
Able to connect tap, but unable to ping or access pls helppp

Posted: Tue Mar 22, 2011 11:11 pm
by sameerrrr
I am having a problem with my OpenVPN server on CentOS. Can you help me out please?

I am able to connect to my OpenVPN server, but unable to ping my local network at the office.

LAN network: (172.17.0.0/16) servers=172.17.1.0/24, users 172.17.3.0/24 & onwards.
VPN server LAN ip: 172.17.17.17
VPN Server tun0: 172.17.16.1

VPN Users: 172.17.16.0/24

OpenVPN connects, but I am unable to ping or access anything.

I can ping the gateway (tun0) but can't ping the VPN server (LAN IP) or my local network.

My server.conf:

local 172.17.17.17
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.17.16.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.17.1.0 255.255.255.0"
push "redirect-gateway"
client-to-client
keepalive 10 120
comp-lzo
max-clients 150
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
mute 20

client.ovpn:

client
dev tap
proto udp

remote mydomain.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

auth-user-pass

comp-lzo

verb 3

routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.17.1.3 0.0.0.0 UG 0 0 0 eth0

iptables is off/stopped.

Please help me in this regard. I am badly in need of help, because I am already past the deadline at my office. I created and had the OpenVPN server running before, and it was working fine, but due to a disaster the server crashed, and now I am creating the new OpenVPN server on CentOS again. This time I really don't know where I am making a mistake; I am stuck on it.

Anxiously waiting for a reply.

Regards

Sam

Re: Able to connect tap, but unable to ping or access pls he

Posted: Wed Mar 23, 2011 10:59 am
by maikcat
Hi there,

Already responded to the previous topic..

Anyway,

check if IP forwarding is enabled on your server.

michael.

Re: Able to connect tap, but unable to ping or access pls he

Posted: Wed Mar 23, 2011 11:23 am
by sameerrrr
Hi maikcat,

thank you so much for replying...

Please check /etc/sysctl.conf:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456


Regards

Re: Able to connect tap, but unable to ping or access pls he

Posted: Wed Mar 23, 2011 11:37 am
by maikcat
Hi there,

172.17.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0

Your eth0 has a 16-bit mask,
your tap0 has a 24-bit mask..

They both belong to the 172.17 subnet.

:shock:

Is there a typo????

michael
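The overlap michael is pointing at (the tap0 /24 sitting inside the eth0 /16) can be checked mechanically from the routing table that was posted above. This is an added example, not code from the thread; it embeds the posted netstat -rn output as sample input, treats tap0/tun0 as the VPN interfaces, and reports every directly connected non-VPN route that overlaps a VPN route:

```python
import ipaddress

# Routing table as posted earlier in the thread (netstat -rn output), embedded as sample input.
ROUTING_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.17.1.3 0.0.0.0 UG 0 0 0 eth0
"""

VPN_IFACES = ("tap0", "tun0")  # OpenVPN virtual interfaces (assumed names)


def parse_routes(text):
    """Parse netstat -rn / route -n output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # skip the two header lines; real route lines start with a dotted-quad destination
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gateway, genmask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, flags, iface))
    return routes


def overlapping_vpn_routes(routes):
    """Return (vpn_net, vpn_iface, lan_net, lan_iface) for every directly connected
    non-VPN route that overlaps a VPN interface route. The default route is ignored."""
    vpn = [r for r in routes if r[3] in VPN_IFACES and r[0].prefixlen > 0]
    connected_lan = [r for r in routes
                     if r[3] not in VPN_IFACES and "G" not in r[2] and r[0].prefixlen > 0]
    problems = []
    for vnet, _, _, viface in vpn:
        for lnet, _, _, liface in connected_lan:
            if vnet.overlaps(lnet):
                problems.append((str(vnet), viface, str(lnet), liface))
    return problems


if __name__ == "__main__":
    for vnet, viface, lnet, liface in overlapping_vpn_routes(parse_routes(ROUTING_TABLE)):
        print(f"VPN subnet {vnet} on {viface} lies inside LAN subnet {lnet} on {liface}: "
              "LAN hosts will ARP for VPN clients locally instead of routing to the VPN server")
```

On the posted table this flags 172.17.16.0/24 (tap0) against 172.17.0.0/16 (eth0), which is why replies from LAN machines never come back through the VPN server: to them the VPN clients look like local neighbours.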

Re: Able to connect tap, but unable to ping or access pls he

Posted: Wed Mar 23, 2011 12:10 pm
by sameerrrr
Hi maikcat,

our local LAN network, including the server, is on 172.17.0.0/16.

172.17.1.3/16 is my router's local IP on eth0.

I was running VPN users on 172.17.16.0/24 on the same network.

And yes, now I am able to ping my VPN server's local IP 172.17.17.17. I ran the command again: echo 1 > /proc/sys/net/ipv4/ip_forward
But still no ping to other servers or PCs.

Regards

Re: Able to connect tap, but unable to ping or access pls he

Posted: Wed Mar 23, 2011 12:20 pm
by maikcat
Please use a different subnet for your VPN users...
(e.g. 10.x.x.x/24)
Also set up a static route to your LAN servers for the VPN subnet.

cheers,


michael.

Re: Able to connect tap, but unable to ping or access pls he

Posted: Thu Mar 24, 2011 4:01 am
by sameerrrr
Hi Michael,

even after using a 10.x.x.x/24 subnet, I am still unable to ping or access. Any idea now?

Regards

Sam

Re: Able to connect tap, but unable to ping or access pls he

Posted: Thu Mar 24, 2011 7:33 am
by maikcat
Let's review your setup...

Your servers have 172.17/16 IPs.

What gateway do they have? (They must have at least a static route for
network 10/8 (the VPN) pointing to the LAN IP of your VPN server.)

Your CentOS now..

You have IP forwarding enabled (ok).
What is your SELinux status?
What is your firewall status?

Try disabling them both for testing..

>push "route 172.17.1.0 255.255.255.0"
>push "redirect-gateway"

I say for a start leave redirect-gateway aside
and change to this:
push "route 172.17.0.0 255.255.0.0"

Check that the clients' routing table receives the static routes..

Tell us what happened.

michael.
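The point about the LAN servers' gateway and static route can be shown with a small model of how such a server picks the next hop for its reply. This is an added example, not code from the thread: it uses the addresses given in the thread (172.17.17.17 for the VPN server's LAN address, 172.17.1.3 for the router), models a LAN server's table as the connected 172.17.0.0/16 plus a default route, and runs longest-prefix matching over it for the old overlapping VPN subnet and for a 10.8.0.0/24 subnet with and without the static route michael asked for:

```python
import ipaddress

# Addresses taken from the thread.
VPN_SERVER_LAN_IP = "172.17.17.17"   # VPN server's eth0 address
ROUTER_IP = "172.17.1.3"             # the LAN's default gateway


def lan_server_table(static_routes=()):
    """Routing table of a LAN server as described in the thread: the connected
    172.17.0.0/16 plus a default route via the router. static_routes is an iterable
    of (cidr, gateway) pairs added by hand. A gateway of None means 'directly connected'."""
    table = [(ipaddress.ip_network("172.17.0.0/16"), None),
             (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(ROUTER_IP))]
    for cidr, gateway in static_routes:
        table.append((ipaddress.ip_network(cidr), ipaddress.ip_address(gateway)))
    return table


def next_hop(table, dst):
    """Longest-prefix match. Returns the gateway address, or None when the kernel treats
    dst as directly connected (it will then ARP for dst on the local segment)."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, gw) for net, gw in table if dst in net]
    _, gateway = max(candidates, key=lambda r: r[0].prefixlen)
    return gateway


def reply_reaches_vpn_server(table, client_ip):
    """True only if the LAN server hands its reply to the VPN server's LAN address."""
    gateway = next_hop(table, client_ip)
    return gateway is not None and str(gateway) == VPN_SERVER_LAN_IP


if __name__ == "__main__":
    # Case 1: VPN clients in 172.17.16.0/24, inside the LAN /16 -> treated as local, never routed.
    print("172.17.16.5 ->", next_hop(lan_server_table(), "172.17.16.5"))
    # Case 2: VPN clients in 10.8.0.0/24, no static route -> reply goes to the router, which must forward it.
    print("10.8.0.6 ->", next_hop(lan_server_table(), "10.8.0.6"))
    # Case 3: static route 10.8.0.0/24 via the VPN server on the LAN server itself.
    fixed = lan_server_table([("10.8.0.0/24", VPN_SERVER_LAN_IP)])
    print("10.8.0.6 with static route ->", next_hop(fixed, "10.8.0.6"),
          "reaches VPN server:", reply_reaches_vpn_server(fixed, "10.8.0.6"))
```

Case 1 returns None: with the VPN subnet inside the LAN's own /16, the longest match is the connected route, so the server ARPs for the client on the wire and the reply is lost. Case 2 sends the reply to the router, so the router (and any firewall in it) has to carry a route back to the VPN server; case 3 removes that dependency by putting the route on the server itself, which is what the "try adding the static route directly into one of your servers" advice later in the thread amounts to.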

Re: Able to connect tap, but unable to ping or access pls he

Posted: Sun Mar 27, 2011 5:21 pm
by sameerrrr
Hi Michael,

sorry for the late reply....

I tried the conf changes you provided, but still in vain:

ip forwarding enabled
selinux disabled
firewall disabled
push "route 172.17.0.0 255.255.0.0"
#redirect gateway (commented)
server 10.8.0.0 255.255.255.0

I can ping the VPN server's local IP.
I can ping the router's local IP.
The result is that no gateway is assigned when OpenVPN connects, and it is still the same situation: "no ping & no access".

Well Michael, do you think I should re-install everything from scratch to sort out what's going on? There must be a small problem, but where? I don't know. I am just a little scared that the problem will persist even after re-installation and re-configuration of the server from scratch; what if it shows the same problem then?
What do you suggest now? Have you figured out what's going wrong with my configuration? This is a really embarrassing situation :(

Thanks & regards

Sam

Re: Able to connect tap, but unable to ping or access pls he

Posted: Sun Mar 27, 2011 5:27 pm
by sameerrrr
Sorry, I forgot to mention that the servers have the router's LAN address as their GW.
A static route is set on the router: IF LAN, network 10.0.0.0/8, gw vpnserver.

Regards

Sam

Re: Able to connect tap, but unable to ping or access pls he

Posted: Mon Mar 28, 2011 9:44 am
by maikcat
Hi there,

if you try a traceroute from a LAN server to your OpenVPN subnet
(first to 10.0.0.1, the VPN server itself, and then to a connected client),
does your router properly forward the packets to your OpenVPN server?

Also, I hope that your LAN servers don't have any type of firewall enabled...

>well Micheal, do you think should I re-install everything from scratch?

I don't think that this will solve your problem..
I believe there is a routing misconfiguration or a firewall problem somewhere...

PS: try adding the static route directly into one of your servers in case your router blocks something..
Some ZyXEL firewalls drop traffic if you don't enable it..

cheers,

michael

Re: Able to connect tap, but unable to ping or access pls he

Posted: Tue Mar 29, 2011 7:32 am
by sameerrrr
Hi Michael,

really, thanks for your concern. I'll get back to you and the VPN server by tomorrow or maybe the day after tomorrow. I have temporarily installed & configured VPN using a community firewall version, but I am going to continue the same configuration of the VPN server by the day after tomorrow. This is my ID for better communication in this regard: theonlyoneurs at yahoo dot com.

Thanks a lot, regards

Sameer