Re: [Openvpn-users] L3 VPN routing problem (without type errors)


  • Subject: Re: [Openvpn-users] L3 VPN routing problem (without type errors)
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Thu, 13 Dec 2007 16:02:02 -0600
  • Openpgp: id=2E5A5127

José Antonio Olivera Ortega wrote:
> Ronin (a machine on the client side) is configured as follows:
>
> ronin:~# route -n -e
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.2.0.3        0.0.0.0         255.255.255.255 UH        0 0          0 eth2
> 10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth2
> 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 eth2

First, it looks like ronin (your PC behind the VPN client) doesn't have
a proper gateway set for its default route.  The destination 0.0.0.0 has
an all-zero gateway listed.  For ronin to reach computers across the VPN
it needs to either have a default gateway set to berglek or add a route
to the host or network range and set berglek's LAN IP as the gateway for
this route.  Right now when ronin tries to ping 10.1.0.1 it won't know
how to reach that destination.

José Antonio Olivera Ortega wrote:
> berglek:~# route -n -e
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.1.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
> 10.2.0.4        0.0.0.0         255.255.255.255 UH        0 0          0 eth2
> 10.95.88.60     192.168.112.2   255.255.255.255 UGH       0 0          0 eth1
> 10.1.0.1        10.1.0.5        255.255.255.255 UGH       0 0          0 tun0
> 10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth2
> 192.168.112.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
> 0.0.0.0         10.1.0.1        0.0.0.0         UG        0 0          0 tun0
>
> berglek:~# ifconfig
> eth1      Link encap:Ethernet  HWaddr 00:15:C5:BE:80:D3
>           inet addr:192.168.112.71  Bcast:192.168.112.255  Mask:255.255.255.0
>
> eth2      Link encap:Ethernet  HWaddr 00:18:DE:91:F8:AB
>           inet addr:10.2.0.3  Bcast:10.2.0.255  Mask:255.255.255.0
>
> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:10.1.0.6  P-t-P:10.1.0.5  Mask:255.255.255.255

I don't understand why you need a VPN between berglek and sercom if
berglek connects to 10.95.88.60 through a gateway on 192.168.112.2. 
berglek is attached to the 192.168.112.x network directly, so you
shouldn't need a VPN at all.  As far as I see, this route would
accomplish the same thing: route add 10.95.88.60 gw 192.168.112.2.

Why is berglek's default gateway the VPN server at 10.1.0.1?  Since you
don't use the redirect-gateway option in your config files it doesn't
look like you're trying to redirect all Internet-bound traffic from
berglek to be sent through sercom.  Since you have a host-route to reach
10.95.88.60 through eth1 it should still route properly, but you
probably want to either use the redirect-gateway option within OpenVPN
or leave the default gateway attached to the eth1 LAN.

José Antonio Olivera Ortega wrote:
> The vpn server config file (vpnServer.conf) is as follows:
>
> dev tun0
> server 10.1.0.0 255.255.255.0
> client-config-dir ccd
> route 10.2.0.0 255.255.255.0
> dh dh1024.pem
> ca ca.crt
> cert vpnServer.crt
> key vpnServer.key
> ping 15
> verb 3
>
> The ccd folder has a file (vpnClient). This file has just a line:
> iroute 10.2.0.0 255.255.255.0
>
> The vpn client config file (vpnClient.conf) is as follows:
> dev tun0
> client
> nobind
> ca ca.crt
> cert vpnClient.crt
> key vpnClient.key
> ping 15
> verb 3
> remote 10.95.88.6

If the above suggestions didn't solve your problem, you might want to
verify that the route on the VPN server for 10.2.0.0 is working
correctly and sending the packets to your VPN client through the tun0
device (tcpdump can tell you this.)  Whenever I have set up OpenVPN
between 2 networks I always give each client a static address in the ccd
file so I can declare the gateway explicitly.  If you discover that a
ping from sercom to 10.2.0.4 never arrives on the tun0 interface of
berglek, make the following 2 changes and see if the ping packet is
routed correctly:

    1. In your vpnServer.conf file, change the route line to read "route
10.2.0.0 255.255.255.0 10.1.0.6"
    2. Add a new line to the VPN client's ccd file that reads
"ifconfig-push 10.1.0.6 10.1.0.5"

-- 
Josh


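The diagnosis Josh makes by eye above (a default route whose gateway column is 0.0.0.0, and which interface and next hop a given destination actually takes) can be checked mechanically. The following is an added example for this page, not code from the thread or from OpenVPN: it parses Linux `route -n` output with the same longest-prefix-match rule the kernel uses and reports the route each destination would take. The two tables embedded in it are the ronin and berglek tables quoted in the post; the wording of the diagnostic messages is an assumption of this example.

```python
"""Parse Linux `route -n` output and explain how a destination is routed.

Added example for this page (not code from the thread or from OpenVPN).
The two route tables below are the ones quoted in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Route table of ronin, the PC on the client-side LAN (quoted in the post).
RONIN_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.2.0.3        0.0.0.0         255.255.255.255 UH        0 0          0 eth2
10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth2
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 eth2
"""

# Route table of berglek, the OpenVPN client (quoted in the post).
BERGLEK_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.2.0.4        0.0.0.0         255.255.255.255 UH        0 0          0 eth2
10.95.88.60     192.168.112.2   255.255.255.255 UGH       0 0          0 eth1
10.1.0.1        10.1.0.5        255.255.255.255 UGH       0 0          0 tun0
10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth2
192.168.112.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
0.0.0.0         10.1.0.1        0.0.0.0         UG        0 0          0 tun0
"""


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    flags: str
    iface: str

    @property
    def is_default(self) -> bool:
        return self.dest.prefixlen == 0

    @property
    def has_gateway(self) -> bool:
        # A 0.0.0.0 gateway means "deliver on-link": the kernel ARPs for the
        # destination itself, which only works for directly attached hosts.
        return int(self.gateway) != 0


def parse_route_n(text: str) -> List[Route]:
    """Turn the text of `route -n` into Route objects (header lines skipped)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(network, ipaddress.IPv4Address(gw), flags, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does; None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.dest]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.dest.prefixlen)


def diagnose(routes: List[Route], dst: str) -> str:
    """Explain how dst is forwarded, flagging the gateway-less default route."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    if r.is_default and not r.has_gateway:
        return (f"{dst}: default route on {r.iface} has no gateway; "
                f"the kernel will ARP for {dst} on-link and the packet goes nowhere")
    if r.has_gateway:
        return f"{dst}: via {r.gateway} dev {r.iface} ({r.dest})"
    return f"{dst}: on-link dev {r.iface} ({r.dest})"


RONIN_ROUTES = parse_route_n(RONIN_ROUTE_N)
BERGLEK_ROUTES = parse_route_n(BERGLEK_ROUTE_N)

if __name__ == "__main__":
    # ronin pinging the VPN server: hits the broken default route.
    print(diagnose(RONIN_ROUTES, "10.1.0.1"))
    # berglek reaching the server, sercom's LAN host, and an arbitrary address.
    for dst in ("10.1.0.1", "10.95.88.60", "10.2.0.4", "203.0.113.9"):
        print(diagnose(BERGLEK_ROUTES, dst))
```

Running it against ronin's table reports that 10.1.0.1 falls through to a default route with no gateway, which is exactly why the ping cannot leave the LAN; against berglek's table it shows 10.95.88.60 leaving via 192.168.112.2 on eth1 while everything without a more specific route goes to 10.1.0.1 over tun0. To check a live box, pipe `route -n` output into `parse_route_n` instead of the embedded strings.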