OpenVPN Support Forum

Hi there,

I'm having some issues using my OpenVPN configuration.

Here is the configuration (which is the tricky part) :

User@home => Firewall/Router A => OpenVPN Server => Firewall/Router A => Company networks.

To access the company networks, I have to use the Firewall A Ip address which is 192.168.150.254.

I'm pushing to my clients the 192.168.150.0 network, hoping that would give them access to my network.

I tried using the ethernet bridging, the tap and tun connections, I checked the /proc/sys/net/ipv4/conf/*/forwarding settings, and lately I tried putting my openvpn server IP address to the same subnet, without success.

The best configuration I had was being able to ping the two addresses on the server from the client, his real one which was 192.168.100.x and the virtual one : 192.168.150.1

I also tried using topology subnet and not using it, and pushing a route to the gateway/32.

I don't wanna push a default gateway, I only want my VPN to be used to access my company networks, nothing else.

Help :'(

server.conf wrote:

Code: Select all

port 1194
proto udp
dev tun0
ca ca.crt
cert openvpn.crt
key openvpn.key  # This file should be kept secret
dh dh1024.pem
server 192.168.150.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.100.0 255.255.255.0"
push "route 192.168.133.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.2"
push "dhcp-option DNS 192.168.100.4"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 6

client.conf wrote:

Code: Select all

client
dev tun
proto tcp
remote mycompany.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mycertificate.crt
key mykey.key
ns-cert-type server
comp-lzo
verb 3

hi there,

first you MUST use the same protocol on server/client
(your server config has udp and client has tcp)

>User@home => Firewall/Router A => OpenVPN Server => Firewall/Router A => Company networks.

didnt quite understand that...

can you please post lan ips of vpn server and client?
are you trying to test the above with both pcs in the same subnet?

your configs looks ok..

michael.

I posted an old config file for the client. Of course they both use the same protocol

So let's be more precise :

My User@home has his own lan (let's say 192.168.200.0/24).

My OpenVPN server is in a DMZ which network is : 192.168.120.0/24
I'm providing users the subnet 192.168.150.0/24

I have multiple networks in the enterprise :
192.168.0.0/24
192.168.0.100/24
192.168.0.2/24

My public IP address is on a Nettask Firewall, which redirects the 1194 port requests to my OpenVPN Server (which is 192.168.120.7 for example).

Once my clients are connected, as my OpenVPN server has no network direct connection to my networks (192.168.{1,2,100}.0/24), I need my users to use the Nettask gateway/route (which is the firewall at the same time), that has the IP address 192.168.everynetwork.254.

That's why I tried pushing like this :

push "route 192.168.0.0 255.255.255.0 192.168.150.254"

But I never managed to ping the nettask gateway

your openvpn server must be capable of reaching the internal networks or this is never going to work. Can you reach your internal LAN from the openvpn server? what happens if you try pinging a LAN host from the server? Please make sure that is working before proceeding.

Also, make sure IP forwarding is enabled on the openvpn server (e.g. for testing purposes).

Hi,

Forwarding is enabled on all my interfaces.

I can reach the networks, but using the gateway. I can't afford to have a DMZ server having a network connection in all my networks !

what do you mean "I can reach the network, but using the gateway" ? either you can ping a host on your server side LAN from the openvpn server or not.
If not, then how do you envisage packets flowing from an openvpn client to the openvpn server , then onto the GW and finally to your company LAN? There must a path from the server via the GW to the company LAN or this is never going to work .

Yes there is a path.

I mean my OpenVPN server does not have a physical connection, i.e an eth1 with an 192.168.2.x IP address, but I can reach the 192.168.2.0/24 network without any trouble, using the default route that points to the Nettask gateway.

But when I connect to the VPN from an external connection, I can't reach anything, even the gateway IP address in the same LAN.

try adding a route to the Nettask firewall similar to
route add -net 192.168.150.0/24 gw 192.168.120.X
(where X is the IP address of the VPN server).

Most likely the Nettask does not know yet that replies for packets originating from the VPN network (with source IP 192.168.150.0/24) need to be sent back to the OpenVPN server.

I'll try that and let you know if it changes anything

Ok it partially worked ! We're moving forward !

So now, let me recap :

When I add this route, the configuration is working on a Mac OS X Computer, but not on the Windows clients.
I know this is because of the "topology subnet" configuration.

So I tried removing it. And now it is not working anymore on the Mac :

The new configuration pushes a /30 subnet (which is normal behaviour), here are my pushed routes :

192.168.0.0 255.255.255.0 192.168.120.254
192.168.2.0 255.255.255.0 192.168.120.254
192.168.100.0 255.255.255.0 192.168.120.254
192.168.120.254 255.255.255.0 192.168.150.1
192.168.150.0 255.255.255.0 192.168.150.5
192.168.150.5 255.255.255.0 192.168.150.6 (192.168.150.6 being my distributed automatic IP address).

I can ping 192.168.150.1, but not 192.168.120.254, but when using topology subnet, I can and everything works.

Any idea ?

And I just saw something interesting :

When I remove the topology subnet, all the routes except the 192.168.150.0 (the VPN subnet) are pushed to my eth0 instead of the tun0, whereas when in topology subnet, all the routes are used with tun0.

so you're pushing out something like ? why not push out this should use the VPN server address as the first gateway (which is correct). The VPN server can then forward it to the company LAN.

I think you've run into the subtle differences in routing with 'topology subnet' . I'm not sure what the best way forward is, however, except for my suggestion above.

The problem for the topology subnet is that the routes are not pushed on a Windows client...

When I push the routes your way without the topology subnet, it adds the route with 192.168.150.5 gateway, which is not at all related to these networks. I'm gonna try adding 192.168.150.1 as a gateway, instead of 192.168.120.254.

Not working either.

I'm a bit desperate :'(