[SOLVED] openvpn route add not working
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Nov 10, 2011 5:07 pm
[SOLVED] openvpn route add not working
Hi,
I have installed an OpenVPN server on a Linux RedHat 5 machine, and my client is running on Windows XP.
Connecting the client to the server works fine and the client gets an IP address from the server without any problem, but I had to add routes on the client manually.
client configuration:
client
;dev tap
dev tun
;proto tcp
proto udp
remote 193.1.253.30 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
persist-key
ca ca.crt
cert test-client.crt
key test-client.key
verb 3
So I wanted to automate the route add on the client. For that I configured my server configuration as below:
server conf:
local 10.12.4.200
port 1194
# TCP or UDP server?
#proto tcp
proto udp
dev tun
server 10.12.4.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd/
ifconfig-pool-persist ipp.txt
keepalive 10 60
#comp-lzo
log openvpn.log
log-append openvpn.log
and in the ccd folder I have the file for my client, which I created manually:
route 10.12.64.0 255.255.255.0
route 10.12.8.0 255.255.255.0
route 10.12.9.0 255.255.255.0
route 10.12.10.0 255.255.255.0
route 10.12.11.0 255.255.255.0
route *.*.*.*.0 255.255.255.224
But if I use the above server config and the ccd folder, my client connects to the server and gets an IP address but does not add any routes; it is able to ping the server, and vice versa.
So again I changed my server config to the below:
local 10.12.4.200
port 1194
# TCP or UDP server?
#proto tcp
proto udp
dev tun
server 10.12.4.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd/
push "route 10.12.4.0 255.255.255.0"
push "route 10.12.64.0 255.255.255.0"
push "route 10.12.8.0 255.255.255.0"
push "route 10.12.9.0 255.255.255.0"
push "route 10.12.10.0 255.255.255.0"
push "route 10.12.11.0 255.255.255.0"
push "route 193.1.253.0 255.255.255.224"
ifconfig-pool-persist ipp.txt
keepalive 10 60
#comp-lzo
log openvpn.log
log-append openvpn.log
After using this configuration my client is able to connect to the server and gets an IP address from the server, but it is not able to ping the server and the server is not able to ping the client.
Moreover, my server's logs show nothing about any client connection.
I really need some help to resolve the issue.
Please let me know what I should do.
Thanks a lot!
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Nov 10, 2011 5:07 pm
Re: openvpn route add not working
a quick note:
I tried with "iroute" in the server.conf and "route" in the client's file in the ccd folder, but it does not make it add routes automatically to the client. It looks like the "client-config-dir /etc/openvpn/ccd/" is not working; the server is not using that folder!!
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: openvpn route add not working
inside a CCD file you can only use the 'iroute' statement which is used for OpenVPN internal purposes.
To make the VPN server route those subnets to that particular client you need to specify the corresponding 'route' statements in the global server configuration file.
A patch has been suggested to overcome this limitation, even though there are good reasons for having this limitation.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Nov 10, 2011 5:07 pm
Re: openvpn route add not working
Hi
thanks alot for your quick reply.
I have changed my configuration according to your suggestion:
server.conf:
local 10.12.4.200
port 1194
# TCP or UDP server?
#proto tcp
proto udp
dev tun
server 10.12.4.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd/
route 10.12.64.0 255.255.255.0
route 10.12.8.0 255.255.255.0
route 10.12.9.0 255.255.255.0
route 10.12.10.0 255.255.255.0
route 10.12.11.0 255.255.255.0
route *.*.*.0 255.255.255.224
ifconfig-pool-persist ipp.txt
keepalive 10 60
#comp-lzo
log openvpn.log
log-append openvpn.log
and in client file under ccd folder:
iroute 10.12.64.0 255.255.255.0
iroute 10.12.8.0 255.255.255.0
iroute 10.12.9.0 255.255.255.0
iroute 10.12.10.0 255.255.255.0
iroute 10.12.11.0 255.255.255.0
iroute 193.1.253.0 255.255.255.224
Then after starting my OpenVPN server it changes the routing table of the server and pushes the changes into the client routing table. But the client is not able to ping the server IP address. This is strange... the client is getting an IP from the server but the server and client are not able to ping each other. After this configuration changes the server's routing table, it stops my SSH session to the server.
Please advise me.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Nov 10, 2011 5:07 pm
Re: openvpn route add not working
All changed routes on the server have tun0 as gateway.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: openvpn route add not working
this combo
local 10.12.4.200
server 10.12.4.0 255.255.255.0
will never work - choose a different subnet for your VPN, as it cannot be the same as the subnet on which the server is listening.
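As an added illustration (not code from the thread or from the OpenVPN project), the two points janjust makes, that a 'route' line in a CCD file has no effect and only 'iroute' belongs there (with the matching 'route' in the global server config), and that the VPN pool must not overlap the subnet the server listens on, can be turned into a small pre-start config check. The sample server.conf and CCD file inside it are constructed from the thread's values:

```python
import ipaddress

# Constructed sample: listen address inside the VPN pool, one iroute without a
# global route, and a stray 'route' in the CCD file (all modelled on the thread).
SERVER_CONF = """\
local 10.12.4.200
port 1194
server 10.12.4.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/
route 10.12.64.0 255.255.255.0
"""
CCD_FILE = """\
iroute 10.12.64.0 255.255.255.0
iroute 10.12.8.0 255.255.255.0
route 10.12.9.0 255.255.255.0
"""

def parse(text):
    """Yield (directive, args) pairs, skipping blank lines and '#'/';' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = line.split()
            yield parts[0], parts[1:]

def net(args):
    """Turn 'network netmask' arguments into an ip_network object."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)

def check(server_conf, ccd_text):
    """Return the problems found, one string per finding, in file order."""
    problems = []
    directives = list(parse(server_conf))
    opts = dict(directives)
    global_routes = {net(a) for d, a in directives if d == "route"}
    # 1. The VPN pool ('server') must not contain the address the server listens on.
    if "local" in opts and "server" in opts:
        pool = net(opts["server"])
        if ipaddress.ip_address(opts["local"][0]) in pool:
            problems.append(f"listen address {opts['local'][0]} lies inside VPN pool {pool}")
    for d, a in parse(ccd_text):
        # 2. Only 'iroute' belongs in a CCD file; a 'route' line there has no effect.
        if d == "route":
            problems.append(f"'route {a[0]} {a[1]}' in CCD file has no effect; use iroute plus a global route")
        # 3. Every iroute needs a matching 'route' in the global server config.
        elif d == "iroute" and net(a) not in global_routes:
            problems.append(f"iroute {net(a)} has no matching 'route' in server.conf")
    return problems
```

Run check() against the real files before restarting the daemon; an empty list means none of the three mistakes from this thread is present.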
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Nov 10, 2011 5:07 pm
Re: openvpn route add not working
I will make the change and change all the firewall rules for the new subnet.
I will get back to you as soon as I am able to make those changes and test.
Thanks again.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Nov 10, 2011 5:07 pm
Re: openvpn route add not working
Hi
I have made the changes as you asked. I am using different subnet blocks for my VPN clients now. After allowing the new IP block in the firewall and with the above configuration it didn't work. Then I made the below change on my server configuration file:
local 10.12.4.200
port 1194
# TCP or UDP server?
#proto tcp
proto udp
dev tun
server 10.12.128.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd/
push "route 10.12.64.0 255.255.255.0"
push "route 10.12.2.0 255.255.255.0"
#route 10.12.9.0 255.255.255.0
#route 10.12.10.0 255.255.255.0
#route 10.12.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 60
#comp-lzo
log openvpn.log
log-append openvpn.log
After using the "push" command on the server my client is able to connect to the server with the routes being added automatically. That works out fine.
But whenever I connect another client to the server using new client keys/certs and the same ca.crt, the client gets a new IP address (10.12.128.*) from the server but the routes are not being added automatically to the new client. I have tried with a Windows VM as a client (living on my Mac) and also with Tunnelblick from my Mac, but none of them gets auto routes from the server. The client configurations are the same, with individual certs/keys. But the first client (Windows XP on a separate laptop) is always getting the routes whenever I connect it. I have created the client file under the ccd folder exactly the same as for the first client.
Am I doing the right thing using the push command? I have tried with route and iroute but they don't work. Why are my other clients only getting IPs from the server but not routes???
Any help is much appreciated. Please let me know.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Nov 10, 2011 5:07 pm
Re: openvpn route add not working
Hi,
I have removed the line "client-config-dir /etc/openvpn/ccd/" from the server configuration because I was not trying to assign a static IP to the client and the client doesn't need to push any subnet to the server. After that, restarting OpenVPN and connecting the client worked fine with individual IP addresses and routes.
Thanks very much for your help.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: openvpn route add not working
Things which get solved by themselves are the best ones.
Glad things are working now.
Closing topic.