Clients with static IP can't reach other clients' subnet

[patrickslee]

Hi there

I have setup a openvpn server on a remote server configured to allow clients to access each other's subnet.

Basic scenario like this:

Server: 192.168.120.0/24
Client1: 192.168.0.0/24
Client2: 10.78.20.0/24

I want client2 connect to the server and be able to access 192.168.0.0/24. I have added the following to server.conf:

Code: Select all

dev tun
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0 default 30 # I have to lower the metric because client1 is the LAN gateway and this route will override the LAN route on client1 and cause the LAN to break

in client1's ccd:

Code: Select all

iroute 192.168.0.0 255.255.255.0

I got this set up working fine. client2 can reach 192.168.0.0/24 and other devices in 192.168.0.0/24 can reach client2.

Then I wanted to configure static IP addresses for the clients. So I added ifconfig-push to the ccds. From that point client2 can't reach client1's subnet anymore, nor the server can.

I noticed that the samples in server.conf had the IP addresses swapped for ifconfig-push but it doesn't matter which way I put it they simply don't work. Remove ifconfig-push and everything worked as expected.

Can anyone think of any explanations?

[janjust]

what values did you use for the 'ifconfig-push' ?
If you're not using 'topology subnet' (which I guess you are not using) then you MUST push addresses from valid /30 network blocks. Each client is assigned a /30 network, which for the ifconfig-push means that

* for the first client you use 'ifconfig-push 192.168.120.6 192.168.120.5'
* for the second client you use 'ifconfig-push 192.168.120.10 192.168.120.9'
* for the third client you use 'ifconfig-push 192.168.120.14 192.168.120.13'

(i.e. +4 every time).

[patrickslee]

I am using the default which is net30. And I am doing /30 according to your example.

Would topology subnet be any good to try?

[janjust]

pick any valid /30 network which is different from what is assigned automatically, but which is still part of the original 'server x.x.x.x' range. Try

Code: Select all

ifconfig-push X.X.X.22 X.X.X.21

and reconnect the client; post the relevant part of the server log file, esp the part where it is PUSHing out the configuration to the client. The .22 address should be mentioned there.

[patrickslee]

PUSH_REPLY,route 192.168.0.0 255.255.255.0 default 30,route 192.168.120.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.120.22 192.168.120.21

[janjust]

so the right info is pushed to the client - if the client does not use this new IP address then there's something weird going on at the client (is it configured to accept DHCP?).

[patrickslee]

The client is using the specified address.

The only difference is that if I use ifconfig-push then I can't reach other client's LAN subnet.

[janjust]

aha , now I get it...
can you try replacing

route 192.168.0.0 255.255.255.0 default 30

with

Code: Select all

route 192.168.0.0 255.255.255.0 vpn_gateway 30

'default' is not a special keyword; also, after client1 has connected, what does the routing table look like (on client1) ?

[patrickslee]

Hm... I have tried that before. Basically I think I have RTFM and tried lots of different combinations. The issue is just if I use ifconfig-push then clients can't see each other's LAN. Actually nor the server can. But if I just let the server assign IPs to clients everything work as expected.

I have decided to live with dynamic IPs for now. I am just wondering if it is a known issue and have a solution.

I will go back and re-visit this if I have time later.

Thanks for your help though.

[janjust]

I have decided to live with dynamic IPs for now. I am just wondering if it is a known issue and have a solution.

it is not a known issue - I've just replicated your setup (without the "route 192.168.0.0 255.255.255.0 default 30") and it works fine : from one client I can ping hosts on the LAN behind another client, even though both clients are assigned static IPs using 'ifconfig-push' .

did you add 'client-to-client' on the server config ? or are you using other means to forward traffic between clients?

[patrickslee]

I do have client-to-client in the config.

[maikcat]

hi there,

can you post both client/server configs?

Michael.