debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 10:42 am
by shibaprod
Hi,
I'm a young Frenchman and hope my English won't be too bad.
First I will show you my own network (and what I want to do):
http://img156.imageshack.us/i/schmareseaux.jpg/
I have a Debian server (2.6.26-2-686-bigmem) with VMware Server 2.0 installed on it.
Here you can see my interface config:
http://img696.imageshack.us/i/ifconfig.jpg/
Actually I have 2 VMs bridged on eth1 which can talk with the other computers in the local area (192.168.252.0/24).
I want to test OpenVPN in my network. So I installed it and created certificates on the server. After transferring a certificate to a client computer, I'm using the OpenVPN UI on my client PC. That's running.
Next I put this computer outside my local area. I reconnected it and it's running too.
My problem is that I can't ping the other computers of the local area (VM & physical PC) when I'm in the VPN. Why? Is there a routing problem? See my route table here:
http://img190.imageshack.us/i/routendf.jpg/
What can I do to see and talk with my file server, to do remote desktop into computers that are in the local area, etc.?
Do I have to put my VPN on another PC? Bridge eth1 with tun0? Make a "route add -net 192.168.252.0/24 gw 10.8.0.1"? On what interface?
I have never used a solution like a VPN, so I'm a little confused.
Sorry about my English and thanks for reading.
Thanks in advance.
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 12:11 pm
by maikcat
hi there,
> I'm a young Frenchman and hope my English won't be too bad.
Well, I am Greek and my English is poor also... You are not alone!
First, simply post your server config and client config files.
Also... did you enable IP forwarding on Debian?
Is there any type of firewalling running on Debian?
If you ping the VPN tun IP from your client, does it respond?
If you ping the LAN IP of the VPN server, does it respond? If not, then enable forwarding...
PS: the Debian box has 2 NICs, right? Why do they both have IPs from the same subnet?
cheers,
michael.
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 1:00 pm
by shibaprod
Hi back, and thanks for your reply.
Here I just uploaded server.conf:
http://www.megaupload.com/?d=09CKN6U2
(Sorry about the download, but there is a lot of text in it to copy/paste.)
Here you can see client.conf:
client
dev tun
proto tcp
remote [name-of-dyndns] [port]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laurent.crt
key laurent.key
tls-auth ta.key 1
comp-lzo
verb 3
(I modified [name-of-dyndns] & [port] only for this forum.)
About IP forwarding:
I just did an "echo 1 > /proc/sys/net/ipv4/ip_forward"
and I edited /etc/sysctl.conf with "net.ipv4.conf.default.forwarding=1".
Is that good?
When I ping from client (192.168.252.21/24) to tunnel (10.8.0.1/24) --> ping = OK
When I ping from tunnel (10.8.0.6/24) to Debian (192.168.252.253/24) --> ping = OK
When I ping from tunnel (10.8.0.6/24) to client (192.168.252.170) --> ping = NOK (oO)
That's why I'm thinking about my route table :/
About the second NIC (eth0): I just put a cable on it and the NIC obtains an address from DHCP. But there is nothing that talks with it.
Only eth1 is really running (I'm just doing an "ifconfig eth0 down").
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 1:20 pm
by maikcat
hi there,
you can also post your server conf here as well (remove the comments first though).
copied
port 443
proto tcp
dev tun
ca ca.crt
cert novavpn.crt
key novavpn.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.252.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 1
> When I ping from client (192.168.252.21/24) to tunnel (10.8.0.1/24) --> ping = OK
> When I ping from tunnel (10.8.0.6/24) to Debian (192.168.252.253/24) --> ping = OK
> When I ping from tunnel (10.8.0.6/24) to client (192.168.252.170) --> ping = NOK (oO)
> That's why I'm thinking about my route table :/
Your PC 192.168.252.170, does it have a static route for the 10.8.0.0/24 subnet pointing to your VPN server?
If you are trying to access 192.168.252.170 from 10.8.0.6, make sure that there is no firewall running on .170.
michael.
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 2:21 pm
by Douglas
Your english is just fine, I understood perfectly.
> When I ping from tunnel (10.8.0.6/24) to client (192.168.252.170) --> ping = NOK (oO)
> That's why I'm thinking about my route table :/
LAN behind VPN?
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 2:27 pm
by shibaprod
Copy of server.conf --> OK
On 192.168.252.170 (SME Server):
"
route:
10.8.0.0 192.168.252.253 255.255.255.0 eth0
192.168.252.0 * 255.255.255.0 eth0
default 192.168.252.253 0.0.0.0 eth0
"
I can ping 10.8.0.1 from 192.168.252.170 but I can't ping 10.8.0.6 (client PC).
Firewall on router (192.168.252.240) --> disabled
Firewall on SME server (192.168.252.170) --> nothing
Firewall on Debian (192.168.252.170) --> nothing
Firewall on client PC (10.8.0.6 on the tunnel) --> disabled
Router config:
Debian put into a DMZ
NAT / PAT: HTTPS / 443 / 443 / TCP / 192.168.252.253
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 2:30 pm
by shibaprod
@douglas:
Yes, there is a network behind the VPN. And I can't contact it, I don't know why :/ You can see it in my first post with this link:
http://img156.imageshack.us/i/schmareseaux.jpg/
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 2:37 pm
by maikcat
please issue a
netstat -nr
and post the results
on 10.8.0.6 pc
michael.
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 2:38 pm
by Douglas
Re: debian server & vpn, routing problem?
Posted: Thu Mar 03, 2011 3:21 pm
by shibaprod
@michael:
===========================================================================
Interface List
26 ...00 ff 0f d4 e8 bf ...... TAP-Win32 Adapter V8
15 ...00 26 c6 b0 ea 17 ...... My WiFi PAN
14 ...00 26 c6 b0 ea 16 ...... WiFi STA
12 ...00 22 68 1d a0 ac ...... Intel(R) 82567LM Gigabit Network Connection
16 ...08 00 27 00 ac cb ...... VirtualBox Host-Only Ethernet Adapter
21 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
23 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
1 ........................... Software Loopback Interface 1
17 ...00 00 00 00 00 00 00 e0 isatap.{EF84B9C8-6969-4A1D-BC5A-677F9F7BE80C}
25 ...00 00 00 00 00 00 00 e0 isatap.{AAB89B8C-DFFB-4828-97D9-5A9D841EEFD5}
22 ...00 00 00 00 00 00 00 e0 isatap.{662DF80E-CBA3-430E-898D-E99BC60F3455}
30 ...00 00 00 00 00 00 00 e0 isatap.{0C8FF43E-BBD0-49EC-9E23-895555750F04}
28 ...00 00 00 00 00 00 00 e0 isatap.{0FD4E8BF-29C5-4606-8D3C-7F9FA0E1A8D2}
19 ...00 00 00 00 00 00 00 e0 isatap.{A35DBA63-20B3-4EBA-A93E-5B5418F9F418}
24 ...00 00 00 00 00 00 00 e0 isatap.{CD04A305-67F3-4D0A-8A0A-F0228E479AFF}
31 ...00 00 00 00 00 00 00 e0 isatap.home
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.252.240 192.168.252.20 25
10.8.0.0 255.255.255.0 192.168.252.253 192.168.252.20 26
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.139.91 276
169.254.139.91 255.255.255.255 On-link 169.254.139.91 276
169.254.255.255 255.255.255.255 On-link 169.254.139.91 276
192.168.85.0 255.255.255.0 On-link 192.168.85.1 276
192.168.85.1 255.255.255.255 On-link 192.168.85.1 276
192.168.85.255 255.255.255.255 On-link 192.168.85.1 276
192.168.205.0 255.255.255.0 On-link 192.168.205.1 276
192.168.205.1 255.255.255.255 On-link 192.168.205.1 276
192.168.205.255 255.255.255.255 On-link 192.168.205.1 276
192.168.252.0 255.255.255.0 On-link 192.168.252.20 281
192.168.252.20 255.255.255.255 On-link 192.168.252.20 281
192.168.252.255 255.255.255.255 On-link 192.168.252.20 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.85.1 276
224.0.0.0 240.0.0.0 On-link 192.168.205.1 276
224.0.0.0 240.0.0.0 On-link 10.8.0.6 286
224.0.0.0 240.0.0.0 On-link 169.254.139.91 276
224.0.0.0 240.0.0.0 On-link 192.168.252.20 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.85.1 276
255.255.255.255 255.255.255.255 On-link 192.168.205.1 276
255.255.255.255 255.255.255.255 On-link 10.8.0.6 286
255.255.255.255 255.255.255.255 On-link 169.254.139.91 276
255.255.255.255 255.255.255.255 On-link 192.168.252.20 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
10.8.0.0 255.255.255.0 192.168.252.253 1
0.0.0.0 0.0.0.0 On-link 1
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
21 276 fe80::/64 On-link
23 276 fe80::/64 On-link
26 286 fe80::/64 On-link
16 276 fe80::/64 On-link
14 281 fe80::/64 On-link
16 276 fe80::6490:18ef:d307:8b5b/128
On-link
23 276 fe80::a571:8bf7:7dc3:a8b7/128
On-link
14 281 fe80::dd0b:c1:c7ed:8a9f/128
On-link
21 276 fe80::f92f:9b3d:1a14:f259/128
On-link
26 286 fe80::f95b:f065:39db:8d58/128
On-link
1 306 ff00::/8 On-link
21 276 ff00::/8 On-link
23 276 ff00::/8 On-link
26 286 ff00::/8 On-link
16 276 ff00::/8 On-link
14 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
@douglas
I read all of your link but I don't understand this part:
"You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/.
In this example let's assume the client owning the network 10.10.1.0 has a common-name of client1. In ccd/client1 he should have the following:
iroute 10.10.1.0 255.255.255.0
"
I don't understand it. Do I have to put "client-config-dir /path/to/ccd/" in server.conf and edit ccd/client-common-name with "iroute 10.8.0.0 255.255.255.0" (according to my network)?
But I don't know where I can find /ccd/client-common-name and /path/to/ccd. Are they special files?
I think iroute is what I need for my problem; I will read some topics in French to understand it more easily.
Re: debian server & vpn, routing problem?
Posted: Fri Mar 04, 2011 5:04 am
by Bebop
shibaprod wrote:
I don't understand it. Do I have to put "client-config-dir /path/to/ccd/" in server.conf and edit ccd/client-common-name with "iroute 10.8.0.0 255.255.255.0" (according to my network)?
yes
shibaprod wrote:
But I don't know where I can find /ccd/client-common-name and /path/to/ccd. Are they special files?
I think iroute is what I need for my problem; I will read some topics in French to understand it more easily.
If your server.conf is in "/etc/openvpn" then you can create a directory manually:
then make a new file:
touch /etc/openvpn/ccd/some_client_name
and edit the file to this code:
Now your server knows the path to 10.8.0.0, and the route will be automatically pushed to other clients who connect.
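Added shell example for this thread (not code from Bebop, from any other poster, or from OpenVPN itself): it covers the ccd/iroute step just described and the IP-forwarding question maikcat raised earlier. It assumes the server files live under /etc/openvpn as in the thread, and that the kernel sysctl is /proc/sys/net/ipv4/ip_forward; the client common name client1 and the LAN 10.10.1.0/24 are the values from the quoted how-to and are only demo values, so the functions take their paths as parameters and the built-in demo runs against a scratch directory.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from OpenVPN).
# Two checks for "the LAN behind the VPN is unreachable":
#   1. is IPv4 forwarding actually on at runtime?
#   2. does every iroute in a ccd file have its matching "route" in server.conf?
# File paths are parameters so the functions can be run against a scratch
# directory; on a real server they are /proc/sys/net/ipv4/ip_forward and
# /etc/openvpn/server.conf plus /etc/openvpn/ccd/<common-name> (assumed paths).

# ip_forwarding_enabled [SYSCTL_FILE] -> exit 0 when the runtime value is 1
# Note: the persistent key that covers every interface is net.ipv4.ip_forward;
# net.ipv4.conf.default.forwarding only applies to interfaces created later.
ip_forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# write_ccd_entry CCD_DIR COMMON_NAME NETWORK NETMASK
# Creates CCD_DIR/COMMON_NAME holding one iroute line. The file name must be the
# client certificate's CN exactly, otherwise OpenVPN never reads it.
write_ccd_entry() {
    mkdir -p "$1" && printf 'iroute %s %s\n' "$3" "$4" > "$1/$2"
}

# iroute_has_kernel_route SERVER_CONF CCD_FILE -> exit 0 if every iroute is covered
# iroute only tells the OpenVPN process which client owns a network; the kernel
# still needs "route NETWORK NETMASK" in server.conf to hand those packets to
# the tun interface in the first place. A lone iroute silently does nothing.
iroute_has_kernel_route() {
    conf=$1; ccd=$2; rc=0
    while read -r kw net mask rest; do
        [ "$kw" = "iroute" ] || continue
        # build an ERE with the dots escaped so 10.10.1.0 does not match 10.10.10.0
        pat=$(printf 'route[[:space:]]+%s[[:space:]]+%s' "$net" "$mask" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*$pat([[:space:]]|\$)" "$conf"; then
            echo "missing in $conf: route $net $mask" >&2
            rc=1
        fi
    done < "$ccd"
    return $rc
}

# Stand-alone demo on constructed files in a scratch directory. The client CN
# "client1" and the LAN 10.10.1.0/24 are the values from the quoted how-to.
demo() {
    tmp=$(mktemp -d)
    # constructed server.conf: ccd enabled, but no route line for the client LAN yet
    printf 'server 10.8.0.0 255.255.255.0\nclient-config-dir %s/ccd\n' "$tmp" > "$tmp/server.conf"
    write_ccd_entry "$tmp/ccd" client1 10.10.1.0 255.255.255.0
    iroute_has_kernel_route "$tmp/server.conf" "$tmp/ccd/client1" || echo "add the route line to server.conf"
    echo 'route 10.10.1.0 255.255.255.0' >> "$tmp/server.conf"
    iroute_has_kernel_route "$tmp/server.conf" "$tmp/ccd/client1" && echo "iroute and route agree"
    ip_forwarding_enabled && echo "forwarding on" || echo "forwarding off (or not Linux)"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the demo against the scratch directory; on the real server call the functions with /etc/openvpn/server.conf and /etc/openvpn/ccd/<common-name> instead. The pairing check is the part worth keeping: OpenVPN needs both directives, route to move packets from the kernel onto the tun device and iroute to pick the client that owns the subnet, and iroute names the LAN behind a client (10.10.1.0/24 behind client1 in the quoted how-to), not the tunnel pool itself.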
Re: debian server & vpn, routing problem?
Posted: Fri Mar 04, 2011 9:08 am
by shibaprod
Hi back, and thanks for your reply.
I'm so stupid... I didn't understand that I have to create ccd -_- sorry.
I'm going to test it and will tell you if it's running.
@michael: thanks for giving me a server.conf without any comments.
Now it's easier to move around in and understand it.
Re: debian server & vpn, routing problem?
Posted: Fri Mar 04, 2011 8:08 pm
by Douglas
shibaprod wrote:
Hi back, and thanks for your reply.
I'm so stupid... I didn't understand that I have to create ccd -_- sorry.
I'm going to test it and will tell you if it's running.
@michael: thanks for giving me a server.conf without any comments.
Now it's easier to move around in and understand it.
Let me know if the ccd thing helped ya fix it.
Re: debian server & vpn, routing problem?
Posted: Mon Mar 07, 2011 9:57 am
by shibaprod
Hi back, and sorry to be late.
With iroute I can see my LAN behind my VPN. I had some problems with my Samba, but after modifying it all is running well.
Thanks for helping, Douglas / Michael!