New Site-to-Site Tunnel With Partial Connectivity

Roamer
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 02, 2012 12:55 am

New Site-to-Site Tunnel With Partial Connectivity

Post by Roamer » Mon Jan 02, 2012 3:32 am

This is a new configuration (I'm new to using OpenVPN). I am using OpenVPN 2.2.2 on both sides. I am able to connect the two sites and can ping devices, but that's as far as I'm getting; I cannot connect to any network printers (I'd like to connect to Windows shares, too, but remote printing is top priority).

Client LAN 192.168.2.0/24 -- OpenVPN Network 10.8.0.0/24 -- Server LAN 192.168.1.0/24

Linksys WRT54GS 192.168.2.1 (firmware v4.71.1, Hyperwrt 2.1b1 + Thibor15c) -- Comcast Internet -- Linksys BEFSR41 192.168.1.1 (stock Linksys firmware)

Client (Windows Vista SP2) LAN IP 192.168.2.65 -- Client VPN IP 10.8.0.6 -- Server VPN IP 10.8.0.1 -- Server (Windows XP Pro SP3) LAN IP 192.168.1.105

The client's Vista firewall is disabled, the server's XP firewall is disabled, the IPEnableRouter TCPIP parameter is set to 1 on the server, and the server-side router has a static route added (Destination IP Address: 10.8.0.0, Subnet Mask: 255.255.255.0, Gateway: 192.168.1.105, Hop Count: 3, Interface: LAN).

The OpenVPN client can successfully connect to the OpenVPN server.

The client can ping the server's VPN IP (10.8.0.1) and its local IP (192.168.1.105).

The client can also ping devices beyond the server (192.168.1.1 (Linksys router), 192.168.1.3 (HP JetDirect print server), 192.168.1.100 (Windows 7 PC)).

The remote Windows 7 PC can ping the client's VPN IP (10.8.0.6).

The client can connect and logon to the remote Linksys router on port 80 (i.e. 192.168.2.65 --> http://192.168.1.1/ = OK).


Now for the problem...

I cannot actually connect to either of the remote HP LaserJet printers' JetDirect cards, so I can't print, which was the main reason I wanted to set up this house-to-house VPN connection.


Server Config:

port 1194
proto udp
dev tun
ca ../easy-rsa/keys/ca.crt
cert ../easy-rsa/keys/server.crt
key ../easy-rsa/keys/server.key
dh ../easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.log
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.2.0 255.255.255.0
push "dhcp-option DOMAIN domain.local"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4

Client Config:

client
dev tun
proto udp
remote 111.222.333.444 1194  <-- obviously, actual Internet IP is here
resolv-retry infinite
nobind
persist-key
persist-tun
ca ../easy-rsa/keys/ca.crt
cert ../easy-rsa/keys/client1.crt
key ../easy-rsa/keys/client1.key
ns-cert-type server
comp-lzo
verb 4

Server Routing Table:

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff c9 10 3a 65 ...... TAP-Win32 Adapter V9 - Wireless Intermediate Driver
0x10004 ...00 08 74 e3 41 79 ...... 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Jumpstart Wireless Intermediate Driver
0x10005 ...30 46 9a 26 d5 3d ...... NETGEAR WNA1100 Wireless-N 150 USB Adapter - Wireless Intermediate Driver
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.105       25
         10.8.0.0  255.255.255.252         10.8.0.1        10.8.0.1       30
         10.8.0.0    255.255.255.0         10.8.0.2        10.8.0.1       1
         10.8.0.1  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255         10.8.0.1        10.8.0.1       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.105   192.168.1.105       25
    192.168.1.105  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255    192.168.1.105   192.168.1.105       25
      192.168.2.0    255.255.255.0         10.8.0.2        10.8.0.1       1
        224.0.0.0        240.0.0.0         10.8.0.1        10.8.0.1       30
        224.0.0.0        240.0.0.0    192.168.1.105   192.168.1.105       25
  255.255.255.255  255.255.255.255         10.8.0.1        10.8.0.1       1
  255.255.255.255  255.255.255.255    192.168.1.105           10004       1
  255.255.255.255  255.255.255.255    192.168.1.105   192.168.1.105       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\>

Client Routing Table:

C:\>route print
===========================================================================
Interface List
 16 ...00 ff bd 26 a0 94 ...... TAP-Win32 Adapter V9
  9 ...00 1e c9 4a e8 f3 ...... Intel(R) 82566DC-2 Gigabit Network Connection
  1 ........................... Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.65    266
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     30
         10.8.0.4  255.255.255.252         On-link          10.8.0.6    286
         10.8.0.6  255.255.255.255         On-link          10.8.0.6    286
         10.8.0.7  255.255.255.255         On-link          10.8.0.6    286
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         10.8.0.5         10.8.0.6     30
      192.168.2.0    255.255.255.0         On-link      192.168.2.65    266
     192.168.2.65  255.255.255.255         On-link      192.168.2.65    266
    192.168.2.255  255.255.255.255         On-link      192.168.2.65    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.2.65    266
        224.0.0.0        240.0.0.0         On-link          10.8.0.6    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.2.65    266
  255.255.255.255  255.255.255.255         On-link          10.8.0.6    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.2.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\>

Client Ipconfig, Ping, and Telnet Output:

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : client1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter OpenVPN Connection:

   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-BD-26-A0-94
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Sunday, January 01, 2012 08:49:03 PM
   Lease Expires . . . . . . . . . . : Monday, December 31, 2012 08:49:24 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82566DC-2 Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1E-C9-4A-E8-F3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.2.65(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\>ping -n 2 10.8.0.1

Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=22ms TTL=128
Reply from 10.8.0.1: bytes=32 time=15ms TTL=128

Ping statistics for 10.8.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 22ms, Average = 18ms

C:\>ping -n 2 192.168.1.105

Pinging 192.168.1.105 with 32 bytes of data:
Reply from 192.168.1.105: bytes=32 time=12ms TTL=128
Reply from 192.168.1.105: bytes=32 time=16ms TTL=128

Ping statistics for 192.168.1.105:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 16ms, Average = 14ms

C:\>ping -n 2 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=24ms TTL=149
Reply from 192.168.1.1: bytes=32 time=19ms TTL=149

Ping statistics for 192.168.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 24ms, Average = 21ms

C:\>ping -n 2 192.168.1.3

Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=36ms TTL=58
Reply from 192.168.1.3: bytes=32 time=31ms TTL=58

Ping statistics for 192.168.1.3:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 36ms, Average = 33ms

C:\>ping -n 2 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time=23ms TTL=126
Reply from 192.168.1.100: bytes=32 time=20ms TTL=126

Ping statistics for 192.168.1.100:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 23ms, Average = 21ms


C:\>telnet 192.168.1.1 80
Connecting To 192.168.1.1...

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'


Microsoft Telnet>

Connection to host lost.
quit

C:\>telnet 192.168.1.3 80
Connecting To 192.168.1.3...Could not open connection to the host, on port 80: Connect failed

C:\>telnet 192.168.1.3 9100
Connecting To 192.168.1.3...Could not open connection to the host, on port 9100: Connect failed

C:\>

Server Log (verb 6):
Your message contains 111740 characters. The maximum number of allowed characters is 60000.

Size: 54,564 bytes
Can be posted, if needed - including it in this post made the post too big.

Client Log (verb 6):
Your message contains 111740 characters. The maximum number of allowed characters is 60000.

Size: 46,848 bytes
Can be posted, if needed - including it in this post made the post too big.

So... any ideas on why I can ping the remote devices, but cannot connect to their ports (e.g. JetDirect web server (80) and printer port (9100))? These ports are open and available locally.

Thanks for any help and/or suggestions!

-Jeff

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: New Site-to-Site Tunnel With Partial Connectivity

Post by maikcat » Mon Jan 02, 2012 7:44 am

Did you use ccd files with an iroute statement?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

Roamer
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 02, 2012 12:55 am

Re: New Site-to-Site Tunnel With Partial Connectivity

Post by Roamer » Mon Jan 02, 2012 2:32 pm

Michael,

I've tried with and without the ccd file. At first I left the related server config options remarked out.

Initial Server Config:

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

Then I uncommented the options, changed the route option to match the client's network, created the ccd directory, and created the client1 file with the iroute option.

Current Server Config:

client-config-dir ccd
route 192.168.2.0 255.255.255.0

ccd\client1 Config:

iroute 192.168.2.0 255.255.255.0

With each config change, I have killed and restarted the OpenVPN process, to put the changes into effect.

-Jeff

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: New Site-to-Site Tunnel With Partial Connectivity

Post by maikcat » Tue Jan 03, 2012 8:17 am

Can you test a service other than those on the JetDirects? (ssh on a Linux PC, for example.)

If this also doesn't work, try to use ping with larger packets and see
if they come through.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

Roamer
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 02, 2012 12:55 am

Re: New Site-to-Site Tunnel With Partial Connectivity

Post by Roamer » Wed Jan 04, 2012 4:47 pm

Michael,

I did a lot of testing and logical review of the topology and determined the problem was a routing issue. I found that even though a static route for 10.8.0.0/24 was set to use the OpenVPN server's local IP for the gateway, the router was not actually using that route for incoming traffic from clients; it was only using it for itself. That explains why I could hit the web interface of the router, but not the web interface of the JetDirect cards. The JetDirect cards were returning traffic from 10.8.0.6 via 192.168.1.1 and the router was passing it out to the Internet, which doesn't work very well. ;-)

A friend suggested this was happening because the Linksys is in gateway mode vs. router mode. I'm going to look into that as a solution. Otherwise, my option is to manually configure persistent routes on the Windows devices and make the OpenVPN server's IP the default gateway for the JetDirect cards (these are older, lower end cards that do not support routing tables), which should be okay as they only talk to the Windows workstations on their local subnet (other than the new workstations across the VPN tunnel).

-Jeff
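The asymmetric-routing diagnosis above, as an added example that is not Jeff's own tooling: a small Python model of the thread's topology that does longest-prefix lookup per host and traces a packet's path in both directions. The hosts, their tables, and the router's "static route only for its own traffic" behaviour are constructed from the thread; the FIXED table points the JetDirect's default gateway at the OpenVPN server, as Jeff proposes.

```python
import ipaddress

# Constructed model of the thread's topology (added example). Each host maps to
# its addresses and a routing table of (prefix, gateway); None means on-link.
HOSTS = {
    "client": ({"192.168.2.65", "10.8.0.6"},
               [("192.168.2.0/24", None), ("10.8.0.4/30", None),
                ("192.168.1.0/24", "10.8.0.5"), ("0.0.0.0/0", "192.168.2.1")]),
    "server": ({"192.168.1.105", "10.8.0.1"},
               [("192.168.1.0/24", None), ("10.8.0.0/24", "10.8.0.2"),
                ("192.168.2.0/24", "10.8.0.2"), ("0.0.0.0/0", "192.168.1.1")]),
    "router": ({"192.168.1.1"},            # the BEFSR41 with its static route
               [("192.168.1.0/24", None), ("10.8.0.0/24", "192.168.1.105"),
                ("0.0.0.0/0", "internet")]),
    "jetdirect": ({"192.168.1.3"},
                  [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
}
# The fix Jeff considers: make the OpenVPN server the JetDirect's default gateway.
FIXED = dict(HOSTS, jetdirect=({"192.168.1.3"},
             [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.105")]))
# net30 tunnel endpoints: 10.8.0.5 is reached via the server, 10.8.0.2 via the client.
TUNNEL = {"10.8.0.5": "server", "10.8.0.2": "client"}

def lookup(table, dst, forwarded, quirk):
    """Longest-prefix match. With quirk set, a forwarded packet ignores every
    static (gateway) route except the default, as Jeff observed on the router."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if ip not in net or (quirk and forwarded and gw is not None and net.prefixlen):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw)
    return best[1]

def trace(src, dst, router_quirk=False, hosts=HOSTS):
    """Return the list of hops a packet from host `src` to address `dst` takes."""
    owner = {**TUNNEL, **{a: n for n, (addrs, _) in hosts.items() for a in addrs}}
    path, host = [src], src
    for hop in range(8):
        addrs, table = hosts[host]
        if dst in addrs:
            return path + ["delivered"]
        gw = lookup(table, dst, hop > 0, router_quirk and host == "router")
        nxt = dst if gw is None else gw          # on-link: deliver directly
        if nxt == "internet":
            return path + ["internet"]           # the router's default wins
        host = owner[nxt]
        path.append(host)
    return path + ["loop"]
```

With the quirk enabled, the forward path reaches the JetDirect but its reply to 10.8.0.6 leaves via the router's default, while the router's own replies still use the static route; with the FIXED table the reply goes straight to the server.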
