
Point to Point VPN

Posted: Mon Apr 22, 2013 4:45 am
by brianmills
Hi, I've been setting up road warrior VPNs using TLS + shared keys and username/passwords for a while with great success. However I'm now trying to do a point to point network between 3 sites and having a routing issue which I can't place.

VPN subnet: 10.9.0.0/24
Server has 10.208.x.x subnets
Client has 192.168.100.0 subnets

I'm running the VPN server on Ubuntu 12.04. (It has 2 VPNs, one for the road warrior config, and the other for point to point.) The server actually has 5 subnets I'm hoping to hook up and make available to client B.

P2P server config:

port 5195
proto udp
dev tun
ca /etc/openvpn/rsa/ca.crt
pkcs12 /etc/openvpn/rsa/server.p12
dh dh2048.pem
#tls-auth /etc/openvpn/rsa/tls-auth.key
server 10.9.0.0 255.255.255.0
status /var/log/openvpn-status2.log
ifconfig-pool-persist ipp.vpn2
#persist-remote-ip
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 30
user nobody
group nogroup
persist-key
persist-tun
verb 5
topology subnet
# ProdAuthTier
push "route 10.208.134.0 255.255.255.0"
push "dhcp-option DNS 10.208.134.13"
push "dhcp-option DNS 10.208.134.14"
push "dhcp-option WINS 10.208.134.13"
push "dhcp-option WINS 10.208.134.14"
push "dhcp-option DOMAIN aus.lan"
# ProdOtherTier
push "route 10.208.217.0 255.255.255.0"
# ProdDbTier
push "route 10.208.81.0 255.255.255.0"
# ProdAppTier
push "route 10.208.165.0 255.255.255.0"
# ProdWebTier
push "route 10.208.195.0 255.255.255.0"
# other routes
#push "route 10.20.0.0 255.255.255.0 10.9.0.2"
route 10.20.1.0 255.255.255.0
push "route 10.20.1.0 255.255.255.0"
route 192.168.100.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"

Client config:

client
tls-client
dev tun
dev-type tun
proto udp
remote server.myurl.com 5195
tls-remote server.myurl.com
ca /etc/openvpn/ca.crt
key /etc/openvpn/clientb.key
cert /etc/openvpn/clientb.crt
user nobody
group nogroup
#script-security 3
resolv-retry infinite
#daemon
persist-key
persist-tun
writepid /etc/openvpn/vpn.pid.didata
status /etc/openvpn/vpn.status.didata
cipher AES-256-CBC
comp-lzo
mtu-test
verb 5

Server: cat /proc/sys/net/ipv4/ip_forward = 1

And iptables (which is vanilla default ACCEPT right now) has these rules added:
iptables -I FORWARD -i tun0 -s 10.9.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i tun1 -s 10.9.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -s 10.9.0.0/24 -j ACCEPT

Client side I have an issue with iptables that I don't understand. (It's a build by a hosting provider who aren't being helpful.)
iptables -L
gives this output:
FATAL: Error inserting ip_tables (/lib/moduels/...../iptables.ko): Operation not permitted
iptables v1.4.12: can't initialize iptables table 'filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

The VPN actually connects fine.
From the client I can ping 10.208.134.12 and 10.9.0.1 (the server) but nothing else on the client subnet.
From the server I can ping 192.168.100.223 and 10.9.0.4 (the client) but nothing else on the server subnet.

The client subnet route is not added to the server routes despite having route, push route, and iroute (in ccd) commands in place.
The server subnets (all 5) are added to the client fine.

Can anyone help with that? I'm a bit lost trying to debug it.

Re: Point to Point VPN

Posted: Mon Apr 22, 2013 4:50 am
by brianmills
OK, so iptables on one side just needed me to remember to sudo for it. (One side requires it and one side is running as root, as they were set up by 2 different providers.) However ping is still not working between the sites (other than the server and client machines themselves).

Re: Point to Point VPN

Posted: Mon Apr 22, 2013 5:29 am
by mwandelaar
First of all, you need to configure different subnets for the different connections.
Now, on both tun0 and tun1 there's a subnet 10.9.0.0/24 which will cause trouble in routing, as from tun0 10.9.0.12 (as an example) is a local interface IP and it's not forwarded to tun1.

Are you using any kind of inbound NAT to reach the servers?
And if so, does the default gateway (usually the router which has the inbound NAT configured) know the vpn-subnet is located behind the vpn-server?
If not, the packets coming from the reply of the ping are sent to the router and cannot find their way back to the VPN client.

Re: Point to Point VPN

Posted: Mon Apr 22, 2013 5:36 am
by brianmills
Thanks for taking the time to have a look at my issue. I really appreciate the assistance.

Both the VPN server and client are behind gateways. On the client:
eth1 has the public ip/connection and default gateway.
eth0 on the client is the network I want to be able to access from the server.
tun0 is the vpn connection 10.9.0.0/24

On the server, eth0 has the gateway, and is the network I'm trying to access from the client.
tun0 is the server side vpn connection, also on 10.9.0.0/24

tun1 was the second VPN, but I've stopped that to avoid any conflict. They were on different subnets; tun1 was 10.8.0.0/24. The iptables reference in my first post was a copy paste error. The tun1 entry should have had 10.8.0.0/24. So all subnets are different.


I believe the client pinging a server on the server network (but not the VPN server) is actually sending the packets out the tun0 network interface on the client network, as I can see the packet count rising (in the ifconfig output) but they are never received.

If I ping the VPN server, the packet count rises for both Tx and Rx. So it seems to be a routing issue of some kind (to me). I'm just not sure what the missing piece is.

Re: Point to Point VPN

Posted: Mon Apr 22, 2013 5:45 am
by brianmills
No the gateway doesn't know about the VPN, I'm trying to prevent that need, by adding routes manually on each server that need them to point to the vpn server machine. That goes for both sides of my connection.

I have NAT to the vpn server (to allow the incoming connection) is that what you mean?

Re: Point to Point VPN

Posted: Mon Apr 22, 2013 11:23 am
by mwandelaar
brianmills wrote:No the gateway doesn't know about the VPN, I'm trying to prevent that need, by adding routes manually on each server that need them to point to the vpn server machine. That goes for both sides of my connection.
I think this will work for the servers on both sides but I'm afraid this doesn't work for clients in the local LAN.
See also here for more documentation.

For example:
I have a DSL line at home, with the DSL router being my default gateway for the local LAN 192.168.20.0/24.
The DSL modem has an inbound NAT configured to my OpenVPN server on 192.168.20.2 to be able to connect from outside.
Connection to the server works fine and my VPN IP is 10.8.0.2 (VPN server 10.8.0.1, topology subnet).
If I set up routing and ping my HTPC on the LAN (192.168.20.200), my server will send the ICMP packet to the HTPC, but the HTPC sees a source IP outside its own LAN and therefore sends it to the default gateway.
The default gateway will drop the packet (10.8.0.0/24 is not routable to the internet) because it doesn't know where to send it.
If I tell the DSL router the network 10.8.0.0/24 is behind 192.168.20.2, the packet will travel back to my VPN client.

Therefore I need to tell the DSL router where the VPN network is in order to make the connection possible.
brianmills wrote:I have NAT to the vpn server (to allow the incoming connection) is that what you mean?
Yes, exactly.
And that's what I try to explain above, as I do inbound NAT myself too.

Re: Point to Point VPN

Posted: Mon Apr 22, 2013 10:10 pm
by brianmills
Ok. So I have NAT on the server gateway. But I can't add the route to the server gateways; hopefully setting the route on each accessible server will work for that side.

Client side, I only have 1-3 servers requiring access, so I can probably setup the VPN client on each of those servers.

I'll have a detailed look through that link, and come back with how far I got with it.

Re: Point to Point VPN

Posted: Tue Apr 23, 2013 12:21 pm
by brianmills
Ok. So I've managed to get access from both server and client subnets to the opposite subnet, without access to either router/default gateway.

The key is you need each server to know about the routes on the other end of the VPN tunnel, as well as the route to the VPN tunnel subnet.

I'd missed the latter, so it knew where to send packets if it was calling on the other subnet, but it didn't know how to reply to packets coming from the other subnet.

The only catch is that it doesn't work for the other subnets on my server network (as they have a router between them that I can't change the routes on), so when it tries to route from subnet D to subnet B (where the VPN server is) the router between the two replies destination unreachable. Which I think is fair enough, even with the routes on the server to point to subnet B's VPN server as the gateway.

Thanks so much for the help mwandelaar, you helped me sort out the missing piece of my puzzle. Very much appreciated.
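The failure mwandelaar describes (the reply leaves via a default gateway that knows nothing about the VPN subnet) and the fix brianmills arrived at (each LAN host needs a route for the remote LAN and for the VPN subnet, both via the VPN endpoint) can be checked with a small routing simulation. This is an added example, not code from the thread or from OpenVPN; addresses come from the thread, while host names and the gateway behaviour are constructed.

```python
import ipaddress

# Added example, not from the thread. Addresses from the thread: VPN subnet 10.9.0.0/24
# (server tun 10.9.0.1, client tun 10.9.0.4), server LAN 10.208.134.0/24 (DNS server
# 10.208.134.13), client LAN 192.168.100.0/24 (VPN client 192.168.100.223). Host names are constructed.

def next_hop(table, dst):
    """Longest-prefix match: 'direct' for a connected net, a next-hop host, or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

def trace(hosts, src, dst, max_hops=8):
    """Forward a packet host by host; the last element of the path is the outcome."""
    path, node = [src], src
    for _ in range(max_hops):
        via = next_hop(hosts[node], dst)
        if via == "direct":
            return path + ["delivered"]
        if via not in hosts:  # no route, or handed to an upstream (internet) that has none
            return path + ["dropped"]
        node = via
        path.append(node)
    return path + ["loop"]

def topology(lan_server_extra_routes):
    """Per-host tables; the extra routes go on the plain LAN server 10.208.134.13."""
    return {
        "vpn-server": [("10.208.134.0/24", "direct"), ("10.9.0.0/24", "direct"),
                       ("192.168.100.0/24", "vpn-client"), ("0.0.0.0/0", "gw-server")],
        "vpn-client": [("192.168.100.0/24", "direct"), ("10.9.0.0/24", "direct"),
                       ("10.208.134.0/24", "vpn-server"), ("0.0.0.0/0", "gw-client")],
        # Site gateway: knows only its own LAN and the internet, nothing about the VPN.
        "gw-server": [("10.208.134.0/24", "direct"), ("0.0.0.0/0", "internet")],
        "lan-server": [("10.208.134.0/24", "direct"), ("0.0.0.0/0", "gw-server")]
                      + list(lan_server_extra_routes),
    }

def reply_outcomes(lan_server_extra_routes):
    """Where do lan-server's ping replies to the VPN client's tun and LAN addresses end up?"""
    hosts = topology(lan_server_extra_routes)
    return {dst: trace(hosts, "lan-server", dst)[-1] for dst in ("10.9.0.4", "192.168.100.223")}

if __name__ == "__main__":
    both = [("192.168.100.0/24", "vpn-server"), ("10.9.0.0/24", "vpn-server")]
    for label, routes in [("none", []), ("remote LAN only", both[:1]), ("both", both)]:
        print(f"{label:16s} {reply_outcomes(routes)}")
```

With only the remote LAN route the reply to the client's tun address (10.9.0.4) still goes to the site gateway and is dropped, which is the "missed the latter" case; with both routes every reply comes back through the VPN server.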

Re: Point to Point VPN

Posted: Thu Apr 25, 2013 5:31 am
by mwandelaar
Great it works for you now. Have fun with the setup!
brianmills wrote:The key is you need each server to know about the routes on the other end of the VPN tunnel, as well as the route to the VPN tunnel subnet.
This is what I meant with adding the route to the router/gateway. That way you set the route "global" for your local network, but adding the routes to the individual machines works too.