Server can't reach client's network

Posted: Sun Dec 19, 2010 8:52 pm
by thepontifex
Hi All,

I have the following setup:

OpenVPN Server (192.168.15.95) with DynDNS Account.
OpenVPN Client (10.8.0.6) on a Linksys dd-wrt router (192.168.17.98) which connects to OpenVPN Server.
Laptop (192.168.17.1) and IP-Cam (192.168.17.120) behind Linksys router.

Or in a graph:

Server LAN           OpenVPN Server            OpenVPN Client            Client LAN
192.168.15.0/24--192.168.15.95 & 10.8.0.1 =====10.8.0.6 & 192.168.17.98--192.168.17.0/24

The router connects automatically during startup to the VPN Server. The Laptop can ping the Server:
192.168.17.1 --> 192.168.15.95: YES

But the other way around does not work. I cannot reach the laptop or webcam from the server. I checked back routes and other stuff but I can't figure it out. Do I need something like NAT?

My config:

OpenVPN Server:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.15.0 255.255.255.0"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
management localhost 7705

OpenVPN client:

client
dev tun
proto udp
remote xxx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
comp-lzo

Default gateway in the server's network got a back route:
10.8.0.0/24 -> 192.168.15.95

After adding the following iptables rules I am now at least able to ping the tun0 IP-address of the linksys router but still not the laptop behind it.

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT

Your help is really appreciated!
Frank

Re: Server can't reach client's network

Posted: Wed Dec 22, 2010 6:54 pm
by gladiatr72
Hey there,

I think you're 90% there.

I'd like to see the output of the following commands from the DDWRT device:

netstat -rn
ifconfig -a
brctl show

I would also like to see the routing table on your openvpn server (post connection).

Hopefully DDWRT is not actually trying to do any kind of NAT business on your tun device, but we shall see.

__
Edit:

I'm going to go ahead and suggest that you check to be sure you've got a route on the 192.168.15.0/24 network that actually will bounce packets to the 192.168.17.0/24 network via your VPN end-point on the DDWRT device. It's something that's easy to forget as the client-side route statement is generally pushed by way of the openvpn server configuration. The key here is that the device running the VPN client isn't the actual client device but a gateway for your home(?) network.

Regards,
Stephen
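The reply above points at the piece the server side is missing: nothing in the posted server.conf tells OpenVPN, or the server's kernel, that 192.168.17.0/24 sits behind the client 10.8.0.6. In tun server mode that takes two statements working together: a `route 192.168.17.0 255.255.255.0` line, which makes the OpenVPN daemon install a kernel route sending that subnet into tun0, and an `iroute 192.168.17.0 255.255.255.0` line in a client-config-dir file named after the router's certificate Common Name, which tells the daemon which connected client owns the subnet. Leaving out either one produces exactly the symptom in the first post (the router's tun0 address answers, the LAN behind it does not). The script below is an added example written for this thread, not configuration posted by either participant: it writes the two constructed fragments into a temporary directory and checks that every `iroute` in the ccd directory has a matching `route` in the server config, which is the mismatch that is easiest to overlook. `LAPTOP_ROUTER_CN` is a placeholder, since the thread never shows the Common Name in client.crt.

```shell
#!/bin/sh
# Added example (not from the thread): build the server-side fragments needed to
# reach 192.168.17.0/24 behind the dd-wrt client, then verify that every subnet
# declared with "iroute" in a client-config-dir file also has a "route" line in
# the server config. "route" gives the kernel a path into tun0; "iroute" tells
# the OpenVPN daemon which client the subnet belongs to. Both are required.
set -u

WORK=$(mktemp -d)

# Lines to add to the poster's server.conf (constructed here). The existing
# push "route 192.168.15.0 255.255.255.0" stays as it was.
cat > "$WORK/server.conf" <<'EOF'
route 192.168.17.0 255.255.255.0
client-config-dir ccd
push "route 192.168.15.0 255.255.255.0"
EOF

# The ccd file must be named after the Common Name of the router's client
# certificate; LAPTOP_ROUTER_CN is a placeholder because the thread does not
# show that name.
mkdir -p "$WORK/ccd"
cat > "$WORK/ccd/LAPTOP_ROUTER_CN" <<'EOF'
iroute 192.168.17.0 255.255.255.0
EOF

# check_ccd_declared SERVER_CONF
# Returns 0 when the server config enables a client-config-dir at all;
# without it the iroute file is never read.
check_ccd_declared() {
    grep -Eq '^[[:space:]]*client-config-dir[[:space:]]' "$1"
}

# check_iroutes SERVER_CONF CCD_DIR
# Prints every iroute that has no matching route; returns 1 if any was found.
check_iroutes() {
    conf=$1
    ccd=$2
    rc=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        # awk emits one "network/netmask" token per iroute line in the file.
        for pair in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$f"); do
            net=${pair%/*}
            mask=${pair#*/}
            # Escape the dots so the regex matches the literal address.
            net_re=$(printf '%s' "$net" | sed 's/\./\\./g')
            mask_re=$(printf '%s' "$mask" | sed 's/\./\\./g')
            if ! grep -Eq "^[[:space:]]*route[[:space:]]+${net_re}[[:space:]]+${mask_re}([[:space:]]|\$)" "$conf"; then
                echo "$(basename "$f"): iroute $net $mask has no matching 'route' line in $conf"
                rc=1
            fi
        done
    done
    return $rc
}

# Stand-alone run: report whether the constructed fragments are consistent.
if check_ccd_declared "$WORK/server.conf" && check_iroutes "$WORK/server.conf" "$WORK/ccd"; then
    echo "OK: route and iroute agree for every ccd subnet (files in $WORK)"
else
    echo "Mismatch found; see messages above (files in $WORK)"
fi
```

Two things the check does not cover, both already raised in the thread: the default gateway on 192.168.15.0/24 needs a back route for 192.168.17.0/24 via 192.168.15.95 in addition to the one the first post lists for 10.8.0.0/24, and the FORWARD rules on the dd-wrt side must keep allowing br0 to tun0 traffic in both directions as shown in the first post. Point the script at a real server.conf and ccd directory (arguments to `check_iroutes`) to run the same consistency check against a live configuration.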