Page 1 of 1
Can't Access Server's in LAN
Posted: Mon Jun 04, 2012 4:50 pm
by seji
Hello,
today i set up my first OpenVPN server. The Server is running on a Windows SBS 2011 Std.
I managed to connect succesfully and to Ping the IP 10.8.0.1.
But i can't access my Servers (SMB Share (192.168.0.1) and Termial Server (192.168.0.5))
I tried various things but it won't work...
Here are my Config Files:
Server Config:
Code: Select all
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
;mute 20
route-delay 5
route-method exe
ip-win32 netsh
script-security 3
;auth-user-pass-verify ovpn-auth-ldap.vbs via-env
auth-user-pass-verify "C:/Windows/System32/cscript.exe ovpn-auth-ldap.vbs" via-env
fragment 1300
Code: Select all
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote remote.lb.gesundheitszentrum-ludwigsburg.net 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
auth-user-pass
auth-retry interact
fragment 1300
My Router is a Cisco Device, maybe the Problem is there. But i first want to check my OpenVPN Config is correct.
Thanks in advance
Seji
PS: Sry for my bad english... :-/
Re: Can't Access Server's in LAN
Posted: Tue Jun 05, 2012 9:17 am
by maikcat
hi there,
did you enabled ip forwarding on server?
did you disabled firewall for testing?
on your client,
if you issue netstat -nr do you see the route for 192.168.0.0/24 network?
Michael.
Re: Can't Access Server's in LAN
Posted: Tue Jun 05, 2012 10:40 am
by seji
Hi,
thank you for your answer.
yes i enabled fowarding on the server (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\IPEnableRouter (Value 1))
With disabled FW (Server + Client) it also don't work.
netstat -nr contains the following Line:
Code: Select all
192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30
I think this correct!?
Is ist possible that there is a "conflict" with IPv6 or something like that?
Seji
Re: Can't Access Server's in LAN
Posted: Tue Jun 05, 2012 10:52 am
by janjust
what is the output of
on the VPN server? does it show that IP forwarding is enabled?
also, do the servers on the LAN side know that packets coming from 10.8.0.x need to go back to the VPN server and not to the default LAN gw?
Re: Can't Access Server's in LAN
Posted: Tue Jun 05, 2012 11:14 am
by seji
hi,
output of ipconfig:
Code: Select all
Windows-IP-Konfiguration
Hostname . . . . . . . . . . . . : GZLBSERVER01
Primäres DNS-Suffix . . . . . . . : gzlb.local
Knotentyp . . . . . . . . . . . . : Hybrid
IP-Routing aktiviert . . . . . . : Nein
WINS-Proxy aktiviert . . . . . . : Nein
DNS-Suffixsuchliste . . . . . . . : gzlb.local
Ethernet-Adapter tap-bridge:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : TAP-Win32 Adapter V9
Physikalische Adresse . . . . . . : 00-FF-F3-14-D0-26
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::25ba:1c17:332f:d6cc%18(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 10.8.0.1(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.252
Standardgateway . . . . . . . . . :
DHCPv6-IAID . . . . . . . . . . . : 302055411
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-16-98-81-7D-00-E0-81-45-FE-08
DNS-Server . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Ethernet-Adapter LAN-Verbindung 4:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
apter #67
Physikalische Adresse . . . . . . : 00-1F-29-EC-89-2A
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::9488:d2d3:8734:7ba%16(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.0.1(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.0.4
DHCPv6-IAID . . . . . . . . . . . : 369106729
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-16-98-81-7D-00-E0-81-45-FE-08
DNS-Server . . . . . . . . . . . : 192.168.0.1
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Ethernet-Adapter LAN-Verbindung 3:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
apter #65
Physikalische Adresse . . . . . . : 00-1F-29-EC-89-2C
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
Tunneladapter isatap.{DEE93977-0B33-48C3-A228-382C1331F93E}:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Tunneladapter isatap.{F314D026-F864-44C8-9E6C-54F97205A791}:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #2
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Tunneladapter Teredo Tunneling Pseudo-Interface:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Tunneladapter isatap.{D33E22B3-ADBC-4263-919D-3F1737508E1D}:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #4
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
does it show that IP forwarding is enabled?
Where i can see that it is enabled?
also, do the servers on the LAN side know that packets coming from 10.8.0.x need to go back to the VPN server and not to the default LAN gw?
Hm no the don't know, that's right.....
So modified my Cisco Config to this:
Code: Select all
ip nat pool natVoIP 192.168.1.0 192.168.1.255 netmask 255.255.255.0
ip nat pool natNetzwerk 192.168.0.0 192.168.0.255 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static udp 192.168.0.1 1194 interface FastEthernet0 1194
ip nat inside source static tcp 192.168.0.1 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.0.1 443 interface FastEthernet0 443
ip nat inside source list 3 interface FastEthernet0 overload
!
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 10.8.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
route-map MapVPN permit 10
match ip address 3
set ip next-hop 192.168.0.1
!
route-map MapNetzwerk permit 10
match ip address 1
set default interface FastEthernet0
!
route-map MapVoIP permit 10
match ip address 2
set interface Dialer0
But doesent't work.....
Seji
Re: Can't Access Server's in LAN
Posted: Tue Jun 05, 2012 1:09 pm
by janjust
IP-Routing aktiviert . . . . . . : Nein
it's not enabled right now ; you will need to reboot for the registry change to take effect
also, you will need to set up either RRAS or you will need to add a return route on the cisco for your VPN - I currently don't see such a route but I can't remember what the exact cisco IOS command is to add one either
Re: Can't Access Server's in LAN
Posted: Tue Jun 05, 2012 2:23 pm
by seji
Hi,
janjust you're my Hero
I activated IP-Routing via Routing and RAS
and added to my Cisco Config the following:
Code: Select all
ip route 10.8.0.0 255.255.255.0 192.168.0.1
and now it's working
Thanks for help!
Have a nice Day, Seji
Re: Can't Access Server's in LAN
Posted: Sat Jan 25, 2014 11:40 pm
by leon111
I have same problem. I made same settings but still not working