
[Solved]Server LAN <-> Client LAN

Posted: Thu May 14, 2015 8:16 am
by jamyz
Hi everybody. This is my first post and I need help.

I have a synology Ds1511+ with openvpn.

This network is under 192.168.1.0
Router = 192.168.1.1
Synology = 192.168.1.111
OpenVpn Server = 10.8.0.1
Windows 8.1 = 192.168.1.12

Now I have my client on network 192.168.0.0
Router ASUS RT-AC66U (Merlin Build) = 192.168.0.1
Router OpenVpn client = 10.8.0.2
Client Macbook = 192.168.0.20

This is my openvpn.conf in my Synology/OpenVPN 192.168.1.111/10.8.0.1

Code:

push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
#MACONFIG
client-to-client
topology subnet
ccd-exclusive
client-config-dir ccd
route 192.168.0.0 255.255.255.0
#MACONFIG

dev tun
management 127.0.0.1 1195
server 10.8.0.0 255.255.255.0
dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
max-clients 5
comp-lzo
persist-tun
persist-key
verb 3
#log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.c
client-cert-not-required
username-as-common-name
duplicate-cn
status /tmp/ovpn_status_2_result 30
status-version 2
proto udp6
port 1194

This is my client on my client router Asus RT-AC66U 192.168.0.1 / 10.8.0.2

Code:

dev tun
tls-client
remote my-ip.dyndns.org 1194
pull
proto udp
script-security 2

ca [inline]
<ca>
-----BEGIN CERTIFICATE-----
MY CERTIFICATE CRYPTED
-----END CERTIFICATE-----
</ca>

comp-lzo

reneg-sec 0

auth-user-pass

I created a ccd folder in the OpenVPN of my Synology for a static IP for my ASUS router client. It is named admin.

admin

Code:

ifconfig-push 10.8.0.2 255.255.255.0
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0

OK. The client is connected.

Now from the client network (192.168.0.0), from my MacBook 192.168.0.20,
I can ping my Synology 192.168.1.111, the router 192.168.1.1, and the other connected devices.

From my Synology, logged in via SSH, I can ping the whole client network: the ASUS client router 192.168.0.1, the MacBook 192.168.0.20, and all connected devices.

Now I can't ping from any device connected to the network 192.168.1.0.

I try to ping from my router 192.168.1.1 to the OpenVPN server 10.8.0.1 = Fail
I try to ping from my Windows 8.1 192.168.1.12 to the OpenVPN server 10.8.0.1 = Fail
I try to ping from my router 192.168.1.1 to the Asus client 10.8.0.2 = Fail
I try to ping from my Windows 8.1 192.168.1.12 to the Asus client 10.8.0.2 = Fail
I try to ping from my router 192.168.1.1 to the MacBook client 192.168.0.20 = Fail
I try to ping from my Windows 8.1 192.168.1.12 to the MacBook client 192.168.0.20 = Fail

I try to ping from my Synology 192.168.1.111 to the MacBook client 192.168.0.20 = WIN
I try to ping from my Synology 192.168.1.111 to the ASUS client 192.168.0.1 = WIN
I try to ping from my Synology 192.168.1.111 to the ASUS client 10.8.0.2 = WIN

What is wrong on the side of the network 192.168.1.1?

Can you help me?

Sorry for my English, I only speak French or Spanish.

Re: Server LAN <-> Client LAN

Posted: Thu May 14, 2015 9:11 am
by maikcat
your config is a little messed up...

you need to assign your ccd per cert meaning that these

Code:

client-cert-not-required
username-as-common-name
duplicate-cn

must be removed...
else openvpn wouldn't know where to route packets for the client network.

Michael.

Re: Server LAN <-> Client LAN

Posted: Thu May 14, 2015 9:59 am
by jamyz
Thanks for the reply.
maikcat wrote:
else openvpn wouldn't know where to route packets for the client network.

Michael.
How do I route?

In the Synology I have this:

Destination | Gateway     | Mask          | M | Interface
0.0.0.0     | 192.168.1.1 | 0.0.0.0       | 0 | Bond 1
10.8.0.0    | 0.0.0.0     | 255.255.255.0 | 0 | (unknow) tun0
192.168.0.0 | 10.8.0.2    | 255.255.255.0 | 0 | (unknow) tun0
192.168.1.0 | 0.0.0.0     | 255.255.255.0 | 0 | Bond 1

Re: Server LAN <-> Client LAN

Posted: Thu May 14, 2015 12:57 pm
by maikcat
did you remove the directives I wrote earlier?

Michael.

Re: Server LAN <-> Client LAN

Posted: Thu May 14, 2015 1:19 pm
by jamyz
maikcat wrote: did you remove the directives I wrote earlier?

Michael.
Sorry, but my English is bad and I have difficulty understanding you.

In the folder ccd I have the file admin. In the file admin I have:

Code:

ifconfig-push 10.8.0.2 255.255.255.0
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0

Do I delete all this?

And I put this?

Code:

client-cert-not-required
username-as-common-name
duplicate-cn
Right ????

Re: Server LAN <-> Client LAN

Posted: Fri May 15, 2015 5:30 am
by maikcat
Do I delete all this?
no

Right ????
please DONT change anything in your ccd file,

remove the directives I wrote from your SERVER config,

you need to change the way your vpn works meaning that:

for your ccd files to work there MUST be a common name present while your clients connect
this can be achieved in 2 ways,

1)use certificates in your clients
2)use their login name as common name

pick one of the 2 approaches and we talk back...

Michael.

Re: Server LAN <-> Client LAN

Posted: Fri May 15, 2015 7:23 am
by jamyz
please DONT change anything in your ccd file,
OK
remove the directives i wrote from your SERVER config
Sorry, I don't see the lines... :oops:

1)use certificates in your clients
I use that and now the client doesn't connect. Log of the client:

Code:

May 15 09:13:44 rc_service: httpd 773:notify_rc start_vpnclient1
May 15 09:13:44 kernel: tun: Universal TUN/TAP device driver, 1.6
May 15 09:13:44 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 15 09:13:44 openvpn[4038]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 26 2015
May 15 09:13:44 openvpn[4038]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 15 09:13:44 openvpn[4038]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 15 09:13:44 openvpn[4038]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 15 09:13:45 openvpn[4038]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 15 09:13:45 openvpn[4042]: UDPv4 link local: [undef]
May 15 09:13:45 openvpn[4042]: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
May 15 09:13:45 openvpn[4042]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=4316d3c5 73f3dc18
May 15 09:13:45 openvpn[4042]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 15 09:13:45 openvpn[4042]: VERIFY OK: depth=2, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
May 15 09:13:45 openvpn[4042]: VERIFY OK: depth=1, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
May 15 09:13:45 openvpn[4042]: VERIFY OK: depth=0, C=ES, CN=nas.fake.com, emailAddress=hostmaster@fake.com
May 15 09:14:45 openvpn[4042]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 15 09:14:45 openvpn[4042]: TLS Error: TLS handshake failed
May 15 09:14:45 openvpn[4042]: SIGUSR1[soft,tls-error] received, process restarting
May 15 09:14:45 openvpn[4042]: Restart pause, 2 second(s)

2)use their login name as common name
Why not. What do I do???

Thank you..... ;)

Re: Server LAN <-> Client LAN

Posted: Fri May 15, 2015 10:22 am
by Traffic
Also:
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

Re: Server LAN <-> Client LAN

Posted: Fri May 15, 2015 7:54 pm
by jamyz
OK, now I have this in openvpn.conf:

Code:

push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
#MACONFIG
client-to-client
topology subnet
ccd-exclusive
client-config-dir ccd
route 192.168.0.0 255.255.255.0
#MACONFIG

dev tun
management 127.0.0.1 1195
server 10.8.0.0 255.255.255.0
dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
max-clients 5
comp-lzo
persist-tun
persist-key
verb 3
#log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.c
client-cert-not-required
username-as-common-name
duplicate-cn
status /tmp/ovpn_status_2_result 30
status-version 2
proto udp6
port 1194

In the log of the Asus client I have:

Code:

May 15 21:49:55 kernel: tun: Universal TUN/TAP device driver, 1.6
May 15 21:49:55 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 15 21:49:55 openvpn[9208]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 26 2015
May 15 21:49:55 openvpn[9208]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 15 21:49:55 openvpn[9208]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 15 21:49:55 openvpn[9208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 15 21:49:55 openvpn[9208]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 15 21:49:55 openvpn[9210]: UDPv4 link local: [undef]
May 15 21:49:55 openvpn[9210]: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
May 15 21:49:55 openvpn[9210]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=846bc360 709d130b
May 15 21:49:55 openvpn[9210]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 15 21:49:55 openvpn[9210]: VERIFY OK: depth=2, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
May 15 21:49:55 openvpn[9210]: VERIFY OK: depth=1, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
May 15 21:49:55 openvpn[9210]: VERIFY OK: depth=0, C=ES, CN=nas.fake.com, emailAddress=hostmaster@fake.com

What do I do now.... I don't see the client connected.... :cry:

Re: Server LAN <-> Client LAN

Posted: Sun May 17, 2015 10:14 am
by Traffic
Do you only have one client .. the Merlin router ?
jamyz wrote: I created a ccd folder in the OpenVPN of my Synology for a static IP for my ASUS router client. It is named admin.
The name of the file (admin) must match the common-name field of the client certificate ..

When you create your client certificate many people name the cert file the same as the common name. So for example: if you create a client01.crt/client01.key with easyrsa the common-name could be client01 and the CCD file on the server would be called client01 also.

The underlines indicate the common-name:
jamyz wrote:May 15 21:49:55 openvpn[9210]: VERIFY OK: depth=2, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
May 15 21:49:55 openvpn[9210]: VERIFY OK: depth=1, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
May 15 21:49:55 openvpn[9210]: VERIFY OK: depth=0, C=ES, CN=nas.fake.com, emailAddress=hostmaster@fake.com
Did you create your client cert with easyrsa ?

Re: Server LAN <-> Client LAN

Posted: Sun May 17, 2015 10:44 am
by jamyz
Yes, I have the latest Merlin build for RT-AC66U.
And I created the SSL certificate with StartSSL so that I don't get a certificate error when I log in to my Synology with HTTPS access.

Re: Server LAN <-> Client LAN

Posted: Sun May 17, 2015 10:57 am
by jamyz
Sorry, but is that why I can't ping from any device with 192.168.1.X to 10.8.0.2 or to any client with 192.168.0.X (only the Synology with the OpenVPN server 10.8.0.1 and IP 192.168.1.111 can ping?), when I can ping from any client 192.168.0.X to any device with 192.168.1.X?

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 10:45 am
by jamyz
OK, I try again to solve this, maybe I explain better.....

That is my map:
[image]

In the server openvpn.conf:

Code:

push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0

#MACONFIG
client-to-client
topology subnet
route 192.168.0.0 255.255.255.0
#MACONFIG



dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/open
client-cert-not-required
username-as-common-name
duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp6
port 1194

In ccd/admin:

Code:

ifconfig-push 10.8.0.2 255.255.255.0
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0

Routes in Synology/OpenVPN server 192.168.1.111:

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 bond0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.0.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 bond0

ip route show:

Code:

default via 192.168.1.1 dev bond0
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.0.0/24 via 10.8.0.2 dev tun0
192.168.1.0/24 dev bond0  scope link  src 192.168.1.111

The Server Synology Setup
[image]

admin client connected
[image]

Route
[image]


Now in the Asus client:

The Setup
[image]

The Log
[image]

All of the log:

Code:

May 18 11:23:52 rc_service: httpd 2972:notify_rc start_vpnclient1
May 18 11:23:52 kernel: tun: Universal TUN/TAP device driver, 1.6
May 18 11:23:52 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 18 11:23:52 openvpn[5998]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 26 2015
May 18 11:23:52 openvpn[5998]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 18 11:23:52 openvpn[5998]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 18 11:23:52 openvpn[5998]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 18 11:23:52 openvpn[5998]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 18 11:23:53 openvpn[6002]: UDPv4 link local: [undef]
May 18 11:23:53 openvpn[6002]: UDPv4 link remote: [AF_INET]213.xxx.xxx.xxx:1194
May 18 11:23:53 openvpn[6002]: TLS: Initial packet from [AF_INET]213.xxx.xxx.xxx:1194, sid=f5e951a9 cd1a34eb
May 18 11:23:53 openvpn[6002]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 18 11:23:53 openvpn[6002]: VERIFY OK: depth=2, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
May 18 11:23:53 openvpn[6002]: VERIFY OK: depth=1, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
May 18 11:23:53 openvpn[6002]: VERIFY OK: depth=0, C=ES, CN=xxx.com, emailAddress=hostmaster@xxx.com
May 18 11:23:54 openvpn[6002]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 18 11:23:54 openvpn[6002]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 18 11:23:54 openvpn[6002]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 18 11:23:54 openvpn[6002]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 18 11:23:54 openvpn[6002]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
May 18 11:23:54 openvpn[6002]: [xxx.xxx.com] Peer Connection Initiated with [AF_INET]213.xxx.xxx.xxx:1194
May 18 11:23:56 openvpn[6002]: SENT CONTROL [xxx.xxx.com]: 'PUSH_REQUEST' (status=1)
May 18 11:23:56 openvpn[6002]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.3 255.255.255.0'
May 18 11:23:56 openvpn[6002]: OPTIONS IMPORT: timers and/or timeouts modified
May 18 11:23:56 openvpn[6002]: OPTIONS IMPORT: --ifconfig/up options modified
May 18 11:23:56 openvpn[6002]: OPTIONS IMPORT: route options modified
May 18 11:23:56 openvpn[6002]: OPTIONS IMPORT: route-related options modified
May 18 11:23:56 openvpn[6002]: TUN/TAP device tun11 opened
May 18 11:23:56 openvpn[6002]: TUN/TAP TX queue length set to 100
May 18 11:23:56 openvpn[6002]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 18 11:23:56 openvpn[6002]: /usr/sbin/ip link set dev tun11 up mtu 1500
May 18 11:23:56 openvpn[6002]: /usr/sbin/ip addr add dev tun11 10.8.0.3/24 broadcast 10.8.0.255
May 18 11:23:59 openvpn[6002]: /usr/sbin/ip route add 192.168.1.0/24 via 10.8.0.1
May 18 11:23:59 openvpn[6002]: Ignore conflicted routing rule: 10.8.0.0 255.255.255.0
May 18 11:23:59 openvpn-routing: Skipping, not in routing policy mode
May 18 11:23:59 openvpn[6002]: Initialization Sequence Completed

Route
[image]

SSH route:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
213.xxx.xxx.xxx   *               255.255.255.255 UH    0      0        0 eth0
213.xxx.xxx.xxx    *               255.255.255.255 UH    0      0        0 eth0
192.168.1.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun11
10.8.0.0        *               255.255.255.0   U     0      0        0 tun11
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
213.xxx.xxx.xxx    *               255.255.252.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         xxx.xxx.xxx.213.dy 0.0.0.0         UG    0      0        0 eth0

SSH ip route show:

Code:

213.xxx.xxx.xxx dev eth0  scope link
213.xxx.xxx.xxx dev eth0  scope link
192.168.1.0/24 via 10.8.0.1 dev tun11
10.8.0.0/24 dev tun11  proto kernel  scope link  src 10.8.0.3
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
213.xxx.xxx.xxx/22 dev eth0  proto kernel  scope link  src 213.xxx.xxx.xxx
127.0.0.0/8 dev lo  scope link
default via 213.xxx.xxx.xxx dev eth0

With both setups, from the client router:
All machines with IPs in 192.168.0.0 can ping all machines with IPs in 192.168.1.0.
Only the server Synology (192.168.1.111)/OpenVPN (10.8.0.1) can ping machines with IPs in 192.168.0.0 & 192.168.1.0.
All machines with IPs in 192.168.1.0 (like 192.168.1.12) can only ping machines with IPs in 192.168.1.0.

Example for machine 192.168.1.12:
Ping to 192.168.1.111 = OK
Ping to 192.168.1.1 = OK
Ping to 192.168.1.222 (Macbook) = OK
Ping to 10.8.0.1 = Fail
Ping to 10.8.0.2 = Fail
Ping to any machine with IPs in 192.168.0.0 = Fail.

In the previous setup, deleting these 3 lines in openvpn.conf:

Code:

client-cert-not-required
username-as-common-name
duplicate-cn

The client router can't connect.

I need help.... My head is nearly exploding. A long week of setups with lots of failures.
Thank you.......

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 11:02 am
by Traffic
Your server config has no --client-config-dir ..

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 11:25 am
by jamyz
Traffic wrote:Your server config has no --client-config-dir ..
Right, but now the client can't connect

I changed this

Code:

#MACONFIG
client-to-client
topology subnet
route 192.168.0.0 255.255.255.0
#MACONFIG

to this in openvpn.conf:

Code:

#MACONFIG
client-to-client
client-config-dir ccd
topology subnet
route 192.168.0.0 255.255.255.0
#MACONFIG

Log of the client router:

Code:

May 18 13:18:14 rc_service: httpd 2972:notify_rc start_vpnclient1
May 18 13:18:14 kernel: tun: Universal TUN/TAP device driver, 1.6
May 18 13:18:14 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 18 13:18:14 openvpn[6506]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 26 2015
May 18 13:18:14 openvpn[6506]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 18 13:18:14 openvpn[6506]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 18 13:18:14 openvpn[6506]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 18 13:18:14 openvpn[6506]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 18 13:18:14 openvpn[6510]: UDPv4 link local: [undef]
May 18 13:18:14 openvpn[6510]: UDPv4 link remote: [AF_INET]213.xx.xx.xx:1194
May 18 13:18:14 openvpn[6510]: TLS: Initial packet from [AF_INET]213.xx.xx.xx:1194, sid=a064fbcd 2e9c4aff
May 18 13:18:14 openvpn[6510]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 18 13:18:15 openvpn[6510]: VERIFY OK: depth=2, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
May 18 13:18:15 openvpn[6510]: VERIFY OK: depth=1, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
May 18 13:18:15 openvpn[6510]: VERIFY OK: depth=0, C=ES, CN=xx.xx.com, emailAddress=hostmaster@xx.com
May 18 13:18:15 openvpn[6510]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 18 13:18:15 openvpn[6510]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 18 13:18:15 openvpn[6510]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 18 13:18:15 openvpn[6510]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 18 13:18:15 openvpn[6510]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
May 18 13:18:15 openvpn[6510]: [nas.jamyz.com] Peer Connection Initiated with [AF_INET]213.60.240.95:1194
May 18 13:18:18 openvpn[6510]: SENT CONTROL [xx.xx.com]: 'PUSH_REQUEST' (status=1)
May 18 13:18:18 openvpn[6510]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,route 192.168.1.0 255.255.255.0 10.8.0.1,ifconfig 10.8.0.2 255.255.255.0'
May 18 13:18:18 openvpn[6510]: OPTIONS IMPORT: timers and/or timeouts modified
May 18 13:18:18 openvpn[6510]: OPTIONS IMPORT: --ifconfig/up options modified
May 18 13:18:18 openvpn[6510]: OPTIONS IMPORT: route options modified
May 18 13:18:18 openvpn[6510]: OPTIONS IMPORT: route-related options modified
May 18 13:18:18 openvpn[6510]: TUN/TAP device tun11 opened
May 18 13:18:18 openvpn[6510]: TUN/TAP TX queue length set to 100
May 18 13:18:18 openvpn[6510]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 18 13:18:18 openvpn[6510]: /usr/sbin/ip link set dev tun11 up mtu 1500
May 18 13:18:18 openvpn[6510]: /usr/sbin/ip addr add dev tun11 10.8.0.2/24 broadcast 10.8.0.255
May 18 13:18:20 openvpn[6510]: /usr/sbin/ip route add 192.168.1.0/24 via 10.8.0.1
May 18 13:18:20 openvpn[6510]: Ignore conflicted routing rule: 10.8.0.0 255.255.255.0
May 18 13:18:20 openvpn[6510]: Ignore conflicted routing rule: 192.168.1.0 255.255.255.0
May 18 13:18:20 openvpn-routing: Skipping, not in routing policy mode
May 18 13:18:20 openvpn[6510]: Initialization Sequence Completed

All works, but the same:
Ping to 192.168.1.111 = OK
Ping to 192.168.1.1 = OK
Ping to 192.168.1.222 (Macbook) = OK
Ping to 10.8.0.1 = Fail
Ping to 10.8.0.2 = Fail
Ping to any machine with IPs in 192.168.0.0 = Fail.

:? :? :? :?

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 12:11 pm
by Traffic
In your server config set --verb 4

Change your ccd/admin file to:
jamyz wrote:in ccd/admin
Code:
ifconfig-push 10.8.0.102 255.255.255.0 # Change the IP address (for testing)
push "route 192.168.1.0 255.255.255.0 10.8.0.1" # delete this as it is pushed by server config
iroute 192.168.0.0 255.255.255.0 # keep this unchanged


What routing does your router (192.168.1.1) have ? post routing table please.

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 1:14 pm
by jamyz
OK, I changed verb 3 to verb 4.

I changed admin like this:

Code:

ifconfig-push 10.8.0.102 255.255.255.0
#push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0

I correctly see the client with IP 10.8.0.102 in the setup of the Synology VPN Server.

Log of the client router 192.168.0.1:

Code:

May 18 15:05:44 rc_service: httpd 2972:notify_rc start_vpnclient1
May 18 15:05:44 kernel: tun: Universal TUN/TAP device driver, 1.6
May 18 15:05:44 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 18 15:05:44 openvpn[6924]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 26 2015
May 18 15:05:44 openvpn[6924]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 18 15:05:44 openvpn[6924]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 18 15:05:44 openvpn[6924]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 18 15:05:44 openvpn[6924]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 18 15:05:44 openvpn[6928]: UDPv4 link local: [undef]
May 18 15:05:44 openvpn[6928]: UDPv4 link remote: [AF_INET]213.xx.xx.xx:1194
May 18 15:05:44 openvpn[6928]: TLS: Initial packet from [AF_INET]213.xx.xx.xx:1194, sid=d62725ff b4f9e8cc
May 18 15:05:44 openvpn[6928]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 18 15:05:45 openvpn[6928]: VERIFY OK: depth=2, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
May 18 15:05:45 openvpn[6928]: VERIFY OK: depth=1, C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
May 18 15:05:45 openvpn[6928]: VERIFY OK: depth=0, C=ES, CN=xxxx.com, emailAddress=hostmaster@xxxx.com
May 18 15:05:45 openvpn[6928]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 18 15:05:45 openvpn[6928]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 18 15:05:45 openvpn[6928]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 18 15:05:45 openvpn[6928]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 18 15:05:45 openvpn[6928]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
May 18 15:05:45 openvpn[6928]: [xxxxx.com] Peer Connection Initiated with [AF_INET]213.xx.xx.xx:1194
May 18 15:05:47 openvpn[6928]: SENT CONTROL [nas.jamyz.com]: 'PUSH_REQUEST' (status=1)
May 18 15:05:47 openvpn[6928]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.102 255.255.255.0'
May 18 15:05:47 openvpn[6928]: OPTIONS IMPORT: timers and/or timeouts modified
May 18 15:05:47 openvpn[6928]: OPTIONS IMPORT: --ifconfig/up options modified
May 18 15:05:47 openvpn[6928]: OPTIONS IMPORT: route options modified
May 18 15:05:47 openvpn[6928]: OPTIONS IMPORT: route-related options modified
May 18 15:05:47 openvpn[6928]: TUN/TAP device tun11 opened
May 18 15:05:47 openvpn[6928]: TUN/TAP TX queue length set to 100
May 18 15:05:47 openvpn[6928]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 18 15:05:47 openvpn[6928]: /usr/sbin/ip link set dev tun11 up mtu 1500
May 18 15:05:47 openvpn[6928]: /usr/sbin/ip addr add dev tun11 10.8.0.102/24 broadcast 10.8.0.255
May 18 15:05:50 openvpn[6928]: /usr/sbin/ip route add 192.168.1.0/24 via 10.8.0.1
May 18 15:05:50 openvpn[6928]: Ignore conflicted routing rule: 10.8.0.0 255.255.255.0
May 18 15:05:50 openvpn-routing: Skipping, not in routing policy mode
May 18 15:05:50 openvpn[6928]: Initialization Sequence Completed

What routing does your router (192.168.1.1) have ? post routing table please.
I think that is the problem.....
This device doesn't have the possibility of a routing table :roll:
Is that why I can ping other machines with IPs in 192.168.0.0??

I can try with an old WRT54GL during the week. But in this case what are the Destination and the Gateway?

Can I create a route in the Synology? But in this case what are the Destination and the Gateway?

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 1:35 pm
by jamyz
The cable modem is a Technicolor at 192.168.1.1.
Link to the router:
http://descargas.mundo-r.com/sites/desc ... TC7210.pdf

I can't get in via SSH or telnet to see the routes...........

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 1:43 pm
by jamyz
jamyz wrote:
I think that is the problem.....
This device doesn't have the possibility of a routing table :roll:
Is that why I can ping other machines with IPs in 192.168.0.0??

I can try with an old WRT54GL during the week. But in this case what are the Destination and the Gateway?

Can I create a route in the Synology? But in this case what are the Destination and the Gateway?
Remember, only 192.168.1.111 can ping everybody in 192.168.0.0 & 192.168.1.0.
Is there a possibility of a route from 192.168.1.111 to 192.168.1.1?

Re: Server LAN <-> Client LAN

Posted: Mon May 18, 2015 1:59 pm
by Traffic
jamyz wrote: I think that is the problem.....
This device doesn't have the possibility of a routing table
If you cannot add routes to the network gateway then add them to the individual machines.

For windows machine in 192.168.1.x network to route the VPN IP:

Code:

route add 10.8.0.0 mask 255.255.255.0 192.168.1.111

For windows machine in 192.168.1.x network to route the remote LAN:

Code:

route add 192.168.0.0 mask 255.255.255.0 192.168.1.111

The NAS (192.168.1.111) has a route and --iroute for VPN 10.8/24 and remote LAN 192.168/24

Also note .. you have some NAT enabled on the client router; this may complicate things ..
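As an added example (not code from the thread or from any of its posters), the Python below replays the routing tables jamyz posted and the per-host routes Traffic proposes, doing a longest-prefix lookup at every hop to show why only the NAS reaches the client LAN and why a 192.168.1.x machine needs the two "route add ... 192.168.1.111" entries for its packets to come back. The cable modem's table, the interface names on the Windows PC and the 'isp' pseudo-address standing in for the WAN are assumptions.

```python
import ipaddress

# Routing tables transcribed from the thread: (prefix, next hop or None when the
# prefix is directly connected, interface). The modem's table is an assumption
# (it cannot be viewed or edited); 'isp' stands in for everything beyond the WAN.
ROUTES = {
    "synology": [                                  # 192.168.1.111 / 10.8.0.1
        ("0.0.0.0/0", "192.168.1.1", "bond0"),
        ("10.8.0.0/24", None, "tun0"),
        ("192.168.0.0/24", "10.8.0.2", "tun0"),    # server 'route' + ccd 'iroute'
        ("192.168.1.0/24", None, "bond0"),
    ],
    "asus": [                                      # 192.168.0.1 / 10.8.0.2
        ("192.168.1.0/24", "10.8.0.1", "tun11"),   # pushed by the server
        ("10.8.0.0/24", None, "tun11"),
        ("192.168.0.0/24", None, "br0"),
        ("0.0.0.0/0", "isp", "eth0"),
    ],
    "modem": [                                     # 192.168.1.1, no static routes
        ("192.168.1.0/24", None, "lan"),
        ("0.0.0.0/0", "isp", "wan"),
    ],
    "windows": [                                   # 192.168.1.12, before the fix
        ("192.168.1.0/24", None, "eth"),
        ("0.0.0.0/0", "192.168.1.1", "eth"),
    ],
    "macbook": [                                   # 192.168.0.20
        ("192.168.0.0/24", None, "en0"),
        ("0.0.0.0/0", "192.168.0.1", "en0"),
    ],
}

# Which host answers for which address; anything else (e.g. 'isp') is outside.
ADDRESSES = {
    "192.168.1.111": "synology", "10.8.0.1": "synology",
    "192.168.0.1": "asus", "10.8.0.2": "asus",
    "192.168.1.1": "modem",
    "192.168.1.12": "windows",
    "192.168.0.20": "macbook",
}


def lookup(table, dst):
    """Longest-prefix match: (next_hop, iface) of the most specific route, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def trace(routes, src_host, dst, max_hops=8):
    """Forward a packet hop by hop. Returns (delivered, hosts visited)."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        if ADDRESSES.get(dst) == host:
            return True, path
        match = lookup(routes[host], dst)
        if match is None:
            return False, path
        next_hop, _iface = match
        # Directly connected prefix: hand the packet to the owner of dst itself.
        target = dst if next_hop is None else next_hop
        owner = ADDRESSES.get(target)
        if owner is None:            # default route toward the ISP: packet is lost
            path.append(target)
            return False, path
        path.append(owner)
        host = owner
    return False, path


def with_host_routes(table, via="192.168.1.111"):
    """Traffic's fix: the two 'route add ... 192.168.1.111' entries on a LAN host."""
    return table + [("10.8.0.0/24", via, "eth"), ("192.168.0.0/24", via, "eth")]


def round_trip(routes, src_host, src_addr, dst_addr):
    """A ping needs both directions; returns (ok, request path, reply path)."""
    ok, request = trace(routes, src_host, dst_addr)
    if not ok:
        return False, request, []
    ok, reply = trace(routes, request[-1], src_addr)
    return ok, request, reply


if __name__ == "__main__":
    print(trace(ROUTES, "synology", "192.168.0.20"))   # the NAS reaches the MacBook
    print(trace(ROUTES, "windows", "192.168.0.20"))    # the PC hands it to the modem
    fixed = dict(ROUTES, windows=with_host_routes(ROUTES["windows"]))
    print(trace(fixed, "windows", "192.168.0.20"))     # now via the NAS and the tunnel
    print(round_trip(ROUTES, "macbook", "192.168.0.20", "192.168.1.12"))
```

The model forwards one direction at a time and ignores the address translation Traffic notes is enabled on the client router, which is why round_trip reports the MacBook-to-PC ping as failing in the model even though the thread observes that direction working.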