Need help with a Routed Site to Site Install

Posted: Tue Mar 19, 2013 1:55 am
by Naldinho
I am pretty new to this, so if someone could help me it would be greatly appreciated. My goal is to have two LANs at separate locations behave as one.

The LAN that is going to have the server is 10.1.1.x and the LAN that is going to have the client is 192.168.2.x.

I have a tunnel established.

I can ping the server and client from each other.

I can't ping the server from computers on the client side despite adding a route to the computer's routing table. Likewise I can't ping the client from the computers on the server side either.

I also can't ping any server side computers from the client and I can't ping any client side computers from the server.

server.conf

local 10.1.1.3
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 10.1.1.0 255.255.255.0"
client-config-dir /etc/openvpn/client-configs
route 192.168.2.0 255.255.255.0
keepalive 10 120
cipher BF-CBC
max-clients 5
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 5
daemon

Client-Configs

iroute 192.168.2.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"

client.conf

client
dev tun
remote xx.xxx.xxx.xxx 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
cipher BF-CBC
port 1194
proto udp
log /var/log/openvpn.log
verb 4
;user nobody
;group nobody
daemon
persist-tun
persist-key

Server

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG        0 0          0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.2.0     10.8.0.2        255.255.255.0   UG        0 0          0 tun0

Client

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eth1
10.1.1.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

Re: Need help with a Routed Site to Site Install

Posted: Tue Mar 19, 2013 11:40 am
by maikcat
Did you enable IP forwarding on both ends?

Also, what is the name of your ccd file?

To ensure that the ccd is parsed correctly, add to it:

ifconfig-push 10.8.0.22 10.8.0.21

Reconnect your client; he should get the 10.8.0.22 IP address.
If not, you have a CN issue..

Michael.
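
Michael's two checks (the ccd file has to carry the client certificate's CN as its name, and each `route` on the server needs a matching `iroute` in that file) can be scripted against the posted configs. This is an added example, not code from the thread: the sample server.conf and ccd contents are constructed from the ones posted above, and `server_lan` is the server-side subnet that the remote site can only learn through a pushed route.

```python
import shlex

# Constructed sample input modelled on the server.conf and ccd file in the thread.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0"
client-config-dir /etc/openvpn/client-configs
route 192.168.2.0 255.255.255.0
"""
CCD_FILES = {  # ccd filename (must equal the client cert CN) -> contents
    "client": 'iroute 192.168.2.0 255.255.255.0\n'
              'push "route 10.1.1.0 255.255.255.0 vpn_gateway"\n',
}


def parse(text):
    """Return [(directive, args)], skipping blank lines and ;/# comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            tok = shlex.split(line)
            out.append((tok[0], tok[1:]))
    return out


def check_site_to_site(server_conf, ccd_files, client_cn, server_lan):
    """Return findings; an empty list means server.conf, ccd and CN agree."""
    findings = []
    srv = parse(server_conf)
    if not any(n == "client-config-dir" for n, _ in srv):
        findings.append("no client-config-dir: ccd files are never read")
    if client_cn not in ccd_files:
        findings.append(f"no ccd file named '{client_cn}' (certificate CN): "
                        "its iroute is never applied")
    # A kernel route on the server must pair with an iroute naming the client
    # that owns that subnet; either half alone leaves the LAN unreachable.
    routes = {tuple(a[:2]) for n, a in srv if n == "route"}
    iroutes = {tuple(a[:2]) for body in ccd_files.values()
               for n, a in parse(body) if n == "iroute"}
    for net, mask in routes - iroutes:
        findings.append(f"route {net} {mask} has no ccd iroute")
    for net, mask in iroutes - routes:
        findings.append(f"iroute {net} {mask} has no matching route in server.conf")
    # The remote site only learns the server-side LAN through a pushed route.
    pushed = {tuple(shlex.split(a[0])[1:3]) for n, a in srv
              if n == "push" and a and a[0].startswith("route ")}
    if tuple(server_lan) not in pushed:
        findings.append(f"server LAN {server_lan[0]} {server_lan[1]} is not pushed")
    return findings
```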

Re: Need help with a Routed Site to Site Install

Posted: Tue Mar 19, 2013 3:57 pm
by Naldinho
Thank you so much. That almost got me there.

The computers on the client side can ping and access the computers on the server side.

The computers on the server side can only ping the client machine but none of the other computers on the client's LAN.

> Did you enable IP forwarding on both ends?

No. I had not. I edited /etc/sysctl.conf and now I have both the server and client with IP forwarding.

Do I need to enable IP forwarding only for the server and client machines or for all the computers attached to the two LANs?

I have done so for one machine and it is behaving no differently than the machine I didn't enable IP forwarding for, but I would just like to confirm.

> Also, what is the name of your ccd file?

client - which is the name of the .key file, so I believe that is correct.

> To ensure that the ccd is parsed correctly, add to it:

I added the code you provided to the end of my CCD file so that it now is the following:

iroute 192.168.2.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"
ifconfig-push 10.8.0.22 10.8.0.21

The routing tables now are:

Server

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         .               0.0.0.0         UG        0 0          0 eth0
10.1.1.0        *               255.255.255.0   U         0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        *               255.255.255.255 UH        0 0          0 tun0
link-local      *               255.255.0.0     U         0 0          0 eth0
192.168.2.0     10.8.0.2        255.255.255.0   UG        0 0          0 tun0

Client

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.2.1     0.0.0.0         UG        0 0          0 eth1
10.1.1.0        10.8.0.21       255.255.255.0   UG        0 0          0 tun0
10.8.0.1        10.8.0.21       255.255.255.255 UGH       0 0          0 tun0
10.8.0.21       *               255.255.255.255 UH        0 0          0 tun0
192.168.2.0     *               255.255.255.0   U         0 0          0 eth1

PS: Nice to see a fellow Amiga user.

Re: Need help with a Routed Site to Site Install

Posted: Wed Mar 20, 2013 7:39 am
by maikcat
> The computers on the client side can ping and access the computers on the server side.
>
> The computers on the server side can only ping the client machine but none of the other computers on the client's LAN.

Hold on a sec...

If ANY PC from the client side can ping ANY PC from the server side, then routing is OK...
If vice versa is not working, check if your OpenVPN client has any firewall rules that filter traffic..

> Do I need to enable IP forwarding only for the server and client machines or for all the computers attached to the two LANs?

Nope, just the OpenVPN server/client ones.

> PS: Nice to see a fellow Amiga user.

Happy... happy days... ;)

Michael.

Re: Need help with a Routed Site to Site Install

Posted: Wed Mar 20, 2013 1:53 pm
by Naldinho
Actually when I tried later it worked fine so all is good.

Thank you for all the help.

Now time to figure out how to set up a WINS server and I'm done.

Re: Need help with a Routed Site to Site Install

Posted: Wed Mar 20, 2013 2:27 pm
by Naldinho
I thought I had an additional issue but I think it is resolved now.

Re: Need help with a Routed Site to Site Install

Posted: Thu Mar 21, 2013 5:12 pm
by Naldinho
Sorry to bother you again, but I do have an additional issue after all. I thought everything was working, but after a reboot I have the following.

All Windows computers on either subnet can ping any computer on either subnet.

The server and the client machines can only ping each other and computers on their own subnet but not any of the computers on the other subnet.

The routing tables are the same as those I posted above.

UFW comes back as status inactive.

I suspect it has something to with me not adding a route to the two Ubuntu machines.

For all the Windows machines on the client's subnet I did a route -p Add 10.1.1.0 MASK 255.255.255.0 192.168.2.8 (client's IP), and likewise for the server's subnet I did a route -p ADD 198.168.2.0 MASK 255.255.255.0 10.1.1.3 (server's IP), but I didn't do anything to the client or the server. Given the current issue I suspect I should have?

Re: Need help with a Routed Site to Site Install

Posted: Fri Mar 22, 2013 8:51 am
by maikcat
Can you add a static route to ALL your clients (both subnets)
for the OpenVPN network itself? (10.8.0.0/24)

I have a feeling that the server/client send packets using their tun interfaces as the source IP...

Michael.

Re: Need help with a Routed Site to Site Install

Posted: Fri Mar 22, 2013 10:38 am
by Naldinho
I'm sorry but I am not sure what that means.

I am going to do some searching to see if I can figure it out, but it would help if you could give me an example of what the route command would look like.

As it currently stands only the server and client can ping 10.8.0.1.

Re: Need help with a Routed Site to Site Install

Posted: Fri Mar 22, 2013 11:14 am
by Naldinho
On 10.1.1.5 I tried to do a tracert to 192.168.2.3, a computer on the other subnet.

The result I got was:

10.1.1.5's Netbios name [10.1.1.3]
10.0.0.22
192.168.2.3's NetBios name [192.168.2.3]

When I try doing traceroute 192.168.2.3 on the Ubuntu machine that is the server I get:

10.8.0.22 (10.8.0.22)
* * *
* * *
* * *

On the same machine, if I do traceroute 192.168.2.8 (the IP of the client machine on the other subnet) I get:

1 192.168.2.8 (192.168.2.8)

Returning to the 10.1.1.5 Windows machine, if I tracert to 192.168.2.8, the client machine on the other subnet, I get:

1 NetBIOS name of 10.1.1.5 [10.1.1.3]
2 192.168.2.8

I don't know if any of this is relevant information but I figured it might be useful.

Re: Need help with a Routed Site to Site Install

Posted: Fri Mar 22, 2013 12:54 pm
by maikcat
Just configure a PC to use the OpenVPN server/client as its default gateway and
see if that works.

Michael.

Re: Need help with a Routed Site to Site Install

Posted: Sat Mar 23, 2013 10:48 pm
by Naldinho
That seemed to do it. Thanks.