LAN to LAN issues

[hansaplast]

Hi there,

I can't seem to get this working. For some reason I don't understand the online howto's...

Setup:
- I have a linux box behind a firewall which is the openvpn server (eth0=10.0.10.11)
- I have a firewall/gateway which is the client openvpn box (bond0=192.168.16.2).

I've punched my server-site firewall to forward port 1194 udp to 10.0.10.11.
Openvpn creates the tunnel and I can ping from 192.168.16.2 to 10.0.10.11. tcpdump on the server-site tells me that it receives "echo request" from 10.1.10.6 which is tun0 on the client-site. This is a problem since I don't want to NAT

I also want to be able to connect from a machine on the client-site (192.168.16.x) to a machine on server-site (10.0.10.x) and back. I've tried every route add ..., push "route ..." option I can think of. But for some reason I can't get it to work.

Here is my server-site setup:

Code: Select all

# ifconfig eth0
inet addr:10.0.10.11  Bcast:10.0.10.255  Mask:255.255.255.0

# ifconfig tun0
inet addr:10.1.10.1  P-t-P:10.1.10.2  Mask:255.255.255.255

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.10.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.1.10.0       10.1.10.2       255.255.255.0   UG    0      0        0 tun0
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         10.0.10.1       0.0.0.0         UG    0      0        0 eth0

# cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.vpn.crt
key keys/server.vpn.key
dh keys/dh2048.pem
server 10.1.10.0 255.255.255.0
keepalive 5 10
comp-lzo
user nobody
group nobody
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
verb 3
push "route 10.0.10.0 255.255.255.0"

And here the client site:

Code: Select all

# ifconfig bond0
inet addr:192.168.16.2  Bcast:192.168.16.255  Mask:255.255.255.0

# ifconfig eth0
inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.255  Mask:255.255.254.0  // This is a gateway to internet

# ifconfig tun0
inet addr:10.1.10.6  P-t-P:10.1.10.5  Mask:255.255.255.255

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.10.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.1.10.1       10.1.10.5       255.255.255.255 UGH   0      0        0 tun0
192.168.16.0    0.0.0.0         255.255.255.0   U     0      0        0 bond0
10.0.10.0       10.1.10.5       255.255.255.0   UG    0      0        0 tun0
87.195.226.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         xxx.xxx.xxx.xxx 0.0.0.0         UG    0      0        0 eth0

# cat /etc/openvpn/client.conf
client
remote yyy.yyy.yyy.yyy 1194
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
comp-lzo
verb 3

[gladiatr72]

Hey there,

Check out this blog post regarding the 'iroute' directive. I think this is what you're looking for:

http://backreference.org/2009/11/15/openvpn-and-iroute/

-Stephen

[hansaplast]

I tried with iroute.
But it turned out that this directory needs to readable for the nobody user. Openvpn doesn't give an error or warning if client-config-dir is unreadable.
A hint to the developers to implement this. Although trivial, I spend lots of hours figuring that one out.

After "chmod 755 /etc/openvpn/ccd" it worked.

Thanks for all help.

[krzee]

Openvpn doesn't give an error or warning if client-config-dir is unreadable.
A hint to the developers to implement this. Although trivial, I spend lots of hours figuring that one out.

https://community.openvpn.net/openvpn/ticket/73
dazo asked to be assigned to this, it will exist soon
thanx for the idea