OpenVPN working between client and server only, but not able to access any machines in server subnet

Discussion in 'Linux Networking' started by GS, Oct 15, 2006.

  1. GS

    GS Guest

    I installed the openVPN package between two locations; both sites have
    public IP addresses with a firewall/router on each site, all machines
    are behind the firewall at both locations, and the VPN port 1194 is
    opened on the firewall box. The diagram below shows the two locations.
    At location 1, the server is running on one of the machines on the LAN
    (172.166.1.16) and port 1194 is redirected to this machine; the client
    is running at location 2. The client is connected to the server, but
    the client cannot access any other machines at location 1. Do I have to
    install any routing on this VPN server machine at location 1
    (172.16.1.16)? I have some other machines, 172.16.1.17 and
    172.16.1.18, that cannot be accessed from location 2 at all; I cannot
    even ping 172.16.1.1, which is the firewall/router. Thanks in advance.

    Location 1 (172.16.1.x) ---- VPN ---- Location 2 (172.16.2.x)


    GS.
     
    GS, Oct 15, 2006
    #1

  2. Despite the fact that your diagram is none too clear, I don't need it to
    help you out :)

    What you are missing is a route on the router in location 1 that goes
    back to the VPN server for any addresses it has to route over the VPN -
    the clients in location 2.

    As you indicated that the VPN server is not the default gateway for the
    hosts on that subnet, you will need to add a route to 172.16.2.0/24 to
    the default gateway on that subnet:

    route add -net 172.16.2.0 netmask 255.255.255.0 gw 172.16.1.16

    This will provide the clients - that come in to the 172.16.1.x network
    over the VPN - with a route /back/ to the 172.16.2.x network - also over
    the VPN.

    In fact, if your intention is to be able to arbitrarily route packets
    over the VPN between the two locations, you should set a similar route
    on the gateway in location 2 and be done with it - you'll never have to
    re-configure any clients again, it will "just work".


    J.
     
    Jeroen Geilman, Oct 15, 2006
    #2

  3. GS

    GS Guest

    Thanks for the reply, sorry for my poor diagram.

    I tried to run that command (route add -net 172.16.2.0 netmask
    255.255.255.0 gw 172.16.1.16) on the 172.16.1.16 machine and tried to
    ping from the location 2 machine (I can see the vpn server and client
    can communicate over the tun0 interface, there is a PPP address
    assigned between client and server, and I can ping those ppp addresses
    between client and server), but I couldn't talk from location 2. Then I
    added a static route on the gateway (router) located at location 1 with
    these parameters:

    destination IP addr: 172.16.2.0
    netmask: 255.255.255.0
    gateway addr: 172.16.1.16

    Then I activated this entry, and still I couldn't reach any machine
    from location 2. These client and server are communicating on the tun
    interface rather than the eth interface; do I have to specify the
    interface when I add that route?

    Thanks,
     
    GS, Oct 16, 2006
    #3
  4. Errngh!

    *Not* on the VPN server - on the *router* for location 1.
    You never mentioned what the IP is for the default gateway of location
    1, so I could hardly include it in my post.
    What are the IP addresses of the ppp interfaces ?
    That might have been valuable information to begin with...
    If these addresses are not on either of the 172.16.x.x networks (this is
    very possible) then you have to point to THOSE IP addresses as the
    gateways for the respective networks when communicating over the VPN tunnel.

    But ordinarily speaking, openvpn should take care of that as long as you
    make sure traffic for the remote network gets routed to the VPN server
    machine, and the VPN box itself has IP routing enabled.
    Okay - now we're getting somewhere.
    I assume IP routing is enabled on the VPN server box ?
    If not, or if you don't know what that means:

    #echo 1 > /proc/sys/net/ipv4/ip_forward

    And it will magically start working now...
    Since you won't be adding any routes on the openVPN machines, no.

    J.
     
    Jeroen Geilman, Oct 16, 2006
    #4
  5. GS

    GS Guest

    the default gateway address is: 172.16.1.1


    the default gateway address at locations 2: 172.16.2.1

    the PPP address at location 1 (VPN server running) is: 10.8.0.1
    the PPP address at location 2 (VPN server running) is: 10.8.0.2

    the port 1194 is opened on the Router at location 1, whenever the client
    connects the packet reaches 172.16.1.16 directly, the connection is
    established, I can ping 10.8.0.1 from client and 10.8.0.2 from server.

    do I have to add a route to point to the ppp address? Could you give
    me some clue here.
    I added this on both sides, still I can't reach any machine at location
    1 subnet from location 2.

    still waiting for some clues, why my client cannot talk to the other
    machines at the location 1 subnet.
     
    GS, Oct 17, 2006
    #5
  6. GS

    GS Guest

    Hello,

    Still I have a problem accessing other machines in the same subnet at
    location 1. I am giving some details below:

    1) Location 1:
    openvpn server is running on the 172.16.1 subnet
    gateway address 172.16.1.1 (port 1194 is opened)
    vpn server running on 172.16.1.16
    openvpn server can establish a connection with the remote client
    tun0 interface created, PPP address is 10.0.8.1
    ping works to 10.8.0.2, which is the remote vpn client.


    2) Location 2:

    openvpn client is running on the 172.16.2 subnet
    gateway address 172.16.2.1
    vpn client is running on one of the machines on this subnet
    openvpn client was connected with the remote server
    tun0 interface is created, ppp address is 10.8.0.2
    ping works to 10.8.0.1, which is the remote server


    I can't ping any other machine at location 1 from the client. I added a
    static route on the location 1 gateway to redirect 172.16.2.0 packets
    to the 172.16.1.16 machine with 255.255.255.0 subnet.

    Any idea? Am I doing something wrong here which is causing me not to be
    able to access the machines at location 1?
     
    GS, Oct 20, 2006
    #6
  7. An actual routing table would help *a lot*.

    #route -n

    or

    #ip route list table all

    (but I prefer the old style table, since it's more compact...)


    J.
     
    Jeroen Geilman, Oct 20, 2006
    #7
  8. GS

    GS Guest

    Thanks for the reply. Here is the route output at both locations.

    Location 1:
    =================
    # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
    10.8.0.0        172.16.1.1      255.255.255.0   UG    0      0        0 eth0
    172.16.1.0      *               255.255.255.0   U     0      0        0 eth0
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         172.16.1.1      0.0.0.0         UG    0      0        0 eth0


    Location 2:
    ==============

    # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.8.0.1        *               255.255.255.255 UH    0      0        0 tun0
    172.16.2.0      *               255.255.255.0   U     0      0        0 eth0
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
    default         172.16.2.1      0.0.0.0         UG    0      0        0 eth0

    Only thing, I didn't add any static route at location 2.
     
    GS, Oct 21, 2006
    #8
  9. I think you need to check your OpenVPN config - you're *only* routing
    traffic for 10.8.0.2 over the VPN, nothing else.
    You probably want to route the whole of 10.8.0.0/24 over tun0.

    Same here, but since this is the client side, it's possible.

    What you have *is*, in fact, a point-to-point VPN link - with the
    current routing tables it is not possible to route to addresses other
    than the directly connected VPN machines.


    J.
     
    Jeroen Geilman, Oct 24, 2006
    #9
  10. estebanko

    estebanko Guest

    I have the same problem. I am not able to see beyond the OpenVPN server
    (i.e. unable to ping any hosts on the OpenVPN subnet). There must be a
    simple routing entry I must've overlooked... Here are my settings for
    the routed vpn:

    OpenVPN Server IP: 192.168.0.44/24
    Client IP: 192.168.2.2/24

    PPP: 10.8.1.1<------> 10.8.1.2
    Client tun0: 10.8.1.6

    Like the original author my OpenVPN server is behind a firewall with
    correct port forwarding and static routing for anything in 10.8.1.0/24.
    Using tcpdump I've come to the following conclusion. A host in the
    server subnet sees ICMP requests from 10.8.1.6 and responds, but the
    response gets lost somewhere in the OpenVPN server.

    For example, when I ping 192.168.0.24 from the client(192.168.2.2), it
    sees the ping originating from 10.8.1.6 which makes sense but response
    gets lost when 192.168.0.24 sends ping back to 10.8.1.6. It's either
    the gateway handling 10.8.1.0/24 throwing it into /dev/null or
    192.168.0.44 is completely ignoring it. Problem is that the gateway is
    el cheapo Dell Truemobile 2300 so there is no way for me to check.. :-(

    Any help would be greatly appreciated.

    Stephen.



     
    estebanko, Dec 6, 2006
    #10
  11. This problem is almost always one of the following problems:

    1) You must arrange so that any packets that should go through the VPN
    wind up at the VPN machine. This applies on both ends to machines that
    are supposed to communicate through the VPN.

    2) You must arrange so that, on the VPN machine, packets that should go
    through the VPN do go through the VPN. You must also ensure that the
    packets that contain the data going through the VPN do not try to go
    through the VPN.

    So, consider the following:

    <router>-<Machine>-<VPNEnd1>-<VPNEnd2>

    Now, suppose you want 'VPNEnd2' to reach 'Machine' using the VPN. This
    requires two things:

    1) VPNEnd2 must be configured to route packets to 'machine' through the
    VPN.

    2) Machine must be configured to route packets to 'VPNEnd2' through the
    VPN. (Or the router that its default points to must be configured to do
    so.)

    You can track down the problems with 'traceroute'. Just remember, if
    the traceroute from 'VPNEnd2' ends at 'VPNEnd1', that either means
    packets don't go to the right place from 'VPNEnd1', or that they go to
    someplace that can't send back responses (because those don't know
    where to go).

    When you get problems like this without any detailed analysis, it's
    almost always because the person setting things up didn't take into
    account the fact that getting packets to the destination does no good
    if replies can't find their way back.

    DS
     
    David Schwartz, Dec 6, 2006
    #11
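    Added example (shell), not code from anyone in this thread: a
    longest-prefix-match lookup over `route -n` style tables, used to walk
    the forward and return paths the way David describes, and to show the
    point-to-point situation Jeroen spotted in post #9, where only the
    peer's /32 is routed over tun0. The VPN server and client tables are
    constructed from the output posted in #8 (the 169.254 entries dropped);
    the Location 1 router table, its interface names and its WAN gateway
    203.0.113.1 are assumed, as are the "fixed" tables that route each
    remote LAN over tun0.

```shell
#!/bin/sh
# Added example, not from the thread: longest-prefix-match lookups over
# routing tables in `route -n` format, used to check the forward path and
# the return path of a packet that should use the VPN. Server and client
# tables are constructed from the output posted in this thread; the router
# table (interfaces lan0/wan0, WAN gateway 203.0.113.1) is assumed.

# Location 1 VPN server (172.16.1.16) as posted: only 10.8.0.2/32 uses tun0
SERVER='10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 172.16.1.1 255.255.255.0 UG 0 0 0 eth0
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 eth0'
# Same box once the remote LAN is routed through the tunnel (assumed fix)
SERVER_FIXED="172.16.2.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
$SERVER"

# Location 2 VPN client as posted, and with the remote LAN routed over tun0
CLIENT='10.8.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.16.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 172.16.2.1 0.0.0.0 UG 0 0 0 eth0'
CLIENT_FIXED="172.16.1.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
$CLIENT"

# Location 1 router (172.16.1.1) with the static route from post #2 (assumed)
ROUTER1='172.16.2.0 172.16.1.16 255.255.255.0 UG 0 0 0 lan0
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0
0.0.0.0 203.0.113.1 0.0.0.0 UG 0 0 0 wan0'

# Dotted quad -> integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Number of one bits in a netmask (the prefix length)
masklen() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Print "gateway iface" of the longest-prefix route for address $2 in
# table $1 (gateway 0.0.0.0 means directly connected), or "none".
route_lookup() {
    dst=$(ip2int "$2"); best_len=-1; best=none
    while read -r dest gw mask _flags _metric _ref _use iface; do
        [ -n "$dest" ] || continue
        if [ $(( dst & $(ip2int "$mask") )) -eq "$(ip2int "$dest")" ]; then
            len=$(masklen "$mask")
            if [ "$len" -gt "$best_len" ]; then
                best_len=$len; best="$gw $iface"
            fi
        fi
    done <<EOF
$1
EOF
    echo "$best"
}

egress_iface() { r=$(route_lookup "$1" "$2"); echo "${r#* }"; }
next_hop()     { r=$(route_lookup "$1" "$2"); echo "${r% *}"; }

# David's two conditions with Jeroen's router hop in the return path:
# client -> tun0; LAN host reply -> router -> VPN server -> tun0.
# Prints "ok" or names the first hop that sends the packet away from the VPN.
tunnel_both_ways() {
    client=$1; server=$2; router=$3; lan1_host=$4; lan2_host=$5
    fwd=$(egress_iface "$client" "$lan1_host")
    [ "$fwd" = tun0 ] || { echo "forward: client sends $lan1_host out $fwd"; return 0; }
    hop=$(next_hop "$router" "$lan2_host")
    [ "$hop" = 172.16.1.16 ] || { echo "return: router sends $lan2_host to $hop"; return 0; }
    back=$(egress_iface "$server" "$lan2_host")
    [ "$back" = tun0 ] || { echo "return: server sends $lan2_host out $back"; return 0; }
    echo ok
}

# Tables as posted: the client never puts 172.16.1.17 into the tunnel
tunnel_both_ways "$CLIENT" "$SERVER" "$ROUTER1" 172.16.1.17 172.16.2.5
# Client fixed only: the reply reaches the server but leaves on eth0
tunnel_both_ways "$CLIENT_FIXED" "$SERVER" "$ROUTER1" 172.16.1.17 172.16.2.5
# Remote LANs over tun0 on both ends plus the router static route: ok
tunnel_both_ways "$CLIENT_FIXED" "$SERVER_FIXED" "$ROUTER1" 172.16.1.17 172.16.2.5
```

    Run as a script it reports the failing hop for the posted tables, then
    "ok" once the remote LANs are routed over tun0 on both VPN ends and the
    router static route from post #2 is in place. On a real box the
    equivalent check is `ip route get 172.16.2.5` on each hop, which shows
    the interface and gateway the kernel would actually pick.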
