accessing other pcs aside from openvpn server

Hi,
I followed the HOWTO to set up an OpenVPN server on a machine that has two NICs:
192.168.1.113 - connected to the internet router 192.168.1.1
10.0.0.175 - connected to the local area network 10.0.0.x
Now I can connect to the VPN and access 10.0.0.175, but I can't access other PCs like 10.0.0.171.
What did I do wrong here?
OpenVPN server (10.0.0.175):
DEVICE=eth0
HWADDR=52:54:00:d3:20:e8
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
IPADDR=192.168.1.113
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=no
IPV6INIT=no

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
HWADDR=52:54:00:94:2d:8d
IPADDR=10.0.0.175
NETMASK=255.255.255.0
Network settings on 10.0.0.171:
DEVICE=eth1
HWADDR=52:54:00:18:CD:A6
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
IPADDR=10.0.0.171
NETMASK=255.255.255.0
GATEWAY=10.0.0.175
And the OpenVPN server config, server.conf:
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
push "route 10.0.0.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20

janjust (Forum Team, Amsterdam) wrote:
Re: accessing other pcs aside from openvpn server
Most likely a return route problem; do the PCs in the server-side LAN know that packets coming from the VPN (10.8.0.0/24) need to go back to the VPN server?

A quick&dirty solution is to add

Code:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE

to the server setup.
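The two fixes janjust mentions, written out as an added shell script that is not part of the thread. Option A is the quick&dirty MASQUERADE on the OpenVPN server, narrowed to the VPN subnet and paired with the FORWARD rules and the sysctl it needs; option B is the proper return route on the server-side LAN gateway, which only matters for LAN hosts whose default gateway is not the OpenVPN server itself. Interface names and addresses are taken from the posts; RUN, server_side_nat and lan_return_route are my own names. With RUN unset the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the forum post): two ways to get replies from the
# server-side LAN back to VPN clients. eth1, 10.8.0.0/24 and 10.0.0.175 are
# the thread's values; RUN and the function names are assumptions.
#
# RUN unset or RUN=echo  -> dry run, commands are printed
# RUN=                   -> commands are executed (needs root)
RUN="${RUN-echo}"

VPN_NET="10.8.0.0/24"        # 'server 10.8.0.0 255.255.255.0' in server.conf
LAN_IF="eth1"                # NIC of the OpenVPN server on the 10.0.0.0/24 side
VPN_SERVER_LAN_IP="10.0.0.175"

# Option A, run on the OpenVPN server: enable forwarding, allow VPN -> LAN and
# the replies back, and hide VPN clients behind the server's LAN address so
# LAN hosts answer to a 10.0.0.x source they already know how to reach.
# The -s match keeps the NAT from catching anything but VPN traffic.
server_side_nat() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -A FORWARD -i tun+ -o "$LAN_IF" -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN_IF" -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
    $RUN iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

# Option B, run on the LAN's default gateway (or on each LAN host whose
# gateway is not the OpenVPN server): a real return route, no NAT, so LAN
# hosts see the genuine 10.8.0.x client address in their logs.
lan_return_route() {
    $RUN ip route add "$VPN_NET" via "$VPN_SERVER_LAN_IP"
}

case "${1-}" in
    nat)   server_side_nat ;;
    route) lan_return_route ;;
    *)     echo "usage: RUN= sh $0 nat|route   (leave RUN unset for a dry run)" >&2 ;;
esac
```

Dry-run it first (`sh fix.sh nat`), then re-run with `RUN=` as root on the machine the option belongs to. Option A is the one the OP can apply alone; option B is what the FAQ's "route on the server-side LAN gateway" sentence refers to.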

Original poster wrote:
Re: accessing other pcs aside from openvpn server
Thanks for the reply, I put this on the OpenVPN server machine, but it's still not working:

Code:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE

In this FAQ: http://openvpn.net/index.php/open-sourc ... html#scope, it has this:

"Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."

How?

"Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine."

I enabled IP forwarding; for TUN I have this in the iptables, is it enough?

Code:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
# Allow TUN interface connections to OpenVPN server
-A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
-A FORWARD -i tun+ -j ACCEPT

janjust (Forum Team, Amsterdam) wrote:
Re: accessing other pcs aside from openvpn server
Should be enough.

I'd run tcpdump or wireshark on the VPN server to see where the packet flow stops, i.e. first run

Code:
tcpdump -nnel -i tun0 icmp

and then ping a server-side machine; then run the same tcpdump command with '-i eth1'. You should see traffic going both ways. Look carefully at the IP addresses used by both sender and receiver.
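A small checker for the two captures janjust asks for, added here as an example and not taken from the thread: it reads the tun0 capture and the eth1 capture (text output of `tcpdump -nnel ... icmp`) and reports the first hop at which the echo request or the echo reply disappears, which is the "look carefully at the addresses" step done mechanically. The sample captures are constructed to look like tcpdump output and use the thread's addresses; 10.8.0.6 as the VPN client address and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find where a ping from a VPN client
# dies by comparing the tun0 and eth1 captures janjust suggests.
# Addresses are the thread's; 10.8.0.6 as the client address is assumed.
VPN_CLIENT="10.8.0.6"
SERVER_LAN_IP="10.0.0.175"
LAN_TARGET="10.0.0.171"

# count_icmp <capture> <request|reply> <src-ip>: ICMP lines sent by <src-ip>
count_icmp() {
    grep -F "$3 > " "$1" | grep -c -F "ICMP echo $2" || true
}

# classify_ping_flow <tun0 capture> <eth1 capture>: prints one diagnosis line.
# With MASQUERADE in place the request on eth1 carries the server's LAN
# address as source, so both possible sources are checked there.
classify_ping_flow() {
    req_tun=$(count_icmp "$1" request "$VPN_CLIENT")
    req_lan=$(count_icmp "$2" request "$VPN_CLIENT")
    req_lan_nat=$(count_icmp "$2" request "$SERVER_LAN_IP")
    rep_lan=$(count_icmp "$2" reply "$LAN_TARGET")
    rep_tun=$(count_icmp "$1" reply "$LAN_TARGET")

    if [ "$req_tun" -eq 0 ]; then
        echo "no request on tun0: the client is not sending $LAN_TARGET into the tunnel (check the pushed route)"
    elif [ "$req_lan" -eq 0 ] && [ "$req_lan_nat" -eq 0 ]; then
        echo "request on tun0 but not on eth1: the server is not forwarding (ip_forward or FORWARD chain)"
    elif [ "$rep_lan" -eq 0 ] && [ "$req_lan_nat" -gt 0 ]; then
        echo "request left eth1 from $SERVER_LAN_IP but no reply: $LAN_TARGET is down or filtering ICMP"
    elif [ "$rep_lan" -eq 0 ]; then
        echo "request left eth1 from $VPN_CLIENT but no reply: $LAN_TARGET has no return route to 10.8.0.0/24 (or filters ICMP)"
    elif [ "$rep_tun" -eq 0 ]; then
        echo "reply reached eth1 but not tun0: the server drops the return path (FORWARD eth1 -> tun+)"
    else
        echo "ping flows both ways; the problem is elsewhere"
    fi
}

# Constructed captures (not real output) for the thread's situation: the
# request is forwarded onto eth1 unchanged, but 10.0.0.171 never answers.
write_sample_no_return_route() {
    cat >"$1" <<EOF
14:02:11.100001 ip: 10.8.0.6 > 10.0.0.171: ICMP echo request, id 4321, seq 1, length 64
14:02:12.100002 ip: 10.8.0.6 > 10.0.0.171: ICMP echo request, id 4321, seq 2, length 64
EOF
    cat >"$2" <<EOF
14:02:11.100010 52:54:00:94:2d:8d > 52:54:00:18:cd:a6, ethertype IPv4 (0x0800), length 98: 10.8.0.6 > 10.0.0.171: ICMP echo request, id 4321, seq 1, length 64
14:02:12.100011 52:54:00:94:2d:8d > 52:54:00:18:cd:a6, ethertype IPv4 (0x0800), length 98: 10.8.0.6 > 10.0.0.171: ICMP echo request, id 4321, seq 2, length 64
EOF
}

# Constructed captures for the same ping once MASQUERADE is in place and works.
write_sample_working() {
    cat >"$1" <<EOF
14:05:01.000001 ip: 10.8.0.6 > 10.0.0.171: ICMP echo request, id 4322, seq 1, length 64
14:05:01.000400 ip: 10.0.0.171 > 10.8.0.6: ICMP echo reply, id 4322, seq 1, length 64
EOF
    cat >"$2" <<EOF
14:05:01.000010 52:54:00:94:2d:8d > 52:54:00:18:cd:a6, ethertype IPv4 (0x0800), length 98: 10.0.0.175 > 10.0.0.171: ICMP echo request, id 4322, seq 1, length 64
14:05:01.000300 52:54:00:18:cd:a6 > 52:54:00:94:2d:8d, ethertype IPv4 (0x0800), length 98: 10.0.0.171 > 10.0.0.175: ICMP echo reply, id 4322, seq 1, length 64
EOF
}

TMP=$(mktemp -d)
write_sample_no_return_route "$TMP/tun0.txt" "$TMP/eth1.txt"
classify_ping_flow "$TMP/tun0.txt" "$TMP/eth1.txt"
write_sample_working "$TMP/tun0.txt" "$TMP/eth1.txt"
classify_ping_flow "$TMP/tun0.txt" "$TMP/eth1.txt"
rm -rf "$TMP"
```

To use it on real data, save the two captures (`tcpdump -nnel -i tun0 icmp > tun0.txt`, then the same with `-i eth1`) while pinging 10.0.0.171 from the client, and call `classify_ping_flow tun0.txt eth1.txt`. The first sample reproduces the case janjust suspects (request reaches eth1 with the 10.8.0.x source, nothing comes back); the second shows what a working NATed exchange looks like, with 10.0.0.175 as the source on eth1.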