Re: [Openvpn-users] Strange routing behaviour between to networks


  • Subject: Re: [Openvpn-users] Strange routing behaviour between to networks
  • From: Gabriel Rosca <missnebun@xxxxxxxxx>
  • Date: Sun, 30 Dec 2007 17:09:10 -0500

Sebastian Mauer wrote:
> Hello Gabriel,
>
> Here is my Server Config (scooby.maz.lan / 192.168.148.2)
>
> port 1194
> proto udp
> dev tun
> pkcs12 scooby_vpn.p12
> dh dh1024.pem
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp-vpn.txt
> push "route 192.168.148.0 255.255.255.0"
> push "route 192.168.0.0 255.255.255.0"
> client-config-dir ccd
> route 192.168.0.0 255.255.255.0
> client-connect ./maz_client_connect.sh
> client-disconnect ./maz_client_disconnect.sh
> push "dhcp-option DNS 192.168.148.2"
> push "dhcp-option WINS 192.168.148.2"
> push "dhcp-option NTP 192.168.148.2"
> push "dhcp-option DOMAIN maz.vpn"
> client-to-client
> fast-io
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> status openvpn-status-vpn.log
> verb 3
>
> I have a client config file for starsky on the VPN Server (ccd/starsky) with
> iroute 192.168.0.0 255.255.255.0
>
> Client Config (starsky.rnet.lan/192.168.0.2):
> client
> dev tun
> proto udp
> remote myremotes 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> pkcs12 starsky_vpn.p12
> ns-cert-type server
> comp-lzo
> verb 3
>
> -----Original Message-----
> From: Gabriel Rosca [mailto:missnebun@xxxxxxxxx]
> Sent: Sunday, 30 December 2007 22:14
> To: Sebastian Mauer
> Cc: 'David Balazic'; openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] Strange routing behaviour between to networks
>
> Sebastian Mauer wrote:
>   
>> Hello,
>>
>>  
>>
>> Yes, I doublechecked the two VPN gateway, but both have 
>> /proc/sys/net/ipv4/ip_forwarding set to 1.
>>
>>  
>>
>> This is a traceroute from a station on the network of my parents to a 
>> station on the remote network.
>>
>>  
>>
>> tracert 192.168.148.3
>>
>>  
>>
>> Routenverfolgung zu nas01.maz.lan [192.168.148.3] über maximal 30 Abschnitte:
>>
>>   1     1 ms     2 ms     1 ms  gateway.rnet.lan [192.168.0.1] (Local Gateway to the web (has route set up to forward to VPN gateway)
>>   2     5 ms     4 ms     4 ms  starsky.rnet.lan [192.168.0.2] (Local VPN Gateway)
>>   3   208 ms   187 ms   186 ms  scooby.maz.lan [10.8.0.1] (Far VPN Gateway)
>>   4     *        *        *     Zeitüberschreitung der Anforderung.
>>
>>  
>>
>> I suspect scooby.maz.lan to be the weak link ;). The strange thing 
>> however is that I am able to ping .1 (gateway) and .2 (vpngateway) on 
>> each network but no other local station.
>>
>>  
>>
>> *From:* David Balazic [mailto:David.Balazic@xxxxxxxxxxxxxxxxxx]
>> *Sent:* Saturday, 29 December 2007 20:41
>> *To:* Sebastian Mauer; openvpn-users@xxxxxxxxxxxxxxxxxxxxx
>> *Subject:* RE: [Openvpn-users] Strange routing behaviour between to networks
>>
>>  
>>
>> Did you trace the packets ?
>>
>> Do the VPN endpoints have packet forwarding enabled ("routing").
>>
>>  
>>
>> David
>>
>>  
>>
>> ------------------------------------------------------------------------
>>
>> *From:* openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of 
>> Sebastian Mauer
>> *Sent:* Fri 28-Dec-07 01:19
>> *To:* openvpn-users@xxxxxxxxxxxxxxxxxxxxx
>> *Subject:* [Openvpn-users] Strange routing behaviour between to networks
>>
>> Hello there,
>> I have set up a little OpenVPN Tunnel between my parents and my LAN.
>> However I put some work on figuring out the correct settings for routing
>> between the two networks it doesn't work as expected.
>>
>> [My parents LAN]                                     [My LAN]
>> 192.168.0.0/24                                       192.168.148.0/24
>>
>> 192.168.0.2         192.168.0.1                     192.168.148.1      192.168.148.2
>> starsky.rnet.lan----gateway.rnet.lan----<TheWeb>----gateway.maz.lan----scooby.maz.lan
>> (OpenVPN Endpoint)  (WRT54G Router)                 (WRT54G Router)    (OpenVPN Endpoint)
>>                            |                                |
>>                  ...other hosts on lan              ...other hosts on lan
>>
>> The OpenVPN Tunnel Subnet is 10.8.0.0
>>
>> By now I am only able to ping the gateway and OpenVPN Endpoint of each lan
>> (and vice versa). Other hosts like 192.168.148.3 can't be reached from a
>> station on my parents lan. Please, can someone help me to find out what
>> prevents my setup from being able to ping/reach ALL stations from every
>> station of the two networks.
>>
>> Thanks in Advance,
>> Sebastian Maui
>>
>> My routing tables are as follows:
>>
>> starsky.rnet.lan
>> 10.8.0.9 dev tun0  proto kernel  scope link  src 10.8.0.10
>> 10.8.0.0/24 via 10.8.0.9 dev tun0
>> 192.168.148.0/24 via 10.8.0.9 dev tun0
>> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
>> default via 192.168.0.1 dev eth0
>>
>> gateway.rnet.lan
>> 62.112.90.254 dev ppp0  src 62.112.90.202
>> 10.8.0.0/24 via 192.168.0.2 dev br0
>> 192.168.0.0/24 dev br0  src 192.168.0.1
>> 192.168.148.0/24 via 192.168.0.2 dev br0
>> 127.0.0.0/8 dev lo
>> default via 62.112.90.254 dev ppp0
>>
>> scooby.maz.lan
>> 10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
>> 10.7.0.2 dev tun1  proto kernel  scope link  src 10.7.0.1
>> 10.0.0.0/24 via 192.168.148.1 dev eth0
>> 10.8.0.0/24 via 10.8.0.2 dev tun0
>> 192.168.0.0/24 via 10.8.0.2 dev tun0
>> 192.168.148.0/24 dev eth0  proto kernel  scope link  src 192.168.148.2
>> 10.7.0.0/24 via 10.7.0.2 dev tun1
>> default via 192.168.148.1 dev eth0
>>
>> gateway.maz.lan
>> 10.0.0.1 dev eth0.1  scope link
>> 217.0.116.146 dev ppp0  proto kernel  scope link  src 80.137.139.86
>> 10.8.0.0/24 via 192.168.148.2 dev br-lan
>> 192.168.0.0/24 via 192.168.148.2 dev br-lan
>> 192.168.148.0/24 dev br-lan  proto kernel  scope link  src 192.168.148.1
>> 10.0.0.0/8 dev eth0.1  proto kernel  scope link  src 10.0.0.10
>> default via 217.0.116.146 dev ppp0
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2005.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> _______________________________________________
>> Openvpn-users mailing list
>> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>>
> Can you please show the server.conf and client.conf? Also, the easy way
> to enable ip_forwarding: do vi /etc/sysctl.conf and change
> "net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1". Also on the vpn
> server config make sure you do:
>
> push "route 192.168.148.0 255.255.255.0" whatever lan is behind the vpn
> server and also route 192.168.0.0 255.255.255.0 whatever subnet you have
> behind the client. Save and then go to the ccd folder under
> /etc/openvpn/ccd or whatever is the path :)) there you have to create a
> file with the name of the client ( if the client name is gabe then you
> do vi /etc/openvpn/ccd/gabe and add iroute 192.160.0.0 255.255.255.0 )
> whatever is the lan behind the client :))
>
> that's all for now :) if you have any issues send me an email :)
>
> Gabe
>
>
>   
Tmm do you have iptables? Can you do "iptables -t nat -L -n -v" and also
"iptables -L -n -v" and see the FORWARD chain if you have something in
there :))

and try to add this on your firewall

iptables --table nat --append POSTROUTING --out-interface tun0 -j MASQUERADE
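
An offline consistency check for the route/iroute pairing discussed in this thread, added here as an example (it is not part of the original message or of OpenVPN). The function names and the sample ccd contents are assumptions constructed for illustration; the server config is modelled on the one quoted above.

```python
import ipaddress

# Constructed sample, modelled on the server config quoted in this thread.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.148.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-config-dir ccd
route 192.168.0.0 255.255.255.0
"""
# Constructed ccd contents: client common name -> text of ccd/<name>.
CCD_MATCHING = {"starsky": "iroute 192.168.0.0 255.255.255.0\n"}
CCD_MISMATCH = {"gabe": "iroute 192.160.0.0 255.255.255.0\n"}


def networks(text, keyword):
    """Networks named by top-level `keyword <net> <mask>` lines (push lines are skipped)."""
    found = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == keyword:
            found.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return found


def check_routes(server_conf, ccd_files):
    """Return a list of route/iroute mismatches; an empty list means consistent."""
    routes = networks(server_conf, "route")
    iroutes = [(net, name) for name, text in ccd_files.items()
               for net in networks(text, "iroute")]
    problems = []
    for net in routes:
        # The kernel hands this subnet to tun0; OpenVPN needs an iroute to pick a client.
        if not any(net.overlaps(inet) for inet, _ in iroutes):
            problems.append(f"route {net}: no iroute in any ccd file")
    for inet, name in iroutes:
        # Without a server-side route the kernel never sends this subnet into the tunnel.
        if not any(inet.subnet_of(net) for net in routes):
            problems.append(f"ccd/{name}: iroute {inet} has no covering server route")
    return problems


if __name__ == "__main__":
    for label, ccd in (("matching", CCD_MATCHING), ("mismatch", CCD_MISMATCH)):
        print(label, check_routes(SERVER_CONF, ccd) or "consistent")
```
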
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users