivera Ortega wrote:
> Ronin (a machine on the client side) is configured as follows:
> ronin:~# route -n -e
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> UH        0 0          0 eth2
>   U         0 0          0 eth2
>         U         0 0          0 eth2

First, it looks like ronin (your PC behind the VPN client) doesn't have
a proper gateway set for its default route.  The destination has
an all-zero gateway listed.  For ronin to reach computers across the VPN
it needs to either have a default gateway set to berglek or add a route
to the host or network range and set berglek's LAN IP as the gateway for
this route.  Right now when ronin tries to ping it won't know
how to reach that destination.

José Antonio Olivera Ortega wrote:
> berglek:~# route -n -e
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> UH        0 0          0 tun0
> UH        0 0          0 eth2
> UGH       0 0          0 eth1
> UGH       0 0          0 tun0
>   U         0 0          0 eth2
>   U         0 0          0 eth1
>   U         0 0          0 tun0
>         UG        0 0          0 tun0
> berglek:~# ifconfig
> eth1      Link encap:Ethernet  HWaddr 00:15:C5:BE:80:D3
>           inet addr:  Bcast:  Mask:
> eth2      Link encap:Ethernet  HWaddr 00:18:DE:91:F8:AB
>           inet addr:  Bcast:  Mask:
> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:  P-t-P:  Mask:

I don't understand why you need a VPN between berglek and sercom if
berglek connects to through a gateway on 
berglek is attached to the 192.168.112.x network directly, so you
shouldn't need a VPN at all.  As far as I see, this route would
accomplish the same thing: route add gw

Why is berglek's default gateway the VPN server at  Since you
don't use the redirect-gateway option in your config files it doesn't
look like you're trying to redirect all Internet-bound traffic from
berglek to be sent through sercom.  Since you have a host-route to reach
through eth1 it should still route properly, but you
probably want to either use the redirect-gateway option within OpenVPN
or leave the default gateway attached to the eth1 LAN.

José Antonio Olivera Ortega wrote:
> The vpn server config file (vpnServer.conf) is as follows:
> dev tun0
> server
> client-config-dir ccd
> route
> dh dh1024.pem
> ca ca.crt
> cert vpnServer.crt
> key vpnServer.key
> ping 15
> verb 3
> The ccd folder has a file (vpnClient). This file has just a line:
> iroute
> The vpn client config file (vpnClient.conf) is as follows:
> dev tun0
> client
> nobind
> ca ca.crt
> cert vpnClient.crt
> key vpnClient.key
> ping 15
> verb 3
> remote

If the above suggestions didn't solve your problem, you might want to
verify that the route on the VPN server for is working
correctly and sending the packets to your VPN client through the tun0
device (tcpdump can tell you this.)  Whenever I have set up OpenVPN
between 2 networks I always give each client a static address in the ccd
file so I can declare the gateway explicitly.  If you discover that a
ping from sercom to never arrives on the tun0 interface of
berglek, make the following 2 changes and see if the ping packet is
routed correctly:

    1. In your vpnServer.conf file, change the route line to read "route"
    2. Add a new line to the VPN client's ccd file that reads


Attachment: signature.asc
Description: OpenPGP digital signature
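
The gateway check discussed in the reply above, as an added example that is not part of the original message: it parses `route -n -e` output and does a longest-prefix lookup to show whether a destination gets a real next hop or only matches a route with an all-zero gateway. All addresses are constructed documentation-range values (the thread's own addresses are not shown on this page); 192.0.2.1 is an assumed stand-in for the VPN client's LAN address.

```python
import ipaddress

# Constructed table: a LAN host whose default route has an all-zero gateway.
BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth2
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 eth2
"""

# Same host after adding a network route through the (assumed) VPN client at 192.0.2.1.
AFTER = BEFORE + (
    "198.51.100.0    192.0.2.1       255.255.255.0   UG        0 0          0 eth2\n"
)


def parse_route_table(text):
    """Parse `route -n -e` output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination.
        if len(fields) != 8 or fields[0].count(".") != 3:
            continue
        network = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        # 0.0.0.0 in the Gateway column means "no next hop": deliver on-link.
        gateway = None if fields[1] == "0.0.0.0" else ipaddress.ip_address(fields[1])
        routes.append((network, gateway, fields[3], fields[7]))
    return routes


def lookup(routes, destination):
    """Return the most specific route that covers destination, or None."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def describe(routes, destination):
    """Summarise how a packet to destination would leave this host."""
    route = lookup(routes, destination)
    if route is None:
        return "unreachable"
    _, gateway, _, iface = route
    return f"on-link via {iface}" if gateway is None else f"via {gateway} dev {iface}"


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, describe(parse_route_table(table), "198.51.100.10"))
```

An "on-link" result for an address that is not on the local segment means the host will try to deliver it directly on that interface instead of handing it to a router.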