help on routing

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

help on routing

Post by alex_carroll » Wed Feb 09, 2011 9:18 pm

Hello everyone, I'm new to OpenVPN and new to the forum, and my preferred language is not English. I read all the documentation, FAQ and guides and can't find a solution. Can you help me, please?
Many, many thanks, and I hope I do this post correctly.

Installed on Ubuntu Server 10
Office network: 10.10.0.0/16
OpenVPN box with 1 network card at 10.10.0.5/16
On the main router/firewall I forward the OpenVPN ports to 10.10.0.5 (1194 UDP, 443 and 943).
The goal is to set up an OpenVPN connection for Snom 821 IP phones or a Windows client. They must reach the office network and must be reachable by the administrator to manage the client computer or IP phones. I can connect the phone, and I see in the log that the phone is connected, but I cannot ping the phone from the office network, although I can ping it from the OpenVPN box. What am I doing wrong?

The steps I followed:

apt-get install openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
touch /etc/openvpn/server.conf

Edit server.conf

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 5.5.0.0 255.255.0.0
client-config-dir ccd
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 6

create route on the main router to reach the network 5.5.0.0 on the openvpn box

Create workspace for certificates
mkdir /etc/openvpn/client-config
mkdir /etc/openvpn/client-config/tmp

create tunnel config
touch /etc/openvpn/client-config/vpn.cnf

Edit vpn.cnf

client
dev tun
proto udp
remote server-adress 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
ns-cert-type server
verb 0
ping 10
ping-restart 60


edit /etc/openvpn/easy-rsa/vars
change export KEY_DIR="$EASY_RSA/keys"
to KEY_DIR="$EASY_RSA/../keys"


create certificates

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client

Restart openvpn server
/etc/init.d/openvpn restart


Create phone tarball

cp /etc/openvpn/client-config/vpn.cnf /etc/openvpn/client-config/tmp/
cp /etc/openvpn/keys/client.crt /etc/openvpn/client-config/tmp/client.crt
cp /etc/openvpn/keys/client.key /etc/openvpn/client-config/tmp/client.key
cp /etc/openvpn/keys/ca.crt /etc/openvpn/client-config/tmp/ca.crt
cd /etc/openvpn/client-config/tmp/
chown -Rf root:root *
chmod -R 700 *
tar cvpf client.tar *

I provide the tar to the phone through a web server and it works. The phone installs the config file and reboots on it. The connection works, but the phone does not seem to be able to see the office network; only the OpenVPN box seems to be reachable.

Thanks again.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: help on routing

Post by maikcat » Thu Feb 10, 2011 8:03 am

hi there,

1) you don't write the contents (if any) of the ccd file
2) try adding push "route 10.10.0.0 255.255.0.0" inside the server config
3) enable IP forwarding on the OpenVPN server (Ubuntu)

tell us if the above helped.

cheers,
michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

Re: help on routing

Post by alex_carroll » Wed Feb 16, 2011 7:47 pm

Hello
I enabled IP forwarding persistently this time and now I can ping, from my office, client1 on the VPN at address 5.5.0.6. I can also ping 5.5.0.1, the network card address. Client1 can ping the 10.10.0.0 network and can ping 5.5.0.1, but nothing else works; I mean I can't do \\5.5.0.6\c$ or an RDP (mstsc) connection from the office to the client. Windows firewall is disabled on the client.
I created a folder named ccd in /etc/openvpn/. Do I need to give the path as client-config-dir /etc/openvpn/ccd or client-config-dir ccd?
I placed a file named client1 there and put this inside:
push "route 10.10.0.0 255.255.0.0"
Is this the correct way to set this? No gateway?

I found this: push "dhcp-option DNS 10.10.100.100"
Is it possible to set a gateway?

Same question for ifconfig-pool-persist ipp.txt
Is it ifconfig-pool-persist /etc/openvpn/ipp.txt or ifconfig-pool-persist ipp.txt?
In this file I have client1,5.5.0.4 but this client always receives 5.5.0.6, and if I look at the details of the interface I see the DHCP server is 5.5.0.5, but I have nothing at this address.

ifconfig on the server
eth0 Link encap:Ethernet HWaddr 00:11:2f:74:12:cc
inet addr:10.10.0.5 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::211:2fff:fe74:12cc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4381 errors:0 dropped:0 overruns:0 frame:0
TX packets:547 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:431924 (431.9 KB) TX bytes:59791 (59.7 KB)
Interrupt:22

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:88 (88.0 B) TX bytes:88 (88.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.0.1 P-t-P:5.5.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:237 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:17312 (17.3 KB) TX bytes:5612 (5.6 KB)

on the server if I do route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
5.5.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0
5.5.0.0 5.5.0.2 255.255.0.0 UG 0 0 0 tun0
default 10.10.0.10 0.0.0.0 UG 100 0 0 eth0

server.conf
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 5.5.0.0 255.255.0.0
client-config-dir ccd
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.10.100.100"
push "dhcp-option DOMAIN domain.local"
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 9

client.conf
client
dev tun
proto udp
remote remote-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
ns-cert-type server
verb 0
ping 10
ping-restart 6

This is the log from client using securepoint ssl vpn.

Wed Feb 16 14:39:22 2011 SENT CONTROL [hgpgateway]: 'PUSH_REQUEST' (status=1)
Wed Feb 16 14:39:22 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.100.100,dhcp-option DOMAIN domain.local,route 5.5.0.0 255.255.0.0,topology net30,ping 10,ping-restart 120,route 10.10.0.0 255.255.0.0,ifconfig 5.5.0.6 5.5.0.5'
Wed Feb 16 14:39:22 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 16 14:39:22 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 16 14:39:22 2011 OPTIONS IMPORT: route options modified
Wed Feb 16 14:39:22 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified


Wed Feb 16 14:39:22 2011 ROUTE default_gateway=192.168.20.1
Wed Feb 16 14:39:22 2011 TAP-WIN32 device [Local Area Connection 6] opened: \\.\Global\{B09DF136-C6B0-4440-813A-4C71083B6566}.tap
Wed Feb 16 14:39:22 2011 TAP-Win32 Driver Version 9.4
Wed Feb 16 14:39:22 2011 TAP-Win32 MTU=1500
Wed Feb 16 14:39:22 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 5.5.0.6/255.255.255.252 on interface {B09DF136-C6B0-4440-813A-4C71083B6566} [DHCP-serv: 5.5.0.5, lease-time: 31536000]
Wed Feb 16 14:39:22 2011 Successful ARP Flush on interface [3] {B09DF136-C6B0-4440-813A-4C71083B6566}


Wed Feb 16 14:39:24 2011 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Feb 16 14:39:24 2011 Route: Waiting for TUN/TAP interface to come up...


Wed Feb 16 14:39:27 2011 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Feb 16 14:39:27 2011 Route: Waiting for TUN/TAP interface to come up...


Wed Feb 16 14:39:28 2011 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Feb 16 14:39:28 2011 Route: Waiting for TUN/TAP interface to come up...


Wed Feb 16 14:39:29 2011 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up


Wed Feb 16 14:39:29 2011 C:\WINDOWS\system32\route.exe ADD 5.5.0.0 MASK 255.255.0.0 5.5.0.5
Wed Feb 16 14:39:29 2011 C:\WINDOWS\system32\route.exe ADD 10.10.0.0 MASK 255.255.0.0 5.5.0.5


Wed Feb 16 14:39:29 2011 Initialization Sequence Completed



Thanks

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: help on routing

Post by maikcat » Thu Feb 17, 2011 8:09 am

hi there,

>I enable ip forwarding persistent this time and now I can ping from my office, the client1 on the vpn at address 5.5.0.6. I can also ping 5.5.0.1 the network card address. Client1 can ping 10.10.0.0 network and can ping 5.5.0.1 but nothing else work I mean I can’t do \\5.5.0.6\c$ or a rdp (mstsc) connection from the office to client. windows firewall is disable on the client.

if you try to connect FROM the vpn client to your lan, it doesn't work? e.g. ssh to your ubuntu fails?
or if you try to access your client from the vpn, it fails..?
BTW, does the ubuntu have iptables on or off?

>I create a folder named ccd in /etc/openvpn/ Do I need to give the path client-config-dir /etc/openvpn/ccd or client-config-dir ccd

absolute pathnames, I believe, are better...

>I place a file named client1 and put this inside
>push "route 10.10.0.0 255.255.0.0"
>It is the correct way to set this? no gateway?

yep

your configs seem ok...

cheers,

michael

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

Re: help on routing

Post by alex_carroll » Thu Feb 17, 2011 8:08 pm

Hello
The client can ping the 10.10.0.0 network and can do ssh to the OpenVPN server. The server and the 10.10.0.0 network can ping the client, but the 10.10.0.0 network cannot access files on the client or do remote desktop. The client cannot access files on the 10.10.0.0 network or do remote desktop.

I added the full path for ccd and ipp.txt
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /etc/openvpn/ipp.txt

>>>>>>the client always obtains the 5.5.0.6 IP address but ipp.txt sets this client to 5.5.0.4. Is it normal to have a different IP than in ipp.txt?

Iptables is open I think. iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source

>>>>>>>How to turn off for testing?

On the client I see in the Securepoint SSL VPN log
push "route 10.10.0.0 255.255.0.0 5.5.0.5"
It seems to push the route, but the gateway 5.5.0.5 seems to be wrong:
ifconfig on the server shows tun0 has the IP address 5.5.0.1, not 5.5.0.5

eth0 Link encap:Ethernet HWaddr 00:11:2f:74:12:cc
inet addr:10.10.0.5 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::211:2fff:fe74:12cc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47132 errors:0 dropped:0 overruns:0 frame:0
TX packets:2463 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4580037 (4.5 MB) TX bytes:275146 (275.1 KB)
Interrupt:22

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:88 (88.0 B) TX bytes:88 (88.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.0.1 P-t-P:5.5.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:889 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:69953 (69.9 KB) TX bytes:672 (672.0 B)

>>>>>the route 5.5.0.0 has the gateway 5.5.0.2????

route on server
Destination Gateway Genmask Flags Metric Ref Use Iface
5.5.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0
5.5.0.0 5.5.0.2 255.255.0.0 UG 0 0 0 tun0
default 10.10.0.10 0.0.0.0 UG 100 0 0 eth0

>>>>>>>>route print on client: route 5.5.0.0 has gateway 5.5.0.5?????
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.20.1 192.168.20.121 20
> 5.5.0.0 255.255.0.0 5.5.0.5 5.5.0.6 1
5.5.0.4 255.255.255.252 5.5.0.6 5.5.0.6 30
5.5.0.6 255.255.255.255 127.0.0.1 127.0.0.1 30
5.255.255.255 255.255.255.255 5.5.0.6 5.5.0.6 30
> 10.10.0.0 255.255.0.0 5.5.0.5 5.5.0.6 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.20.0 255.255.255.0 192.168.20.121 192.168.20.121 20
192.168.20.121 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.20.255 255.255.255.255 192.168.20.121 192.168.20.121 20
224.0.0.0 240.0.0.0 5.5.0.6 5.5.0.6 30
224.0.0.0 240.0.0.0 192.168.20.121 192.168.20.121 20
255.255.255.255 255.255.255.255 5.5.0.6 5.5.0.6 1
255.255.255.255 255.255.255.255 192.168.20.121 192.168.20.121 1
Default Gateway: 192.168.20.1

thanks Michael

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: help on routing

Post by janjust » Fri Feb 18, 2011 9:50 am

>>>>>>the client always obtain 5.5.0.6 ip address but ipp.txt set this client to 5.5.0.4. It is normal to have different ip than ipp.txt?

this is normal for an 'ipp.txt' file when 'topology net30' is used, which is the default. Each client is allocated a mini /30 network containing 4 addresses:
- 5.5.0.4: the network address; this is recorded in ipp.txt
- 5.5.0.5: the virtual remote endpoint; it must be present but it is not reachable
- 5.5.0.6: the client VPN IP address
- 5.5.0.7: the mini network broadcast address

>>>>>>>How to turn off for testing?

it's pretty much disabled, no need to turn it off any further

>on the client I see in securepoint ssl vpn log
>push "route 10.10.0.0 255.255.0.0 5.5.0.5"
>it seems to push the route but the gateway seems to be wrong 5.5.0.5
>ifconfig on server tun0 have 5.5.0.1 ip address not 5.5.0.5

the 5.5.0.5 address is the virtual endpoint address - this is normal and must NOT be altered

>>>>>the route 5.5.0.0 have the gateway 5.5.0.2????

again, this is normal behaviour in 'topology net30' mode

>>>>>>>>route print on client route 5.5.0.0 have gateway 5.5.0.5?????

again, this is normal behaviour (see above).

There are two things to check:
- is IP forwarding enabled on the server:

    cat /proc/sys/net/ipv4/ip_forward

If not, enable it:

    echo 1 > /proc/sys/net/ipv4/ip_forward

- do the hosts on the 10.10.0.0 network know that packets with a source IP address of 5.5.0.0 need to go back to the VPN server? Is there a default route on the 10.10.0.0 gateway? A quick & dirty hack is to use iptables masquerading:

    iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

HTH,

JJK
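
The net30 layout described in the post above, as an added example that is not part of the original thread: it expands the ipp.txt entry into its /30 and checks it against the `ifconfig` option of the PUSH_REPLY quoted earlier in the thread. The function names are hypothetical; the addresses are the ones posted.

```python
import ipaddress

# Values quoted in the thread: the ipp.txt entry and the PUSH_REPLY from the client log.
IPP_LINE = "client1,5.5.0.4"
PUSH_REPLY = ("PUSH_REPLY,dhcp-option DNS 10.10.100.100,dhcp-option DOMAIN domain.local,"
              "route 5.5.0.0 255.255.0.0,topology net30,ping 10,ping-restart 120,"
              "route 10.10.0.0 255.255.0.0,ifconfig 5.5.0.6 5.5.0.5")


def net30_slot(base):
    """Expand the /30 base address stored in ipp.txt into its four roles."""
    # strict=True rejects an address that is not on a /30 boundary (e.g. 5.5.0.6),
    # which catches the mistake of writing the client IP into ipp.txt.
    net = ipaddress.ip_network(f"{base}/30", strict=True)
    network, endpoint, client, broadcast = (str(addr) for addr in net)
    return {"network": network, "virtual_endpoint": endpoint,
            "client": client, "broadcast": broadcast}


def pushed_ifconfig(push_reply):
    """Return (local, remote) from the 'ifconfig' option of a PUSH_REPLY string."""
    for option in push_reply.split(","):
        words = option.split()
        if len(words) == 3 and words[0] == "ifconfig":
            return words[1], words[2]
    raise ValueError("no ifconfig option in PUSH_REPLY")


def explain(ipp_line, push_reply):
    """Check that the pushed addresses are the ones the ipp.txt entry implies."""
    name, base = ipp_line.strip().split(",")[:2]
    slot = net30_slot(base)
    local, remote = pushed_ifconfig(push_reply)
    consistent = (local, remote) == (slot["client"], slot["virtual_endpoint"])
    return {"client_name": name, "slot": slot, "consistent": consistent}


if __name__ == "__main__":
    result = explain(IPP_LINE, PUSH_REPLY)
    for role, addr in result["slot"].items():
        print(f"{role:17s} {addr}")
    print("PUSH_REPLY matches ipp.txt:", result["consistent"])
```

The client's routes point at the virtual endpoint (5.5.0.5) because that is the remote side of its own /30, not because the server's tun0 address changed.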

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

Re: help on routing

Post by alex_carroll » Mon Feb 21, 2011 2:01 pm

Hello
What I want to do is set up a VPN server to connect my client PCs and IP phone (Snom 821) to the corporate office network. We have a router connected to the internet on the WAN port, and on the LAN side we have the 10.10.0.0 network. On this network I have an OpenVPN server at address 10.10.0.5. Port forwarding is set up on the main router to forward the OpenVPN port to 10.10.0.5.

Clients connect from home and usually have a 192.168.0.x address behind their home router. Clients connect to the server, obtain an IP of 5.5.0.x and are able to ping and do ssh to the OpenVPN server at 10.10.0.5. They are able to ping every server on the 10.10.0.0 network but can't access files or do ssh on these servers.

If I ping the client (5.5.0.6) from my office, it works, but I can't access files on the client or do remote desktop (example: \\5.5.0.6\c$). No firewall on the client. The client uses Securepoint SSL VPN to connect.

I added a route on the main router for 5.5.0.0 redirecting to 10.10.0.5. So the 10.10.0.0 network knows where the 5.5.0.0 network is, and IP forwarding is enabled on the server.

If I do this: iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
it works; the client can access other servers on the 10.10.0.0 network, but I can't access the client.

Is it possible to do what I want to do?
The first goal is to connect the Snom 821 phone to the server at 10.10.100.140,
the second is to be able to manage the phone and the PC from the office.

Here is the config stuff, if it can help.
Thank you very much

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 5.5.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "dhcp-option DNS 10.10.100.100"
push "dhcp-option DOMAIN domain.local"
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
comp-lzo
verb 9


ccd file

push "route 10.10.0.0 255.255.0.0"


iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



ifconfig on openvpn server

eth0 Link encap:Ethernet HWaddr 00:11:2f:74:12:cc
inet addr:10.10.0.5 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::211:2fff:fe74:12cc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9533 errors:0 dropped:0 overruns:0 frame:0
TX packets:274 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:951366 (951.3 KB) TX bytes:77263 (77.2 KB)
Interrupt:22

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:88 (88.0 B) TX bytes:88 (88.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.244.0.1 P-t-P:10.244.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Thanks

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: help on routing

Post by janjust » Mon Feb 21, 2011 2:26 pm

the fact that, with masquerading, you can reach the server from the client but not vice versa makes sense.
If you want to reach the clients from the server then you need to properly set up routing: the machines on the server-side LAN need to know that the network 5.5.0.0/24 is to be routed via the openvpn server. If you configure this properly then no masquerading is needed.

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

Re: help on routing

Post by alex_carroll » Mon Feb 21, 2011 2:44 pm

OK, so with my actual setup it's supposed to already work?
I have already made a route to 5.5.0.0, because I can ping the client from the office network... what's wrong?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: help on routing

Post by janjust » Mon Feb 21, 2011 2:54 pm

your server 'ifconfig' output in your latest posting shows

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.244.0.1 P-t-P:10.244.0.2 Mask:255.255.255.255

so something is out of whack here - check your setup.
*IF* the return route is set correctly it should work without using masquerading.

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

Re: help on routing

Post by alex_carroll » Mon Feb 21, 2011 2:59 pm

This was just a try with another set of addresses.
Now it's 5.5.0.0. If I can ping the client at 5.5.0.6 from the office network 10.10.10.97, I think routing is OK?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: help on routing

Post by janjust » Mon Feb 21, 2011 3:17 pm

without masquerading, yes.
Also, check the reverse.

BTW I don't think you'll be able to reach a client connecting via another VPN protocol but you might get lucky.

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

Re: help on routing

Post by alex_carroll » Mon Feb 21, 2011 3:27 pm

Reverse? The client can ping the 10.10.0.0 network. Is that what you mean?
You say another VPN protocol; are you talking about Securepoint?
I use Windows XP and Windows 7; what client should I use? And how do I create the .ovpn from my Linux OpenVPN box?
Do you have experience with the Snom 821 IP phone?
Thanks for your help

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: help on routing

Post by janjust » Mon Feb 21, 2011 3:32 pm

* if the client can ping the 10.10.0.0 network, does it also mean that a host on the 10.10.0.0 network can ping the client? (sometimes this does not work due to firewalls or NATting).

* Yes, I was talking about the securepoint SSL VPN client.

* And the client can be windows XP, 7 or Linux.

* Nope I have zero experience with the ipphone snom 821

alex_carroll
OpenVpn Newbie
Posts: 10
Joined: Wed Feb 09, 2011 8:37 pm

Re: help on routing

Post by alex_carroll » Wed Mar 02, 2011 9:13 pm

Hello
Now everything works fine. The problem was the route to the VPN network. I added a route on the main router but it was not enough. I added the route to all servers in the office network and now it works. I can do remote desktop from both sides.

The client software Securepoint SSL VPN works fine too.
The IP phone Snom 821 works too.

Thank you very much for your help. :D
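
The return-route check that resolved this thread, as an added example that is not part of the original posts: it parses `route`-style output in the format shown earlier and reports which next hop a host would use to reply to a VPN client. The host routing tables are constructed (none was posted for an office host), and the assumption that office hosts use 10.10.0.10 as default gateway is taken from the OpenVPN box's own table.

```python
import ipaddress

VPN_SERVER = "10.10.0.5"   # OpenVPN box on the office LAN (from the thread)
VPN_CLIENT = "5.5.0.6"     # VPN client address (from the thread)

# Constructed sample: an office host before the fix, same layout as `route` output.
HOST_BEFORE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0
default 10.10.0.10 0.0.0.0 UG 100 0 0 eth0
"""
# Constructed sample: the same host after adding a route for the VPN network.
HOST_AFTER = HOST_BEFORE + "5.5.0.0 10.10.0.5 255.255.255.0 UG 0 0 0 eth0\n"


def parse_route_table(text):
    """Return a list of (network, gateway or None, interface) tuples."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # title line, column header or garbage
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        # '*' (or 0.0.0.0 with `route -n`) means directly connected, no gateway.
        gateway = None if gw in ("*", "0.0.0.0") else str(ipaddress.ip_address(gw))
        routes.append((net, gateway, iface))
    return routes


def next_hop(routes, destination):
    """Longest-prefix match, as the kernel does; None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def return_route_status(table_text, client_ip=VPN_CLIENT, vpn_server=VPN_SERVER):
    """Classify how a host would send its replies to a VPN client."""
    hop = next_hop(parse_route_table(table_text), client_ip)
    if hop is None:
        return "unreachable"
    _net, gateway, _iface = hop
    if gateway is None:
        return "on-link"          # host thinks the client is on its own segment
    if gateway == vpn_server:
        return "direct"           # replies go straight to the OpenVPN box
    return f"via {gateway}"       # replies depend on another router forwarding them


if __name__ == "__main__":
    print("before:", return_route_status(HOST_BEFORE))
    print("after: ", return_route_status(HOST_AFTER))
```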
