Server can't reach client's network

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

thepontifex
OpenVpn Newbie
Posts: 1
Joined: Sun Dec 19, 2010 8:12 pm

Server can't reach client's network

Post by thepontifex » Sun Dec 19, 2010 8:52 pm

Hi All,

I have the following setup:

OpenVPN Server (192.168.15.95) with DynDNS Account.
OpenVPN Client (10.8.0.6) on a Linksys dd-wrt router (192.168.17.98) which connects to OpenVPN Server.
Laptop (192.168.17.1) and IP-Cam (192.168.17.120) behind Linksys router.

Or in a graph:

Server LAN           OpenVPN Server            OpenVPN Client            Client LAN
192.168.15.0/24--192.168.15.95 & 10.8.0.1 =====10.8.0.6 & 192.168.17.98--192.168.17.0/24

The router connects automatically during startup to the VPN Server. The Laptop can ping the Server:
192.168.17.1 --> 192.168.15.95: YES

But the other way around does not work. I cannot reach the laptop or webcam from the server. I checked back routes and other stuff but I can't figure it out. Do I need something like NAT?

My config:

OpenVPN Server:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.15.0 255.255.255.0"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
management localhost 7705

OpenVPN client:

client
dev tun
proto udp
remote xxx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
comp-lzo

Default gateway in the server's network got a back route:
10.8.0.0/24 -> 192.168.15.95

After adding the following iptables rules I am now at least able to ping the tun0 IP-address of the linksys router but still not the laptop behind it.

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT

Your help is really appreciated!
Frank

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Server can't reach client's network

Post by gladiatr72 » Wed Dec 22, 2010 6:54 pm

Hey there,

I think you're 90% there.

I'd like to see the output of the following commands from the DDWRT device:

netstat -rn
ifconfig -a
brctl show

I would also like to see the routing table on your openvpn server (post connection).

Hopefully DDWRT is not actually trying to do any kind of NAT business on your tun device, but we shall see.

Edit:

I'm going to go ahead and suggest that you check to be sure you've got a route on the 192.168.15.0/24 network that actually will bounce packets to the 192.168.17.0/24 network via your VPN end-point on the DDWRT device. It's something that's easy to forget as the client-side route statement is generally pushed by way of the openvpn server configuration. The key here is that the device running the VPN client isn't the actual client device but a gateway for your home(?) network.

Regards,
Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole
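An added illustration of the point Stephen is making, written for this thread and not code from either poster or from the OpenVPN project: a packet leaving the server for 192.168.17.1 has to pass two lookups, the server host's kernel routing table and then OpenVPN's own client table, which is filled by iroute lines. The posted server.conf installs only 10.8.0.0/24 towards tun0, so the kernel hands 192.168.17.x traffic to the LAN default gateway, which is why the router's tunnel address answers but the laptop never sees the packet. The routing tables below are constructed from the configs in the thread; the client common name ddwrt, the ccd directory and the proposed route/iroute lines are assumptions.

```python
import ipaddress

# Added illustration (not from the thread): a toy model of the two lookups a packet
# from the OpenVPN server makes on its way to the laptop (192.168.17.1).
#   1. the server host's kernel routing table (longest prefix match)
#   2. OpenVPN's internal client table, populated by 'iroute' lines, which decides
#      which connected client a packet leaving through tun0 is delivered to
# The tables are constructed from the configs posted above; the client common
# name "ddwrt" and the ccd directory are assumptions.


def lookup(table, dst):
    """Longest-prefix match of dst against a list of (prefix, next_hop) entries."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


# Kernel routes on the server host as the posted server.conf leaves them:
# 'server 10.8.0.0 255.255.255.0' installs 10.8.0.0/24 via tun0; nothing covers 192.168.17.0/24.
SERVER_ROUTES_BEFORE = [
    ("192.168.15.0/24", "eth0 (directly connected)"),
    ("10.8.0.0/24", "tun0"),
    ("0.0.0.0/0", "eth0 via default gateway"),
]

# OpenVPN's internal table: without iroute it only knows each client's own tunnel address.
IROUTES_BEFORE = [
    ("10.8.0.6/32", "client ddwrt"),
]

# The same tables after adding to server.conf (assumed fix, standard OpenVPN mechanism):
#   route 192.168.17.0 255.255.255.0      # kernel: send that subnet into tun0
#   client-config-dir ccd
# and creating ccd/ddwrt containing:
#   iroute 192.168.17.0 255.255.255.0     # openvpn: client ddwrt owns that subnet
SERVER_ROUTES_AFTER = SERVER_ROUTES_BEFORE + [("192.168.17.0/24", "tun0")]
IROUTES_AFTER = IROUTES_BEFORE + [("192.168.17.0/24", "client ddwrt")]


def trace(dst, kernel_routes, iroutes):
    """Return the steps a packet from the server takes toward dst, ending in 'delivered' or 'dropped'."""
    hop = lookup(kernel_routes, dst)
    steps = [f"kernel route: {hop}"]
    if hop != "tun0":
        steps.append("dropped: sent to the LAN gateway instead of into the tunnel")
        return steps
    client = lookup(iroutes, dst)
    if client is None:
        steps.append("dropped: openvpn has no iroute, so no client owns this address")
        return steps
    steps.append(f"openvpn delivers to {client}")
    steps.append("delivered: dd-wrt receives it on tun0 and forwards to br0")
    return steps


def verdict(dst, kernel_routes, iroutes):
    """'delivered' or 'dropped' for a packet from the server to dst."""
    return trace(dst, kernel_routes, iroutes)[-1].split(":")[0]


if __name__ == "__main__":
    cases = [("posted config", SERVER_ROUTES_BEFORE, IROUTES_BEFORE),
             ("route only", SERVER_ROUTES_AFTER, IROUTES_BEFORE),
             ("route + iroute", SERVER_ROUTES_AFTER, IROUTES_AFTER)]
    for label, kernel_routes, iroutes in cases:
        for dst in ("10.8.0.6", "192.168.17.1"):
            print(f"[{label}] {dst}: " + " -> ".join(trace(dst, kernel_routes, iroutes)))
```

Running it reproduces the symptom from the first post (10.8.0.6 reachable, 192.168.17.1 not) and shows that the kernel route alone is not enough: without the matching iroute OpenVPN still has no client to hand the packet to. Two things the model deliberately leaves out, both raised in the thread: other hosts on 192.168.15.0/24 need the gateway's back route extended to 192.168.17.0/24 via 192.168.15.95, and a NAT rule on the dd-wrt tun interface would mask the laptop behind 10.8.0.6 and explain why only the laptop-to-server direction works. On the server, `ip route show` after the client connects confirms whether the 192.168.17.0/24 entry is present.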
