Routes problem, ping not into LAN

dgm127
OpenVpn Newbie
Posts: 9
Joined: Tue Jan 10, 2012 4:33 pm

Routes problem, ping not into LAN

Post by dgm127 » Tue Jan 10, 2012 4:56 pm

Good afternoon, I will try to explain my problem.

The scenario is:

LAN1: 192.168.0.0
OPENVPN SERVER IP: 192.168.0.12
WINDOWS 2003 SERVER with OpenVPN Server GUI installed and server.ovpn with the following configuration:

local 192.168.0.12
port 1194
proto udp
mssfix 1400
dev tun
ca "C:\\Archivos de programa (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Archivos de programa (x86)\\OpenVPN\\config\\hall9000.tcsc.local.crt"
key "C:\\Archivos de programa (x86)\\OpenVPN\\config\\hall9000.tcsc.local.key" # This file must be kept secret
dh "C:\\Archivos de programa (x86)\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option WINS 192.168.0.12"
push "dhcp-option DNS 192.168.0.12"
push "dhcp-option DOMAIN tcsc.local"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3


LAN 1 ROUTE PRINT:
Rutas activas:
Destino de red Máscara de red Puerta de acceso Interfaz Métrica
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.12 20
10.8.0.0 255.255.255.252 10.8.0.1 10.8.0.1 30
10.8.0.0 255.255.255.0 10.8.0.2 10.8.0.1 1
10.8.0.1 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.12 192.168.0.12 20
192.168.0.12 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.12 192.168.0.12 20
224.0.0.0 240.0.0.0 10.8.0.1 10.8.0.1 30
224.0.0.0 240.0.0.0 192.168.0.12 192.168.0.12 20
255.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 1
255.255.255.255 255.255.255.255 192.168.0.12 192.168.0.12 1
Puerta de enlace predeterminada: 192.168.0.1
===========================================================================
Rutas persistentes:
Ninguno


LAN2: 192.168.1.0
OPENVPN CLIENT 192.168.1.34
WINDOWS XP SP3 with OpenVPN Server GUI installed and client.ovpn with the following configuration:

client
proto udp
dev tun
remote 77.XXX.XXX.XXX 1194 # Public IP address of the OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Archivos de programa\\OpenVPN\\config\\ca.crt"
cert "C:\\Archivos de programa\\OpenVPN\\config\\rpc806020.crt"
key "C:\\Archivos de programa\\OpenVPN\\config\\rpc806020.key"
comp-lzo
verb 3


LAN2 ROUTE PRINT:
Rutas activas:
Destino de red Máscara de red Puerta de acceso Interfaz Métrica
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.34 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.34 192.168.1.34 20
192.168.1.0 255.255.255.0 192.168.1.34 192.168.1.34 20
192.168.1.34 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.34 192.168.1.34 20
224.0.0.0 240.0.0.0 192.168.1.34 192.168.1.34 20
255.255.255.255 255.255.255.255 192.168.1.34 2 1
255.255.255.255 255.255.255.255 192.168.1.34 192.168.1.34 1
255.255.255.255 255.255.255.255 192.168.1.34 4 1
Puerta de enlace predeterminada: 192.168.1.1
===========================================================================
Rutas persistentes:
ninguno

Both PCs connect OK, and the results of the pings are:

PING SERVER (LAN1) ------> PC (LAN2-10.8.0.6) : OK
PING PC(LAN2) ------> SERVER (LAN1- 10.8.0.1): OK
PING PC(LAN2) ------> SERVER (LAN1-192.168.0.12):OK
PING SERVER(LAN1) ------> PC (LAN2 - 192.168.1.34): NOT OK
PING PC(LAN2) ------> ANY PC INSIDE LAN1 (192.168.0.XX): NOT OK
PING SERVER(LAN1) ------> ANY PC INSIDE LAN2 (192.168.1.XX): NOT OK

THE WINDOWS FIREWALL ON BOTH MACHINES IS OFF

I need help with the NOT OK cases!

Why can't I ping from any machine to inside the other LAN???

Thanks for any response.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routes problem, ping not into LAN

Post by maikcat » Wed Jan 11, 2012 7:57 am

you must enable ip forwarding on BOTH server/client.

also

you NEED to tell openvpn server about the other subnet,
simply put into your server config

route 192.168.1.0 255.255.255.0


also you MUST create a ccd file named rpc806020 with the following contents

iroute 192.168.1.0 255.255.255.0

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

Re: Routes problem, ping not into LAN

Post by dgm127 » Wed Jan 11, 2012 9:24 am

Hi Michael,

IP forwarding is enabled on BOTH server/client.

I added a new line in server.ovpn:

push "route 192.168.1.0 255.255.255.0"

I created a file rpc806020.ccd with only these contents:

iroute 192.168.1.0 255.255.255.0

And the results are the same:

PING SERVER (LAN1) ------> PC (LAN2-10.8.0.6) : OK
PING PC(LAN2) ------> SERVER (LAN1- 10.8.0.1): OK
PING PC(LAN2) ------> SERVER (LAN1-192.168.0.12):OK
PING SERVER(LAN1) ------> PC (LAN2 - 192.168.1.34): NOT OK
PING PC(LAN2) ------> ANY PC INSIDE LAN1 (192.168.0.XX): NOT OK
PING SERVER(LAN1) ------> ANY PC INSIDE LAN2 (192.168.1.XX): NOT OK

More help please!!!

Thanks a lot for your time!

Re: Routes problem, ping not into LAN

Post by maikcat » Wed Jan 11, 2012 10:33 am

I didn't write

push "route 192.168.1.0 255.255.255.0"

I did

route 192.168.1.0 255.255.255.0


there is a difference...


also remove the ccd extension from your ccd file

Michael.

Re: Routes problem, ping not into LAN

Post by dgm127 » Wed Jan 11, 2012 10:39 am

Without "push" it doesn't work, the results are the same...

Sorry, but I don't understand the CCD file?? What is the extension of a CCD file?

How can I create a ccd file??

Thanks.

Re: Routes problem, ping not into LAN

Post by maikcat » Wed Jan 11, 2012 10:51 am

add to your server config

client-config-dir ccd

create a ccd folder and place the file there *without* an extension
you create a ccd file with notepad (simple text)


>Without "push" doesn't work, the results are the same...

you don't have to push a route to a client that belongs to this subnet,
"pushing" routes means you tell the client to forward traffic for this subnet
*through* the openvpn tunnel.

also to verify that your ccd is being read add to it
ifconfig-push 10.8.0.10 10.8.0.9

when your client connects it should get 10.8.0.10 ip instead of 10.8.0.6,
then you should be ok.

Michael.

Re: Routes problem, ping not into LAN

Post by dgm127 » Wed Jan 11, 2012 11:38 am

Hi Michael,

I set up the CCD like you said.

I tried the path /OpenVPN/ccd/rpc806020 and it doesn't work.
I tried the path /OpenVPN/config/ccd/rpc806020 and it doesn't work.

The content of the file is:

iroute 192.168.1.0 255.255.255.0
ifconfig-push 10.8.0.10 10.8.0.9

But when the client connects to the server the IP is 10.8.0.6. I don't know what the problem is.

Thanks.

Re: Routes problem, ping not into LAN

Post by maikcat » Wed Jan 11, 2012 12:01 pm

try using absolute path name for the ccd folder

can you post the server log using verb 3?

Michael.

Re: Routes problem, ping not into LAN

Post by dgm127 » Wed Jan 11, 2012 12:40 pm

SERVER LOG:

Wed Jan 11 13:26:33 2012 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Wed Jan 11 13:26:33 2012 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Jan 11 13:26:33 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 11 13:26:33 2012 Diffie-Hellman initialized with 1024 bit key
Wed Jan 11 13:26:33 2012 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 11 13:26:33 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jan 11 13:26:33 2012 ROUTE default_gateway=192.168.0.1
Wed Jan 11 13:26:33 2012 TAP-WIN32 device [TAP] opened: \\.\Global\{820236EF-CD61-4064-AF66-FB93DD0E3D89}.tap
Wed Jan 11 13:26:33 2012 TAP-Win32 Driver Version 9.7
Wed Jan 11 13:26:33 2012 TAP-Win32 MTU=1500
Wed Jan 11 13:26:33 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {820236EF-CD61-4064-AF66-FB93DD0E3D89} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Wed Jan 11 13:26:33 2012 Sleeping for 10 seconds...
Wed Jan 11 13:26:43 2012 Successful ARP Flush on interface [2] {820236EF-CD61-4064-AF66-FB93DD0E3D89}
Wed Jan 11 13:26:43 2012 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.2
Wed Jan 11 13:26:43 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 13:26:43 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Wed Jan 11 13:26:43 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 13:26:43 2012 Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 11 13:26:43 2012 UDPv4 link local (bound): 192.168.0.12:1194
Wed Jan 11 13:26:43 2012 UDPv4 link remote: [undef]
Wed Jan 11 13:26:43 2012 MULTI: multi_init called, r=256 v=256
Wed Jan 11 13:26:43 2012 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Jan 11 13:26:43 2012 IFCONFIG POOL LIST
Wed Jan 11 13:26:43 2012 rpc806020,10.8.0.4
Wed Jan 11 13:26:43 2012 casa-pc,10.8.0.8
Wed Jan 11 13:26:43 2012 Initialization Sequence Completed
Wed Jan 11 13:27:23 2012 MULTI: multi_create_instance called
Wed Jan 11 13:27:23 2012 83.39.133.100:23843 Re-using SSL/TLS context
Wed Jan 11 13:27:23 2012 83.39.133.100:23843 LZO compression initialized
Wed Jan 11 13:27:23 2012 83.39.133.100:23843 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 11 13:27:23 2012 83.39.133.100:23843 Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 11 13:27:23 2012 83.39.133.100:23843 Local Options hash (VER=V4): '530fdded'
Wed Jan 11 13:27:23 2012 83.39.133.100:23843 Expected Remote Options hash (VER=V4): '41690919'
Wed Jan 11 13:27:23 2012 83.39.133.100:23843 TLS: Initial packet from 83.39.133.100:23843, sid=b7288a04 dd933319
Wed Jan 11 13:27:28 2012 83.39.133.100:23843 VERIFY OK: depth=1, /C=SP/ST=XXXXXXXX/L=YYYYYYYYYYY/O=ZZZZZZZZZZZZ/OU=AAAAAAA/CN=BBBBBB/emailAddress=CCC@SSSSSS.SS
Wed Jan 11 13:27:28 2012 83.39.133.100:23843 VERIFY OK: depth=0, /C=SP/ST=XXXXXXXX/O=YYYYYYYYYYY/OU=ZZZZZZZZZZZZ/CN=AAAAAAA/emailAddress=CCC@SSSSSS.SS
Wed Jan 11 13:27:30 2012 83.39.133.100:23843 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 13:27:30 2012 83.39.133.100:23843 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 11 13:27:30 2012 83.39.133.100:23843 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 13:27:30 2012 83.39.133.100:23843 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 11 13:27:30 2012 83.39.133.100:23843 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jan 11 13:27:30 2012 83.39.133.100:23843 [rpc806020] Peer Connection Initiated with 83.39.133.100:23843
Wed Jan 11 13:27:30 2012 rpc806020/83.39.133.100:23843 MULTI: Learn: 10.8.0.6 -> rpc806020/83.39.133.100:23843
Wed Jan 11 13:27:30 2012 rpc806020/83.39.133.100:23843 MULTI: primary virtual IP for rpc806020/83.39.133.100:23843: 10.8.0.6
Wed Jan 11 13:27:33 2012 rpc806020/83.39.133.100:23843 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jan 11 13:27:33 2012 rpc806020/83.39.133.100:23843 SENT CONTROL [rpc806020]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option WINS 192.168.0.12,dhcp-option DNS 192.168.0.12,dhcp-option DOMAIN tcsc.local,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)


CLIENT LOG:

Wed Jan 11 13:30:30 2012 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Wed Jan 11 13:30:30 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 11 13:30:30 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 11 13:30:31 2012 LZO compression initialized
Wed Jan 11 13:30:31 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 11 13:30:31 2012 Socket Buffers: R=[8192->8192] S=[64512->64512]
Wed Jan 11 13:30:31 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 11 13:30:31 2012 Local Options hash (VER=V4): '41690919'
Wed Jan 11 13:30:31 2012 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jan 11 13:30:31 2012 UDPv4 link local: [undef]
Wed Jan 11 13:30:31 2012 UDPv4 link remote: 77.224.102.147:1194
Wed Jan 11 13:30:31 2012 TLS: Initial packet from 77.224.102.147:1194, sid=0c769eed 45b353eb
Wed Jan 11 13:30:32 2012 VERIFY OK: depth=1, /C=SP/ST=XXXXXXXXXX/L=XXXXXXXXXXXX/O=XXXXXXXX/OU=XXXXXX/CN=XXXXXXX/emailAddress=XXX@XXXXXX.XX
Wed Jan 11 13:30:32 2012 VERIFY OK: depth=0, /C=XX/ST=XXXXXXX/O=XXXXXXXXX/OU=XXXXXX/CN=XXXXXX/emailAddress=XXX@XXXXX.XX
Wed Jan 11 13:30:38 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 13:30:38 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 11 13:30:38 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 13:30:38 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 11 13:30:38 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jan 11 13:30:38 2012 [hall9000] Peer Connection Initiated with 77.224.102.147:1194
Wed Jan 11 13:30:40 2012 SENT CONTROL [hall9000]: 'PUSH_REQUEST' (status=1)
Wed Jan 11 13:30:40 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option WINS 192.168.0.12,dhcp-option DNS 192.168.0.12,dhcp-option DOMAIN tcsc.local,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jan 11 13:30:40 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 11 13:30:40 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 11 13:30:40 2012 OPTIONS IMPORT: route options modified
Wed Jan 11 13:30:40 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan 11 13:30:40 2012 ROUTE default_gateway=192.168.1.1
Wed Jan 11 13:30:40 2012 TAP-WIN32 device [Conexión de área local 4] opened: \\.\Global\{52C308EA-A12E-4653-B2E4-FAD7888D217F}.tap
Wed Jan 11 13:30:40 2012 TAP-Win32 Driver Version 9.7
Wed Jan 11 13:30:40 2012 TAP-Win32 MTU=1500
Wed Jan 11 13:30:40 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {52C308EA-A12E-4653-B2E4-FAD7888D217F} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jan 11 13:30:40 2012 Successful ARP Flush on interface [4] {52C308EA-A12E-4653-B2E4-FAD7888D217F}
Wed Jan 11 13:30:46 2012 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jan 11 13:30:46 2012 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 11 13:30:50 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jan 11 13:30:50 2012 C:\WINDOWS\system32\route.exe ADD 77.224.102.147 MASK 255.255.255.255 192.168.1.1
Wed Jan 11 13:30:50 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 13:30:50 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jan 11 13:30:50 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 13:30:50 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jan 11 13:30:50 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 13:30:50 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jan 11 13:30:50 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 13:30:50 2012 Initialization Sequence Completed

Re: Routes problem, ping not into LAN

Post by dgm127 » Wed Jan 11, 2012 12:42 pm

It still doesn't work :(

I don't know where the mistake is.

Thanks...

Re: Routes problem, ping not into LAN

Post by maikcat » Wed Jan 11, 2012 1:06 pm

to check whether the certificate you are using has the name rpc806020, do:

openssl x509 -subject -noout -in rpc806020.crt

please post the output here or check the CN is rpc806020


Michael.

Re: Routes problem, ping not into LAN

Post by dgm127 » Wed Jan 11, 2012 1:54 pm

There is no problem with the certificate; the connection is OK. The problem is the ping from one side to the other and into the LAN, but from client to server the ping is OK.

Thanks!

Re: Routes problem, ping not into LAN

Post by maikcat » Wed Jan 11, 2012 2:01 pm

did your client get the 10.8.0.10 ip?

if not, the problem IS with the certificate's CN..

if you want lan to lan connection openvpn MUST READ the CORRECT ccd file
to route traffic accordingly...
that's why you placed the iroute statement inside the ccd file AND the route statement inside the server config.

enough said.

cheers,

Michael.

Re: Routes problem, ping not into LAN

Post by dgm127 » Wed Jan 11, 2012 3:05 pm

The client has the 10.8.0.6 IP and the ccd folder is on the server in OpenVPN/config/ccd/rpc806020

This is the configuration of the server:

local 192.168.0.12
port 1194
proto udp
mssfix 1400
dev tun
ca "C:\\Archivos de programa (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Archivos de programa (x86)\\OpenVPN\\config\\hall9000.tcsc.local.crt"
key "C:\\Archivos de programa (x86)\\OpenVPN\\config\\hall9000.tcsc.local.key" # This file must be kept secret
dh "C:\\Archivos de programa (x86)\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
client-config-dir "C:\\Archivos de programa (x86)\\OpenVPN\\config\\ccd\\rpc806020"
ifconfig-pool-persist ipp.txt
route 192.168.1.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option WINS 192.168.0.12"
push "dhcp-option DNS 192.168.0.12"
push "dhcp-option DOMAIN tcsc.local"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3

Re: Routes problem, ping not into LAN

Post by maikcat » Wed Jan 11, 2012 6:00 pm

change this

client-config-dir "C:\\Archivos de programa (x86)\\OpenVPN\\config\\ccd\\rpc806020"

to this

client-config-dir "C:\\Archivos de programa (x86)\\OpenVPN\\config\\ccd"

the client-config-dir directive needs to point to a directory not a file.

post the output of

openssl x509 -subject -noout -in rpc806020.crt

Michael.

Re: Routes problem, ping not into LAN

Post by dgm127 » Thu Jan 12, 2012 2:28 pm

Hi!!!

I changed it to client-config-dir "C:\\Archivos de programa (x86)\\OpenVPN\\config\\ccd"

and the client has the IP 10.8.0.10, OK!! The ccd works.

But from this moment I can't ping from the client LAN to the server LAN....

....:(
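
An added example (not code from the thread or from the OpenVPN project): a small Python check for the three CCD mistakes worked through in the posts above, namely a CCD file carrying an extension, `push "route"` used where the server needs `route`, and `client-config-dir` pointing at a file. The names `lint` and `demo`, the caller-supplied set of certificate CNs and the scratch-directory sample data are assumptions made for illustration.

```python
import ipaddress
import shlex
import tempfile
from pathlib import Path

def directives(text):
    """Yield each config line as a token list; '#' comments and blanks are dropped."""
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint(server_conf, client_cns):
    """Return findings for the LAN-to-LAN parts of a server config.
    client_cns: certificate Common Names of the clients, supplied by the caller.
    A relative client-config-dir is resolved against the current directory here."""
    conf = list(directives(server_conf))
    routes = {net(t[1], t[2]) for t in conf if t[0] == "route" and len(t) >= 3}
    pushes = [t[1].split() for t in conf if t[0] == "push" and len(t) > 1]
    pushed = {net(p[1], p[2]) for p in pushes if p[:1] == ["route"] and len(p) >= 3}
    ccd = next((Path(t[1]) for t in conf if t[0] == "client-config-dir" and len(t) > 1), None)
    if ccd is None:
        return ["no client-config-dir directive: CCD files are never read"]
    if not ccd.is_dir():
        return [f"client-config-dir must name a directory, not a file: {ccd.name}"]
    known = set(client_cns) | {"DEFAULT"}  # DEFAULT is OpenVPN's fallback CCD file
    findings = []
    for f in sorted(ccd.iterdir()):
        if f.name not in known:  # e.g. a stray extension such as "rpc806020.ccd"
            findings.append(f"{f.name}: name matches no client CN, file is never read")
            continue
        for t in directives(f.read_text()):
            if t[0] != "iroute" or len(t) < 3:
                continue
            subnet = net(t[1], t[2])
            if subnet not in routes:
                hint = ' (only push "route" found)' if subnet in pushed else ""
                findings.append(f"{f.name}: iroute {subnet} has no server-side route{hint}")
    return findings

def demo():
    """Replay the thread's mistakes in a scratch directory (constructed sample data)."""
    route = "route 192.168.1.0 255.255.255.0\n"
    with tempfile.TemporaryDirectory() as tmp:
        ccd = Path(tmp, "ccd")
        ccd.mkdir()
        entry = ccd / "rpc806020.ccd"
        entry.write_text("iroute 192.168.1.0 255.255.255.0\n")

        def run(route_line, ccd_path):
            conf = f'dev tun\n{route_line}client-config-dir "{ccd_path.as_posix()}"\n'
            return lint(conf, {"rpc806020"})

        extension = run(route, ccd)                      # file still named *.ccd
        entry = entry.rename(ccd / "rpc806020")
        push_only = run(f'push "{route.strip()}"\n', ccd)  # push instead of route
        file_path = run(route, entry)                    # directive names the file
        fixed = run(route, ccd)                          # corrected setup
    return extension, push_only, file_path, fixed

if __name__ == "__main__":
    for name, result in zip(("extension", "push only", "file path", "fixed"), demo()):
        print(f"{name}: {result or 'OK'}")
```

An empty list only means the server-side `route`, the CCD file name and the `iroute` agree; IP forwarding and the routes on the other LAN hosts still have to be checked separately.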

Re: Routes problem, ping not into LAN

Post by maikcat » Thu Jan 12, 2012 2:39 pm

did you set up routing on pcs on both lans accordingly?

is ip forwarding enabled on both (openvpn server/client)pcs?

can you tell us what pings you are trying and which ones work?

Michael.