Site-to-Site Config Issue. Partly Working.

Mnemic
OpenVpn Newbie
Posts: 3
Joined: Wed May 18, 2011 9:35 pm

Site-to-Site Config Issue. Partly Working.

Post by Mnemic » Wed May 18, 2011 10:39 pm

(Edit) Added proper log files and current config

Hello, I'm entering the world of OpenVPN and trying to get this proof-of-concept scenario working.
Corporate network: 10.0.0.0/24
Remote offices with 192.168.1.0/24, 192.168.2.0/24, etc.
Using 10.255.255.0/24 as the tunnel network.

I want remote offices to communicate with select servers on the Corp network. For now I'm just trying to get everything talking, and having problems.

Corp network:
10.0.0.254 - pfSense 2.0 / OpenVPN server, connected to the public internet
10.0.0.50 - Windows web server to be accessed remotely via VPN
10.0.0.155 - Windows 7 desktop

Remote network:
192.168.1.1 - primary router
192.168.1.3 - DD-WRT OpenVPN client
192.168.1.100 - Windows workstation

Currently:
Can ping from 10.0.0.155 (Corp network) to 192.168.1.3, 192.168.1.1, and 192.168.1.100 (remote network)
Cannot ping from 192.168.1.100 (remote workstation) to 10.0.0.50, 10.0.0.155
Can ping from 192.168.1.100 to 10.0.0.254

So I currently have the reverse of what I want: from the Corp network I can access the devices on the remote side, but not the reverse. I'm sure I'm really close to having this working and just need a point in the right direction. The thing that confuses me is that the remote tunnel gets assigned 10.255.255.6 with a gateway of 10.255.255.5, but the server side gets 10.255.255.1 and .2, so I think this has something to do with it but can't figure out what to change.

Thanks in advance!

Server startup command:

openvpn --config /var/etc/openvpn/server2.conf

Server config file:

dev ovpns2
dev-type tun
dev-node /dev/tun2
client-to-client
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 111.222.111.69
tls-server
server 10.255.255.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.255.255.1 10.255.255.2
lport 1195
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
comp-lzo
route 192.168.1.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
verb 5

CSC for tunnel:

cat /var/etc/openvpn-csc/PC-OVPNR
iroute 192.168.1.0 255.255.255.0

Server routes after connection:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            c-111-222-111-1.hd UGS         0   760707    dc1
10.0.0.0           link#3             U           0 13649993   fxp0
pfsense            link#3             UHS         0        0    lo0
10.0.8.0           10.0.8.2           UGS         0     1768 ovpns1
10.0.8.1           link#9             UHS         0        0    lo0
10.0.8.2           link#9             UH          0        0 ovpns1
10.255.255.0       10.255.255.2       UGS         0        0 ovpns2
10.255.255.1       link#10            UHS         0        0    lo0
10.255.255.2       link#10            UH          0        0 ovpns2
111.222.111.0/23   link#2             U           0    11257    dc1
111.222.111.69     link#2             UHS         0        0    lo0
localhost          link#5             UH          0       57    lo0
192.168.1.0        10.255.255.2       UGS         0        0 ovpns2

Server logs for connection (verb 5):

openvpn --config /var/etc/openvpn/server2.conf
Wed May 18 18:10:30 2011 us=924020 Current Parameter Settings:
Wed May 18 18:10:30 2011 us=924364   config = '/var/etc/openvpn/server2.conf'
Wed May 18 18:10:30 2011 us=924393   mode = 1
Wed May 18 18:10:30 2011 us=924413   show_ciphers = DISABLED
Wed May 18 18:10:30 2011 us=924431   show_digests = DISABLED
Wed May 18 18:10:30 2011 us=924448   show_engines = DISABLED
Wed May 18 18:10:30 2011 us=924465   genkey = DISABLED
Wed May 18 18:10:30 2011 us=924485   key_pass_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=924503   show_tls_ciphers = DISABLED
Wed May 18 18:10:30 2011 us=924540 Connection profiles [default]:
Wed May 18 18:10:30 2011 us=924583   proto = udp
Wed May 18 18:10:30 2011 us=924605   local = '111.222.11.69'
Wed May 18 18:10:30 2011 us=924622   local_port = 1195
Wed May 18 18:10:30 2011 us=924639   remote = '[UNDEF]'
Wed May 18 18:10:30 2011 us=924656   remote_port = 1194
Wed May 18 18:10:30 2011 us=924673   remote_float = DISABLED
Wed May 18 18:10:30 2011 us=924690   bind_defined = DISABLED
Wed May 18 18:10:30 2011 us=924707   bind_local = ENABLED
Wed May 18 18:10:30 2011 us=924724   connect_retry_seconds = 5
Wed May 18 18:10:30 2011 us=924741   connect_timeout = 10
Wed May 18 18:10:30 2011 us=924758   connect_retry_max = 0
Wed May 18 18:10:30 2011 us=924776   socks_proxy_server = '[UNDEF]'
Wed May 18 18:10:30 2011 us=924793   socks_proxy_port = 0
Wed May 18 18:10:30 2011 us=924810   socks_proxy_retry = DISABLED
Wed May 18 18:10:30 2011 us=924836 Connection profiles END
Wed May 18 18:10:30 2011 us=924857   remote_random = DISABLED
Wed May 18 18:10:30 2011 us=924875   ipchange = '[UNDEF]'
Wed May 18 18:10:30 2011 us=924892   dev = 'ovpns2'
Wed May 18 18:10:30 2011 us=924909   dev_type = 'tun'
Wed May 18 18:10:30 2011 us=924926   dev_node = '/dev/tun2'
Wed May 18 18:10:30 2011 us=924944   lladdr = '[UNDEF]'
Wed May 18 18:10:30 2011 us=924961   topology = 1
Wed May 18 18:10:30 2011 us=925538   tun_ipv6 = DISABLED
Wed May 18 18:10:30 2011 us=925603   ifconfig_local = '10.255.255.1'
Wed May 18 18:10:30 2011 us=925624   ifconfig_remote_netmask = '10.255.255.2'
Wed May 18 18:10:30 2011 us=925642   ifconfig_noexec = DISABLED
Wed May 18 18:10:30 2011 us=925660   ifconfig_nowarn = DISABLED
Wed May 18 18:10:30 2011 us=925678   ifconfig_ipv6_local = '[UNDEF]'
Wed May 18 18:10:30 2011 us=925696   ifconfig_ipv6_netbits = 0
Wed May 18 18:10:30 2011 us=925713   ifconfig_ipv6_remote = '[UNDEF]'
Wed May 18 18:10:30 2011 us=925732   shaper = 0
Wed May 18 18:10:30 2011 us=925750   tun_mtu = 1500
Wed May 18 18:10:30 2011 us=925768   tun_mtu_defined = ENABLED
Wed May 18 18:10:30 2011 us=925786   link_mtu = 1500
Wed May 18 18:10:30 2011 us=926661   link_mtu_defined = DISABLED
Wed May 18 18:10:30 2011 us=926711   tun_mtu_extra = 0
Wed May 18 18:10:30 2011 us=926730   tun_mtu_extra_defined = DISABLED
Wed May 18 18:10:30 2011 us=926748   fragment = 0
Wed May 18 18:10:30 2011 us=926766   mtu_discover_type = -1
Wed May 18 18:10:30 2011 us=926784   mtu_test = 0
Wed May 18 18:10:30 2011 us=926800   mlock = DISABLED
Wed May 18 18:10:30 2011 us=926817   keepalive_ping = 10
Wed May 18 18:10:30 2011 us=926833   keepalive_timeout = 60
Wed May 18 18:10:30 2011 us=926849   inactivity_timeout = 0
Wed May 18 18:10:30 2011 us=926866   ping_send_timeout = 10
Wed May 18 18:10:30 2011 us=926883   ping_rec_timeout = 120
Wed May 18 18:10:30 2011 us=926899   ping_rec_timeout_action = 2
Wed May 18 18:10:30 2011 us=926916   ping_timer_remote = ENABLED
Wed May 18 18:10:30 2011 us=926932   remap_sigusr1 = 0
Wed May 18 18:10:30 2011 us=927476   explicit_exit_notification = 0
Wed May 18 18:10:30 2011 us=927511   persist_tun = ENABLED
Wed May 18 18:10:30 2011 us=927529   persist_local_ip = DISABLED
Wed May 18 18:10:30 2011 us=927546   persist_remote_ip = DISABLED
Wed May 18 18:10:30 2011 us=927563   persist_key = ENABLED
Wed May 18 18:10:30 2011 us=927583   mssfix = 1450
Wed May 18 18:10:30 2011 us=927601   passtos = DISABLED
Wed May 18 18:10:30 2011 us=927618   resolve_retry_seconds = 1000000000
Wed May 18 18:10:30 2011 us=927635   username = '[UNDEF]'
Wed May 18 18:10:30 2011 us=928365   groupname = '[UNDEF]'
Wed May 18 18:10:30 2011 us=928384   chroot_dir = '[UNDEF]'
Wed May 18 18:10:30 2011 us=928401   cd_dir = '[UNDEF]'
Wed May 18 18:10:30 2011 us=928419   writepid = '/var/run/openvpn_server2.pid'
Wed May 18 18:10:30 2011 us=928437   up_script = '/usr/local/sbin/ovpn-linkup'
Wed May 18 18:10:30 2011 us=928454   down_script = '/usr/local/sbin/ovpn-linkdown'
Wed May 18 18:10:30 2011 us=928472   down_pre = DISABLED
Wed May 18 18:10:30 2011 us=928491   up_restart = DISABLED
Wed May 18 18:10:30 2011 us=929602   up_delay = DISABLED
Wed May 18 18:10:30 2011 us=929652   daemon = DISABLED
Wed May 18 18:10:30 2011 us=929674   inetd = 0
Wed May 18 18:10:30 2011 us=929691   log = DISABLED
Wed May 18 18:10:30 2011 us=929708   suppress_timestamps = DISABLED
Wed May 18 18:10:30 2011 us=929726   nice = 0
Wed May 18 18:10:30 2011 us=929743   verbosity = 5
Wed May 18 18:10:30 2011 us=929760   mute = 0
Wed May 18 18:10:30 2011 us=929776   gremlin = 0
Wed May 18 18:10:30 2011 us=929793   status_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=929810   status_file_version = 1
Wed May 18 18:10:30 2011 us=929828   status_file_update_freq = 60
Wed May 18 18:10:30 2011 us=929845   occ = ENABLED
Wed May 18 18:10:30 2011 us=929863   rcvbuf = 65536
Wed May 18 18:10:30 2011 us=929880   sndbuf = 65536
Wed May 18 18:10:30 2011 us=929897   sockflags = 0
Wed May 18 18:10:30 2011 us=929913   fast_io = DISABLED
Wed May 18 18:10:30 2011 us=929930   lzo = 7
Wed May 18 18:10:30 2011 us=929947   route_script = '[UNDEF]'
Wed May 18 18:10:30 2011 us=929964   route_default_gateway = '[UNDEF]'
Wed May 18 18:10:30 2011 us=930343   route_default_metric = 0
Wed May 18 18:10:30 2011 us=930389   route_noexec = DISABLED
Wed May 18 18:10:30 2011 us=930412   route_delay = 0
Wed May 18 18:10:30 2011 us=930431   route_delay_window = 30
Wed May 18 18:10:30 2011 us=930448   route_delay_defined = DISABLED
Wed May 18 18:10:30 2011 us=930466   route_nopull = DISABLED
Wed May 18 18:10:30 2011 us=930486   route_gateway_via_dhcp = DISABLED
Wed May 18 18:10:30 2011 us=930505   max_routes = 100
Wed May 18 18:10:30 2011 us=930522   allow_pull_fqdn = DISABLED
Wed May 18 18:10:30 2011 us=930542   route 192.168.1.0/255.255.255.0/nil/nil
Wed May 18 18:10:30 2011 us=931072   route 10.255.255.0/255.255.255.0/nil/nil
Wed May 18 18:10:30 2011 us=931109   management_addr = '/var/etc/openvpn/server2.sock'
Wed May 18 18:10:30 2011 us=931128   management_port = 0
Wed May 18 18:10:30 2011 us=931146   management_user_pass = '[UNDEF]'
Wed May 18 18:10:30 2011 us=931165   management_log_history_cache = 250
Wed May 18 18:10:30 2011 us=931182   management_echo_buffer_size = 100
Wed May 18 18:10:30 2011 us=931200   management_write_peer_info_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=931217   management_client_user = '[UNDEF]'
Wed May 18 18:10:30 2011 us=931749   management_client_group = '[UNDEF]'
Wed May 18 18:10:30 2011 us=931780   management_flags = 256
Wed May 18 18:10:30 2011 us=931799   shared_secret_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=931817   key_direction = 0
Wed May 18 18:10:30 2011 us=931834   ciphername_defined = ENABLED
Wed May 18 18:10:30 2011 us=931852   ciphername = 'BF-CBC'
Wed May 18 18:10:30 2011 us=932373   authname_defined = ENABLED
Wed May 18 18:10:30 2011 us=932428   authname = 'SHA1'
Wed May 18 18:10:30 2011 us=932450   prng_hash = 'SHA1'
Wed May 18 18:10:30 2011 us=932468   prng_nonce_secret_len = 16
Wed May 18 18:10:30 2011 us=932489   keysize = 0
Wed May 18 18:10:30 2011 us=932506   engine = DISABLED
Wed May 18 18:10:30 2011 us=933046   replay = ENABLED
Wed May 18 18:10:30 2011 us=933070   mute_replay_warnings = DISABLED
Wed May 18 18:10:30 2011 us=933088   replay_window = 64
Wed May 18 18:10:30 2011 us=933614   replay_time = 15
Wed May 18 18:10:30 2011 us=933637   packet_id_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=933655   use_iv = ENABLED
Wed May 18 18:10:30 2011 us=934162   test_crypto = DISABLED
Wed May 18 18:10:30 2011 us=934204   tls_server = ENABLED
Wed May 18 18:10:30 2011 us=934223   tls_client = DISABLED
Wed May 18 18:10:30 2011 us=934241   key_method = 2
Wed May 18 18:10:30 2011 us=934258   ca_file = '/var/etc/openvpn/server2.ca'
Wed May 18 18:10:30 2011 us=934276   ca_path = '[UNDEF]'
Wed May 18 18:10:30 2011 us=934294   dh_file = '/etc/dh-parameters.1024'
Wed May 18 18:10:30 2011 us=934809   cert_file = '/var/etc/openvpn/server2.cert'
Wed May 18 18:10:30 2011 us=934843   priv_key_file = '/var/etc/openvpn/server2.key'
Wed May 18 18:10:30 2011 us=934862   pkcs12_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=934879   cipher_list = '[UNDEF]'
Wed May 18 18:10:30 2011 us=934896   tls_verify = '[UNDEF]'
Wed May 18 18:10:30 2011 us=934913   tls_export_cert = '[UNDEF]'
Wed May 18 18:10:30 2011 us=935455   tls_remote = '[UNDEF]'
Wed May 18 18:10:30 2011 us=935487   crl_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=935506   ns_cert_type = 0
Wed May 18 18:10:30 2011 us=935524   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=935541   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936063   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936098   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936116   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936133   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936655   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936677   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936696   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=936713   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=937051   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=937084   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=937102   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=937119   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=937136   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=937153   remote_cert_ku[i] = 0
Wed May 18 18:10:30 2011 us=937170   remote_cert_eku = '[UNDEF]'
Wed May 18 18:10:30 2011 us=937187   tls_timeout = 2
Wed May 18 18:10:30 2011 us=937205   renegotiate_bytes = 0
Wed May 18 18:10:30 2011 us=937222   renegotiate_packets = 0
Wed May 18 18:10:30 2011 us=937239   renegotiate_seconds = 3600
Wed May 18 18:10:30 2011 us=937256   handshake_window = 60
Wed May 18 18:10:30 2011 us=937273   transition_window = 3600
Wed May 18 18:10:30 2011 us=937290   single_session = DISABLED
Wed May 18 18:10:30 2011 us=937307   push_peer_info = DISABLED
Wed May 18 18:10:30 2011 us=937324   tls_exit = DISABLED
Wed May 18 18:10:30 2011 us=937341   tls_auth_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=937364   server_network = 10.255.255.0
Wed May 18 18:10:30 2011 us=937384   server_netmask = 255.255.255.0
Wed May 18 18:10:30 2011 us=937415   server_network_ipv6 = ::
Wed May 18 18:10:30 2011 us=937434   server_netbits_ipv6 = 0
Wed May 18 18:10:30 2011 us=937454   server_bridge_ip = 0.0.0.0
Wed May 18 18:10:30 2011 us=937473   server_bridge_netmask = 0.0.0.0
Wed May 18 18:10:30 2011 us=937495   server_bridge_pool_start = 0.0.0.0
Wed May 18 18:10:30 2011 us=937515   server_bridge_pool_end = 0.0.0.0
Wed May 18 18:10:30 2011 us=937533   push_entry = 'route 10.0.0.0 255.255.255.0'
Wed May 18 18:10:30 2011 us=937551   push_entry = 'route 10.255.255.0 255.255.255.0'
Wed May 18 18:10:30 2011 us=937569   push_entry = 'topology net30'
Wed May 18 18:10:30 2011 us=937585   push_entry = 'ping 10'
Wed May 18 18:10:30 2011 us=937602   push_entry = 'ping-restart 60'
Wed May 18 18:10:30 2011 us=937619   ifconfig_pool_defined = ENABLED
Wed May 18 18:10:30 2011 us=938234   ifconfig_pool_start = 10.255.255.4
Wed May 18 18:10:30 2011 us=938275   ifconfig_pool_end = 10.255.255.251
Wed May 18 18:10:30 2011 us=938297   ifconfig_pool_netmask = 0.0.0.0
Wed May 18 18:10:30 2011 us=938315   ifconfig_pool_persist_filename = '[UNDEF]'
Wed May 18 18:10:30 2011 us=938334   ifconfig_pool_persist_refresh_freq = 600
Wed May 18 18:10:30 2011 us=938351   ifconfig_ipv6_pool_defined = DISABLED
Wed May 18 18:10:30 2011 us=938371   ifconfig_ipv6_pool_base = ::
Wed May 18 18:10:30 2011 us=938389   ifconfig_ipv6_pool_netbits = 0
Wed May 18 18:10:30 2011 us=938406   n_bcast_buf = 256
Wed May 18 18:10:30 2011 us=938423   tcp_queue_limit = 64
Wed May 18 18:10:30 2011 us=938441   real_hash_size = 256
Wed May 18 18:10:30 2011 us=938459   virtual_hash_size = 256
Wed May 18 18:10:30 2011 us=938477   client_connect_script = '[UNDEF]'
Wed May 18 18:10:30 2011 us=938496   learn_address_script = '[UNDEF]'
Wed May 18 18:10:30 2011 us=938514   client_disconnect_script = '[UNDEF]'
Wed May 18 18:10:30 2011 us=938531   client_config_dir = '/var/etc/openvpn-csc'
Wed May 18 18:10:30 2011 us=938548   ccd_exclusive = DISABLED
Wed May 18 18:10:30 2011 us=938566   tmp_dir = '/tmp'
Wed May 18 18:10:30 2011 us=938583   push_ifconfig_defined = DISABLED
Wed May 18 18:10:30 2011 us=938603   push_ifconfig_local = 0.0.0.0
Wed May 18 18:10:30 2011 us=938623   push_ifconfig_remote_netmask = 0.0.0.0
Wed May 18 18:10:30 2011 us=938641   push_ifconfig_ipv6_defined = DISABLED
Wed May 18 18:10:30 2011 us=938660   push_ifconfig_ipv6_local = ::/0
Wed May 18 18:10:30 2011 us=938679   push_ifconfig_ipv6_remote = ::
Wed May 18 18:10:30 2011 us=938697   enable_c2c = ENABLED
Wed May 18 18:10:30 2011 us=938714   duplicate_cn = DISABLED
Wed May 18 18:10:30 2011 us=938732   cf_max = 0
Wed May 18 18:10:30 2011 us=938749   cf_per = 0
Wed May 18 18:10:30 2011 us=938766   max_clients = 1024
Wed May 18 18:10:30 2011 us=938782   max_routes_per_client = 256
Wed May 18 18:10:30 2011 us=939242   auth_user_pass_verify_script = '[UNDEF]'
Wed May 18 18:10:30 2011 us=939280   auth_user_pass_verify_script_via_file = DISABLED
Wed May 18 18:10:30 2011 us=939300   ssl_flags = 0
Wed May 18 18:10:30 2011 us=939317   port_share_host = '[UNDEF]'
Wed May 18 18:10:30 2011 us=939335   port_share_port = 0
Wed May 18 18:10:30 2011 us=939351   client = DISABLED
Wed May 18 18:10:30 2011 us=939368   pull = DISABLED
Wed May 18 18:10:30 2011 us=939387   auth_user_pass_file = '[UNDEF]'
Wed May 18 18:10:30 2011 us=940123 OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 28 2011
Wed May 18 18:10:30 2011 us=950349 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2.sock
Wed May 18 18:10:30 2011 us=951086 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May 18 18:10:31 2011 us=2296 Diffie-Hellman initialized with 1024 bit key
Wed May 18 18:10:31 2011 us=42717 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 18 18:10:31 2011 us=43469 Socket Buffers: R=[42080->65536] S=[57344->65536]
Wed May 18 18:10:31 2011 us=44369 ROUTE default_gateway=69.139.122.1
Wed May 18 18:10:31 2011 us=45427 TUN/TAP device /dev/tun2 opened
Wed May 18 18:10:31 2011 us=45835 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed May 18 18:10:31 2011 us=46452 /sbin/ifconfig ovpns2 10.255.255.1 10.255.255.2 mtu 1500 netmask 255.255.255.255 up
Wed May 18 18:10:31 2011 us=55455 /usr/local/sbin/ovpn-linkup ovpns2 1500 1542 10.255.255.1 10.255.255.2 init
OK
Wed May 18 18:10:31 2011 us=119771 /sbin/route add -net 192.168.1.0 10.255.255.2 255.255.255.0
add net 192.168.1.0: gateway 10.255.255.2
Wed May 18 18:10:31 2011 us=219776 /sbin/route add -net 10.255.255.0 10.255.255.2 255.255.255.0
add net 10.255.255.0: gateway 10.255.255.2
Wed May 18 18:10:31 2011 us=230854 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 18 18:10:31 2011 us=242936 UDPv4 link local (bound): [AF_INET]111.222.11.69:1195
Wed May 18 18:10:31 2011 us=243376 UDPv4 link remote: [undef]
Wed May 18 18:10:31 2011 us=243921 MULTI: multi_init called, r=256 v=256
Wed May 18 18:10:31 2011 us=245238 IFCONFIG POOL: base=10.255.255.4 size=62, ipv6=0
Wed May 18 18:10:31 2011 us=245731 Initialization Sequence Completed
Wed May 18 18:10:55 2011 us=483756 MULTI: multi_create_instance called
Wed May 18 18:10:55 2011 us=483965 69.137.88.230:32774 Re-using SSL/TLS context
Wed May 18 18:10:55 2011 us=484577 69.137.88.230:32774 LZO compression initialized
Wed May 18 18:10:55 2011 us=621083 69.137.88.230:32774 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 18 18:10:55 2011 us=621157 69.137.88.230:32774 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 18 18:10:55 2011 us=640525 69.137.88.230:32774 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed May 18 18:10:55 2011 us=640586 69.137.88.230:32774 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed May 18 18:10:55 2011 us=662598 69.137.88.230:32774 Local Options hash (VER=V4): '530fdded'
Wed May 18 18:10:55 2011 us=662672 69.137.88.230:32774 Expected Remote Options hash (VER=V4): '41690919'
RWed May 18 18:10:55 2011 us=689644 69.137.88.230:32774 TLS: Initial packet from [AF_INET]69.137.88.230:32774, sid=fbdbf25c 5714c8a6
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWed May 18 18:10:58 2011 us=528586 69.137.88.230:32774 VERIFY OK: depth=1, /C=US/ST=Tennessee/L=Nashville/O=IT_Technologies/emailAddress=support@corporate.net/CN=internal-ca
Wed May 18 18:10:58 2011 us=530571 69.137.88.230:32774 VERIFY OK: depth=0, /C=US/ST=Tennessee/L=Nashville/O=IT_Technologies/emailAddress=support@corporate.net/CN=PC-OVPNR
WRWRWRWRWWWWRRRWRWWWWRWRWRWRWRWRWRRRRWRWRWed May 18 18:11:00 2011 us=891713 69.137.88.230:32774 NOTE: Options consistency check may be skewed by version differences
Wed May 18 18:11:00 2011 us=915377 69.137.88.230:32774 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Wed May 18 18:11:00 2011 us=915443 69.137.88.230:32774 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Wed May 18 18:11:00 2011 us=915473 69.137.88.230:32774 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
Wed May 18 18:11:00 2011 us=915503 69.137.88.230:32774 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Wed May 18 18:11:00 2011 us=915530 69.137.88.230:32774 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Wed May 18 18:11:00 2011 us=915556 69.137.88.230:32774 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Wed May 18 18:11:00 2011 us=915582 69.137.88.230:32774 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Wed May 18 18:11:00 2011 us=915607 69.137.88.230:32774 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Wed May 18 18:11:00 2011 us=915632 69.137.88.230:32774 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Wed May 18 18:11:00 2011 us=915657 69.137.88.230:32774 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Wed May 18 18:11:00 2011 us=915683 69.137.88.230:32774 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Wed May 18 18:11:00 2011 us=935757 69.137.88.230:32774 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 18 18:11:00 2011 us=935845 69.137.88.230:32774 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 18 18:11:00 2011 us=935930 69.137.88.230:32774 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 18 18:11:00 2011 us=935961 69.137.88.230:32774 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRWed May 18 18:11:00 2011 us=969844 69.137.88.230:32774 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed May 18 18:11:00 2011 us=969959 69.137.88.230:32774 [PC-OVPNR] Peer Connection Initiated with [AF_INET]69.137.88.230:32774
Wed May 18 18:11:00 2011 us=970505 PC-OVPNR/69.137.88.230:32774 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/PC-OVPNR
Wed May 18 18:11:00 2011 us=971267 PC-OVPNR/69.137.88.230:32774 MULTI_sva: pool returned IPv4=10.255.255.6, IPv6=::
Wed May 18 18:11:00 2011 us=971937 PC-OVPNR/69.137.88.230:32774 MULTI: Learn: 10.255.255.6 -> PC-OVPNR/69.137.88.230:32774
Wed May 18 18:11:00 2011 us=971980 PC-OVPNR/69.137.88.230:32774 MULTI: primary virtual IP for PC-OVPNR/69.137.88.230:32774: 10.255.255.6
Wed May 18 18:11:00 2011 us=972363 PC-OVPNR/69.137.88.230:32774 MULTI: internal route 192.168.1.0/24 -> PC-OVPNR/69.137.88.230:32774
Wed May 18 18:11:00 2011 us=972894 PC-OVPNR/69.137.88.230:32774 MULTI: Learn: 192.168.1.0/24 -> PC-OVPNR/69.137.88.230:32774
RWed May 18 18:11:03 2011 us=60421 PC-OVPNR/69.137.88.230:32774 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 18 18:11:03 2011 us=60488 PC-OVPNR/69.137.88.230:32774 send_push_reply(): safe_cap=960
Wed May 18 18:11:03 2011 us=60579 PC-OVPNR/69.137.88.230:32774 SENT CONTROL [PC-OVPNR]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.255.255.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.255.255.6 10.255.255.5' (status=1)
WWWWRRRRWWed May 18 18:11:19 2011 us=10804 MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
Wed May 18 18:11:19 2011 us=208620 MANAGEMENT: CMD 'status 2'
Wed May 18 18:11:19 2011 us=412438 MANAGEMENT: CMD 'quit'
Wed May 18 18:11:19 2011 us=412527 MANAGEMENT: Client disconnected

Client startup command:

openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh

Up/down scripts (I've disabled these):

root@DD-WRT:~# cat /tmp/openvpncl/route-up.sh
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
root@DD-WRT:~# cat /tmp/openvpncl/route-down.sh
iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE

Client config file:

client
dev tun
proto udp
remote 111.222.111.69 1195
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
verb 5
comp-lzo
pull
tls-client

Client routes after connection:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.255.255.1    10.255.255.5    255.255.255.255 UGH       0 0          0 tun0
10.255.255.5    *               255.255.255.255 UH        0 0          0 tun0
10.0.0.0        10.255.255.5    255.255.255.0   UG        0 0          0 tun0
192.168.1.0     *               255.255.255.0   U         0 0          0 br0
169.254.0.0     *               255.255.0.0     U         0 0          0 br0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         DD-WRT          0.0.0.0         UG        0 0          0 br0

Client log after connect:

openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh
Thu May 19 01:10:55 2011 us=454520 OpenVPN 2.1.1 i386-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug  7 2010
Thu May 19 01:10:55 2011 us=454671 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu May 19 01:10:55 2011 us=455150 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Thu May 19 01:10:55 2011 us=455493 LZO compression initialized
Thu May 19 01:10:55 2011 us=455810 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu May 19 01:10:55 2011 us=455892 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu May 19 01:10:55 2011 us=455926 Socket Buffers: R=[113664->131072] S=[113664->131072]
Thu May 19 01:10:55 2011 us=455955 UDPv4 link local: [undef]
Thu May 19 01:10:55 2011 us=455981 UDPv4 link remote: 111.222.11.69:1195
WRThu May 19 01:10:55 2011 us=710836 TLS: Initial packet from 111.222.11.69:1195, sid=e3d32403 260e7de9
WWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRThu May 19 01:10:56 2011 us=142021 VERIFY OK: depth=1, /C=US/ST=Tennessee/L=Nashville/O=IT_Technologies/emailAddress=support@corporate.net/CN=internal-ca
Thu May 19 01:10:56 2011 us=142944 VERIFY OK: depth=0, /C=US/ST=Tennessee/L=Nashville/O=IT_Technologies/emailAddress=support@corporate.net/CN=PC-OVPNR
WRWRWRWRWRWRWRWWWWRWRWRWRWRWRWRRRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWRRRWRWRThu May 19 01:11:00 2011 us=967525 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 19 01:11:00 2011 us=967576 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 19 01:11:00 2011 us=967636 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 19 01:11:00 2011 us=967659 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WThu May 19 01:11:00 2011 us=967803 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu May 19 01:11:00 2011 us=967846 [PC-OVPNR] Peer Connection Initiated with 111.222.11.69:1195
Thu May 19 01:11:03 2011 us=61528 SENT CONTROL [PC-OVPNR]: 'PUSH_REQUEST' (status=1)
WRRWRWRThu May 19 01:11:03 2011 us=93348 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.255.255.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.255.255.6 10.255.255.5'
Thu May 19 01:11:03 2011 us=93348 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 19 01:11:03 2011 us=93348 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 19 01:11:03 2011 us=93348 OPTIONS IMPORT: route options modified
Thu May 19 01:11:03 2011 us=94298 TUN/TAP device tun0 opened
Thu May 19 01:11:03 2011 us=94381 TUN/TAP TX queue length set to 100
Thu May 19 01:11:03 2011 us=94596 /sbin/ifconfig tun0 10.255.255.6 pointopoint 10.255.255.5 mtu 1500
Thu May 19 01:11:03 2011 us=96745 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.255.255.5
Thu May 19 01:11:03 2011 us=98975 /sbin/route add -net 10.255.255.0 netmask 255.255.255.0 gw 10.255.255.5
Thu May 19 01:11:03 2011 us=106927 Initialization Sequence Completed
Last edited by Mnemic on Wed May 18, 2011 11:55 pm, edited 1 time in total.
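The .5/.6 versus .1/.2 addresses that puzzle the poster are a direct consequence of OpenVPN's default net30 topology, and the server log above confirms it (pool base 10.255.255.4, size 62, client told "ifconfig 10.255.255.6 10.255.255.5"). The following is an added worked example, mine rather than anything from the thread or from OpenVPN itself: it models how "server 10.255.255.0 255.255.255.0" carves the subnet into /30 blocks, and cross-checks the three routing directives a site-to-site setup needs (route on the server, iroute in the CCD file, push "route" for the client). SERVER_CONF and CCD are copied from the config pasted above; the checker only reads text and never touches a VPN.

```python
"""Added example (not from the thread): net30 address hand-out and a
route / iroute / push "route" consistency check for OpenVPN site-to-site.
"""
import ipaddress
import re

# Relevant lines of the server config from the post (other directives omitted).
SERVER_CONF = """\
server 10.255.255.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
route 192.168.1.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
"""

# The client-config-dir file /var/etc/openvpn-csc/PC-OVPNR, keyed by certificate CN.
CCD = {"PC-OVPNR": "iroute 192.168.1.0 255.255.255.0\n"}


def net30_pool(network, netmask):
    """How 'server NETWORK NETMASK' carves the subnet under topology net30.

    The server keeps the first /30 (.1 for itself, .2 as its ifconfig peer).
    Clients get whole /30 blocks starting at .4; the last block before the
    subnet broadcast is left unused, so a /24 pool ends at .251 and holds 62.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    pool_start = base + 4
    pool_end = int(net.broadcast_address) - 4
    return {
        "server_ip": str(ipaddress.ip_address(base + 1)),
        "server_peer": str(ipaddress.ip_address(base + 2)),
        "pool_start": str(ipaddress.ip_address(pool_start)),
        "pool_end": str(ipaddress.ip_address(pool_end)),
        "size": (pool_end - pool_start + 1) // 4,
    }


def net30_client(network, netmask, index):
    """(client_ip, server_side_endpoint) for the index-th /30 handed out."""
    pool = net30_pool(network, netmask)
    block = int(ipaddress.ip_address(pool["pool_start"])) + 4 * index
    # Inside each /30: .0 block, .1 server-side endpoint, .2 the client itself.
    return str(ipaddress.ip_address(block + 2)), str(ipaddress.ip_address(block + 1))


_ROUTE = re.compile(r'^route\s+(\S+)\s+(\S+)')
_PUSH_ROUTE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')
_IROUTE = re.compile(r'^iroute\s+(\S+)\s+(\S+)')


def _cidr(addr, mask):
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_server_routes(conf):
    """Kernel routes the server adds ('route') and routes it pushes to clients."""
    routes, pushed = set(), set()
    for raw in conf.splitlines():
        line = raw.strip()
        if m := _ROUTE.match(line):
            routes.add(_cidr(*m.groups()))
        elif m := _PUSH_ROUTE.match(line):
            pushed.add(_cidr(*m.groups()))
    return routes, pushed


def parse_iroutes(ccd):
    """Map certificate CN -> subnets it claims via 'iroute' in its CCD file."""
    claimed = {}
    for cn, text in ccd.items():
        for raw in text.splitlines():
            if m := _IROUTE.match(raw.strip()):
                claimed.setdefault(cn, set()).add(_cidr(*m.groups()))
    return claimed


def check_site_to_site(conf, ccd):
    """Return findings as strings; an empty list means the directives agree.

    A LAN behind a client needs both halves: 'route' makes the server kernel
    hand that LAN's packets to the tun device, 'iroute' tells the OpenVPN
    process which connected client instance owns the LAN.
    """
    routes, pushed = parse_server_routes(conf)
    claimed = parse_iroutes(ccd)
    findings = []
    for cn, nets in claimed.items():
        for n in sorted(nets):
            if n not in routes:
                findings.append(f"{cn}: iroute {n} has no matching 'route' in the server "
                                "config; the server kernel never sends that LAN into the tunnel")
    owners = {n for nets in claimed.values() for n in nets}
    for n in sorted(routes):
        if n not in owners:
            findings.append(f"route {n} has no iroute in any CCD file; OpenVPN cannot "
                            "map it to a client and drops the traffic")
    if not pushed:
        findings.append('no push "route ...": clients will not learn the server-side LAN')
    return findings


if __name__ == "__main__":
    print(net30_pool("10.255.255.0", "255.255.255.0"))
    print(net30_client("10.255.255.0", "255.255.255.0", 0))
    print(check_site_to_site(SERVER_CONF, CCD) or "routing directives agree")
    # Same config with the CCD file missing: the classic half-configured site-to-site.
    print(check_site_to_site(SERVER_CONF, {}))
```

For the thread's config the checker returns no findings, which is consistent with the poster's observation that routing in at least one direction already works; what it would catch is the common case where the CCD file is missing or its name does not match the client certificate CN, so the "route" exists but OpenVPN has nowhere to deliver it.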

Mnemic
OpenVpn Newbie
Posts: 3
Joined: Wed May 18, 2011 9:35 pm

Re: Site-to-Site Config Issue. Partly Working.

Post by Mnemic » Wed May 18, 2011 11:31 pm

Traceroutes

Workstation in Corp Network.

C:\Documents and Settings\Administrator>tracert 192.168.1.3

Tracing route to 192.168.1.3 over a maximum of 30 hops

  1     2 ms    <1 ms    <1 ms  10.0.0.254
  2    20 ms    21 ms    20 ms  192.168.1.3

Trace complete.
C:\Documents and Settings\Administrator>tracert 192.168.1.1

Tracing route to 192.168.1.1 over a maximum of 30 hops

  1     2 ms    <1 ms    <1 ms  10.0.0.254
  2    55 ms    38 ms    20 ms  10.255.255.6
  3    21 ms    23 ms    20 ms  192.168.1.1

Trace complete.

Workstation in Remote network

C:\Windows\system32>tracert -d 10.0.0.254

Tracing route to 10.0.0.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.3
  2    27 ms    19 ms    20 ms  10.0.0.254

Trace complete.

C:\Windows\system32>tracert -d 10.0.0.1

Tracing route to 10.0.0.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.3
  2    23 ms    23 ms    20 ms  10.255.255.1
  3     *        *        *     Request timed out.
  4  ^C

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Site-to-Site Config Issue. Partly Working.

Post by janjust » Thu May 19, 2011 8:12 am

These warnings
Wed May 18 18:11:00 2011 us=915377 69.137.88.230:32774 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Wed May 18 18:11:00 2011 us=915443 69.137.88.230:32774 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Wed May 18 18:11:00 2011 us=915473 69.137.88.230:32774 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
Wed May 18 18:11:00 2011 us=915503 69.137.88.230:32774 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Wed May 18 18:11:00 2011 us=915530 69.137.88.230:32774 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Wed May 18 18:11:00 2011 us=915556 69.137.88.230:32774 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Wed May 18 18:11:00 2011 us=915582 69.137.88.230:32774 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Wed May 18 18:11:00 2011 us=915607 69.137.88.230:32774 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Wed May 18 18:11:00 2011 us=915632 69.137.88.230:32774 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Wed May 18 18:11:00 2011 us=915657 69.137.88.230:32774 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Wed May 18 18:11:00 2011 us=915683 69.137.88.230:32774 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
are worrisome - looks like traffic is getting corrupted between client and server? It is odd that the connection succeeds despite this.

If pinging in one direction works but not the other, then you're looking at a firewalling/NATting issue - check your iptables rules on the server and on the client itself; a Windows Vista/7 client does not allow incoming ICMP pings by default.

To troubleshoot this further, run wireshark on the VPN server and watch the flow of packets when a client on the server-side LAN tries to reach the client (or machine on the client-side LAN).
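The warnings janjust points at are OpenVPN's options-consistency check, and the client log above also carries two warnings worth acting on regardless of the ping problem: the client has no server-certificate verification method enabled (so any certificate signed by the same CA would be accepted as the server), and the client key file is group/world readable. As an added example, not code from the thread or from OpenVPN, here is a small log-triage routine run over lines copied from the logs above (verb-5 R/W markers trimmed); the option names and the advice strings are mine, the log text is the page's.

```python
"""Added example (not from the thread): triage OpenVPN log lines for
options-consistency warnings and for the two security warnings the client log shows.
"""
import re

# Lines copied from the server and client logs posted in the thread.
SAMPLE_LOG = """\
Wed May 18 18:11:00 2011 us=915377 69.137.88.230:32774 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Wed May 18 18:11:00 2011 us=915443 69.137.88.230:32774 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Wed May 18 18:11:00 2011 us=915556 69.137.88.230:32774 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Wed May 18 18:11:00 2011 us=915582 69.137.88.230:32774 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Wed May 18 18:11:00 2011 us=915607 69.137.88.230:32774 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Thu May 19 01:10:55 2011 us=454671 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu May 19 01:10:55 2011 us=455150 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Wed May 18 18:11:00 2011 us=969959 69.137.88.230:32774 [PC-OVPNR] Peer Connection Initiated with [AF_INET]69.137.88.230:32774
"""

INCONSISTENT = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
MISSING_REMOTE = re.compile(
    r"WARNING: '([^']+)' is present in local config but missing in remote config, local='([^']*)'")

# Substrings OpenVPN prints for the two security warnings, mapped to a tag.
SECURITY_PATTERNS = {
    "no-server-cert-check": "No server certificate verification method has been enabled",
    "key-file-permissions": "is group or others accessible",
}
SECURITY_ADVICE = {
    "no-server-cert-check": ("client accepts any CA-signed certificate as the server; add "
                             "'remote-cert-tls server' (or 'ns-cert-type server' on older "
                             "builds) so only a server certificate is accepted"),
    "key-file-permissions": "private key is readable by group/others; restrict it to the OpenVPN user",
}


def triage(log_text):
    """Collect option mismatches and security warnings from raw OpenVPN log text."""
    result = {"inconsistent": {}, "missing_in_remote": {}, "security": []}
    for line in log_text.splitlines():
        if m := INCONSISTENT.search(line):
            result["inconsistent"][m.group(1)] = (m.group(2), m.group(3))
            continue
        if m := MISSING_REMOTE.search(line):
            # local='cipher BF-CBC' -> option 'cipher', value 'BF-CBC'; flags carry no value.
            parts = m.group(2).split(" ", 1)
            result["missing_in_remote"][m.group(1)] = parts[1] if len(parts) == 2 else ""
            continue
        for tag, needle in SECURITY_PATTERNS.items():
            if needle in line:
                result["security"].append(tag)
    return result


def findings(result):
    """Turn a triage result into human-readable findings, most important first."""
    msgs = []
    if "version" in result["inconsistent"]:
        local, remote = result["inconsistent"]["version"]
        msgs.append(f"options string version mismatch (local {local!r}, remote {remote!r}); "
                    "with an undefined remote string every local option is reported as "
                    "missing, so the mismatches below are not individually meaningful")
    if result["missing_in_remote"]:
        opts = ", ".join(f"{k} {v}".strip() for k, v in result["missing_in_remote"].items())
        msgs.append(f"{len(result['missing_in_remote'])} local options unconfirmed by peer: {opts}")
    for tag in result["security"]:
        msgs.append(SECURITY_ADVICE[tag])
    return msgs


if __name__ == "__main__":
    for msg in findings(triage(SAMPLE_LOG)):
        print("-", msg)
```

The triage deliberately keeps the per-option mismatches subordinate to the version line: once the remote options string comes back undefined, every local option is reported as missing, which is exactly the pattern in the server log above, so the list of individual options adds nothing beyond the first warning.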

Mnemic
OpenVpn Newbie
Posts: 3
Joined: Wed May 18, 2011 9:35 pm

Re: Site-to-Site Config Issue. Partly Working.

Post by Mnemic » Thu May 19, 2011 5:51 pm

Looks like I do have it working; just like you said, ICMP wasn't enabled for the Windows 7 PCs.

I was pinging another firewall on the server side, which I assumed would reply to other networks, but it does not.

I'm able to access web sites with no problem from the client-side to servers behind the server-side.

So I have a working config!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Site-to-Site Config Issue. Partly Working.

Post by janjust » Thu May 19, 2011 10:17 pm

Excellent!
Closing topic.
