Not able to ping remote LAN.

kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 8:50 am

My server.conf file contains:

# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1723

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client

My client.conf file contains:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote x.x.x.x 1723
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert a.crt
key a.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Routing table:

[root@localhost openvpn]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
192.168.10.0 * 255.255.255.0 U 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.2.254 0.0.0.0 UG 0 0 0 eth0

iptables is off.

I am able to ping 192.168.10.1 (the OpenVPN server) but not the internal network 192.168.2.0/24. Please help me resolve this.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Wed Jul 06, 2011 9:06 am

Hi there,

Half of your server config is missing...

Also strip the comments and repost it.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 9:20 am

Reposting the server config file.

I am able to connect to my VPN server (192.168.10.1) via SSH, and from there I am able to ping the local LAN (192.168.2.0/24), but I am not able to ping the 192.168.2.0/24 network directly after successful initialization.


-edited by maikcat (remove comments from config)-

local 192.168.2.61
port 1723
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 192.168.10.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
topology subnet
push "redirect-gateway def1"
push "dhcp-option DNS 121.242.190.180"
push "dhcp-option DNS 121.242.190.211"
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Wed Jul 06, 2011 9:31 am

> I am able to ping the local LAN (192.168.2.0/24), but not able to ping the 192.168.2.0/24 network directly after successful initialization

Directly?!??!

Can you explain the above a little bit more?

Give an example, please.


kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 9:41 am

I am able to ping 192.168.10.1 from the remote client, and I can also connect to my VPN server (192.168.10.1) via SSH. After connecting to the VPN server via SSH, from there I am able to ping the local LAN (192.168.2.0/24), but I am not able to ping the 192.168.2.0/24 network directly after successful initialization. That means without logging into the VPN server via SSH, I am not able to ping the remote LAN (192.168.2.0/24).
My office LAN: 192.168.2.0/24
VPN server IP: 192.168.10.0/24
Client IP: 192.168.10.2
The client is not able to ping the 192.168.2.0/24 network directly.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Wed Jul 06, 2011 9:58 am

Did you enable IP forwarding on the OpenVPN server?

The host you are trying to reach, did you configure routing correctly on it?
Did you add a static route for the VPN network pointing to your OpenVPN server?


kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 10:03 am

IP forwarding is enabled.

Routing on the host side:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
192.168.10.0 * 255.255.255.0 U 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.2.254 0.0.0.0 UG 0 0 0 eth0

"Did you add a static route for the VPN network pointing to your OpenVPN server?" How can I check this?
If there is any routing problem, how can I add that? Can you please give the steps?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Wed Jul 06, 2011 10:09 am

Hi there,

> If there is any routing problem, how can I add that? Can you please give the steps?

If you do a traceroute from a server inside your LAN (NOT the OpenVPN server) to the OpenVPN tun IP, where do the packets go?
(tracert under Windows, traceroute under *nix)


kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 10:16 am

Is my routing correct?

Here is the trace report:

[root@localhost openvpn]# traceroute 192.168.2.61
traceroute to 192.168.2.61 (192.168.2.61), 30 hops max, 40 byte packets
1 openvpn.server.com (192.168.2.61) 0.089 ms 0.023 ms 0.017 ms
[root@localhost openvpn]# traceroute 192.168.10.1
traceroute to 192.168.10.1 (192.168.10.1), 30 hops max, 40 byte packets
1 192.168.10.1 (192.168.10.1) 0.096 ms 0.031 ms 0.032 ms
[root@localhost openvpn]# traceroute 192.168.2.254
traceroute to 192.168.2.254 (192.168.2.254), 30 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Wed Jul 06, 2011 10:24 am

Give traceroute output from the server you want your VPN clients
to access, not from the OpenVPN server itself!

Unfortunately basic routing skills are required to configure
OpenVPN correctly....

Don't know if I can help more.


kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 10:44 am

My server IP is 192.168.2.61 (CentOS), internal network 192.168.2.0/24. I am connecting to it from a remote machine (Ubuntu). Can you please let me know from which machine I should do the traceroute?

1) Can I do a traceroute from any one of the machines in the 192.168.2.0/24 network to 192.168.2.61, or from the client to 192.168.2.61, or from the client to the public IP of 192.168.2.61?

How can I specify the route on the server: route add 192.168.10.0/24 via 192.168.2.61 (server IP) or 192.168.2.254 (GW)?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Wed Jul 06, 2011 10:54 am

You can do a traceroute from an OpenVPN client to 192.168.2.x hosts.
You can do a traceroute from 192.168.2.x to the OpenVPN client 192.168.10.x.

Do you want to access a specific server on the 2.x network? Which one? What OS does it have?


kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 11:47 am

This is the traceroute from one of the 2.x hosts to the VPN client 192.168.10.2:

root@kashyap-desktop:/home/# traceroute 192.168.10.2
traceroute to 192.168.10.2 (192.168.10.2), 30 hops max, 60 byte packets
1 192.168.2.254 (192.168.2.254) 0.516 ms 0.847 ms 1.161 ms
2 115.119.68.97.static-Mumbai.vsnl.net.in (115.119.68.97) 4.963 ms 4.872 ms 4.841 ms
3 59.163.3.129.static.vsnl.net.in (59.163.3.129) 28.603 ms 28.692 ms 28.835 ms
4 59.163.24.122.static.vsnl.net.in (59.163.24.122) 15.948 ms 16.049 ms 16.315 ms
5 59.163.55.150.static.vsnl.net.in (59.163.55.150) 16.898 ms 17.137 ms 17.377 ms
6 172.31.1.86 (172.31.1.86) 18.012 ms 14.070 ms 17.689 ms
7 172.31.17.14 (172.31.17.14) 54.315 ms 54.326 ms 54.552 ms
8 172.25.75.22 (172.25.75.22) 55.363 ms 55.376 ms 55.523 ms
9 172.31.48.62 (172.31.48.62) 55.727 ms 172.31.48.29 (172.31.48.29) 55.868 ms 172.31.48.62 (172.31.48.62) 56.098 ms
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

This is the traceroute from 192.168.10.2 to a host in the 192.168.2.0/24 network:

Can you tell me how to add the static route?

kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Wed Jul 06, 2011 11:53 am

From any client in 192.168.10.0/24, I need access to any host in 192.168.2.0/24.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Wed Jul 06, 2011 12:13 pm

Basically you have 2 options:

1) you add a static route to *every* PC on the 192.168.2.x network, or

2) you add a static route to your internet router :D (your PCs' default gateway)

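A worked illustration of the routing problem behind the two options above, added here as an example and not part of the thread: a longest-prefix match over a constructed copy of the LAN host's routing table shows why the traceroute to 192.168.10.2 left via 192.168.2.254 (the internet router), and how the lookup changes once a static route for 192.168.10.0/24 via the OpenVPN server's LAN address 192.168.2.61 is present. The route entries are constructed from the tables posted in the thread; `ipaddress` is the Python standard library.

```python
import ipaddress

# Constructed routing table of a plain LAN host (192.168.2.x): its own subnet,
# link-local, and a default route via the internet router 192.168.2.254.
# Entries are (prefix, gateway, interface); gateway None means on-link.
LAN_HOST_ROUTES = [
    ("192.168.2.0/24", None, "eth0"),
    ("169.254.0.0/16", None, "eth0"),
    ("0.0.0.0/0", "192.168.2.254", "eth0"),
]

VPN_SERVER_LAN_IP = "192.168.2.61"   # OpenVPN server's address on the office LAN
VPN_SUBNET = "192.168.10.0/24"        # the "server 192.168.10.0 255.255.255.0" pool


def next_hop(routes, dest):
    """Longest-prefix match as the kernel does it: return (gateway, iface)
    for dest, or None when no route (not even a default) covers it."""
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def with_static_route(routes, prefix, gateway, iface="eth0"):
    """Return a copy of the table with the return route for the VPN subnet
    added (option 1: on each LAN PC; option 2: on the default gateway)."""
    return routes + [(prefix, gateway, iface)]


def explain(routes, dest):
    """Human-readable verdict for where replies to dest would be sent."""
    hop = next_hop(routes, dest)
    if hop is None:
        return "unreachable"
    gw, iface = hop
    return f"on-link via {iface}" if gw is None else f"via {gw} on {iface}"


def iproute_add_command(prefix, gateway):
    """The iproute2 command equivalent to the static route being added."""
    return f"ip route add {prefix} via {gateway}"


if __name__ == "__main__":
    client = "192.168.10.2"
    print("before:", explain(LAN_HOST_ROUTES, client))
    fixed = with_static_route(LAN_HOST_ROUTES, VPN_SUBNET, VPN_SERVER_LAN_IP)
    print("after: ", explain(fixed, client))
    print("fix:   ", iproute_add_command(VPN_SUBNET, VPN_SERVER_LAN_IP))
```

Before the fix the reply to a VPN client falls through to the default route and leaves the LAN, which is exactly the hop list in the traceroute above; after it the reply goes to the OpenVPN server, which forwards it into tun0.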

kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Fri Jul 08, 2011 9:54 am

Hi,

I have added a static route to my internet router; now OpenVPN is connecting and it is working fine. Thanks for the help.

Right now I am facing one more issue. To test OpenVPN I had added only 5 users; now it is working fine, so I want to roll it out permanently, but when I try to add a user I am getting the following error:

[abc@openvpn 2.0]# ./build-key xyz
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.

How can I resolve this and add users without disturbing the existing keys?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Fri Jul 08, 2011 10:09 am

Hi there,

Go to the folder where you keep your keys (and the openssl cnf files, vars, etc.)

Type:

source ./vars
./build-key keyname

Ready!

Just remember you are not obliged to create keys on your OpenVPN server itself.
You can copy your key structure to another server, keep ONLY on your server (ca.crt, server.crt, server.key, dhxxx.pem, ta.key) plus your CCDs (if any) and the config file,
and delete all the others.


kashyap
OpenVpn Newbie
Posts: 11
Joined: Wed Jul 06, 2011 8:42 am

Re: Not able to ping remote LAN.

Post by kashyap » Fri Jul 08, 2011 12:49 pm

Thanks, it worked!!!!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not able to ping remote LAN.

Post by maikcat » Fri Jul 08, 2011 12:51 pm

Glad to hear that,

Closing topic.
