Re: [Openvpn-users] Strange routing behaviour between to networks


  • Subject: Re: [Openvpn-users] Strange routing behaviour between to networks
  • From: "Sebastian Mauer" <sebastian@xxxxxxxxxx>
  • Date: Mon, 31 Dec 2007 11:16:02 +0100

Hello David,

Gabriel was able to help me. After doing iptables --table nat --append
POSTROUTING --out-interface eth0 -j I was able to reach every station on the
two networks.
Can you tell me why push "route 192.168.0.0 255.255.255.0" is wrong? I do
also have clients who do not expose a whole subnet but should be able to
route into the 192.168.0.0 network.

Greetings,

Sebastian

From: David Balazic [mailto:David.Balazic@xxxxxxxxxxxxxxxxxx]
Sent: Monday, 31 December 2007 10:43
To: Sebastian Mauer; Gabriel Rosca
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: [Openvpn-users] Strange routing behaviour between to networks

Boy, you did manage to complicate things to the max ...
 
Do you have multiple clients ?
 
This line in the server config is wrong, delete it:
push "route 192.168.0.0 255.255.255.0"
Regards,
David

________________________________________
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Sebastian
Mauer
Sent: Sun 30-Dec-07 22:25
To: 'Gabriel Rosca'
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Strange routing behaviour between to networks
Hello Gabriel,

Here is my Server Config (scooby.maz.lan / 192.168.148.2)

port 1194
proto udp
dev tun
pkcs12 scooby_vpn.p12
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp-vpn.txt
push "route 192.168.148.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-config-dir ccd
route 192.168.0.0 255.255.255.0
client-connect ./maz_client_connect.sh
client-disconnect ./maz_client_disconnect.sh
push "dhcp-option DNS 192.168.148.2"
push "dhcp-option WINS 192.168.148.2"
push "dhcp-option NTP 192.168.148.2"
push "dhcp-option DOMAIN maz.vpn"
client-to-client
fast-io
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status-vpn.log
verb 3

I have a client config file for starsky on the VPN Server (ccd/starsky) with
iroute 192.168.0.0 255.255.255.0

Client Config (starsky.rnet.lan/192.168.0.2):
client
dev tun
proto udp
remote myremotes 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 starsky_vpn.p12
ns-cert-type server
comp-lzo
verb 3

-----Original Message-----
From: Gabriel Rosca [mailto:missnebun@xxxxxxxxx]
Sent: Sunday, 30 December 2007 22:14
To: Sebastian Mauer
Cc: 'David Balazic'; openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Strange routing behaviour between to networks

Sebastian Mauer wrote:
>
> Hello,
>
> 
>
> Yes, I doublechecked the two VPN gateway, but both have
> /proc/sys/net/ipv4/ip_forwarding set to 1.
>
> 
>
> This is a traceroute from a station on the network of my parents to a
> station on the remote network.
>
> 
>
> tracert 192.168.148.3
>
> 
>
> Routenverfolgung zu nas01.maz.lan [192.168.148.3] über maximal 30
> Abschnitte:
>
> 
>
>   1     1 ms     2 ms     1 ms  gateway.rnet.lan [192.168.0.1] (Local
> Gateway to the web (has route set up to forward to VPN gateway)
>
>   2     5 ms     4 ms     4 ms  starsky.rnet.lan [192.168.0.2] (Local
> VPN Gateway)
>
>   3   208 ms   187 ms   186 ms  scooby.maz.lan [10.8.0.1] (Far VPN
> Gateway)
>
>   4     *        *        *     Zeitüberschreitung der Anforderung.
>
> 
>
> I suspect scooby.maz.lan to be the weak link ;). The strange thing
> however is that I am able to ping .1 (gateway) and .2 (vpngateway) on
> each network but no other local station.
>
> 
>
> *From:* David Balazic [mailto:David.Balazic@xxxxxxxxxxxxxxxxxx]
> *Sent:* Saturday, 29 December 2007 20:41
> *To:* Sebastian Mauer; openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> *Subject:* RE: [Openvpn-users] Strange routing behaviour between to
> networks
>
> 
>
> Did you trace the packets ?
>
> Do the VPN endpoints have packet forwarding enabled ("routing").
>
> 
>
> David
>
> 
>
> ------------------------------------------------------------------------
>
> *From:* openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of
> Sebastian Mauer
> *Sent:* Fri 28-Dec-07 01:19
> *To:* openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> *Subject:* [Openvpn-users] Strange routing behaviour between to networks
>
> Hello there,
> I have set up a little OpenVPN Tunnel between my parents and my LAN.
> However
> I put some work on figuring out the correct settings for routing
> between the
> two networks it doesn't work as expected.
>
> [My parents LAN]                                     [My LAN]
> 192.168.0.0/24                                       192.168.148.0/24
>
> 192.168.0.2         192.168.0.1                      192.168.148.1      192.168.148.2
>
> starsky.rnet.lan----gateway.rnet.lan----<TheWeb>----gateway.maz.lan----scooby.maz.lan
> (OpenVPN Endpoint)  (WRT54G Router)                   (WRT54G Router)    (OpenVPN Endpoint)
>                            |                                |
>                  ...other hosts on lan              ...other hosts on lan
>
> The OpenVPN Tunnel Subnet is 10.8.0.0
>
> By now I am only able to ping the gateway and OpenVPN Endpoint of each lan
> (and vice versa). Other hosts like 192.168.148.3 can't be reached from a
> station on my parents lan. Please, can someone help me to find out what
> prevents my setup from being able to ping/reach ALL stations from every
> station of the two networks.
>
> Thanks in Advance,
> Sebastian Maui
>
> My routing tables are as follows:
>
> starsky.rnet.lan
> 10.8.0.9 dev tun0  proto kernel  scope link  src 10.8.0.10
> 10.8.0.0/24 via 10.8.0.9 dev tun0
> 192.168.148.0/24 via 10.8.0.9 dev tun0
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
> default via 192.168.0.1 dev eth0
>
> gateway.rnet.lan
> 62.112.90.254 dev ppp0  src 62.112.90.202
> 10.8.0.0/24 via 192.168.0.2 dev br0
> 192.168.0.0/24 dev br0  src 192.168.0.1
> 192.168.148.0/24 via 192.168.0.2 dev br0
> 127.0.0.0/8 dev lo
> default via 62.112.90.254 dev ppp0
>
> scooby.maz.lan
> 10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
> 10.7.0.2 dev tun1  proto kernel  scope link  src 10.7.0.1
> 10.0.0.0/24 via 192.168.148.1 dev eth0
> 10.8.0.0/24 via 10.8.0.2 dev tun0
> 192.168.0.0/24 via 10.8.0.2 dev tun0
> 192.168.148.0/24 dev eth0  proto kernel  scope link  src 192.168.148.2
> 10.7.0.0/24 via 10.7.0.2 dev tun1
> default via 192.168.148.1 dev eth0
>
> gateway.maz.lan
> 10.0.0.1 dev eth0.1  scope link
> 217.0.116.146 dev ppp0  proto kernel  scope link  src 80.137.139.86
> 10.8.0.0/24 via 192.168.148.2 dev br-lan
> 192.168.0.0/24 via 192.168.148.2 dev br-lan
> 192.168.148.0/24 dev br-lan  proto kernel  scope link  src 192.168.148.1
> 10.0.0.0/8 dev eth0.1  proto kernel  scope link  src 10.0.0.10
> default via 217.0.116.146 dev ppp0
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
Can you please show the server.conf and client.conf? Also, the easy way
to enable ip_forwarding: do vi /etc/sysctl.conf and change
"net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1". Also, in the vpn
server config make sure you do:

push "route 192.168.148.0 255.255.255.0" whatever lan is behind the vpn
server and also route 192.168.0.0 255.255.255.0 whatever subnet you have
behind the client. Save and then go to the ccd folder under
/etc/openvpn/ccd or whatever is the path :)) there you have to create a
file with the name of the client ( if the client name is gabe then you
do vi /etc/openvpn/ccd/gabe and add iroute 192.160.0.0 255.255.255.0 )
whatever is the lan behind the client :))

that's all for now :) if you have any issues send me an email :)

Gabe
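
The server-side `route`, the per-client `iroute` in the ccd file, and the `push "route ..."` lines discussed in this thread have to agree with each other. The following is an added example, not code from any poster or from OpenVPN: a small Python cross-check of those three directives. The function names, finding labels and the trimmed sample configs are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the configs quoted in this thread.
SERVER_CONF = '''\
server 10.8.0.0 255.255.255.0
push "route 192.168.148.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-config-dir ccd
route 192.168.0.0 255.255.255.0
client-to-client
'''
CCD = {"starsky": "iroute 192.168.0.0 255.255.255.0\n"}  # ccd file name -> content

def _nets(text, pattern):
    """Return every 'network netmask' pair matched by pattern as an IPv4Network."""
    return [ipaddress.ip_network(f"{net}/{mask}")
            for net, mask in re.findall(pattern, text, re.MULTILINE)]

def audit(server_conf, ccd):
    """Cross-check server routes, pushed routes and per-client iroutes."""
    routes = _nets(server_conf, r'^route[ \t]+(\S+)[ \t]+(\S+)')
    pushed = _nets(server_conf, r'^push[ \t]+"route[ \t]+(\S+)[ \t]+([^\s"]+)"')
    findings = []
    for client, text in sorted(ccd.items()):
        for net in _nets(text, r'^iroute[ \t]+(\S+)[ \t]+(\S+)'):
            # iroute only tells OpenVPN which client owns the subnet; the
            # server host also needs a kernel route ("route") into the tunnel.
            if not any(net.subnet_of(r) for r in routes):
                findings.append(("missing-route", client, str(net)))
            # A pushed route that overlaps a subnet owned by a client:
            # list it so the operator can review that line.
            for p in pushed:
                if p.overlaps(net):
                    findings.append(("push-overlaps-iroute", client, str(p)))
    return findings

if __name__ == "__main__":
    for kind, client, net in audit(SERVER_CONF, CCD):
        print(f"{kind}: client={client} net={net}")
```

An `iroute` whose network does not match any server `route` (for example a mistyped octet in the ccd file) is reported as `missing-route`.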
