Wrong routes set to the client

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Wrong routes set to the client

Post by whites11 » Wed Dec 28, 2011 9:14 pm

Hi all,

Briefly, my situation:

Linux server (Ubuntu 10.04)
2 network interfaces: eth0 with a bridge (br0, 192.168.2.190) and eth1 (192.168.101.X, DHCP)
Traffic is masqueraded with these rules:

Code:

iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j MASQUERADE

The server is behind a firewall (192.168.2.1) and has port 4911 UDP (yes, not standard) forwarded correctly.

This is the server config:

Code:

mode server
tls-server
local 192.168.2.190
port 4911
proto udp
dev tap0
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.190 255.255.255.0 192.168.2.180 192.168.2.189
push "dhcp-option DNS 192.168.2.190 8.8.8.8"
push "dhcp-option DOMAIN my.domain.com"
push "route 192.168.101.1 255.255.255.255"
max-clients 9
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Connection from remote works perfectly; the (relevant) routes I get are the following:

Code:

0.0.0.0         192.168.17.1    0.0.0.0         UG    0      0        0 eth0
vpn_public_ip_address   192.168.17.1    255.255.255.255 UGH   0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.17.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.101.1   192.168.2.190   255.255.255.255 UGH   0      0        0 tap0

Of course 192.168.17.0/24 is my home's local network.

Everything seems good, but here's the problem:

Code:

$ ping -c 1 192.168.2.190
PING 192.168.2.190 (192.168.2.190) 56(84) bytes of data.
64 bytes from 192.168.2.190: icmp_req=1 ttl=64 time=102 ms

--- 192.168.2.190 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 102.758/102.758/102.758/0.000 ms

Works, good. But:

Code:

$ ping -c 1 192.168.2.140
PING 192.168.2.140 (192.168.2.140) 56(84) bytes of data.
From 192.168.2.180 icmp_seq=1 Destination Host Unreachable

--- 192.168.2.140 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

does not... (and the same for every other resource of that subnet).
Resources on the other subnet (192.168.101.0) work quite well.

To make the traffic on the 192.168.2.0 network work I need to manually push a route on the client like this:

Code:

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.190

I think things should work without the above route (and I cannot ask my VPN clients to set this route manually), so I guess I'm doing something wrong but can't understand what.
Can anybody explain?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Wrong routes set to the client

Post by Mimiko » Thu Dec 29, 2011 6:20 am

You can try adding to server's config:

Code:

push "route 192.168.2.0 255.255.255.0 vpn_gateway"

whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Thu Dec 29, 2011 9:44 am

No luck, client routes are unchanged.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Thu Dec 29, 2011 11:18 am

Please post the output of the ifconfig command on the server.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Thu Dec 29, 2011 11:21 am

Here it is:

Code:

br0       Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:9d
          inet addr:192.168.2.190  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:8c9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:345334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:326439 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:289766112 (289.7 MB)  TX bytes:289067343 (289.0 MB)

eth0      Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:9d
          inet6 addr: fe80::20c:29ff:fe7a:8c9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:342729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:324339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:294998319 (294.9 MB)  TX bytes:288586383 (288.5 MB)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:a7
          inet addr:192.168.101.11  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:8ca7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:804 (804.0 B)  TX bytes:1152 (1.1 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:580180 (580.1 KB)  TX bytes:580180 (580.1 KB)

tap0      Link encap:Ethernet  HWaddr 0e:08:76:36:30:76
          inet6 addr: fe80::c08:76ff:fe36:3076/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4063 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4694 (4.6 KB)  TX bytes:575445 (575.4 KB)

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Thu Dec 29, 2011 11:24 am

Interfaces participating in the bridge MUST be in promisc mode..

Please also post:

brctl show

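The two things maikcat asks for, bridge membership and promiscuous mode on every member port, can be checked mechanically. The script below is an added example, not code from the thread; it parses constructed copies of the `brctl show` and `ifconfig` outputs posted in this thread (eth0 as it was before the promisc change) and lists bridge ports whose flag line lacks PROMISC.

```python
# Constructed sample input, copied from the outputs posted in the thread.
BRCTL_SHOW = """\
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c297a8c9d       no              eth0
                                                        tap0
"""

IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:9d
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr 0e:08:76:36:30:76
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
"""


def bridge_members(text):
    """Map bridge name -> member ports; brctl prints extra ports on
    continuation lines that carry only the port name."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():               # row that names a bridge
            current = fields[0]
            bridges[current] = fields[3:]       # ports follow name, id, STP
        else:                                   # continuation row
            bridges[current].extend(fields)
    return bridges


def interface_flags(text):
    """Map interface name -> set of flags on its 'UP BROADCAST ...' line."""
    flags, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # line starting with a name
            current = line.split()[0]
        elif current and line.strip().startswith("UP"):
            flags[current] = set(line.split("MTU")[0].split())
    return flags


def ports_missing_promisc(brctl_text, ifconfig_text):
    """Bridge ports that are not in promiscuous mode, sorted by name."""
    flags = interface_flags(ifconfig_text)
    return sorted(port for ports in bridge_members(brctl_text).values()
                  for port in ports if "PROMISC" not in flags.get(port, set()))


if __name__ == "__main__":
    print("ports without PROMISC:", ports_missing_promisc(BRCTL_SHOW, IFCONFIG))
```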

whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Thu Dec 29, 2011 11:31 am

OK, I edited /etc/network/interfaces like this:

Code:

iface eth0 inet dhcp
  up ip link set $IFACE up promisc on
  down ip link set $IFACE down promisc off

Is this ok?

brctl show:

Code:

bridge name     bridge id               STP enabled     interfaces
br0             8000.000c297a8c9d       no              eth0
                                                        tap0

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Thu Dec 29, 2011 11:35 am

Does ifconfig show promisc mode on eth0?

If yes, you are ok (so far ;) )


whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Thu Dec 29, 2011 11:57 am

This is my ifconfig now:

Code:

eth0      Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:9d
          inet6 addr: fe80::20c:29ff:fe7a:8c9d/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:783 errors:0 dropped:0 overruns:0 frame:0
          TX packets:561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:91920 (91.9 KB)  TX bytes:105250 (105.2 KB)

But still no luck, same problem: 192.168.2.190 is reachable, 192.168.2.* is not...

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Thu Dec 29, 2011 12:04 pm

Remove these from the server:

mode server
ifconfig-pool-persist ipp.txt

Restart the service.

Also:

Did you enable IP forwarding on the server?

Disable iptables for testing (I don't think you need masq anyway..)


whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Thu Dec 29, 2011 12:51 pm

OK, I removed mode server and ifconfig pool...

I removed every iptables rule:

Code:

$ iptables -L
Chain INPUT (policy ACCEPT)
target   prot opt source   destination

Chain FORWARD (policy ACCEPT)
target   prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target   prot opt source   destination

Code:

$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target   prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
target   prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target   prot opt source   destination

eth0 is in promisc mode, but still the same behavior :(

EDIT: wait, do I need to have ip_forward enabled even in this case (with no masquerading at all)?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Thu Dec 29, 2011 1:48 pm

Yeap, enable IP forwarding on the server.


whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Thu Dec 29, 2011 8:48 pm

OK, I enabled it again but still not working...

Thanks very much for your help, it's very appreciated!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Fri Dec 30, 2011 8:27 am

Can you repost the last used server config file?


whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Fri Dec 30, 2011 10:51 pm

Code:

tls-server
local 192.168.2.190
port 4911
proto udp
dev tap0
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
server-bridge 192.168.2.190 255.255.255.0 192.168.2.180 192.168.2.189
push "dhcp-option DNS 192.168.2.190 8.8.8.8"
push "dhcp-option DOMAIN ud.enbilab.com"
push "route 192.168.101.1 255.255.255.255"
push "route 192.168.2.0 255.255.255.0 vpn_gateway"
max-clients 9
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Sun Jan 01, 2012 9:58 am

Happy new year!

Remove this from your server config:

>push "route 192.168.2.0 255.255.255.0 vpn_gateway"

Restart the service and try again.


whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Sun Jan 01, 2012 8:21 pm

Thanks, happy new year to you too!

I tried, but same behavior.
I guess it can be something related to my local (client) setup.
I'm going to set up a VirtualBox test environment to check if everything's ok in a simpler environment.

If you have any ideas in the meantime I'll be happy to try :)

whites11
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 28, 2011 8:55 pm

Re: Wrong routes set to the client

Post by whites11 » Wed Jan 04, 2012 1:39 pm

I think the answer to my problem is the following:

Note: If the server is not the default LAN gateway on the server side, you will have to do one of the following:
Add a static route to the LAN's default gateway (most likely the LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address.
Add a static route to each host on the server side LAN that you want to be able to communicate with the client (bugs).
Use the iptables NAT feature to masquerade the IP packets..

Now, I cannot do the first nor the second one.
How can I do the third one (with iptables or ufw)?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Wrong routes set to the client

Post by maikcat » Thu Jan 05, 2012 7:47 am

You are using bridging mode, not routing..

The note you mention applies to a routing based setup.

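Why neither the pushed route nor the HOWTO's routed-mode note applies can be seen by replaying the client's own route lookup. The script below is an added example, not code from the thread; it parses the client routing table posted in the first message (the vpn_public_ip_address placeholder row is left out) and returns, for a destination, the address the client has to resolve with ARP and the interface it sends on.

```python
import ipaddress

# Constructed from the client's `route -n` output posted in the first message
# (columns: destination, gateway, genmask, flags, metric, ref, use, iface).
CLIENT_ROUTES = """\
0.0.0.0         192.168.17.1    0.0.0.0         UG    0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.17.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.101.1   192.168.2.190   255.255.255.255 UGH   0      0        0 tap0
"""


def parse_routes(text):
    """Turn `route -n` rows into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dst, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel uses to pick a route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


def next_hop(routes, dst):
    """(address the client ARPs for, interface): the gateway for a via-route,
    the destination itself when the route is on-link (no gateway)."""
    _net, gateway, iface = lookup(routes, dst)
    return (str(gateway) if gateway is not None else dst, iface)


if __name__ == "__main__":
    routes = parse_routes(CLIENT_ROUTES)
    for dst in ("192.168.2.190", "192.168.2.140", "192.168.101.1", "8.8.8.8"):
        hop, iface = next_hop(routes, dst)
        kind = "on-link" if hop == dst else f"via {hop}"
        print(f"{dst:15} -> {kind} on {iface}")
```

192.168.2.140 is already on-link through tap0, so the client broadcasts an ARP request for it across the bridge; the "From 192.168.2.180 ... Destination Host Unreachable" reply comes from the client's own address and means that ARP got no answer, a layer-2 forwarding failure that an extra route cannot fix. The manual `route add ... gw 192.168.2.190` only works around it by sending LAN traffic to the server's MAC and letting the server forward it.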

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Wrong routes set to the client

Post by Mimiko » Sat Jan 07, 2012 6:58 pm

I didn't see any full log from the OpenVPN client. So I suppose you are running OpenVPN client not as a root.
