Passthrough Issue

Posted: Wed Nov 17, 2010 3:48 pm
by Werner
Good day, I hope you can assist me with this.

We had a running instance of OpenVPN configured on Linux which worked without a problem.
I then copied the config file to the same directory with a different name and changed the server IP range.

This second instance starts up and establishes a connection, but I am unable to browse to a machine behind the VPN server.

For example, I am trying to ping a machine behind the server with ip 192.168.0.6.
The ping request passes through the server to the machine, and the machine replies according to tcpdump.

The reply arrives at the VPN server on the internal interface as expected, but that is where it ends.

The client receives IP 10.9.0.6 from the server, the server is also not able to ping that IP.
So somehow the VPN server is not passing the packets received back onto the tunnel.

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.9.0.2        0.0.0.0         255.255.255.255 UH    0      0   0   tun1
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0   0   tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0   0   tun0
10.9.0.0        10.9.0.2        255.255.255.0   UG    0      0   0   tun1

The routing seems correct to me and ip_forward is 1, so it should allow traffic through.

I have gone so far as to allow that traffic through the box explicitly, even though that was not needed on the other (working) instance on 10.8.0.0.

Chain FORWARD (policy DROP)
target  prot opt source        destination
ACCEPT  all  --  10.9.0.0/24   anywhere
ACCEPT  all  --  anywhere      10.9.0.0/24

Can you possibly assist in pointing out what the potential problem might be?

Server config:
############
port 1199
proto udp
dev tun
ca /etc/ssl/ca-cert.pem
cert /etc/ssl/sys-0-cert.pem
key /etc/ssl/private/sys-0-key.pem
dh /etc/ssl/dh1024.pem
server 10.9.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
ifconfig-pool-persist /var/lib/openvpn/rs/ipp.txt
status /var/lib/openvpn/rs/openvpn-status.log
verb 3
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option WINS 192.168.1.1"
push "dhcp-option DOMAIN incubetadev.com"
push "route 192.168.0.0 255.255.255.0"
#############

Client config:
#############
client
remote ******** 1199
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca-cert.pem
cert /etc/openvpn/client-wernerm-cert.pem
key /etc/openvpn/client-wernerm-key.pem
ns-cert-type server
comp-lzo
verb 3
mssfix 1324
tun-mtu 1324
#############
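
The post traces the reply from 192.168.0.6 back to the client at 10.9.0.6 and stops at the server's internal interface. The two things the server needs for that reply are a route for 10.9.0.6 that points at tun1 and a FORWARD verdict of ACCEPT for the pair 192.168.0.6 -> 10.9.0.6. The script below is an added example, not code from the post or from OpenVPN: it takes the routing table and FORWARD chain exactly as printed above, does the kernel's longest-prefix route lookup and iptables' first-match evaluation on them, and reports the interface and verdict for the reply. The eth0 route for 192.168.0.0/24 is an assumption (the post only shows the tun routes), as are the sample addresses 10.8.0.6 and 10.10.0.6 used to probe the other tunnel and an unrouted subnet. It also shows a side effect a practitioner would want to notice: "ACCEPT all -- 10.9.0.0/24 anywhere" matches 10.9.0.0/24 -> 10.8.0.0/24 too, so with both tunnel routes present, road-warrior clients on 10.9 can be forwarded into the 10.8 tunnel unless a more specific rule precedes it.

```python
"""Return-path check for a routed OpenVPN tunnel (added example).

Parses a `route -n`-style table and an `iptables -L FORWARD -n`-style
chain and answers: which interface does a reply to the VPN client leave
on, and does the FORWARD chain let it through?
"""
import ipaddress

# Routing table as posted. The eth0 line is an ASSUMPTION for the LAN side;
# the original post only lists the tun routes.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.9.0.2        0.0.0.0         255.255.255.255 UH    0      0   0   tun1
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0   0   tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0   0   tun0
10.9.0.0        10.9.0.2        255.255.255.0   UG    0      0   0   tun1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
"""

# FORWARD chain as posted (policy DROP, two ACCEPT rules for the 10.9 tunnel).
FORWARD_CHAIN = """\
Chain FORWARD (policy DROP)
target  prot opt source        destination
ACCEPT  all  --  10.9.0.0/24   anywhere
ACCEPT  all  --  anywhere      10.9.0.0/24
"""


def _net(text):
    """iptables prints 'anywhere' for 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "anywhere" else text)


def parse_routes(text):
    """Return [(network, gateway, iface)] from `route -n` output; header skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue
        dst, gw, mask, iface = f[0], f[1], f[2], f[7]
        routes.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match like the kernel FIB; (gateway, iface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def parse_forward(text):
    """Return (policy, [(target, src_net, dst_net)]) from `iptables -L -n` output."""
    policy, rules = "DROP", []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            policy = f[-1].rstrip(")")          # "(policy DROP)" -> "DROP"
        elif f[0] in ("ACCEPT", "DROP", "REJECT"):
            rules.append((f[0], _net(f[3]), _net(f[4])))
    return policy, rules


def forward_verdict(chain, src, dst):
    """First matching rule wins; otherwise the chain policy applies."""
    policy, rules = chain
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for target, snet, dnet in rules:
        if s in snet and d in dnet:
            return target
    return policy


def return_path(routes, chain, lan_host, client):
    """Where the reply lan_host -> client leaves the server, and whether FORWARD allows it."""
    hop = lookup(routes, client)
    verdict = forward_verdict(chain, lan_host, client)
    return {
        "iface": None if hop is None else hop[1],
        "verdict": verdict,
        "ok": hop is not None and verdict == "ACCEPT",
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    chain = parse_forward(FORWARD_CHAIN)
    print("reply 192.168.0.6 -> 10.9.0.6:", return_path(routes, chain, "192.168.0.6", "10.9.0.6"))
    # Side effect of the posted rules: tunnel-to-tunnel forwarding is also accepted.
    print("10.9.0.6 -> 10.8.0.6 verdict:", forward_verdict(chain, "10.9.0.6", "10.8.0.6"))
```

If both the route and the verdict come back fine for the posted tables, as they do here, the missing hop is not in the FIB or the filter table as shown; the next places to look on a live box are `tcpdump -ni tun1` (is the reply ever handed to the tunnel device?) and the nat/mangle tables and any policy routing (`ip rule`) that the plain `route -n` listing does not display.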

Re: Passthrough Issue

Posted: Thu Nov 18, 2010 4:06 am
by krzee
I don't understand why you need 2 tunnels.

Also, read this:
https://www.secure-computing.net/wiki/i ... PN/Routing

Re: Passthrough Issue

Posted: Thu Nov 18, 2010 8:45 am
by Werner
Hi, thanks for the response.

I have another site running the way the example does, but unfortunately I need two tunnels, as I want the road warriors to authenticate with username/password and the remote servers without.