Re: [Openvpn-users] Weird route issue with VMWare


  • Subject: Re: [Openvpn-users] Weird route issue with VMWare
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Fri, 11 Jan 2008 02:30:04 +0100

Hi Rida,

this does not sound like a VMware issue but more like a routing issue.
How would clients in the vmnet8 domain (10.8.0.128) know where to send 
stuff back to? Do they know that all packets intended for 10.1.0.6 
should be fed back to the openvpn server? In most cases the clients on 
your LAN (vmnet LAN in this case) will not know any route for the 10.1.0 
net and will return packets thru the default gateway. Again, in most 
cases that is not what you want ;-)

HTH,

JJK

PS I use an openvpn-on-vmware setup all the time without problems (tun 
setup).


Rida wrote:
>
> Hello everybody,
>
> I want, first, to say thank you to all openvpn developers for this very useful
> piece of software! Happy new year too.
>
> So, I got a very strange problem that is getting on my nerves because I can't
> resolve the issue. I got vmware server running on a basic server; there is 1
> virtual network (in NAT mode). Here are the routes on the server (after vmware
> and openvpn are started):
>
> 10.1.0.2 dev tun0  proto kernel  scope link  src 10.1.0.1
> 10.8.0.0/24 dev vmnet8  proto kernel  scope link  src 10.8.0.1
> <public-ip> dev eth0  proto kernel  scope link  src <public-ip>
> 10.1.0.0/24 via 10.1.0.2 dev tun0
> default via 91.121.95.254 dev eth0
>
> Nothing special then (the only thing to keep in mind is that vmware uses source
> routing). I set up an openvpn server on the server (the one with the public IP),
> and it is working fine, because I can connect to it and I got an IP address on
> windows clients. Here's the server's configuration file:
>
> local <public-ip>
> port 1194
> proto tcp
> dev tun
> ca keys/ca.crt
> cert keys/server.crt
> key keys/server.key
> dh keys/dh1024.pem
> server 10.1.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "route 10.2.0.0 255.255.255.0"
> push "route 10.8.0.0 255.255.255.0"
> push "route-delay 2 600"
> client-to-client
> keepalive 10 120
> tls-auth keys/ta.key 0
> cipher AES-128-CBC # AES
> comp-lzo
> max-clients 250
> user nobody
> group nobody
> persist-key
> persist-tun
> status /var/log/openvpn-status.log
> log-append /var/log/openvpn.log
> verb 6
> mute 20
>
> Now the clients one:
>
> client
> dev tun0
> proto tcp
> remote 91.121.95.16 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client.crt
> key client.key
> ns-cert-type server
> tls-auth ta.key 1
> cipher AES-128-CBC # AES
> comp-lzo
> verb 3
>
> Still nothing special, these are basic configuration files. Before that, I'll
> "draw" a network topology so you'll have a better idea of how vmware implements
> their NAT (hope there is no error):
>
> [Windows client](10.1.0.6/30 tap) <-> (10.1.0.5/30 tap gw) <-> (10.1.0.2/24 vpn
> real gw) <-> (10.1.0.1/24 tun) [server] (10.8.0.1/24 vmnet8) <-> [virtual
> machine](10.8.0.128/24 gw 10.8.0.1/24)
>
> The virtual machine route is just a default gw to 10.8.0.1/24. Routes on the
> client:
>
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.117      25
>          10.1.0.0    255.255.255.0         10.1.0.5        10.1.0.6       1
>          10.1.0.4  255.255.255.252         10.1.0.6        10.1.0.6      30
>          10.1.0.6  255.255.255.255        127.0.0.1       127.0.0.1      30
>          10.8.0.0    255.255.255.0         10.1.0.5        10.1.0.6       1
> ...
>
> Client's output:
>
> Thu Jan 10 00:25:21 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
> Thu Jan 10 00:25:21 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
> Thu Jan 10 00:25:21 2008 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
> Thu Jan 10 00:25:21 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Jan 10 00:25:21 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Jan 10 00:25:21 2008 LZO compression initialized
> Thu Jan 10 00:25:21 2008 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
> Thu Jan 10 00:25:21 2008 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
> Thu Jan 10 00:25:21 2008 Local Options hash (VER=V4): '<hash>'
> Thu Jan 10 00:25:21 2008 Expected Remote Options hash (VER=V4): '<hash>'
> Thu Jan 10 00:25:21 2008 Attempting to establish TCP connection with 91.121.95.16:1194
> Thu Jan 10 00:25:21 2008 TCP connection established with <public-ip>:1194
> Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link local: [undef]
> Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link remote: <public-ip>:1194
> Thu Jan 10 00:25:21 2008 TLS: Initial packet from <public-ip>:1194, sid=<hash>
> Thu Jan 10 00:25:22 2008 VERIFY OK: depth=1, <certificate fqn>
> Thu Jan 10 00:25:22 2008 VERIFY OK: nsCertType=SERVER
> Thu Jan 10 00:25:22 2008 VERIFY OK: depth=0, <certificate fqn>
> Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
> Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
> Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Thu Jan 10 00:25:25 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> Thu Jan 10 00:25:25 2008 [client] Peer Connection Initiated with <public-ip>:1194
> Thu Jan 10 00:25:27 2008 SENT CONTROL [client]: 'PUSH_REQUEST' (status=1)
> Thu Jan 10 00:25:27 2008 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route-delay 2 600,route 10.1.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.0.6 10.1.0.5'
> Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: timers and/or timeouts modified
> Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: --ifconfig/up options modified
> Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: route options modified
> Thu Jan 10 00:25:27 2008 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{F71B3A07-5805-4B69-97C9-73926191180F}.tap
> Thu Jan 10 00:25:27 2008 TAP-Win32 Driver Version 8.4
> Thu Jan 10 00:25:27 2008 TAP-Win32 MTU=1500
> Thu Jan 10 00:25:27 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.6/255.255.255.252 on interface {F71B3A07-5805-4B69-97C9-73926191180F} [DHCP-serv: 10.1.0.5, lease-time: 31536000]
> Thu Jan 10 00:25:27 2008 Successful ARP Flush on interface [7] {F71B3A07-5805-4B69-97C9-73926191180F}
> Thu Jan 10 00:25:29 2008 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
> Thu Jan 10 00:25:29 2008 Route: Waiting for TUN/TAP interface to come up...
> Thu Jan 10 00:25:31 2008 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
> Thu Jan 10 00:25:31 2008 route ADD 10.8.0.0 MASK 255.255.255.0 10.1.0.5
> Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
> Thu Jan 10 00:25:31 2008 route ADD 10.1.0.0 MASK 255.255.255.0 10.1.0.5
> Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
> Thu Jan 10 00:25:31 2008 Initialization Sequence Completed
>
> Now the issue... From the client, I can ping 10.1.0.5 (tap gw), 10.1.0.1 (vpn
> gw), 10.8.0.1 (vmnet8, but on server's side) but not in vmnet8's network
> (10.8.0.128 for example).
>
> I've tried everything.... Here are some:
> * Set up a virtual interface (on eth0:0) with IP 10.1.0.1,
> * Put the openvpn network in vmware's network subnet (I think openvpn won't
> understand, well it didn't work anyway),
> * pushed gw for routes to the client (the client is slow to connect and tells me
> that the gw doesn't exist)
>
> I'm lost. Please help.
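The return-route check JJK describes above (does every hop have a route back to the VPN client that is more specific than its default route?), as an added example; this is not code from the thread or from OpenVPN, the routing tables are transcribed from the post, and the VM's extra route in VM_FIXED is an assumed illustration of the kind of entry the vmnet8 hosts are missing.

```python
import ipaddress

# A route is (prefix, gateway or None if directly connected, device label).

def lookup(table, dst):
    """Kernel-style longest-prefix match; returns the winning route or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, via, dev), net.prefixlen
    return best

def return_path_check(tables, src, dst):
    """For each node on the path, find the route used towards dst and the route
    used for the reply to src. A node whose reply only matches 0.0.0.0/0 is
    flagged: it hands the reply to its default gateway instead of sending it
    back towards the OpenVPN server, which is exactly the asymmetry JJK describes."""
    findings = []
    for name, table in tables:
        back = lookup(table, src)
        findings.append({
            "node": name,
            "forward": lookup(table, dst),
            "return": back,
            "relies_on_default": back is not None and back[0] == "0.0.0.0/0",
        })
    return findings

# Tables transcribed from the thread (device names are labels only).
CLIENT = [("0.0.0.0/0", "192.168.0.1", "lan"), ("10.1.0.0/24", "10.1.0.5", "tap"),
          ("10.1.0.4/30", None, "tap"), ("10.8.0.0/24", "10.1.0.5", "tap")]
SERVER = [("10.1.0.2/32", None, "tun0"), ("10.8.0.0/24", None, "vmnet8"),
          ("10.1.0.0/24", "10.1.0.2", "tun0"), ("0.0.0.0/0", "91.121.95.254", "eth0")]
VM = [("0.0.0.0/0", "10.8.0.1", "eth0")]  # "just a default gw", per the post
# Assumed fix for illustration: an explicit route back to the VPN subnet.
VM_FIXED = VM + [("10.1.0.0/24", "10.8.0.1", "eth0")]

if __name__ == "__main__":
    path = [("client", CLIENT), ("server", SERVER), ("vm", VM)]
    for finding in return_path_check(path, "10.1.0.6", "10.8.0.128"):
        print(finding)
    print("vm after fix:", lookup(VM_FIXED, "10.1.0.6"))
```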

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users