I have a symmetric tunnel between two internal NAT realms, like this:
192.168.1.x <-> Public IP1 <--OpenVPN--> Public IP2 <->192.168.12.x
If I ping from Public IP1 to anything on the right side (192.168.12.x), the tunnels work great.
When I go between 192.168.12.x and 192.168.1.x, packets will flow, but only for a short
time (roughly one minute). Then it simply stops. After some period, the client/server
restarts and it goes again for another minute.
Public IP1 <-> 192.168.12.x always works, never a hiccup.
I'm using two symmetric tunnels, with both a client and server on each Public IPx.
---------- Public IP1 client config
port 1194
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
remote PublicIP2
ifconfig 10.8.0.2 10.8.0.1
route 192.168.12.0 255.255.255.0
secret my_secret.key
----------- Public IP2 server config
port 1194
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
ifconfig 10.8.0.1 10.8.0.2
secret my_secret.key
------------ Public IP1 server config
port 1195
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
replay-window 128 40
ifconfig 10.8.1.2 10.8.1.1
secret my_secret.key
----------- Public IP2 client config
port 1195
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
remote PublicIP1
ifconfig 10.8.1.1 10.8.1.2
route 192.168.1.0 255.255.255.0
secret my_secret.key
Notes:
* I have two tunnels because I could not figure out how to get the routing to work between the two NAT subnets with just one.
* This exact setup used to work, but one day (perhaps after some automatic update) it quit.
* Both systems are running [fairly up to date] Fedora systems:
Public IP1 - Fedora 13, kernel 2.6.34.8-68.fc13.i686.PAE, openvpn-2.1.1-2.fc13.i686
Public IP2 - Fedora 12, kernel 2.6.32.23-170.fc12.i686, openvpn-2.1.1-2.fc12.i686
(upgrading the system/kernel is not easy, so I hope that's not necessary)
Connection times out
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Connection times out
I'd use tcpdump or wireshark to watch the flow of packets .... you can do this using a single tunnel, using e.g.
---------- Public IP1 client config
port 1194
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
remote PublicIP2
ifconfig 10.8.0.2 10.8.0.1
route 192.168.12.0 255.255.255.0
secret my_secret.key
----------- Public IP2 server config
port 1194
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
ifconfig 10.8.0.1 10.8.0.2
route 192.168.1.0 255.255.255.0
secret my_secret.key
that should route the networks back and forth; whether this works largely depends on your NATting/firewall setup - can you post the iptables config files?
---------- Public IP1 client config
port 1194
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
remote PublicIP2
ifconfig 10.8.0.2 10.8.0.1
route 192.168.12.0 255.255.255.0
secret my_secret.key
----------- Public IP2 server config
port 1194
proto udp
dev tun
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
ifconfig 10.8.0.1 10.8.0.2
route 192.168.1.0 255.255.255.0
secret my_secret.key
that should route the networks back and forth; whether this works largely depends on your NATting/firewall setup - can you post the iptables config files?