OpenVPN working between client and server only, but not able to access any machines in server subnet

 
 
GS

 
      10-15-2006, 07:36 PM
I installed the OpenVPN package between two locations. Both sites have
public IP addresses with a firewall/router at each site, and all machines
are behind the firewall at both locations. The VPN port 1194 is opened on
the firewall box. The diagram below shows the two locations. At location 1, the
server is running on one of the machines on the LAN (172.166.1.16), and port
1194 is redirected to this machine. The client is running at location
2. The client is connected to the server, but the client cannot access any
other machines at location 1. Do I have to install any routing on this
VPN server machine at location 1 (172.16.1.16)? I have some other
machines, 172.16.1.17 and 172.16.1.18, that cannot be accessed from location
2 at all. I cannot even ping 172.16.1.1, which is the firewall/router. Thanks
in advance.

[Diagram: Location 1 (172.16.1.x) and Location 2 (172.16.2.x)]


GS.

 
 
 
 
 
Jeroen Geilman

 
      10-15-2006, 10:35 PM
GS wrote:
> I installed the OpenVPN package between two locations. Both sites have
> public IP addresses with a firewall/router at each site, and all machines
> are behind the firewall at both locations. The VPN port 1194 is opened on
> the firewall box. The diagram below shows the two locations. At location 1, the
> server is running on one of the machines on the LAN (172.166.1.16), and port
> 1194 is redirected to this machine. The client is running at location
> 2. The client is connected to the server, but the client cannot access any
> other machines at location 1. Do I have to install any routing on this
> VPN server machine at location 1 (172.16.1.16)? I have some other
> machines, 172.16.1.17 and 172.16.1.18, that cannot be accessed from location
> 2 at all. I cannot even ping 172.16.1.1, which is the firewall/router. Thanks
> in advance.
>
> [Diagram: Location 1 (172.16.1.x) and Location 2 (172.16.2.x)]
>
>
> GS.
>


Despite the fact that your diagram is none too clear, I don't need it to
help you out.

What you are missing is a route on the router in location 1 that goes
back to the VPN server for any addresses it has to route over the VPN -
the clients in location 2.

As you indicated that the VPN server is not the default gateway for the
hosts on that subnet, you will need to add a route to 172.16.2.0/24 to
the default gateway on that subnet:

route add -net 172.16.2.0 netmask 255.255.255.0 gw 172.16.1.16

This will provide the clients - that come in to the 172.16.1.x network
over the VPN - with a route /back/ to the 172.16.2.x network - also over
the VPN.

In fact, if your intention is to be able to arbitrarily route packets
over the VPN between the two locations, you should set a similar route
on the gateway in location 2 and be done with it - you'll never have to
re-configure any clients again, it will "just work".


J.
 
 
GS

 
      10-16-2006, 05:53 AM
Thanks for the reply, and sorry for my poor diagram.

I tried to run that command (route add -net 172.16.2.0 netmask
255.255.255.0 gw 172.16.1.16) on the 172.16.1.16 machine and tried to
ping from a location 2 machine (I can see the VPN server and client can
communicate over the tun0 interface; there is a PPP address assigned
between client and server, and I can ping those PPP addresses between
client and server). I wasn't able to talk from location 2. Then
I added a static route on the gateway (router) located at location 1
with these parameters:

destination IP addr: 172.16.2.0
netmask: 255.255.255.0
gateway addr: 172.16.1.16

Then I activated this entry, and I still couldn't reach any
machine from location 2. The client and server are communicating on the tun
interface rather than the eth interface. Do I have to specify the interface
when I add that route?

Thanks,

 
 
Jeroen Geilman

 
      10-16-2006, 08:43 PM
GS wrote:
> Thanks for the reply, and sorry for my poor diagram.
>
> I tried to run that command (route add -net 172.16.2.0 netmask
> 255.255.255.0 gw 172.16.1.16) on the 172.16.1.16 machine


Errngh!

*Not* on the VPN server - on the *router* for location 1.
You never mentioned what the IP is for the default gateway of location
1, so I could hardly include it in my post.

> and tried to
> ping from a location 2 machine (I can see the VPN server and client can
> communicate over the tun0 interface; there is a PPP address assigned
> between client and server, and I can ping those PPP addresses between
> client and server).


What are the IP addresses of the ppp interfaces ?
That might have been valuable information to begin with...
If these addresses are not on either of the 172.16.x.x networks (this is
very possible) then you have to point to THOSE IP addresses as the
gateways for the respective networks when communicating over the VPN tunnel.

But ordinarily speaking, openvpn should take care of that as long as you
make sure traffic for the remote network gets routed to the VPN server
machine, and the VPN box itself has IP routing enabled.

> I wasn't able to talk from location 2. Then
> I added a static route on the gateway (router) located at location 1
> with these parameters:
>
> destination IP addr: 172.16.2.0
> netmask: 255.255.255.0
> gateway addr: 172.16.1.16
> Then I activated this entry, and I still couldn't reach any
> machine from location 2.


Okay - now we're getting somewhere.
I assume IP routing is enabled on the VPN server box ?
If not, or if you don't know what that means:

#echo 1 > /proc/sys/net/ipv4/ip_forward

And it will magically start working now...

> The client and server are communicating on the tun
> interface rather than the eth interface. Do I have to specify the interface
> when I add that route?


Since you won't be adding any routes on the openVPN machines, no.

J.
 
 
GS

 
      10-17-2006, 02:00 AM
>
> *Not* on the VPN server - on the *router* for location 1.
> You never mentioned what the IP is for the default gateway of location
> 1, so I could hardly include it in my post.


the default gateway address is: 172.16.1.1


the default gateway address at location 2: 172.16.2.1


>
> > and tried to
> > ping from a location 2 machine (I can see the VPN server and client can
> > communicate over the tun0 interface; there is a PPP address assigned
> > between client and server, and I can ping those PPP addresses between
> > client and server).

>
> What are the IP addresses of the ppp interfaces ?
> That might have been valuable information to begin with...
> If these addresses are not on either of the 172.16.x.x networks (this is
> very possible) then you have to point to THOSE IP addresses as the
> gateways for the respective networks when communicating over the VPN tunnel.


the PPP address at location 1 (VPN server running) is: 10.8.0.1
the PPP address at location 2 (VPN server running) is: 10.8.0.2

Port 1194 is opened on the router at location 1; whenever the client
connects, the packet reaches 172.16.1.16 directly and the connection
is established. I can ping 10.8.0.1 from the client and 10.8.0.2 from the server.

Do I have to add a route to point to the PPP address? Could you give
me some clue here?

>
> But ordinarily speaking, openvpn should take care of that as long as you
> make sure traffic for the remote network gets routed to the VPN server
> machine, and the VPN box itself has IP routing enabled.
>
> > I wasn't able to talk from location 2. Then
> > I added a static route on the gateway (router) located at location 1
> > with these parameters:
> >
> > destination IP addr: 172.16.2.0
> > netmask: 255.255.255.0
> > gateway addr: 172.16.1.16
> > Then I activated this entry, and I still couldn't reach any
> > machine from location 2.

>
> Okay - now we're getting somewhere.
> I assume IP routing is enabled on the VPN server box ?
> If not, or if you don't know what that means:
>
> #echo 1 > /proc/sys/net/ipv4/ip_forward


I added this on both sides, but I still can't reach any machine in the location
1 subnet from location 2.


>
> And it will magically start working now...
>
> > The client and server are communicating on the tun
> > interface rather than the eth interface. Do I have to specify the interface
> > when I add that route?

>
> Since you won't be adding any routes on the openVPN machines, no.
>
> J.


I'm still waiting for some clues as to why my client cannot talk to the other
machines in the location 1 subnet.

 
 
GS

 
      10-20-2006, 01:29 AM
Hello,

I still have a problem accessing other machines in the same subnet at
location 1. I am giving some details below:

1) Location 1:
openvpn server is running on the 172.16.1 subnet
gateway address 172.16.1.1 (port 1194 is opened)
vpn server running on 172.16.1.16
openvpn server can establish a connection with the remote client
tun0 interface created, PPP address is 10.0.8.1
ping works to 10.8.0.2, which is the remote vpn client.


2) Location 2:

openvpn client is running on the 172.16.2 subnet
gateway address 172.16.2.1
vpn client is running on one of the machines on this subnet
openvpn client was connected to the remote server
tun0 interface is created, PPP address is 10.8.0.2
ping works to 10.8.0.1, which is the remote server


I can't ping any other machine at location 1 from the client. I
added a static route on the location 1 gateway to redirect 172.16.2.0 packets
to the 172.16.1.16 machine with a 255.255.255.0 subnet.

Any idea whether I am doing something wrong here that is causing me to be
unable to access the machines at location 1?

 
 
Jeroen Geilman

 
      10-20-2006, 10:39 PM
GS wrote:
> Hello,
>
> I still have a problem accessing other machines in the same subnet at
> location 1. I am giving some details below:
>
> 1) Location 1:
> openvpn server is running on the 172.16.1 subnet
> gateway address 172.16.1.1 (port 1194 is opened)
> vpn server running on 172.16.1.16
> openvpn server can establish a connection with the remote client
> tun0 interface created, PPP address is 10.0.8.1
> ping works to 10.8.0.2, which is the remote vpn client.
>
>
> 2) Location 2:
>
> openvpn client is running on the 172.16.2 subnet
> gateway address 172.16.2.1
> vpn client is running on one of the machines on this subnet
> openvpn client was connected to the remote server
> tun0 interface is created, PPP address is 10.8.0.2
> ping works to 10.8.0.1, which is the remote server
>
>
> I can't ping any other machine at location 1 from the client. I
> added a static route on the location 1 gateway to redirect 172.16.2.0 packets
> to the 172.16.1.16 machine with a 255.255.255.0 subnet.


An actual routing table would help *a lot*.

#route -n

or

#ip route list table all

(but I prefer the old style table, since it's more compact...)


J.

 
 
GS

 
      10-21-2006, 05:10 PM
Thanks for the reply. Here is the route output at both locations.

Location 1:
=================
[root@host1 root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        172.16.1.1      255.255.255.0   UG    0      0        0 eth0
172.16.1.0      *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         172.16.1.1      0.0.0.0         UG    0      0        0 eth0
[root@host1 root]#


Location 2:
==============

[root@maza ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        *               255.255.255.255 UH    0      0        0 tun0
172.16.2.0      *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         172.16.2.1      0.0.0.0         UG    0      0        0 eth0
[root@maza ~]#

Only thing, I didn't add any static route at location 2.

 
 
Jeroen Geilman

 
      10-24-2006, 08:59 PM
GS wrote:
> Thanks for the reply. Here is the route output at both locations.
>
> Location 1:
> =================
> [root@host1 root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
> 10.8.0.0        172.16.1.1      255.255.255.0   UG    0      0        0 eth0
> 172.16.1.0      *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         172.16.1.1      0.0.0.0         UG    0      0        0 eth0
> [root@host1 root]#


I think you need to check your OpenVPN config - you're *only* routing
traffic for 10.8.0.2 over the VPN, nothing else.
You probably want to route the whole of 10.8.0.0/24 over tun0.


> Location 2:
> ==============
>
> [root@maza ~]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.8.0.1        *               255.255.255.255 UH    0      0        0 tun0
> 172.16.2.0      *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> default         172.16.2.1      0.0.0.0         UG    0      0        0 eth0
> [root@maza ~]#
>
> Only thing, I didn't add any static route at location 2.


Same here, but since this is the client side, it's possible.

What you have *is*, in fact, a point-to-point VPN link - with the
current routing tables it is not possible to route to addresses other
than the directly connected VPN machines.


J.
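
The point made in the reply above, as an added example that is not part of the original posts: a longest-prefix lookup over the two routing tables GS posted, showing which destinations actually leave through tun0. The function names are this example's own, and only the main routing table is modelled (no policy routing).

```python
import ipaddress

# The two tables GS posted (rows only), copied from the thread.
LOCATION_1 = """
10.8.0.2    *          255.255.255.255 UH 0 0 0 tun0
10.8.0.0    172.16.1.1 255.255.255.0   UG 0 0 0 eth0
172.16.1.0  *          255.255.255.0   U  0 0 0 eth0
169.254.0.0 *          255.255.0.0     U  0 0 0 eth0
127.0.0.0   *          255.0.0.0       U  0 0 0 lo
default     172.16.1.1 0.0.0.0         UG 0 0 0 eth0
"""
LOCATION_2 = """
10.8.0.1    *          255.255.255.255 UH 0 0 0 tun0
172.16.2.0  *          255.255.255.0   U  0 0 0 eth0
169.254.0.0 *          255.255.0.0     U  0 0 0 eth0
default     172.16.2.1 0.0.0.0         UG 0 0 0 eth0
"""

def parse_routes(text):
    """Parse `route` / `route -n` rows into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # prompts, blank lines, wrapped output
        try:
            dest = "0.0.0.0" if f[0] == "default" else f[0]
            mask = "0" if f[2] == "0.0.0.0" else f[2]
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # the column-header row
        routes.append((net, None if f[1] in ("*", "0.0.0.0") else f[1], f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def via_tunnel(routes, dst, tun="tun0"):
    """True only if the kernel would send dst out of the tunnel interface."""
    hit = lookup(routes, dst)
    return hit is not None and hit[2] == tun

if __name__ == "__main__":
    checks = [("location 1", LOCATION_1, "10.8.0.2"), ("location 1", LOCATION_1, "172.16.2.1"),
              ("location 2", LOCATION_2, "10.8.0.1"), ("location 2", LOCATION_2, "172.16.1.17")]
    for site, table, dst in checks:
        net, gw, iface = lookup(parse_routes(table), dst)
        print(f"{site}: {dst} -> {net} via {gw or 'direct'} dev {iface}")
```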
 
 
estebanko@gmail.com

 
      12-06-2006, 08:24 AM
I have the same problem. I am not able to see beyond the OpenVPN server
(i.e. unable to ping any hosts on the OpenVPN subnet). There must be a simple
routing entry I must've overlooked... Here are my settings for the routed
VPN:

OpenVPN Server IP: 192.168.0.44/24
Client IP: 192.168.2.2/24

PPP: 10.8.1.1<------> 10.8.1.2
Client tun0: 10.8.1.6

Like the original author, my OpenVPN server is behind a firewall with correct
port forwarding and static routing for anything 10.8.1.0/24. Using
tcpdump I've come to the following conclusion. A host in the server subnet
sees ICMP requests from 10.8.1.6 and responds, but the response gets
lost somewhere in the OpenVPN server.

For example, when I ping 192.168.0.24 from the client (192.168.2.2), it
sees the ping originating from 10.8.1.6, which makes sense, but the response
gets lost when 192.168.0.24 sends the ping back to 10.8.1.6. It's either
the gateway handling 10.8.1.0/24 throwing it into /dev/null or
192.168.0.44 is completely ignoring it. The problem is that the gateway is an
el cheapo Dell Truemobile 2300 so there is no way for me to check.. :-(

Any help would be greatly appreciated.

Stephen.




 