Need help with a Routed Site to Site Install

[Naldinho]

I am pretty new to this. So if someone could help me it would be greatly appreciated. My goal is to have two LANs at separate locations behave as one.

The LAN that is going to have the server is 10.1.1.x and the LAN that is going to have the client is 192.168.2.x

I have a tunnel established.

I can ping the server and client from each other.

I can't ping the server from computers on the client side despite adding a route to the computer's routing table. Likewise I can't ping the client from the computers on the server side either.

I also can't ping any server side computers from the client and I can't ping any client side computers from the server.

server.conf

Code: Select all

local 10.1.1.3
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 10.1.1.0 255.255.255.0"
client-config-dir /etc/openvpn/client-configs
route 192.168.2.0 255.255.255.0
keepalive 10 120
cipher BF-CBC
max-clients 5
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 5
daemon

Client-Configs

Code: Select all

iroute 192.168.2.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"

client.conf

Code: Select all

client
dev tun
remote xx.xxx.xxx.xxx  1194 
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
cipher BF-CBC
port 1194
proto udp
log /var/log/openvpn.log
verb 4
;user nobody
;group nobody
daemon
persist-tun
persist-key

Server

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG        0 0          0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.2.0     10.8.0.2        255.255.255.0   UG        0 0          0 tun0

Client

Code: Select all

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eth1
10.1.1.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.8.0.1         10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5         0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

[maikcat]

did you enabled ip forwarding on both ends?

also what is the name of your ccd file?

to ensure that ccd is parsed correcty add to it:

Code: Select all

ifconfig-push 10.8.0.22 10.8.0.21

reconnect your client,he should get 10.8.0.22 ip addr
if not ,you have CN issue..

Michael.

[Naldinho]

Thank you so much. That almost got me there.

The computers on the client side can ping and access the computers on the server side.

The computers on the server side can only ping the client machine but none of the other computers on the client's LAN.

did you enabled ip forwarding on both ends?

No. I had not. I edited /etc/sysctl.conf and now I have both the server and client with IP forwarding.

Do I need to enable IP forwarding only for the server and client machines or all the computers attached to the the two LANs?

I have done do for one machine and it is behaving no differently than the the machine I didn't enable IP forwarding for but I would just like to confirm.

also what is the name of your ccd file?

client - which is the name of the .key file so I believe that is correct.

to ensure that ccd is parsed correcty add to it:

I added the code you provided to the end of my CCD file so that it now is the the following

Code: Select all

iroute 192.168.2.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"
ifconfig-push 10.8.0.22 10.8.0.21

The routing tables now are

Server

Code: Select all

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         .               0.0.0.0         UG        0 0          0 eth0
10.1.1.0        *               255.255.255.0   U         0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        *               255.255.255.255 UH        0 0          0 tun0
link-local      *               255.255.0.0     U         0 0          0 eth0
192.168.2.0     10.8.0.2        255.255.255.0   UG        0 0          0 tun0

Client

Code: Select all

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.2.1     0.0.0.0         UG        0 0          0 eth1
10.1.1.0        10.8.0.21       255.255.255.0   UG        0 0          0 tun0
10.8.0.1        10.8.0.21       255.255.255.255 UGH       0 0          0 tun0
10.8.0.21       *               255.255.255.255 UH        0 0          0 tun0
192.168.2.0     *               255.255.255.0   U         0 0          0 eth1

PS: Nice to see a fellow Amiga user.

[maikcat]

The computers on the client side can ping and access the computers on the server side.

The computers on the server side can only ping the client machine but none of the other computers on the client's LAN.

hold on a sec...

if ANY pc from client side can ping ANY pc from server side,then routing is ok...
if vice versa not working check if your openvpn client has any firewall rules that filters traffic..

Do I need to enable IP forwarding only for the server and client machines or all the computers attached to the the two LANs?

nop,just the openvpn server/client ones

PS: Nice to see a fellow Amiga user.

happy...happy days...

Michael.

[Naldinho]

Actually when I tried later it worked fine so all is good.

Thank you for all the help.

Now time to figure out how to set up a WINs server and I'm done.

[Naldinho]

I thought I had an additional issue but I think it is resolved now.

[Naldinho]

Sorry to bother your again but I do have an additional issue after all. I thought everything was working but after a reboot I have the following.

All Windows computers on either subnet can ping any computer on either subnet.

The server and the client machines can only ping each other and computers on their own subnet but not any of the computers on the other subnet.

The routing tables are the same as those I posted above.

UFW comes back as status inactive.

I suspect it has something to with me not adding a route to the two Ubuntu machines.

For all the Windows machines on the client's subnet I did a route -p Add 10.1.1.0 MASK 255.255.255.0 192.168.2.8 (client's ip) and likewise for the the sever's subnet I did a route -p ADD 198.168.2.0 MASK 255.255.255.0 10.1.1.3 (server's ip) but I didn't do anything to the client or the server but given the current issue I suspect I should have?

[maikcat]

can you add a static route to ALL your clients (both subnets)
for the openvpn network itself? (10.8.0.0/24)

i have a feeling that server/client sends packets using their tun interfaces as from ip...

Michael.

[Naldinho]

I'm sorry but I am not sure what that means.

I am going to do some searching to see if I can figure it out but if you could give me an example of what the route command would look like.

As it currently stands only the server and client can ping 10.8.0.1

[Naldinho]

On 10.1.1.5 I tried to do a tracert to 192.168.2.3 a computer on the other subnet.

The result I got was

10.1.1.5's Netbios name [10.1.1.3]
10.0.0.22
192.168.2.3's NetBios name [192.168.2.3]

When I try doing traceroute 192.168.2.3 on the ubuntu machine that is the server I get.

10.8.0.22 (10.8.0.22)
* * *
* * *
* * *

On the same machine if I do traceroute 192.168.2.8 the ip of the client machine on the other subnet I get

1 192.168.2.8 (192.168.2.8)

Returning to the 10.1.1.5 windows machine if I tracert to 192.168.2.8 the client machine on the other subnet I get.

1 Netbois name of 10.1.1.5 [10.1.1.3]
2 192.168.2.8

I don't know if any of this is relevant information but I figured it might be useful.

[maikcat]

just configure a pc to use as default gateway the openvpn server/client and
see if that works.

Michael.

[Naldinho]

That seemed to do it. Thanks.