basic routing help please

cjgrdl
OpenVpn Newbie
Posts: 1
Joined: Tue Jul 05, 2011 11:32 am

basic routing help please

Post by cjgrdl » Tue Jul 05, 2011 11:41 am

I have set up a point to point VPN connection between:
- Server: Ubuntu Server 10.10 running on Citrix Xen using OpenVPN 2.2.1; IP address 10.66.0.15; subnet 10.66.0.0/24
- Client: MacBook Pro running Tunnelblick on subnet 10.0.1.0/24
- Note: the Server connects to the internet via a SOHO router, 10.66.0.1, which also assigns IP addresses to other machines on 10.66.0.0/24; the router allows the reservation of addresses, so I have fixed the Server at 10.66.0.15 and set up port forwarding on the router to direct all OpenVPN traffic to 10.66.0.15.
- Just to clarify the previous point: when I say Server, I mean this only with respect to OpenVPN. In all other respects, the Server is one of several machines on 10.66.0.0 which route via the 10.66.0.1 gateway.

I wonder if someone could help me achieve the following objectives:

1) establish the correct server-side routing so that all traffic from my Client can be routed via my Server and out onto the Internet
2) establish the correct routing/forwarding/masquerading (not sure which) so that my Client can ping and contact other machines on 10.66.0.0/24.

Currently the Server and Client can ping each other, but the Client cannot see anything else. Also, when the Client connects to the Server, the external IP address of the Client does not change to that of the Server.

Currently I have no iptables rules, and I have enabled IPv4 forwarding in sysctl.conf. I'm pretty sure I need one of the 'redirect-gateway' commands, and I'm also wondering whether I'm missing a ccd file. Here are my config files, the ifconfig output on the OpenVPN server, and the OpenVPN server logs:


tls-server
port 1194
proto udp
dev tun
server 192.168.200.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
tls-auth ta.key 0
cipher BF-CBC
keysize 448
persist-key
persist-tun
keepalive 10 60
ifconfig-pool-persist ipp.txt
push "route 10.0.1.0 255.255.255.0"
topology subnet
user nobody
group nogroup
comp-lzo
verb 3
mute 20
daemon   
log-append /var/log/openvpn.log


client
proto udp
dev tun
ca ca.crt
dh dh4096.pem
cert client.crt
key client.key
remote [    ] 1194
tls-auth ta.key 1
cipher BF-CBC
user nobody
group nogroup
verb 3
mute 20
keepalive 10 60
comp-lzo
resolv-retry infinite
nobind
keysize 448
ns-cert-type server


eth0      Link encap:Ethernet  HWaddr 1e:48:0b:e7:bc:e2  
          inet addr:10.66.0.15  Bcast:10.66.0.255  Mask:255.255.255.0
          inet6 addr: fe80::1c48:bff:fee7:bce2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17891 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8695 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3529993 (3.5 MB)  TX bytes:3634506 (3.6 MB)
          Interrupt:16 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1340 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:221677 (221.6 KB)  TX bytes:221677 (221.6 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.200.1  P-t-P:192.168.200.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Tue Jul  5 16:20:59 2011 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul  1 2011
Tue Jul  5 16:20:59 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul  5 16:20:59 2011 Diffie-Hellman initialized with 4096 bit key
Tue Jul  5 16:20:59 2011 Control Channel Authentication: using 'servers/.../ta.key' as a OpenVPN static key file
Tue Jul  5 16:20:59 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul  5 16:20:59 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul  5 16:20:59 2011 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jul  5 16:20:59 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Tue Jul  5 16:20:59 2011 ROUTE default_gateway=10.66.0.1
Tue Jul  5 16:20:59 2011 TUN/TAP device tun0 opened
Tue Jul  5 16:20:59 2011 TUN/TAP TX queue length set to 100
Tue Jul  5 16:20:59 2011 /sbin/ifconfig tun0 192.168.200.1 pointopoint 192.168.200.2 mtu 1500
Tue Jul  5 16:20:59 2011 /sbin/route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.200.2
Tue Jul  5 16:20:59 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul  5 16:20:59 2011 GID set to nogroup
Tue Jul  5 16:20:59 2011 UID set to nobody
Tue Jul  5 16:20:59 2011 UDPv4 link local (bound): [undef]:1194
Tue Jul  5 16:20:59 2011 UDPv4 link remote: [undef]
Tue Jul  5 16:20:59 2011 MULTI: multi_init called, r=256 v=256
Tue Jul  5 16:20:59 2011 IFCONFIG POOL: base=192.168.200.4 size=62
Tue Jul  5 16:20:59 2011 IFCONFIG POOL LIST
Tue Jul  5 16:20:59 2011 client,192.168.200.4
Tue Jul  5 16:20:59 2011 Initialization Sequence Completed
Tue Jul  5 16:21:03 2011 MULTI: multi_create_instance called
Tue Jul  5 16:21:03 2011 [   ]:63148 Re-using SSL/TLS context
Tue Jul  5 16:21:03 2011 [   ]:63148 LZO compression initialized
Tue Jul  5 16:21:03 2011 [   ]2:63148 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jul  5 16:21:03 2011 [   ]:63148 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul  5 16:21:03 2011 [   ]:63148 Local Options hash (VER=V4): '1043962c'
Tue Jul  5 16:21:03 2011 [   ]:63148 Expected Remote Options hash (VER=V4): '606250c3'
Tue Jul  5 16:21:03 2011 [   ]:63148 TLS: Initial packet from [   ]:63148, sid=f902e524 e5b0aa56
Tue Jul  5 16:21:05 2011 [   ]:63148 CRL CHECK OK: /C=[  ]/ST=[  ]/L=[  ]/O=[ ]/emailAddress=[  ]
Tue Jul  5 16:21:05 2011 [   ]:63148 VERIFY OK: depth=1,  /C=[  ]/ST=[  ]/L=[  ]/O=[ ]/emailAddress=[  ]
Tue Jul  5 16:21:05 2011 [  ]:63148 CRL CHECK OK:  /C=[  ]/ST=[  ]/L=[  ]/O=[ ]/emailAddress=[  ]
Tue Jul  5 16:21:05 2011 [   ]:63148 VERIFY OK: depth=0,  /C=[  ]/ST=[  ]/L=[  ]/O=[ ]/emailAddress=[   ]
Tue Jul  5 16:21:05 2011 client [  ]:63148 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 448 bit key
Tue Jul  5 16:21:05 2011 client [  ]:63148 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul  5 16:21:05 2011 client [  ]:63148 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 448 bit key
Tue Jul  5 16:21:05 2011 client [  ]:63148 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul  5 16:21:05 2011 client [  ]:63148 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Tue Jul  5 16:21:05 2011 client [  ]:63148 [  ] Peer Connection Initiated with [   ]:63148
Tue Jul  5 16:21:05 2011 client [  ]:63148 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/.../ccd/[client]
Tue Jul  5 16:21:05 2011 client [  ]:63148 MULTI: Learn: 192.168.200.6 -> client [  ]:63148
Tue Jul  5 16:21:05 2011 client [  ]:63148 MULTI: primary virtual IP for client [  ]:63148: 192.168.200.6
Tue Jul  5 16:21:07 2011 client [  ]:63148 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul  5 16:21:07 2011 client [  ]:63148 SENT CONTROL [client]: 'PUSH_REPLY,route 10.66.0.0 255.255.255.0,route 192.168.200.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.200.6 192.168.200.5' (status=1)

Any help would be immensely appreciated as I've really started to go round in circles on this one.
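The server-side pieces the two objectives need, as an added example that is not part of the original post: the two push options (a default route through the tunnel, and a route to the server's LAN; note the posted config pushes 10.0.1.0/24, the client's own subnet, while the log shows 10.66.0.0/24 already being pushed), the masquerade rule that lets Internet hosts and the 10.66.0.x machines answer tunnel traffic, and a check over captured `iptables -t nat -S` / `sysctl` output. It assumes the VPN subnet 192.168.200.0/24 from the server config and eth0 as the LAN interface from the ifconfig output; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes, as in the post:
#   - the VPN subnet is 192.168.200.0/24 (the "server" line)
#   - the server's LAN-facing interface is eth0 (the ifconfig output)
#   - the LAN behind the SOHO router is 10.66.0.0/24
VPN_NET="192.168.200.0/24"
LAN_IF="eth0"
LAN_NET="10.66.0.0 255.255.255.0"

# Server config push lines for the two objectives: send all client traffic
# through the tunnel ("def1" overrides the client's default route without
# deleting it), and give the client a route to the server's LAN.
server_push_lines() {
    printf '%s\n' "push \"redirect-gateway def1\"" "push \"route $LAN_NET\""
}

# Neither the Internet nor the 10.66.0.x hosts have a route back to
# 192.168.200.0/24, so tunnel traffic leaving eth0 is masqueraded as the
# server's own address. (A static route for the VPN subnet on the router
# is the alternative for the LAN; masquerading covers both objectives.)
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$VPN_NET" "$LAN_IF"
}

# Sanity check from captured output: $1 is the text of
# `iptables -t nat -S POSTROUTING`, $2 the text of `sysctl net.ipv4.ip_forward`.
# Returns 0 only when forwarding is on and the masquerade rule is present.
check_forwarding() {
    nat_dump=$1; fwd=$2; ok=0
    case "$fwd" in
        *"= 1"*) ;;
        *) echo "net.ipv4.ip_forward is not 1"; ok=1 ;;
    esac
    printf '%s\n' "$nat_dump" | grep -q -- "-s $VPN_NET -o $LAN_IF -j MASQUERADE" \
        || { echo "no MASQUERADE rule for $VPN_NET on $LAN_IF"; ok=1; }
    return $ok
}

# Constructed sample of what the two commands print once the rule is in place.
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE"
SAMPLE_FWD="net.ipv4.ip_forward = 1"

server_push_lines
nat_rule
check_forwarding "$SAMPLE_NAT" "$SAMPLE_FWD" && echo "sample: forwarding and NAT OK"
```

The printed push lines go in the server config and the printed iptables command is run as root on the server (it must be re-applied at boot, since the posted config has no NAT rules).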