Hello everyone, how're you doing ?

OK, I just though you might give me a hint as to the nature of my problem.
I'm establishing a connection to my office network (192.168.0.0 255.255.255.224) through the OpenVPN server, which is also the Internet gateway for the mentioned above LAN (192.168.0.1), as can be logically understood.

So, here it is in a nutshell:
1) Openvpn server is 192.168.0.1 on the office network 192.168.0.0/27

2) In the server.conf I have, as regards routing, this:


3) For the VPN I'm using static client address asignment, so in the file ccd/client1 file (which is also declared in the server.conf as required) I have this line:


So I successfully connect to my server through Internet and have:

among other thigs in the output, as I'm by now connecting manually, till I fix it all.
So now I can "see" all the machines on 192.168.0.0/27, ping them, nmap them and can, for example, connect to my router web-interface on 192.168.0.17:88.

PROBLEM: I cannot start a SSH session to the 192.168.0.1 (which is the VPN server itself as seen from the local LAN interface, and to which I usually connect via SSH from the LAN) !
The session just hangs (until I Ctrl-C to stop it). However, I can ping that machine OK.

What could possibly cause this? Any ideas? Just can it be related to any routing problems?
BTW, is it OK that I can ping 10.0.0.6 but cannot ping 10.0.0.5?

thanks in advance,
Kostya

hi there,

can you post the output of iptables -L command?
also do you use tcp wrappers? (check /etc/hosts.allow /etc/hosts.deny).

which linux are you using?

cheers,

michael.

your ccd file should read


note the order of the IP addresses; it is normal that you cannot reach 10.0.0.5, try pinging and SSH'ing to 10.0.0.1 instead.

1. On the server I'm using Fedora 13.
2. The output of iptables -L I will get as soon as I get to my server.
3. Yea I thought about tcp wrappers being a possible cause of it... anyway I'll be certain when I get to my server.

So I'll post it as soon as I get there.
Great thanks .

I've tried pinging and SSH'ing (and telneting) to 10.0.0.1, but with the same result.
So it looks as though ping packets do get back, but SSH nor telnet don't come back.

Here is what I actually get from my SSH session:

Notice, that when I try to SSH directly to the outbound server interface, which is firewall protected, the session never comes this far, but stops at the words "Connecting to 192.168.0.1 [192.168.0.1] port 22.".

And thanks for the correction about the order of the IP addresses; I took mine from the HOWTO.

OK, it's way easier when I ask questions and you dear friends say YES or NO .

So...
The thing now works, although being in the office I could only test it connecting from inside the
192.168.0.0/27 network itself to the address 10.0.0.1. Prior to that I had, for the testing purposes, to disable the 'push "route 192.168.0.0 ..."' directive in server config.
So I VPNed to the server and then SSH'ed to 10.0.0.1 without any problems.

And here is what I did, and you please tell me which of these are necessary and which are not.

1.I added the following to my iptables script:

Guess this won't hurt in any case.

2.But then I also added the following string to the server conf:

right below

Guess this is unnecessary, right? In't the "server 10.0.0...." directive enough for the server to learn about the existence of that network?
I just added it because I know such things won't hurt anyway.


OK. I'll go back home and try it from there. If it can SSH to 10.0.0.1, then it MUST also be able to connect to 192.168.0.1.
Then I'll try to configure SAMBA connectivity to the office, but that's another story.

hi there,

>iptables -A INPUT -i tun0 -j ACCEPT

this is defenitely needed if you try to connect from your clients into vpn server address


>route 10.0.0.0 255.255.255.0
remove it....

>Guess this is unnecessary, right? In't the "server 10.0.0...." directive enough for the server to learn about the existence of that network?

yeap..



michael.

Thanks!

And the files /etc/host.allow, hosts.deny are empty. For now I'll leave them as they are, until after I finish configuring everything the way I want it.

Yea, now I can confirm that it works OK from home over Internet to both 192.168.0.1 and 10.0.0.1.

So I consider the problem to be resolved.

Thanks to everyone for help and support .

ok then

marked as SOLVED

closed.

michael