OpenVPN client cannot route to LAN

Discussion in 'Linux Networking' started by plshelpsteve, Sep 23, 2005.

  1. plshelpsteve

    plshelpsteve Guest

    I'm having problems configuring OpenVPN.

    While my WinXP box (in a test DMZ area, 192.168.1.15) can connect to my
    Debian (Sarge) server on my LAN (10.42.42.146), I cannot access other
    servers on the LAN. (Which, of course, is the whole purpose.)

    I can ping over the VPN to the server (10.42.5.1), but I cannot ping to
    other internal boxes (e.g. 10.42.42.20, which is pingable within my
    LAN).

    Since an initial connection and a direct ping work just fine, I believe
    my firewall is directing 192.1.68.1.75 UDP:1194 to 10.42.42.146 just
    fine.

    I have executed the following on Debian server, which should allow for
    packet forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT
    iptables -I FORWARD -o tun0 -j ACCEPT
    iptables -I OUTPUT -o tun0 -j ACCEPT

    Any thoughts?

    - Steve

    server.conf:
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key # This file should be kept secret
    dh dh1024.pem
    server 10.42.5.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 10.42.42.0 255.255.255.0"
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log
    verb 3

    client.conf:
    client
    dev tun
    proto udp
    remote 192.168.1.75 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3

    C:\>netstat -rn

    Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 ff 70 6c 63 de ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
    0x10004 ...00 0a e6 42 22 32 ...... SiS 900-Based PCI Fast Ethernet Adapter - Virtual Machine Network Services Driver
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway       Interface     Metric
    0.0.0.0              0.0.0.0          192.168.1.1   192.168.1.15  20
    10.42.5.1            255.255.255.255  10.42.5.5     10.42.5.6     1
    10.42.5.4            255.255.255.252  10.42.5.6     10.42.5.6     30
    10.42.5.6            255.255.255.255  127.0.0.1     127.0.0.1     30
    10.42.42.0           255.255.255.0    10.42.5.5     10.42.5.6     1
    10.255.255.255       255.255.255.255  10.42.5.6     10.42.5.6     30
    127.0.0.0            255.0.0.0        127.0.0.1     127.0.0.1     1
    192.168.1.0          255.255.255.0    192.168.1.15  192.168.1.15  20
    192.168.1.15         255.255.255.255  127.0.0.1     127.0.0.1     20
    192.168.1.255        255.255.255.255  192.168.1.15  192.168.1.15  20
    224.0.0.0            240.0.0.0        10.42.5.6     10.42.5.6     30
    224.0.0.0            240.0.0.0        192.168.1.15  192.168.1.15  20
    255.255.255.255      255.255.255.255  10.42.5.6     10.42.5.6     1
    255.255.255.255      255.255.255.255  192.168.1.15  192.168.1.15  1
    Default Gateway: 192.168.1.1
    ===========================================================================
    Persistent Routes:
    None
     
    plshelpsteve, Sep 23, 2005
    #1

  2. plshelpsteve

    James Knott Guest

    Do the other servers know the route to the XP system? If your VPN
    terminates on a server and not the firewall, that's likely the problem. My
    VPN terminates on my firewall, so any computer on my lan sends data for the
    remote computer to the default gateway, which is my firewall. It sorts out
    the stuff for the VPN. There are two solutions to your problem. Add a
    routing entry for the VPN systems to the routes or use proxy arp on the
    server where your VPN terminates.
     
    James Knott, Sep 23, 2005
    #2
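
The missing return route described in the reply above, as an added example that is not part of the original thread: a longest-prefix-match lookup traces where a LAN host's reply to the VPN client goes, before and after the routing entry is added on the host or on its default gateway. The gateway address 10.42.42.1, the "upstream" and "on-link" labels, and both routing tables are assumptions constructed for illustration; the other addresses come from the thread.

```python
import ipaddress

VPN_SERVER = "10.42.42.146"   # Debian box running OpenVPN (from the thread)
VPN_CLIENT = "10.42.5.6"      # XP tunnel address (from the netstat output)
LAN_GATEWAY = "10.42.42.1"    # assumed: the thread never gives this address

def next_hop(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(cidr), gw) for cidr, gw in routes
               if addr in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace_reply(host_routes, gateway_routes, dst=VPN_CLIENT):
    """Hops taken by a LAN host's reply addressed to the VPN client."""
    hops = [next_hop(host_routes, dst)]
    if hops[0] == LAN_GATEWAY:        # the gateway makes its own lookup
        hops.append(next_hop(gateway_routes, dst))
    return hops

def reaches_tunnel(hops):
    """The reply only gets back into the tunnel via the OpenVPN server."""
    return hops[-1] == VPN_SERVER

# Constructed tables for LAN host 10.42.42.20 and its default gateway.
HOST = [("10.42.42.0/24", "on-link"), ("0.0.0.0/0", LAN_GATEWAY)]
GATEWAY = [("10.42.42.0/24", "on-link"), ("0.0.0.0/0", "upstream")]

# The missing entry. On Linux: ip route add 10.42.5.0/24 via 10.42.42.146
RETURN_ROUTE = ("10.42.5.0/24", VPN_SERVER)

def scenarios():
    return {
        "as posted": trace_reply(HOST, GATEWAY),
        "route on gateway": trace_reply(HOST, GATEWAY + [RETURN_ROUTE]),
        "route on host": trace_reply(HOST + [RETURN_ROUTE], GATEWAY),
    }

if __name__ == "__main__":
    for name, hops in scenarios().items():
        status = "reaches tunnel" if reaches_tunnel(hops) else "lost"
        print(f"{name:17} {' -> '.join(map(str, hops))}  [{status}]")
```
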

  3. plshelpsteve

    plshelpsteve Guest

    Yup! Route back to the client. I'll have to integrate the VPN
    through my gateway to make this work the way I want to.

    Thanks for steering me in the right direction!

    - Steve
     
    plshelpsteve, Sep 29, 2005
    #3