Routing Issue

tpow00
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 29, 2011 3:01 am

Routing Issue

Post by tpow00 » Mon Aug 29, 2011 3:40 am

Hello,

So my OpenVPN server seems to be receiving the traffic that I'm sending it, but not returning anything. I tried fixing this by adding a route from the client to the server's LAN, but now it's throwing an error:


Sun Aug 28 22:20:34 2011 us=927375 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Sun Aug 28 22:20:34 2011 us=927521 /sbin/route add -net 192.168.1.1 netmask 255.255.255.0 gw 192.168.2.101
route: netmask doesn't match route address
Usage: route [-nNvee] [-FC] [<AF>]           List kernel routing tables
       route [-v] [-FC] {add|del|flush} ...  Modify routing table for AF.

       route {-h|--help} [<AF>]              Detailed usage syntax for specified AF.
       route {-V|--version}                  Display version/author and exit.

        -v, --verbose            be verbose
        -n, --numeric            don't resolve names
        -e, --extend             display other/more information
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB

  <AF>=Use '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) 
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) 
    x25 (CCITT X.25) 
Sun Aug 28 22:20:34 2011 us=930289 ERROR: Linux route add command failed: external program exited with error status: 4
My server config file is:


port 1194
proto udp
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
script-security 2
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.101 255.255.255.0 192.168.2.105 192.168.2.200
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.1.1 255.255.255.0"
push "redirect-gateway local def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
max-clients 50
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20
The client:


client
dev tap
proto udp
remote 71.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
cipher BF-CBC
comp-lzo
verb 5
I have been debugging it with both firewalls turned off, and both routers have been configured to allow UDP connections through port 1194.

Help is much appreciated.
Last edited by tpow00 on Mon Aug 29, 2011 4:20 pm, edited 1 time in total.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Routing Issue

Post by Mimiko » Mon Aug 29, 2011 4:54 am

You are bridging, so the local and remote interfaces (and LAN) have to be in the same IP pool, like 192.168.2/24.
Where did 192.168.1/24 come from?
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.1.1 255.255.255.0"
You don't need the second line, because the first line already includes the other one.
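As an added example (not code from this thread), a small Python checker for the push "route" lines of the server config above: it flags a route whose address has host bits set (the cause of the "route: netmask doesn't match route address" error), a route that overlaps the client's own LAN (the WARNING in the log), and a route already covered by another pushed route. The client LAN is passed in by the caller because the server cannot know it; check_push_routes and SAMPLE_CONF are names chosen for this example.

```python
# Added example, not from the forum post: lint the push "route ..." lines of an
# OpenVPN server config the way the client's route setup would judge them.
import ipaddress
import re

PUSH_ROUTE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"')

# Constructed sample: the relevant lines of the server.conf quoted in the thread.
SAMPLE_CONF = """\
server-bridge 192.168.2.101 255.255.255.0 192.168.2.105 192.168.2.200
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.1.1 255.255.255.0"
"""


def check_push_routes(conf_text, client_lan):
    """Return a list of (route_line, finding) pairs for the pushed routes.

    client_lan is the client's own LAN, e.g. "192.168.1.0/24" (assumed input:
    the server config cannot tell us what the client's LAN is).
    """
    lan = ipaddress.ip_network(client_lan)
    routes = []  # (line, network, had_host_bits)
    for line in conf_text.splitlines():
        m = PUSH_ROUTE.match(line)
        if not m:
            continue
        addr, mask = m.groups()
        try:
            # strict=True rejects host bits, the condition behind
            # "route: netmask doesn't match route address"
            net, host_bits = ipaddress.ip_network(f"{addr}/{mask}", strict=True), False
        except ValueError:
            net, host_bits = ipaddress.ip_network(f"{addr}/{mask}", strict=False), True
        routes.append((line.strip(), net, host_bits))

    findings = []
    for i, (line, net, host_bits) in enumerate(routes):
        if host_bits:
            findings.append((line, "host bits set: /sbin/route add will fail"))
        if net.overlaps(lan):  # same check as OpenVPN's subnet-conflict WARNING
            findings.append((line, f"conflicts with client LAN {lan}"))
        for j, (_, other, _) in enumerate(routes):
            # covered by a wider route, or a duplicate of an earlier one
            if j != i and net.subnet_of(other) and (net != other or j < i):
                findings.append((line, f"redundant: already covered by {other}"))
                break
    return findings


if __name__ == "__main__":
    for line, why in check_push_routes(SAMPLE_CONF, "192.168.1.0/24"):
        print(f"{line}: {why}")
```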

tpow00
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 29, 2011 3:01 am

Re: Routing Issue

Post by tpow00 » Mon Aug 29, 2011 4:31 pm

I have removed the second line as per your suggestion.

The IP pool 192.168.1/24 is the client's current local IP. The server is assigning the IP pool 192.168.2.105-200. I added the additional route in an attempt to give the data a way back to the client. But since I'm not guaranteed to have a local address on the same subnet every time I use the VPN, I now see that it won't work.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Routing Issue

Post by Mimiko » Mon Aug 29, 2011 5:28 pm

The main reason for a bridging setup is that all LANs on the server and clients have the same IP mask. If clients have to have different IP masks on their LANs, it is better to use the routing method.

tpow00
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 29, 2011 3:01 am

Re: Routing Issue

Post by tpow00 » Mon Aug 29, 2011 6:44 pm

Right, and when I connect, the clients will all be on the same subnet. That is my goal. My issue arises when I connect and am assigned a new local ip address from the server, and the traffic isn't being rerouted back to the client as the sample server.conf file specifies:
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool back to the OpenVPN server.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Routing Issue

Post by Mimiko » Mon Aug 29, 2011 7:33 pm

The quote you mentioned is mainly used for the routing method of OpenVPN, when clients have different IP masks behind them. In bridged mode, the interfaces are set in promiscuous mode, so for every computer the other computers appear as if they were local, but all packets are going through the tunnel, i.e. the computers' ARP tables will have multiple records with the same MAC (of the OpenVPN computer) and different IPs.

tpow00
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 29, 2011 3:01 am

Re: Routing Issue

Post by tpow00 » Wed Aug 31, 2011 5:13 am

Ok. You said that they are mainly used for the routing method. What are the uses for a bridged setup?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Routing Issue

Post by Mimiko » Wed Aug 31, 2011 5:22 am

What are the uses for a bridged setup?
It's mainly used to achieve a LAN-type connection, where there is a need to transmit legacy protocol packets, like IPX, or to use old games where connections between clients are made by broadcast packets.
