[Openvpn-users] no ping to vpn-server net


  • Subject: [Openvpn-users] no ping to vpn-server net
  • From: "Dmitry Seliverstov" <dseliverstov@xxxxxxxxx>
  • Date: Sun, 23 Dec 2007 18:31:35 +0300

Hi, all OpenVPN users!
I'm new to OpenVPN and I am facing a problem.
So...
I built the following lab environment:

PC1 ------- switch --------- Router1 ------------switch--------- Router2 ---------- crossover cable----------- PC2

All settings:

1) on PC1:
Linux Ubuntu desktop amd64 7.10
ip address 10.0.2.2
netmask 255.255.255.0
gateway 10.0.2.1

2) on Router1:
There are 2 NICs.
Linux Ubuntu server x86 7.10
First NIC:
ip address 192.168.0.1
netmask 255.255.255.0
This NIC connects to Router 2
Second NIC:
ip address 10.0.2.1
netmask 255.255.255.0
net.ipv4.ip_forward = 1
There aren't iptables rules.
This Router is OpenVPN-server
OpenVpn settings:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.0.16.0 255.255.255.0
tls-server
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3


3) on Router2:
There are 2 NICs.
Linux Ubuntu server x86 7.10
First NIC:
ip address: 10.16.1.1
netmask: 255.255.255.0
This NIC connects to PC2
Second NIC:
ip address 192.168.0.2
netmask 255.255.255.0
net.ipv4.ip_forward = 1
There aren't iptables rules.
This Router is OpenVPN-client
OpenVpn settings:
client
dev tun
proto udp
remote 192.168.0.1 1194
tls-client
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/energostroyinvest-001.crt
key /etc/openvpn/keys/energostroyinvest-001.key
comp-lzo
verb 3


4) PC2
Windows XP SP2
ip address 10.16.1.2
netmask 255.255.255.0
gateway 10.16.1.1

So...
Before starting OpenVPN.
When I added routes on both Routers to both networks (10.0.2.0/24 and 10.16.1.0/24), I could ping PC1 from PC2 and vice versa.

After starting OpenVPN on two Routers I saw:
on Router1 (interface tun and routing table):
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.0.16.1  P-t-P: 10.0.16.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:504 (504.0 b)  TX bytes:504 ( 504.0 b)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.16.2       *               255.255.255.255 UH    0      0        0 tun0
10.0.16.0       10.0.16.2       255.255.255.0   UG    0      0        0 tun0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0    U     0      0        0 eth0

on Router2 (interface tun and routing table):
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr: 10.0.16.6  P-t-P:10.0.16.5  Mask: 255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:504 (504.0 b)  TX bytes:624 (624.0 b)


Kernel IP routing table
Destination    Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.16.1       10.0.16.5       255.255.255.255 UGH   0      0        0 tun0
10.0.16.5        *               255.255.255.255 UH    0      0        0 tun0
10.16.1.0       *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

At that time I could ping from Router1 to Router2:
 ping 10.0.16.6
PING 10.0.16.6 (10.0.16.6) 56(84) bytes of data.
64 bytes from 10.0.16.6: icmp_seq=1 ttl=64 time= 0.404 ms
64 bytes from 10.0.16.6: icmp_seq=2 ttl=64 time=0.344 ms

and from Router2 to Router1:
 ping 10.0.16.1
PING 10.0.16.1 (10.0.16.1) 56(84) bytes of data.
64 bytes from 10.0.16.1: icmp_seq=1 ttl=64 time=0.477 ms
64 bytes from 10.0.16.1 : icmp_seq=2 ttl=64 time=0.340 ms

Later I wrote on Router2:
route add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.16.5

And the routing table showed the following:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.16.1       10.0.16.5       255.255.255.255 UGH   0      0        0 tun0
10.0.16.5       *               255.255.255.255 UH    0      0        0 tun0
10.16.1.0       *               255.255.255.0   U     0      0        0 eth1
10.0.2.0        10.0.16.5       255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

And I wrote on Router1:
route add -net 10.16.1.0 netmask 255.255.255.0 gw 10.0.16.2

Routing Table was:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.16.2       *               255.255.255.255 UH    0      0        0 tun0
10.16.1.0       10.0.16.2       255.255.255.0   UG    0      0        0 tun0
10.0.16.0       10.0.16.2       255.255.255.0   UG    0      0        0 tun0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

After this I couldn't ping from PC2 to Router1 (address 10.0.2.1) and I couldn't ping from PC2 to PC1 (address 10.0.2.2).
And I couldn't ping from PC1 to Router2 (10.16.1.1) or PC2 (10.16.1.2).

My first question is why can't I ping from PC2 to PC1 and from PC1 to PC2 in this configuration?

After this I experimented. I added on Router1 the iptables rule:
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d 10.16.1.0/24 -o tun0 -j MASQUERADE

and on router 2:
iptables -t nat -A POSTROUTING -s 10.16.1.0/24 -d 10.0.2.0/24 -o tun0 -j MASQUERADE

In this configuration I could ping from PC2 to Router1 (10.0.2.1) and PC1 (10.0.2.2), but I couldn't ping from PC1 to PC2 (10.16.1.2) or Router2 (10.16.1.1).
My second question is why can't I ping from PC1 to PC2?
Where is my mistake?

Excuse me for the long examples.
Sorry for my English.
Thanks.

P.S. Merry Xmas!!!   :)


--
Best regards...
Dmitry V. Seliverstov
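For readers who hit the same symptom: in server mode OpenVPN routes between clients internally, so a kernel route into tun0 alone is not enough; the daemon also needs a `route` for the subnet behind the client plus a per-client `iroute`, otherwise at `verb 3` it logs `MULTI: bad source address from client [...]` and drops those packets, which no MASQUERADE rule can fix. The following is an added example of a site-to-site server configuration for this lab, not the poster's own configuration; the `client-config-dir` path and the client common name `energostroyinvest-001` (taken from the certificate file name in the client config) are assumptions.

```conf
# Router1: OpenVPN server config for routing between the LAN behind
# Router1 (10.0.2.0/24) and the LAN behind Router2 (10.16.1.0/24).
# Added example; not the original poster's config.
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.0.16.0 255.255.255.0

# Kernel route into tun0 for the LAN behind the client.
# This replaces the manual "route add -net 10.16.1.0 ... gw 10.0.16.2".
route 10.16.1.0 255.255.255.0

# Pushed to the client so Router2 learns the LAN behind the server.
# This replaces the manual "route add -net 10.0.2.0 ... gw 10.0.16.5".
push "route 10.0.2.0 255.255.255.0"

# Per-client configuration; the file name must equal the client's
# certificate common name. Directory path is an assumption.
client-config-dir /etc/openvpn/ccd

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

# ---- /etc/openvpn/ccd/energostroyinvest-001 (client CN assumed) ----
# iroute tells OpenVPN's internal router that 10.16.1.0/24 sits behind
# this particular client; without it packets from/to that subnet are
# dropped with "MULTI: bad source address from client".
# iroute 10.16.1.0 255.255.255.0
```

The client config on Router2 stays as posted; no iptables MASQUERADE rules are needed on either router once `route`, `push "route"` and `iroute` agree, and both routers must still have `net.ipv4.ip_forward = 1` as in the lab.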