Re: [Openvpn-users] OpenVPN Routing Issue


  • Subject: Re: [Openvpn-users] OpenVPN Routing Issue
  • From: "Peter Roddan" <proddan@xxxxxxxxxxx>
  • Date: Wed, 16 Jan 2008 09:47:14 -0000

Hi Jan,

Fantastic!
Thanks very much for that, works perfectly now!
Makes sense now that you've explained it to me!

Thanks once again,

Peter.

-----Original Message-----
From: Jan Just Keijser [mailto:janjust@xxxxxxxxx] 
Sent: 16 January 2008 02:58
To: Peter Roddan
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] OpenVPN Routing Issue

Hi Peter,

OK the misconfig is hidden in there somewhere.... took me some time to 
figure it out but I think I found it:

when you say 'VPN server LAN can ping the VPN client LAN' I assume you 
mean that a
  ping 192.168.3.x
returns successfully for any host on that LAN. From a server LAN client,
try pinging the OpenVPN address of the VPN client, e.g.
  ping 10.8.0.14
Most likely that will fail.

The only difference between a ping from the VPN client itself and any 
host on the client LAN is the source address of the packets. Hosts on 
your client LAN will have 192.168.3.x as their source address as it is 
the only address they know. Packets sent from these hosts will traverse 
through the tunnel, be forwarded onto the server LAN and the host on the
server LAN will still see this 192.168.3.x address as the source IP 
address. Luckily the server gateway (your Cisco 1600) knows where to 
send these packets back to (the OpenVPN server) and thus the ping 
packets find their way back.
The VPN client itself however sees a more direct route to the server LAN
through the VPN tunnel itself. It will then use its client VPN IP 
address (10.8.0.14) as the source address. The hosts and/or gateway on 
your server LAN will probably not know this subnet and hence will not 
return any packets.

Solution: use Linux ;-) it's easy to avoid these kinds of issues with Linux
Solution #2: add a route to your server side Cisco 1600 and make sure 
that the network 10.8.0.0/24 also points to your VPN server.

HTH,

JJK

Peter Roddan wrote:
> Hi Jan,
>
> Thanks for your help and sorry for the confusion!
> Just to clarify....
>
> VPN Server - Can ping VPN Client and all machines on the VPN Client LAN
> VPN Server LAN - Can Ping VPN Server and all machines on the VPN Client LAN
>
> VPN Client - Can ping VPN server ONLY. Unable to PING anything else on
> the server LAN
> VPN Client LAN - Can ping VPN server and all machines on the VPN server LAN.
>
> Hope this clears it up!
> Both server and client are running Windows 2003 Server R2.
>
> Server has one nic and is NOT the default gateway on the server LAN, but
> route has been added onto the Server LAN default gateway (cisco 1600)
>
> Client openvpn box has 2 NICs, one connecting to ADSL router, one
> connecting to Client LAN. Routing and remote access NOT installed, but
> the IPENABLEROUTER key has been changed to 1 in the registry.
>
> ADSL router NIC IP is 192.168.13.253 subnet 255.255.255.0
> Client LAN NIC IP is 192.168.3.254 subnet 255.255.255.0
>
> Client OpenVPN box is default gateway for the rest of the PCs on the
> CLIENT LAN (192.168.3.x)
>
> The routing table for the client openvpn box is :
>
>
> IPv4 Route Table
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x2 ...00 ff 8a e7 d0 47 ...... TAP-Win32 Adapter V8
> 0x10004 ...00 18 71 ea e4 33 ...... HP NC110T PCIe Gigabit Server Adapter
> 0x10005 ...00 1c c4 ae 1f ad ...... HP NC320i PCIe Gigabit Server Adapter
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0   192.168.13.254   192.168.13.253     20
>          10.1.1.0    255.255.255.0        10.8.0.13        10.8.0.14      1
>          10.8.0.1  255.255.255.255        10.8.0.13        10.8.0.14      1
>         10.8.0.12  255.255.255.252        10.8.0.14        10.8.0.14     30
>         10.8.0.14  255.255.255.255        127.0.0.1        127.0.0.1     30
>    10.255.255.255  255.255.255.255        10.8.0.14        10.8.0.14     30
>         127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
>       192.168.3.0    255.255.255.0    192.168.3.254    192.168.3.254     20
>     192.168.3.254  255.255.255.255        127.0.0.1        127.0.0.1     20
>     192.168.3.255  255.255.255.255    192.168.3.254    192.168.3.254     20
>      192.168.13.0    255.255.255.0   192.168.13.253   192.168.13.253     20
>    192.168.13.253  255.255.255.255        127.0.0.1        127.0.0.1     20
>    192.168.13.255  255.255.255.255   192.168.13.253   192.168.13.253     20
>         224.0.0.0        240.0.0.0        10.8.0.14        10.8.0.14     30
>         224.0.0.0        240.0.0.0    192.168.3.254    192.168.3.254     20
>         224.0.0.0        240.0.0.0   192.168.13.253   192.168.13.253     20
>   255.255.255.255  255.255.255.255        10.8.0.14        10.8.0.14      1
>   255.255.255.255  255.255.255.255    192.168.3.254    192.168.3.254      1
>   255.255.255.255  255.255.255.255   192.168.13.253   192.168.13.253      1
> Default Gateway:    192.168.13.254
> ===========================================================================
> Persistent Routes:
>   None
>
>
>
>
> Routing table for the server openvpn box is :
>
> IPv4 Route Table
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x2 ...00 ff 80 ac d3 f6 ...... TAP-Win32 Adapter V8
> 0x10004 ...00 13 21 1b d5 b2 ...... HP Network Team #1
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0       10.1.1.254        10.1.1.46     20
>          10.1.1.0    255.255.255.0        10.1.1.46        10.1.1.46     20
>         10.1.1.46  255.255.255.255        127.0.0.1        127.0.0.1     20
>          10.8.0.0  255.255.255.252         10.8.0.1         10.8.0.1     30
>          10.8.0.0    255.255.255.0         10.8.0.2         10.8.0.1      1
>          10.8.0.1  255.255.255.255        127.0.0.1        127.0.0.1     30
>    10.255.255.255  255.255.255.255        10.1.1.46        10.1.1.46     20
>    10.255.255.255  255.255.255.255         10.8.0.1         10.8.0.1     30
>      62.49.61.223  255.255.255.255         10.1.1.1        10.1.1.46      1
>      62.49.68.110  255.255.255.255         10.1.1.1        10.1.1.46      1
>         127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
>       192.168.1.0    255.255.255.0         10.8.0.2         10.8.0.1      1
>       192.168.3.0    255.255.255.0         10.8.0.2         10.8.0.1      1
>      192.168.10.0    255.255.255.0         10.8.0.2         10.8.0.1      1
>      192.168.13.0    255.255.255.0         10.8.0.2         10.8.0.1      1
>    194.78.203.193  255.255.255.255         10.1.1.1        10.1.1.46      1
>         224.0.0.0        240.0.0.0        10.1.1.46        10.1.1.46     20
>         224.0.0.0        240.0.0.0         10.8.0.1         10.8.0.1     30
>   255.255.255.255  255.255.255.255        10.1.1.46        10.1.1.46      1
>   255.255.255.255  255.255.255.255         10.8.0.1         10.8.0.1      1
> Default Gateway:        10.1.1.254
> ===========================================================================
> Persistent Routes:
>   None
>
>
>
> Hope I've explained this well enough!
>
> Thanks,
>
> Peter.
>
>
> -----Original Message-----
> From: Jan Just Keijser [mailto:janjust@xxxxxxxxx] 
> Sent: 14 January 2008 02:06
> To: Peter Roddan
> Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] OpenVPN Routing Issue
>
> Hi Peter,
>
> plz post the routing table of your VPN client machine after connecting;
> this is definitely a routing issue. Also, I was a bit confused by your
> answer; please read your previous answer again and make sure that you're
> not mixing client and server
>
>
> An "old style" config does not use any certificates but uses pre-shared
> keys instead. It is not related to tun or tap setups. In its simplest 
> form an old style config looks something like
>
> # client
> remote server-IP
> port 1194
> dev tun
> ifconfig 10.200.0.1 10.200.0.2
> secret "c:\\program files\\openvpn\\keys\\secret.txt" ## a text file containing the PSK
> route 10.1.1.0 255.255.255.0
> tun-mtu 1500
> comp-lzo
> # add other openvpn config commands here...
>
>
> # server
> remote client-IP
> port 1194
> dev tun
> ifconfig 10.200.0.2 10.200.0.1 ## note the reversal of IPs!
> secret "c:\\program files\\openvpn\\keys\\secret.txt" ## a text file containing the PSK
> route 192.168.3.0 255.255.255.0
> tun-mtu 1500
> comp-lzo
> # add other openvpn config commands here...
>
> This is also explained quite well in the openvpn HOWTO page on 
> http://openvpn.net
>
> HTH,
>
> JJK
>
>
>
>
>
>   
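
The return-path problem diagnosed in this thread, modelled as an added example that is not part of the original messages: a reply only gets back into the tunnel if the server-LAN gateway forwards the ping's source address to the OpenVPN server. The gateway's real table is not on the page, so the entries below (default route, connected LAN, the 192.168.3.0/24 route Peter mentions) and the host 192.168.3.10 are constructed assumptions, and server-LAN hosts are assumed to send all replies via that gateway.

```python
import ipaddress

VPN_SERVER = "10.1.1.46"  # OpenVPN server's LAN address, from the posted server route table

# Constructed model of the server-LAN gateway (the Cisco 1600); its real table is not on the page.
GATEWAY_BEFORE = [
    ("0.0.0.0/0", "upstream"),        # assumed default route towards the Internet
    ("10.1.1.0/24", "connected"),     # server LAN
    ("192.168.3.0/24", VPN_SERVER),   # assumed form of the route Peter says he added
]
# Solution #2 from the thread: also point the tunnel subnet at the VPN server.
GATEWAY_AFTER = GATEWAY_BEFORE + [("10.8.0.0/24", VPN_SERVER)]


def next_hop(routes, dst):
    """Longest-prefix match over (cidr, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(cidr), hop) for cidr, hop in routes
               if addr in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_returns(routes, source_ip):
    """An echo reply reaches the sender only if the gateway hands it to the VPN server."""
    return next_hop(routes, source_ip) == VPN_SERVER


def check(routes):
    """Evaluate the two ping sources the thread compares against one gateway table."""
    sources = {
        "client LAN host": "192.168.3.10",  # constructed host on 192.168.3.0/24
        "VPN client itself": "10.8.0.14",   # tunnel address the client uses as source
    }
    return {name: reply_returns(routes, ip) for name, ip in sources.items()}


if __name__ == "__main__":
    for label, table in (("before", GATEWAY_BEFORE), ("after", GATEWAY_AFTER)):
        for name, ok in check(table).items():
            print(f"{label:6} {name:18} reply routed back into tunnel: {ok}")
```
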
