No TCP/UDP traffic routed to client from servers LAN

[markus.scharitzer]

Hello,

My Problem is that i can't route TCP/UPD traffic through the openVPN server, but I receive the DHCP information from the DHCP server which is located on an other machine on the same subnet as the Client and the openVPN server.

Network-Topology:
home (192.168.0.*) ->
-> work-gw(public ip) ->
-> -> openVPNServer (10.0.1.54)
-> -> dhcpServer (10.0.1.1)
-> -> work-net 10.0.1.*

I can establish a connection to the openVPN server, I receive an IP adress and all other information from the DHCP servers IPrange but from there on I can't connect access anything on the same subnet.

Where is the problem I am running into?

The server is bridging between one physical interface and a tap device.
Server: Gentoo
Client: Windows

client conf:

Code: Select all

client
dev tap
proto tcp
remote W.X.Y.Z 41337
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

server conf:

Code: Select all

port 41337
dev tap0
proto tcp
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh1024.pem
server-bridge
push "route 10.0.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

iptables config (server):
iptables -S

Code: Select all

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s W.X.Y.Z/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A FORWARD -s 123.123.123.40/32 -j ACCEPT
-A FORWARD -i tap0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT

forwarding in kernel:

Code: Select all

net.ipv4.ip_forward = 1

brigde is forwarding:

Code: Select all

br0
 bridge id              8000.000c29a2d457
 designated root        8000.000c29a2d457
 root port                 0                    path cost                  0
 max age                  19.99                 bridge max age            19.99
 hello time                1.99                 bridge hello time          1.99
 forward delay            14.99                 bridge forward delay      14.99
 ageing time             299.98
 hello timer               0.46                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   5.48
 flags


eth0 (1)
 port id                8001                    state                forwarding
 designated root        8000.000c29a2d457       path cost                  2
 designated bridge      8000.000c29a2d457       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

tap0 (2)
 port id                8002                    state                forwarding
 designated root        8000.000c29a2d457       path cost                100
 designated bridge      8000.000c29a2d457       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00

ipconfig

Code: Select all

Verbindungsspezifisches DNS-Suffix: xyz
Beschreibung. . . . . . . . . . . : TAP-Win32 Adapter V9
Physikalische Adresse . . . . . . : 00-FF-DB-C8-B2-67
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse  . : 
IPv4-Adresse  . . . . . . . . . . : 10.0.1.90(Bevorzugt)
Subnetzmaske  . . . . . . . . . . : 255.255.255.0
Lease erhalten. . . . . . . . . . : Donnerstag, 27. September 2012 13:19:53
Lease läuft ab. . . . . . . . . . : Dienstag, 09. Oktober 2012 15:44:13
Standardgateway . . . . . . . . . :
DHCP-Server . . . . . . . . . . . : 10.0.1.1
DNS-Server  . . . . . . . . . . . : 10.0.1.1
                                    10.0.1.5
NetBIOS über TCP/IP . . . . . . . : Aktiviert

[Mimiko]

What is the routing table on the client? Can you ping from client the OpenVPN server (10.0.1.54)? Can you ping from server the client?

[markus.scharitzer]

Routing table on the client is:

Code: Select all

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    276
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    276
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    276
         10.0.1.0    255.255.255.0         On-link         10.0.1.96    286
        10.0.1.96  255.255.255.255         On-link         10.0.1.96    286
       10.0.1.255  255.255.255.255         On-link         10.0.1.96    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    276
        224.0.0.0        240.0.0.0         On-link         10.0.1.96    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    276
  255.255.255.255  255.255.255.255         On-link         10.0.1.96    286

I can ping client -> server
but not server -> client (on a quick guess, here starts my problem)

[Mimiko]

Verify firewall on client, especially on the tap adapter.

[markus.scharitzer]

Thanks for the quick reply.

After configuring the firewall on the client right, i can now ping from server -> client

still no connectivity to the rest of the subnet.

kind regards,
markus

[Mimiko]

As the OpenVPN server is not default gateway on the lan, then read this: topic9465.html

[markus.scharitzer]

Hi,

sry for not replying, i had some days off:

We are using the same Subnet for the OpenVPN clients as we are using for the LAN, so there shouldn't be a routing issue. TAP and bridging do send Ethernetframes and therefore there should be ARP-Requests. Your post refers to using different IP-Subnets for LAN and openVPN, but we are bridging.

As described in my first post I get the IP from the dhcp-Server which is on an other machine as the openVPN-server, so broadcasting does work. But why are no ARP-Requests send? normally on the DHCP-lease our router should learn the route to the openVPN-client, as all other machine through ARP-requests?


best regards,

markus

[Mimiko]

Yes, I see its a bridge setup, so the link is not relevant.

Depends on client how its wins setup is configured. If it has some wins ip set, then the client only send aknoledgment about itself to that wins server. If wins is not set, then client sends aknoledgemnt about itself to the master browser to wich it belongs. So not only the bridging is need, but also belong to the same workgroup. Or use wins ip on client.

[markus.scharitzer]

Thanks for the reply.

But I'm not sure how to handle this information. Our DHCP server also has SAMBA(PDC with WINS enabled) running, the DHCP broadcast contains the address of the WINS server and I am getting this one the oVPN-client.

I also see ARP-Requests incoming from the client, on our server, but they don't reach back. (tcpdump on server-NIC)

cheers,

markus