Hi! Need some help getting VPN clients to access all resources on my domain.
I have three Cisco ASA gateways.
196.196.196.21 255.255.255.0
172.16.0.2 255.255.254.0
172.16.0.3 255.255.254.0
My OpenVPN server is installed on CentOS 5.5 and has an IP 172.16.0.248 255.255.254.0 which clients connect through the 172.16.0.3 gateway.
196.196.196.21 is a remote datacenter that has site-to-site connectivity with 172.16.0.2.
When my clients connect, they can access all resources on 172.16.0.x but cannot access anything on the 196.196.196.x network. In order for clients to connect to the second network, they first have to remote into their work PC, and from there remote into the second network.
My goal is to skip that step and give clients the ability to access the second network directly from their home computer. If they ping a host server on the second network from their home PC, DNS will resolve an IP address but does not get a reply. So it looks like I'm supposed to put a static route somewhere that points connected clients to the 172.16.0.2 gateway instead of the gateway they came through so that it routes properly, but I'm not sure how and where to go about configuring this.
I'm only a Jr. Systems Admin who's just getting his feet wet. Help?
Configure clients to access all networks
-
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Jan 13, 2011 11:53 pm
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Configure clients to access all networks
post your config files - what you want is possible but depends greatly on how you've set up openvpn. And, as always, this is a routing issue, not an OpenVPN issue 

-
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Jan 13, 2011 11:53 pm
Re: Configure clients to access all networks
I'll post the config files ASAP. I made a slight change to my CentOS server. I used GUI Network applet and added a static route to the NIC and now I can ping servers on the 196.196.196.0 in the server terminal. I just added 196.196.196.0 255.255.255.0 and the gateway 172.16.0.2. I want to note that my AS isn't joined to my Windows domain. This shouldn't matter right?
So anyway, since I was able to ping servers on the other end of the site-to-site, I assumed that clients would get that additional route upon connection. Sadly, not the case.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Jan 13, 2011 11:53 pm
Re: Configure clients to access all networks
It doesn't look like the default install of OpenVPN on CentOS installs the server.conf and client.conf files? In the web based admin console under advanced VPN settings, I see server and client config directives. Under server config directives, I tried inputting ;push "route 196.196.196.0 255.255.255.0". Didn't work. Can I push a gateway here?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Configure clients to access all networks
a normal openvpn installation does not install client.conf/server.conf files, except for sample config files in a special directory (e.g. /usr/share/doc/openvpn-2.X.Y)
which web admin GUI are you talking about:
"web based admin console under advanced VPN settings"
If your version of the NetworkManager is new enough then you can export the config file - it will be (almost) the same as a regular openvpn config file. For older versions (< 0.8) the format is quite different.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Jan 13, 2011 11:53 pm
Re: Configure clients to access all networks
The web gui accessed by https://url/admin
Anyway, I found the ifcfg-eth0 in /etc/sysconfig/networking/devices
# VMware VMXNET Ethernet Controller
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:50:56:af:00:09
NETMASK=255.255.254.0
IPADDR=172.16.0.248
GATEWAY=172.16.0.3
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
Here's route-eth0 from the same location. This route lets me ping the remote address from the terminal. Can I push this config to clients?
GATEWAY0=172.16.0.2
NETMASK0=255.255.255.0
ADDRESS0=196.196.196.0
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Configure clients to access all networks
sounds like you're using OpenVPN Access Server; please read topic7036.html
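Added example, not part of any post in this thread: a small routing model showing why the static route in route-eth0 helps only the server itself, and how a pushed route changes the client's path. It assumes standard OpenVPN config syntax (lines starting with ; or # are comments), a split-tunnel client that already reaches 172.16.0.0/23 through the VPN, and constructed values for the home router (192.168.1.1) and the target host (196.196.196.10).

```python
import ipaddress
import shlex

def active_push_routes(directives):
    """Networks from push "route NET MASK" lines that are not commented out."""
    routes = []
    for raw in directives.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # standard OpenVPN comment markers
            continue
        tokens = shlex.split(line)
        if len(tokens) == 2 and tokens[0] == "push":
            args = tokens[1].split()
            if len(args) == 3 and args[0] == "route":
                routes.append(ipaddress.ip_network(f"{args[1]}/{args[2]}"))
    return routes

def next_hop(table, dest):
    """Longest-prefix match over (network, via) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    hits = [(net, via) for net, via in table if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Server routes as posted in the thread (ifcfg-eth0 and route-eth0).
SERVER_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "172.16.0.3"),
    (ipaddress.ip_network("172.16.0.0/23"), "direct (eth0)"),
    (ipaddress.ip_network("196.196.196.0/24"), "172.16.0.2"),
]

HOME_GW = "192.168.1.1"  # constructed home router address

def client_table(directives):
    """Client routes: home default, the office LAN via VPN, plus active pushes."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), HOME_GW),
             (ipaddress.ip_network("172.16.0.0/23"), "vpn")]
    return table + [(net, "vpn") for net in active_push_routes(directives)]

COMMENTED = ';push "route 196.196.196.0 255.255.255.0"'
ACTIVE = 'push "route 196.196.196.0 255.255.255.0"'
TARGET = "196.196.196.10"  # constructed host in the remote datacenter

if __name__ == "__main__":
    print("server  ->", next_hop(SERVER_TABLE, TARGET))
    print("client, commented push ->", next_hop(client_table(COMMENTED), TARGET))
    print("client, active push    ->", next_hop(client_table(ACTIVE), TARGET))
```

A pushed route only fixes the outbound leg: hosts on 196.196.196.0/24 still need a path back to the VPN client addresses, either a return route on the ASAs or NAT on the VPN server.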