Lan to Lan tun Problems

alext
OpenVPN User
Posts: 13
Joined: Mon Apr 28, 2014 4:08 am

Lan to Lan tun Problems

Post by alext » Sat May 03, 2014 4:49 am

Hi all

I have an OpenVPN tunnel set up between two networks. The setup is working to a point; here is what's happening:

1) I cannot ping anything on the server lan (192.168.1.0) from the client's lan (192.168.3.0)
2) I can ping anything on the server lan (192.168.1.0) from the client itself (eth0 - 192.168.3.254, tun0 - 10.8.0.10)
3) I cannot ping anything on the client lan (192.168.3.0) from the server itself (eth0 - 192.168.1.1, tun0 - 10.8.0.1)
4) I cannot ping anything on the client lan (192.168.3.0) from the server lan (192.168.1.0)

The OpenVPN server is not the default host on its LAN, but the router (192.168.1.254) forwards the following to it (10.8.0.0, 192.168.3.0), hence the server LAN replies to pings from the client.

Here is my server routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.3.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

Here is my client routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.64.64.64     0.0.0.0         UG    0      0        0 3g-wan
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 3g-wan
192.168.1.0     10.8.0.9        255.255.255.0   UG    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Here is the output of tcpdump -i tun0 on the server when I ping the client from the server itself (this doesn't work); tcpdump -i tun0 on the client is unchanged:

$ ping 192.168.3.234
...
12:29:13.431174 IP 10.8.0.1 > 192.168.3.234: ICMP echo request, id 3097, seq 1, length 64
12:29:14.430747 IP 10.8.0.1 > 192.168.3.234: ICMP echo request, id 3097, seq 2, length 64
12:29:15.430736 IP 10.8.0.1 > 192.168.3.234: ICMP echo request, id 3097, seq 3, length 64
12:29:16.430739 IP 10.8.0.1 > 192.168.3.234: ICMP echo request, id 3097, seq 4, length 64

Here is the output of tcpdump -i tun0 on the client when I ping the server from the client itself (this works):

$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56 bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=545.421 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=979.658 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=569.381 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=509.185 ms
...
12:31:35.200868 IP 10.8.0.10 > 192.168.1.1: ICMP echo request, id 3286, seq 4, length 64
12:31:35.647585 IP 192.168.1.1 > 10.8.0.10: ICMP echo reply, id 3286, seq 4, length 64

I have forwarding enabled on the server and the client:

$ cat /proc/sys/net/ipv4/ip_forward
1

Here is my OpenVPN server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mom_server.crt
key /etc/openvpn/keys/mom_server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd  #contains "iroute 192.168.3.0 255.255.255.0" in client1 file
client-to-client
route 192.168.3.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
chroot /etc/openvpn
group nogroup
daemon
up ./openvpn.up # this is empty at the moment
persist-key
persist-tun
status openvpn-status.log
verb 3

There is some routing problem, but I have been unable to fix this for days.

Any help would be greatly appreciated.
Alex


Re: Lan to Lan tun Problems

Post by alext » Sat May 03, 2014 2:13 pm

I have followed this HOWTO already

http://openvpn.net/index.php/open-sourc ... html#scope

I have checked all the steps for the section on Including multiple machines on the client side when using a routed VPN (dev tun)

I have included the routing table of both the client and server in the first post, as can be seen the routing rules are being implemented on the client side.
I have since changed the server.config to include:

client-to-client

This changed the client routing table to:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.64.64.64     0.0.0.0         UG    0      0        0 3g-wan
10.8.0.0        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 3g-wan
192.168.1.0     10.8.0.9        255.255.255.0   UG    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

As the 10.8.0.1 address has changed to 10.8.0.0, the changes are working.

Please look at the tcpdumps above; they show how the network is behaving.

My client side is a Linux-based 3G router; there may be some other step I need to do on it, some firewall config or something. I am not sure what to look at to find what is causing the problem.


Re: Lan to Lan tun Problems

Post by alext » Sun May 04, 2014 3:12 am

From server.conf:

client-config-dir /etc/openvpn/ccd

$: /etc/openvpn/ccd$ ls
flexo_client

$: cat /etc/openvpn/ccd/flexo_client
iroute 192.168.3.0 255.255.255.0

This is an excerpt from the syslog on the server; I have modified the IP address and personal details of the client:

May  4 10:33:09 mom openvpn[1641]: flexo_client/x.x.x.x:34613 TLS: tls_process: killed expiring key
May  4 10:33:15 mom openvpn[1641]: flexo_client/x.x.x.x:34613 TLS: soft reset sec=0 bytes=36856/0 pkts=702/0
May  4 10:33:21 mom openvpn[1641]: flexo_client/x.x.x.x:34613 VERIFY OK: depth=1, <Removed Info>, name=flexo_client, <Removed Info>
May  4 10:33:21 mom openvpn[1641]: flexo_client/x.x.x.x:34613 VERIFY OK: depth=1, <Removed Info>, name=flexo_client, <Removed Info>
May  4 10:33:22 mom openvpn[1641]: flexo_client/x.x.x.x:34613 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:33:22 mom openvpn[1641]: flexo_client/x.x.x.x:34613 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:33:22 mom openvpn[1641]: flexo_client/x.x.x.x:34613 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:33:22 mom openvpn[1641]: flexo_client/x.x.x.x:34613 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:33:23 mom openvpn[1641]: flexo_client/x.x.x.x:34613 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

May  4 10:57:16 mom openvpn[1641]: x.x.x.x:54743 TLS: Initial packet from [AF_INET]x.x.x.x:54743, sid=6f57d686 b3b48d23
May  4 10:57:20 mom openvpn[1641]: x.x.x.x:54743 VERIFY OK: depth=1, <Removed Info>, CN=mom_server, name=mom_server, <Removed Info>
May  4 10:57:20 mom openvpn[1641]: x.x.x.x:54743 VERIFY OK: depth=0, <Removed Info>, CN=flexo_client, name=flexo_client, <Removed Info>
May  4 10:57:22 mom openvpn[1641]: x.x.x.x:54743 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:57:22 mom openvpn[1641]: x.x.x.x:54743 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:57:22 mom openvpn[1641]: x.x.x.x:54743 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:57:22 mom openvpn[1641]: x.x.x.x:54743 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:57:22 mom openvpn[1641]: x.x.x.x:54743 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May  4 10:57:22 mom openvpn[1641]: x.x.x.x:54743 [flexo_client] Peer Connection Initiated with [AF_INET]x.x.x.x:54743
May  4 10:57:22 mom openvpn[1641]: MULTI: new connection by client 'flexo_client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
May  4 10:57:22 mom openvpn[1641]: MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
May  4 10:57:22 mom openvpn[1641]: MULTI: Learn: 10.8.0.10 -> flexo_client/x.x.x.x:54743
May  4 10:57:22 mom openvpn[1641]: MULTI: primary virtual IP for flexo_client/x.x.x.x:54743: 10.8.0.10
May  4 10:57:24 mom openvpn[1641]: flexo_client/x.x.x.x:54743 PUSH: Received control message: 'PUSH_REQUEST'
May  4 10:57:24 mom openvpn[1641]: flexo_client/x.x.x.x:54743 send_push_reply(): safe_cap=940
May  4 10:57:24 mom openvpn[1641]: flexo_client/x.x.x.x:54743 SENT CONTROL [flexo_client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)

This is an excerpt from the syslog on the client just after reconnect; I have modified the IP address and personal details:

May  4 10:33:09 daemon.notice GW2022 openvpn(flexo_client)[26208]: TLS: tls_process: killed expiring key
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: VERIFY OK: depth=1, <Removed Info>, CN=mom_server, name=mom_server, <Removed Info>
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: VERIFY OK: nsCertType=SERVER
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: Validating certificate key usage
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: ++ Certificate has key usage  00a0, expects 00a0
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: VERIFY KU OK
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: Validating certificate extended key usage
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: VERIFY EKU OK
May  4 10:33:19 daemon.notice GW2022 openvpn(flexo_client)[26208]: VERIFY OK: depth=0, <Removed Info>, CN=mom_server, name=mom_server, <Removed Info>
May  4 10:33:23 daemon.notice GW2022 openvpn(flexo_client)[26208]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:33:23 daemon.notice GW2022 openvpn(flexo_client)[26208]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:33:23 daemon.notice GW2022 openvpn(flexo_client)[26208]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:33:23 daemon.notice GW2022 openvpn(flexo_client)[26208]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:33:23 daemon.notice GW2022 openvpn(flexo_client)[26208]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA


May  4 10:57:10 daemon.err GW2022 openvpn(flexo_client)[26208]: event_wait : Interrupted system call (code=4)
May  4 10:57:11 daemon.notice GW2022 openvpn(flexo_client)[26208]: /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
May  4 10:57:11 daemon.warn GW2022 openvpn(flexo_client)[26208]: ERROR: Linux route delete command failed: external program exited with error status: 1
May  4 10:57:11 daemon.notice GW2022 openvpn(flexo_client)[26208]: /sbin/route del -net 192.168.1.0 netmask 255.255.255.0
May  4 10:57:11 daemon.warn GW2022 openvpn(flexo_client)[26208]: ERROR: Linux route delete command failed: external program exited with error status: 1
May  4 10:57:11 daemon.notice GW2022 openvpn(flexo_client)[26208]: Closing TUN/TAP interface
May  4 10:57:11 daemon.notice GW2022 openvpn(flexo_client)[26208]: /sbin/ifconfig tun0 0.0.0.0
May  4 10:57:11 daemon.notice GW2022 openvpn(flexo_client)[26208]: SIGTERM[hard,] received, process exiting
May  4 10:57:16 daemon.notice GW2022 openvpn(flexo_client)[5812]: OpenVPN 2.3.2 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 27 2014
May  4 10:57:16 daemon.warn GW2022 openvpn(flexo_client)[5812]: WARNING: file '/etc/openvpn/flexo_client.key' is group or others accessible
May  4 10:57:16 daemon.notice GW2022 openvpn(flexo_client)[5812]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May  4 10:57:16 daemon.notice GW2022 openvpn(flexo_client)[5812]: UDPv4 link local: [undef]
May  4 10:57:16 daemon.notice GW2022 openvpn(flexo_client)[5812]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
May  4 10:57:16 daemon.notice GW2022 openvpn(flexo_client)[5812]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=e86fb43f 4cbde448
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: VERIFY OK: depth=1, <Removed Info>, CN=mom_server, name=mom_server, <Removed Info>
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: VERIFY OK: nsCertType=SERVER
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: Validating certificate key usage
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: ++ Certificate has key usage  00a0, expects 00a0
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: VERIFY KU OK
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: Validating certificate extended key usage
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: VERIFY EKU OK
May  4 10:57:19 daemon.notice GW2022 openvpn(flexo_client)[5812]: VERIFY OK: depth=0, <Removed Info>, CN=mom_server, name=mom_server, <Removed Info>
May  4 10:57:22 daemon.notice GW2022 openvpn(flexo_client)[5812]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:57:22 daemon.notice GW2022 openvpn(flexo_client)[5812]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:57:22 daemon.notice GW2022 openvpn(flexo_client)[5812]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 10:57:22 daemon.notice GW2022 openvpn(flexo_client)[5812]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 10:57:22 daemon.notice GW2022 openvpn(flexo_client)[5812]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May  4 10:57:22 daemon.notice GW2022 openvpn(flexo_client)[5812]: [mom_server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: SENT CONTROL [mom_server]: 'PUSH_REQUEST' (status=1)
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: OPTIONS IMPORT: timers and/or timeouts modified
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: OPTIONS IMPORT: --ifconfig/up options modified
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: OPTIONS IMPORT: route options modified
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: TUN/TAP device tun0 opened
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: TUN/TAP TX queue length set to 100
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: /sbin/ifconfig tun0 10.8.0.10 pointopoint 10.8.0.9 mtu 1500
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.9
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.9
May  4 10:57:25 daemon.notice GW2022 openvpn(flexo_client)[5812]: Initialization Sequence Completed


Re: Lan to Lan tun Problems

Post by alext » Tue May 06, 2014 2:57 am

Here is a, hopefully, explanatory image of what my set-up is doing at the moment.

Image

I need all the red paths to be green. So far only the OpenVPN client itself can access everything.


Re: Lan to Lan tun Problems

Post by alext » Tue May 06, 2014 4:14 am

Image


Re: Lan to Lan tun Problems

Post by alext » Tue May 06, 2014 6:53 am

I have confirmed that the problem is that the Server is not routing the traffic for the Client's network to the tun0 connection. This should be working as per: route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.3.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.4.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

If I ping 192.168.3.254 on the server, I see the following in tcpdump -i tun0 on the server:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
14:48:33.573742 IP 10.8.0.1 > 192.168.3.254: ICMP echo request, id 19833, seq 1, length 64
14:48:34.573013 IP 10.8.0.1 > 192.168.3.254: ICMP echo request, id 19833, seq 2, length 64
14:48:35.582059 IP 10.8.0.1 > 192.168.3.254: ICMP echo request, id 19833, seq 3, length 64
14:48:36.590042 IP 10.8.0.1 > 192.168.3.254: ICMP echo request, id 19833, seq 4, length 64
14:48:37.598066 IP 10.8.0.1 > 192.168.3.254: ICMP echo request, id 19833, seq 5, length 64

I have confirmed that the client receives absolutely nothing of this data, on either the tun0 interface or its external connection.


Re: Lan to Lan tun Problems

Post by alext » Tue May 06, 2014 4:50 pm

Yes, I have added the routing rules to my default gateway on the server's network; this forwards all traffic for the 10.8.0.0/24, 192.168.3.0/24 and 192.168.4.0/24 subnets to the server (192.168.1.1). I have confirmed this is working, as my client can ping another machine on the server's LAN (192.168.1.4).

The client is the default gateway on its own LAN.


Re: Lan to Lan tun Problems

Post by alext » Tue May 06, 2014 5:22 pm

I have just rechecked, and yes both the server and client have forwarding enabled.


Re: Lan to Lan tun Problems

Post by alext » Tue May 06, 2014 5:31 pm

The output of ip route get on the client follows:

$ ip route get 10.8.0.1
10.8.0.1 via 10.8.0.9 dev tun0  src 10.8.0.10 
    cache  ipid 0x9b2f

$ ip route get 192.168.1.1
192.168.1.1 via 10.8.0.9 dev tun0  src 10.8.0.10 
    cache

I'm not sure if this means anything.


Re: Lan to Lan tun Problems

Post by alext » Wed May 07, 2014 3:28 am

I have confirmed that ip-forwarding is working on the client. I did this by using it to route from one subnet to another directly between two interfaces (not over the tun). This works.

I think the problem is on the server side.

With Wireshark I watched the traffic and can confirm that an attempt to ping the client's eth0 or eth1 address through the tunnel from the server does not generate any traffic between the two public IPs of the server and client. The same action from the client does work, and I can see the traffic between the public IPs.

I am going to try the standalone routing test on the server and see if it works.


Re: Lan to Lan tun Problems

Post by alext » Wed May 07, 2014 3:58 am

I have just done the same test on the server and I can confirm that ip-forwarding is absolutely working.

This brings the problem to the tun interface on the server not operating properly. Can anyone suggest some tests I could do to debug this?

Another thing I tried is using tap instead of tun (not in bridged mode); this worked perfectly, and both server and client could access all they needed. Unfortunately the VPN connection will be using a 3G connection, and we can't afford to have extra traffic on the link.


Re: Lan to Lan tun Problems

Post by alext » Thu May 08, 2014 1:56 am

I have found a server config setting: "topology subnet" that sounds like it has some promise to solve my problem. I will give it a try today, if anyone has any advice on how to use this setting and the differences to p2p please let me know.


Re: Lan to Lan tun Problems

Post by alext » Thu May 08, 2014 5:24 am

I have gotten this working now.

Here is a useful link: http://backreference.org/2009/11/15/openvpn-and-iroute/

And here is my working server config:

port 1194
proto udp
dev tun

topology subnet
mode server
tls-server

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # flexo_client,10.8.0.4

client-config-dir ccd
client-to-client

#ifconfig 10.8.0.1 255.255.255.0
route 192.168.3.0 255.255.255.0 10.8.0.4
route 192.168.4.0 255.255.255.0 10.8.0.4

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mom_server.crt
key /etc/openvpn/keys/mom_server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

keepalive 10 120

comp-lzo

user nobody
chroot /etc/openvpn
group nogroup
daemon

persist-key
persist-tun

status openvpn-status.log

verb 3

The contents of /etc/openvpn/ccd/flexo_client:

push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.3.0 255.255.255.0
iroute 192.168.4.0 255.255.255.0

Here is my client config, in the format for my client:

config openvpn 'flexo_client'
   option nobind '1'
   option float '1'
   option client '1'
   option comp_lzo '1'
   option dev 'tun0'
   option verb '3'
   option persist_tun '1'
   option persist_key '1'
   option remote_cert_tls 'server'
   option remote 'x.x.x.x'
   option proto 'udp'
   option resolv_retry 'infinite'
   option ca '/etc/openvpn/ca.crt'
   option cert '/etc/openvpn/flexo_client.crt'
   option key '/etc/openvpn/flexo_client.key'
   option ns_cert_type 'server'
   option topology 'subnet'
   option enable '1'

Hopefully this helps someone to spend less time on this than I did.
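An added example, not code from this thread or from the OpenVPN project: a small Python checker for the two things that decide whether a routed (dev tun) site-to-site server can reach a LAN behind a client. OpenVPN reads client-config-dir files when a client connects, which is after --chroot has taken effect and the process has changed directory to the jail root, so with `chroot /etc/openvpn` an absolute `client-config-dir /etc/openvpn/ccd` is looked up inside the jail (at real path /etc/openvpn/etc/openvpn/ccd) and the iroute is never loaded; the relative `client-config-dir ccd` of the working config resolves to /etc/openvpn/ccd. The checker resolves that path, then confirms every `route` the server points into the tunnel is claimed by some client's `iroute`, which is exactly the case the tcpdumps above show (echo requests on the server's tun0, nothing at the client). The two configs and the ccd file are constructed stand-ins modelled on the before and after configs in this thread, and a dict stands in for the filesystem, so it runs offline.

```python
"""Consistency check for a routed (dev tun) OpenVPN site-to-site server.

Constructed example: configs modelled on the before/after server.conf in the
thread, plus a dict standing in for the filesystem. Touches no real host.
"""
import ipaddress
import posixpath
import shlex
from typing import Dict, List, Optional

# Server config as in the first post: chroot plus an ABSOLUTE client-config-dir
# (constructed, trimmed to the options the check looks at).
ORIGINAL_SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
route 192.168.3.0 255.255.255.0
chroot /etc/openvpn
"""

# Server config as in the working post: RELATIVE client-config-dir (constructed).
WORKING_SERVER_CONF = """\
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd
client-to-client
route 192.168.3.0 255.255.255.0 10.8.0.4
route 192.168.4.0 255.255.255.0 10.8.0.4
chroot /etc/openvpn
"""

# Simulated filesystem (constructed): real path -> file contents.
FILES = {
    "/etc/openvpn/ccd/flexo_client": (
        'push "route 192.168.1.0 255.255.255.0 10.8.0.1"\n'
        "iroute 192.168.3.0 255.255.255.0\n"
        "iroute 192.168.4.0 255.255.255.0\n"
    ),
}

Net = ipaddress.IPv4Network


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Option name -> list of argument lists. Strips '#'/';' comments and keeps
    quoted arguments (push "route ...") together."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        words = shlex.split(line, comments=True)
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts


def effective_ccd_dir(opts: Dict[str, List[List[str]]]) -> Optional[str]:
    """Real path OpenVPN opens for ccd files at client-connect time.

    By then --chroot is in effect and the cwd is the jail root, so an absolute
    path is resolved inside the jail and a relative one from the jail root.
    Without chroot, a relative path is taken from the working directory.
    """
    ccd = opts.get("client-config-dir")
    if not ccd:
        return None
    ccd_path = ccd[0][0]
    chroot = opts.get("chroot")
    if not chroot:
        return posixpath.normpath(ccd_path)
    return posixpath.normpath(posixpath.join(chroot[0][0], ccd_path.lstrip("/")))


def to_net(args: List[str]) -> Net:
    """'192.168.3.0 255.255.255.0' -> IPv4Network; a bare host address gets /32."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return Net(f"{args[0]}/{mask}", strict=False)


def iroutes_by_client(files: Dict[str, str], ccd_dir: str) -> Dict[str, List[Net]]:
    """Common name -> networks claimed by iroute in that client's ccd file."""
    prefix = ccd_dir.rstrip("/") + "/"
    result: Dict[str, List[Net]] = {}
    for path, text in files.items():
        name = path[len(prefix):]
        if path.startswith(prefix) and "/" not in name:
            result[name] = [to_net(a) for a in parse_conf(text).get("iroute", [])]
    return result


def check_site_to_site(conf_text: str, files: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every routed client LAN has an iroute owner."""
    opts = parse_conf(conf_text)
    findings: List[str] = []
    clients: Dict[str, List[Net]] = {}
    ccd_dir = effective_ccd_dir(opts)
    if ccd_dir is None:
        findings.append("no client-config-dir: iroute entries cannot be loaded")
    else:
        clients = iroutes_by_client(files, ccd_dir)
        if not clients:
            findings.append(f"client-config-dir resolves to {ccd_dir} at connect time, "
                            "but no ccd files exist there")
    pool = to_net(opts["server"][0]) if "server" in opts else None
    claimed = [n for nets in clients.values() for n in nets]
    for args in opts.get("route", []):
        net = to_net(args)
        if pool is not None and net.subnet_of(pool):
            continue  # the VPN pool itself needs no iroute
        if not any(net.subnet_of(c) for c in claimed):
            findings.append(f"kernel route for {net} points into tun, but no client "
                            "iroute claims it, so OpenVPN has no peer to forward to")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_SERVER_CONF), ("working", WORKING_SERVER_CONF)):
        print(label, check_site_to_site(conf, FILES) or ["OK"])
```

Run against the original-style config it reports two findings (the ccd path that does not exist inside the jail, and the 192.168.3.0/24 route with no iroute owner); against the working-style config it reports none. To use it on a real server, replace FILES with a walk of the resolved ccd directory; the check deliberately reads only the config and ccd files, so it can run as an unprivileged audit step.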
