Hi
I've successfully installed my server and one client
Server is using CentOS 6.4 with openvpn server 2.3.2
Client is using Win 7 with openvpn client 2.2.2
I manage to get to the server but Lan is unreachable
Vpn subnet is 192.168.5.0
Lan subnet is 10.1.1.0
VPN server IP is 10.1.1.125
I add a route for 10.1.1.0 network on the server "route add -net 10.1.1.0 netmask 255.255.255.0 gw 10.1.1.125"
and when trying to reach a computer on the lan from the win client, I got
"answer from 192.168.5.1 : host is unreachable"
any help will be welcome
access to server but not to lan
Moderators: TinCanTech
Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
-
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Oct 02, 2013 8:20 am
Re: access to server but not to lan
sorry I can't edit the post
server config :
local 10.1.1.125
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/cerbere.sbsr.crt
key /etc/openvpn/easy-rsa/keys/cerbere.sbsr.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.5.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 5
client config :
client
dev tun
proto udp
remote 193.248.157.241 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert stephane.crt
key stephane.key
cipher AES-128-CBC
comp-lzo
verb 5
-
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Oct 02, 2013 8:20 am
Re: access to server but not to lan
client log
Wed Oct 02 10:42:11 2013 us=616000 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Oct 02 10:42:11 2013 us=616000 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 02 10:42:11 2013 us=616000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Oct 02 10:42:11 2013 us=710000 LZO compression initialized
Wed Oct 02 10:42:11 2013 us=710000 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Oct 02 10:42:11 2013 us=710000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Oct 02 10:42:11 2013 us=710000 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 02 10:42:11 2013 us=710000 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Oct 02 10:42:11 2013 us=710000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Oct 02 10:42:11 2013 us=710000 Local Options hash (VER=V4): '66096c33'
Wed Oct 02 10:42:11 2013 us=710000 Expected Remote Options hash (VER=V4): '691e95c7'
Wed Oct 02 10:42:11 2013 us=710000 UDPv4 link local: [undef]
Wed Oct 02 10:42:11 2013 us=710000 UDPv4 link remote: 193.248.157.241:1194
Wed Oct 02 10:42:11 2013 us=804000 TLS: Initial packet from 193.248.157.241:1194, sid=fe120484 34abd8dc
Wed Oct 02 10:42:12 2013 us=365000 VERIFY OK: depth=1, /C=FR/ST=FR/L=Agen/O=IBS_Network/OU=INFO/CN=cerbere.sbsr/name=EVEILLARD/emailAddress=stephane.eveillard@ibsnetwork.fr
Wed Oct 02 10:42:12 2013 us=365000 VERIFY OK: depth=0, /C=FR/ST=FR/L=Agen/O=IBS_Network/OU=INFO/CN=cerbere.sbsr/name=EVEILLARD/emailAddress=stephane.eveillard@ibsnetwork.fr
Wed Oct 02 10:42:13 2013 us=473000 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Oct 02 10:42:13 2013 us=473000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 02 10:42:13 2013 us=473000 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Oct 02 10:42:13 2013 us=473000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 02 10:42:13 2013 us=473000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Oct 02 10:42:13 2013 us=473000 [cerbere.sbsr] Peer Connection Initiated with 193.248.157.241:1194
Wed Oct 02 10:42:15 2013 us=470000 SENT CONTROL [cerbere.sbsr]: 'PUSH_REQUEST' (status=1)
Wed Oct 02 10:42:15 2013 us=579000 PUSH: Received control message: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,route 192.168.5.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.5.6 192.168.5.5'
Wed Oct 02 10:42:15 2013 us=579000 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 02 10:42:15 2013 us=579000 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 02 10:42:15 2013 us=579000 OPTIONS IMPORT: route options modified
Wed Oct 02 10:42:15 2013 us=579000 ROUTE default_gateway=192.168.1.254
Wed Oct 02 10:42:15 2013 us=579000 TAP-WIN32 device [Connexion au réseau local 6] opened: \\.\Global\{6763C387-62EB-4DAE-97A7-7A6DCF0AE679}.tap
Wed Oct 02 10:42:15 2013 us=579000 TAP-Win32 Driver Version 9.9
Wed Oct 02 10:42:15 2013 us=579000 TAP-Win32 MTU=1500
Wed Oct 02 10:42:15 2013 us=579000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.5.6/255.255.255.252 on interface {6763C387-62EB-4DAE-97A7-7A6DCF0AE679} [DHCP-serv: 192.168.5.5, lease-time: 31536000]
Wed Oct 02 10:42:15 2013 us=579000 Successful ARP Flush on interface [29] {6763C387-62EB-4DAE-97A7-7A6DCF0AE679}
Wed Oct 02 10:42:20 2013 us=789000 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Oct 02 10:42:20 2013 us=789000 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 02 10:42:25 2013 us=79000 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Oct 02 10:42:25 2013 us=79000 C:\WINDOWS\system32\route.exe ADD 10.1.1.0 MASK 255.255.255.0 192.168.5.5
Wed Oct 02 10:42:25 2013 us=79000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Oct 02 10:42:25 2013 us=79000 Route addition via IPAPI succeeded [adaptive]
Wed Oct 02 10:42:25 2013 us=79000 C:\WINDOWS\system32\route.exe ADD 192.168.5.1 MASK 255.255.255.255 192.168.5.5
Wed Oct 02 10:42:25 2013 us=79000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Oct 02 10:42:25 2013 us=79000 Route addition via IPAPI succeeded [adaptive]
Wed Oct 02 10:42:25 2013 us=79000 Initialization Sequence Completed
Wed Oct 02 10:44:31 2013 us=877000 TCP/UDP: Closing socket
Wed Oct 02 10:44:31 2013 us=877000 C:\WINDOWS\system32\route.exe DELETE 192.168.5.1 MASK 255.255.255.255 192.168.5.5
Wed Oct 02 10:44:31 2013 us=877000 Route deletion via IPAPI succeeded [adaptive]
Wed Oct 02 10:44:31 2013 us=877000 C:\WINDOWS\system32\route.exe DELETE 10.1.1.0 MASK 255.255.255.0 192.168.5.5
Wed Oct 02 10:44:31 2013 us=877000 Route deletion via IPAPI succeeded [adaptive]
Wed Oct 02 10:44:31 2013 us=877000 Closing TUN/TAP interface
Wed Oct 02 10:44:31 2013 us=877000 SIGTERM[hard,] received, process exiting
-
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Oct 02, 2013 8:20 am
Re: access to server but not to lan
It's nice for you to try to help me but
I don't understand what you mean with this link
-
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Oct 02, 2013 8:20 am
Re: access to server but not to lan
ok I read it
I mentioned the push route for the server subnet 10.1.1.0 in the server.conf
...
push "route 10.1.1.0 255.255.255.0"
...
and use Masquerade with iptables to translate IP address from the vpn subnet to the server subnet
so pcs on the lan should only see requests coming from the vpn server
IP Forwarding is enabled on the server
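The setup described in the post above (pushed route, MASQUERADE for the VPN subnet, IP forwarding) can be verified against the server's firewall state. This is an added example, not part of the thread; it goes one step beyond the post by also evaluating the filter FORWARD chain, and the interface names `eth0` and `tun0` and the sample ruleset are assumptions constructed for illustration.

```shell
# Added example (not from the thread): offline checks on `iptables-save` text.
VPN_NET="192.168.5.0/24"   # from the post: server 192.168.5.0 255.255.255.0
# Succeeds if nat POSTROUTING masquerades traffic sourced from VPN_NET.
has_masquerade() {
  printf '%s\n' "$1" | awk -v net="$VPN_NET" '
    /^\*/ { table = $1 }
    table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
      s = 1; j = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-s" && $(i+1) != net) s = 0
        if ($i == "-j" && $(i+1) == "MASQUERADE") j = 1
      }
      if (s && j) found = 1
    }
    END { exit !found }'
}
# Prints the first terminal verdict FORWARD gives a new packet from VPN_NET on a
# tun device, else the chain policy. Rules with other matches (-m, -p, -d) are skipped.
forward_verdict() {
  printf '%s\n' "$1" | awk -v net="$VPN_NET" '
    /^\*/ { table = $1 }
    table == "*filter" && $1 == ":FORWARD" { verdict = $2 }   # chain policy
    table == "*filter" && $1 == "-A" && $2 == "FORWARD" && !hit {
      ok = 1; tgt = ""
      for (i = 3; i < NF; i += 2) {
        if ($i == "-j") { tgt = $(i+1); break }
        if ($i == "-s" && $(i+1) != net) ok = 0
        else if ($i == "-i" && $(i+1) !~ /^tun/) ok = 0
        else if ($i != "-s" && $i != "-i" && $i != "-o") ok = 0
      }
      if (ok && tgt ~ /^(ACCEPT|DROP|REJECT)$/) { verdict = tgt; hit = 1 }
    }
    END { print verdict }'
}
# Constructed sample ruleset; eth0 (LAN side) and tun0 are assumed names.
SAMPLE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Same ruleset with an explicit allow for tunnel traffic ahead of the REJECT.
FIXED=$(printf '%s\n' "$SAMPLE" | awk '
  /^-A FORWARD -j REJECT/ { print "-A FORWARD -s 192.168.5.0/24 -i tun0 -o eth0 -j ACCEPT" }
  { print }')
echo "sample: $(forward_verdict "$SAMPLE")  with allow rule: $(forward_verdict "$FIXED")"
```

On a live server, pass the functions the output of `iptables-save` (run as root) instead of the sample, and confirm forwarding separately with `sysctl -n net.ipv4.ip_forward`.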