Community Support Forum
 



 OK. I'm an idiot. I've read the HOWTO and still can't ping. 
 Post subject: OK. I'm an idiot. I've read the HOWTO and still can't ping.
PostPosted: Tue Feb 14, 2012 7:39 pm 
OpenVpn Newbie

Joined: Tue Feb 14, 2012 6:41 pm
Posts: 1
I hate to do this, but I'm at the end of my rope. I have set up an openvpn server on my nameserver for a private lan behind a static ip router that does NAT, eg.

Verizon -> router (63.162.199.15) -> nameserver (192.68.0.20)

The LAN side of the router is 192.168.0.1 and is the gateway for the LAN.

I'm running Fedora 16 on the nameserver, and the router is a Linksys/Cisco WRT320N

My client is behind a NAT firewall where I work:

web <- work router (198.232.103.150) <- client machine (172.17.36.104)

The gateway for the LAN is 172.17.0.254

All ip addresses are real.

The problem is that I seem to be able to connect to the OpenVPN server fine, and in fact I can ping the local lan address of the server (i.e. ping 192.168.0.20 works), but I can't get out to the world, and ping to the inside of the server's router fails (e.g. ping 192.168.01 fails). I have been thinking that the problem is at my router. From what I read, I need to direct requests from 10.8.0.0/24 back to my nameserver, at least according to the graph at http://www.secure-computing.net/wiki/index.php/Graph. So, I added a static route to my server's router. The Linksys routing table looks like:


Routing Table

Destination LAN IP Subnet Mask Gateway Interface
63.162.199.0 255.255.255.0 0.0.0.0 Internet (WAN)
10.8.0.0 255.255.255.0 192.168.0.20 LAN & Wireless
192.168.0.0 255.255.255.0 0.0.0.0 LAN & Wireless
0.0.0.0 0.0.0.0 63.162.199.1 Internet (WAN)


But I think I'm missing something conceptually here. It seems to me that this *shouldn't* work. Why should 192.168.0.20 know what to do, since it's not "really" a gateway, just the LAN address of the OpenVPN server? I don't get it.

Anyway, any help getting me over this block would be appreciated. As an aside, something I also don't understand: on the client, I can ssh to my home machine, then turn on VPN, and the established ssh connections keep working (which is convenient for looking at logs) though I can't set up new connections...

Now for the logs:

The messages seem to be getting to the server from the client. For instance, if I turn on the VPN on the client and type "ping www.google.com", tcpdump on tun0 on the server gives:

tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
14:25:08.487945 IP 10.8.0.6.58260 > google-public-dns-a.google.com.domain: 7503+ A? www.google.com. (32)
14:25:13.484458 IP 10.8.0.6.58260 > google-public-dns-a.google.com.domain: 7503+ A? www.google.com. (32)
14:25:18.493102 IP 10.8.0.6.52952 > google-public-dns-a.google.com.domain: 2473+ A? www.google.com.localdomain. (44)
14:25:23.495081 IP 10.8.0.6.52952 > google-public-dns-a.google.com.domain: 2473+ A? www.google.com.localdomain. (44)


(I use the google public dns service from home).

However, on the LAN side, it just looks like keepalive stuff:
tcpdump -i p6p1 'not port 22'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p6p1, link-type EN10MB (Ethernet), capture size 65535 bytes
4:30:29.928838 IP 198.232.103.150.8818 > hope.billoblog.com.openvpn: Flags [.], ack 5963, win 13196, options [nop,nop,TS val 20234493 ecr 59080085], length 0
14:30:32.499598 IP 198.232.103.150.8818 > hope.billoblog.com.openvpn: Flags [P.], seq 4618:4729, ack 5963, win 13196, options [nop,nop,TS val 20237059 ecr 59080085], length 111
14:30:32.499660 IP hope.billoblog.com.openvpn > 198.232.103.150.8818: Flags [.], ack 4729, win 11528, options [nop,nop,TS val 59082828 ecr 20237059], length 0
14:30:37.504916 IP 198.232.103.150.8818 > hope.billoblog.com.openvpn: Flags [P.], seq 4729:4840, ack 5963, win 13196, options [nop,nop,TS val 20242064 ecr 59082828], length 111
14:30:37.504971 IP hope.billoblog.com.openvpn > 198.232.103.150.8818: Flags [.], ack 4840, win 11528, options [nop,nop,TS val 59087834 ecr 20242064], length 0
14:30:39.602865 IP hope.billoblog.com.openvpn > 198.232.103.150.8818: Flags [P.], seq 5963:6018, ack 4840, win 11528, options [nop,nop,TS val 59089932 ecr 20242064], length 55
14:30:39.781807 IP 198.232.103.150.8818 > hope.billoblog.com.openvpn: Flags [.], ack 6018, win 13196, options [nop,nop,TS val 20244345 ecr 59089932], length 0
14:30:47.822084 IP 198.232.103.150.8818 > hope.billoblog.com.openvpn: Flags [P.], seq 4840:4895, ack 6018, win 13196, options [nop,nop,TS val 20252382 ecr 59089932], length 55
14:30:47.822147 IP hope.billoblog.com.openvpn > 198.232.103.150.8818: Flags [.], ack 4895, win 11528, options [nop,nop,TS val 59098151 ecr 20252382], length 0



My server.conf is (comments removed for brevity):
**************************
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
cipher BF-CBC # Blowfish (default)
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 6
*********************************************

My client.conf is:
**********************************************
client
dev tun
proto tcp
remote www.billoblog.com 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca /home/oliver/openvpn/ca.crt
cert /home/oliver/openvpn/billo.crt
key /home/oliver/openvpn/billo.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
***************************************************

It seems to come up just fine. Here's the low verbosity 3 log on starting:
******************************************************************************************
Tue Feb 14 14:01:55 2012 OpenVPN 2.2.1 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 9 2011
Tue Feb 14 14:01:55 2012 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Feb 14 14:01:55 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb 14 14:01:55 2012 Diffie-Hellman initialized with 1024 bit key
Tue Feb 14 14:01:55 2012 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 14 14:01:55 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 14 14:01:55 2012 ROUTE default_gateway=192.168.0.1
Tue Feb 14 14:01:55 2012 TUN/TAP device tun0 opened
Tue Feb 14 14:01:55 2012 TUN/TAP TX queue length set to 100
Tue Feb 14 14:01:55 2012 /sbin/ip link set dev tun0 up mtu 1500
Tue Feb 14 14:01:55 2012 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Feb 14 14:01:55 2012 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Feb 14 14:01:55 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Feb 14 14:01:55 2012 GID set to nobody
Tue Feb 14 14:01:55 2012 UID set to nobody
Tue Feb 14 14:01:55 2012 Listening for incoming TCP connection on [undef]:1194
Tue Feb 14 14:01:55 2012 TCPv4_SERVER link local (bound): [undef]:1194
Tue Feb 14 14:01:55 2012 TCPv4_SERVER link remote: [undef]
Tue Feb 14 14:01:55 2012 MULTI: multi_init called, r=256 v=256
Tue Feb 14 14:01:55 2012 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Feb 14 14:01:55 2012 IFCONFIG POOL LIST
Tue Feb 14 14:01:55 2012 billo,10.8.0.4
Tue Feb 14 14:01:55 2012 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Feb 14 14:01:55 2012 Initialization Sequence Completed
*********************************************************************************
ifconfig on the server looks good to me:

********************************************************************************
ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:18228 errors:0 dropped:0 overruns:0 frame:0
TX packets:18228 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3073307 (2.9 MiB) TX bytes:3073307 (2.9 MiB)

p6p1 Link encap:Ethernet HWaddr 00:26:9E:56:5E:67
inet addr:192.168.0.20 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::226:9eff:fe56:5e67/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:90312 errors:0 dropped:0 overruns:0 frame:0
TX packets:96139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13411552 (12.7 MiB) TX bytes:64148213 (61.1 MiB)
Interrupt:46 Base address:0x4000

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:69 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:12206 (11.9 KiB) TX bytes:252 (252.0 b)
********************************************************************************************

ifconfig on the client looks good to me:

*****************************************************

ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:306 errors:0 dropped:0 overruns:0 frame:0
TX packets:306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24861 (24.2 KiB) TX bytes:24861 (24.2 KiB)

p5p1 Link encap:Ethernet HWaddr 14:DA:E9:4A:1E:1D
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:46 Base address:0xc000

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

wlan1 Link encap:Ethernet HWaddr 00:C0:CA:32:45:68
inet addr:172.17.36.104 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::2c0:caff:fe32:4568/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:58772 errors:0 dropped:0 overruns:0 frame:0
TX packets:60346 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:41140831 (39.2 MiB) TX bytes:8483172 (8.0 MiB)
*********************************************************************************************

Thanks!

billo


 Post subject: Re: OK. I'm an idiot. I've read the HOWTO and still can't p
PostPosted: Thu Feb 16, 2012 2:37 pm 
I should be on the dev team.

Joined: Wed Jan 12, 2011 9:23 am
Posts: 1216
Location: Athens,Greece
Can you please post the output of:

iptables -L -v
iptables -L -t nat -v
sestatus

on your openvpn server.

PS: did you enable IP forwarding on the server?

Michael.

_________________
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Mitsubishi Evo IX Rules! (HKS EVC-S ,HKS GT extention+Hi-power409 ,HKS suction kit ,Walbro 255 ,Ecu reflash)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
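Michael's checklist (IP forwarding, the filter and nat tables) can be turned into a quick server-side audit. The script below is an added example, not code from this thread or from OpenVPN; it assumes the subnet and interface names from billo's post (10.8.0.0/24, tun0, p6p1) and runs its checks against constructed sample `iptables -S` output so it can be tried offline.

```shell
#!/bin/sh
# Audit of what a server needs before "push redirect-gateway"
# works: ip_forward on, the VPN subnet NATed out of the LAN
# interface, and a FORWARD chain that passes tun0 traffic.
VPN_NET="10.8.0.0/24"   # from "server 10.8.0.0 255.255.255.0"
LAN_IF="p6p1"           # server LAN interface from ifconfig
TUN_IF="tun0"

# $1: contents of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() { [ "$1" = "1" ]; }

# $1: output of `iptables -t nat -S`; true if the VPN subnet is
# MASQUERADEd or SNATed when it leaves the LAN interface.
nat_rule_present() {
    printf '%s\n' "$1" | grep -qE "^-A POSTROUTING -s $VPN_NET -o $LAN_IF -j (MASQUERADE|SNAT)"
}

# $1: output of `iptables -S FORWARD`; true if a rule accepts
# traffic arriving on tun0, or the policy is ACCEPT and there
# is no catch-all REJECT/DROP (the Fedora default ends in one).
forward_chain_allows_tun() {
    printf '%s\n' "$1" | grep -qE "^-A FORWARD -i $TUN_IF .*-j ACCEPT" && return 0
    printf '%s\n' "$1" | grep -q "^-P FORWARD ACCEPT" || return 1
    ! printf '%s\n' "$1" | grep -qE "^-A FORWARD -j (REJECT|DROP)"
}

# Prints what is missing; returns 0 only when all checks pass.
audit() {
    rc=0
    forwarding_enabled "$1" || { echo "ip_forward is 0: sysctl -w net.ipv4.ip_forward=1"; rc=1; }
    nat_rule_present "$2" || { echo "no MASQUERADE/SNAT for $VPN_NET on $LAN_IF"; rc=1; }
    forward_chain_allows_tun "$3" || { echo "FORWARD chain blocks traffic from $TUN_IF"; rc=1; }
    [ "$rc" -eq 0 ] && echo "forwarding prerequisites look OK"
    return "$rc"
}

# Constructed samples (not captured from the poster's box): a
# stock Fedora firewall, and the same box after the fix.
STOCK_NAT='-P POSTROUTING ACCEPT'
STOCK_FWD='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
FIXED_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o p6p1 -j MASQUERADE'
FIXED_FWD='-P FORWARD ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

audit 0 "$STOCK_NAT" "$STOCK_FWD" || true   # lists all three problems
audit 1 "$FIXED_NAT" "$FIXED_FWD"           # reports OK
```

On the live server, call it as `audit "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S)" "$(iptables -S FORWARD)"`; the static route added on the Linksys only lets LAN hosts reply to 10.8.0.x and does nothing if the server itself is not forwarding.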
