[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] OpenVPN Routing Issue

  • Subject: Re: [Openvpn-users] OpenVPN Routing Issue
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Mon, 14 Jan 2008 03:05:52 +0100

Hi Peter,

plz post the routing table of your VPN client machine after connecting; 
this is definitely a routing issue. Also, I was a bit confused by your 
answer; please read your previous answer again and make sure that you're 
not mixing client and server

An "old style" config does not use any certificates but uses pre-shared 
keys instead. It is not related to tun or tap setups. In its simplest 
form an old style config looks something like

# client
remote server-IP
port 1194
dev tun
secret c:\program files\openvpn\keys\secret.txt ## a text file 
containing the PSK
tun-mtu 1500
# add other openvpn config commands here...

# server
remote client-IP
port 1194
dev tun
ifconfig ## note the reversal of IPs!
secret c:\program files\openvpn\keys\secret.txt ## a text file 
containing the PSK
tun-mtu 1500
# add other openvpn config commands here...

This is also explained quite well in the openvpn HOWTO page on 



Peter Roddan wrote:
> Hi Jan,
> Thanks very much for your assistance!
> That's almost correct... Server LAN can reach all on the Client LAN 
> including the Client...
> It's the Client that can't reach anything on the Server LAN, except 
> for the Server. However, anything on the Client LAN can reach anything 
> on the Serevr LAN.... it's just the server itself .....
> Both client and serevr are running Windows 2003 with no firewall 
> installed - the Windows firewall is not active as the ICS service is 
> not active...
> How would I go about setting up an "old style" peer-to-peer config? 
> Would this by a tap config rather than a tun one?
> Thanks,
> Peter.
> ------------------------------------------------------------------------
> *From:* Jan Just Keijser [mailto:janjust@xxxxxxxxx]
> *Sent:* Sat 12/01/2008 02:14
> *To:* Peter Roddan
> *Cc:* openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> *Subject:* Re: [Openvpn-users] OpenVPN Routing Issue
> Hi Peter,
> so the server can reach all machines on the client LAN except the client
> itself? Congrats, at least you have managed to set up a net-to-net
> config ;-)
> The 'iroute' and 'route' statements are fine, and are definitely
> required for net-to-net setups.
> if you cannot ping/connect to the VPN client itself then my first bet
> would be a firewalling issue on the VPN client side. Can you try
> loosening/removing the firewall on the TAP-win32 adapter on the VPN 
> client?
> Another option is to not use an openvpn client/server setup like you
> have done now. If all you're trying to do is connect two LANs using a
> secure tunnel then an "old style" openvpn peer-to-peer config will work
> just as well (or perhaps even better).
> HTH,
> Peter Roddan wrote:
> >
> > Hi Everyone,
> >
> > I’m a new-ish user to OpenVPN, and I’m having a small issue with it..
> >
> > I’m using it to run a VPN to a new remote office that I am setting up.
> >
> > I have an openVPN server running here in our main office. It runs on
> > Windows 2003, site here on our LAN ( and has the appropriate
> > port forwarded to it from our Cisco PIX firewall.
> >
> > The satellite office openVPN is also running on Windows 2003
> > ( I’ve not installed routing and remote access as I’ve
> > read this can cause problems, but I have manually enabled IP routing
> > in the registry. The same has been done on the server.
> >
> > I’ve created a basic tunnel config for the server and the client. The
> > VPN connects ok, and I can ping server to client and client to server
> > using the VPN IP addresses.
> >
> > I’ve pushed the server LAN route through to the client (push "route
> >"), and have included the client IP also (route
> >
> >
> > I have a file with the same name as the client cerfiticate in the CCD
> > folder, with the line “iroute” in it.
> >
> > Finally, I have added a route to the network on the router
> > that is the default gateway in the main office.
> >
> > The default gateway in the satellite office is the VPN server.
> >
> > Now comes my problem.
> >
> > >From the VPN server I can ping the VPN client using it’s real IP
> > address. I can also ping any machines on the VPN client local LAN – 
> great!
> >
> > However, I can’t seem to be able to ping anything on the Server side
> > LAN from the VPN client machine. I can ping the VPN server by it’s
> > real IP (, but can’t ping anything else on that LAN. A
> > tracert shows the traffic routing to (which I believe is the
> > IP of the Server VPN adapter) but it times out from then on.
> >
> > At first I thought it was a problem with the routing on the server
> > side lan, but then I realised that any other PC on the client side LAN
> > can ping anything on the server side LAN. It’s only the VPN client
> > itself that can’t ping anything on the server LAN.
> >
> > I’ve read through the documentation several times, but can’t seem to
> > find out where I’ve gone wrong.
> >
> > Any assistance that anyone can give me will be greatly appreciated!
> >

OpenVPN mailing lists