problem w/routing over bridged vpn tunnel

[lprikockis]

I'm trying to rebuild an openvpn server originally set up by a predecessor- currently, it's set up using bridging which may or may not ultimately be necessary. For now, I'm concerned with getting the current configuration working.

here's the relevant parts of the server config (I stripped out comments and portions on keys and such):

Code: Select all

management localhost 7506
port 1194
proto udp
dev tap0
# openvpn clients get assigned ip's in the range 172.25.150.230 - 240
server-bridge 172.25.150.151 255.255.255.0 172.25.150.230 172.25.150.240
push "dhcp-option DNS 172.25.150.123"
push "dhcp-option DOMAIN blah.com"
push "route 172.25.150.0 255.255.255.0"
push "route 172.25.151.0 255.255.255.0"
client-to-client

client config is:

Code: Select all

client
dev tap0
proto udp
remote openvpn1.qcpathfinder.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
script-security 3 system
up /etc/openvpn/update-resolv-conf 
down /etc/openvpn/update-resolv-conf 

The server starts up without any problems and I can connect sucessfully from the client.
Once connected, I'm assigned an IP address of e.g., 172.25.150.230 as expected.
I can successfully ping/connect to other machines on the 172.25.150.0/24 network.

I can NOT however sucessfully connect to machines on the 172.25.151.0/24 network, despite being able to do so from the server and despite the route-push command apparently being successful.

this *used* to work with the previous server and I'm not certain what's wrong in my current configuration.
Any thoughts on what silly detail I'm missing?

btw, 'route -n' on the client when connected is:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.25.150.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
172.25.151.0 172.25.150.151 255.255.255.0 UG 0 0 0 tap0
10.100.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.100.0.1 0.0.0.0 UG 0 0 0 eth0

MUCH thanks in advance!!

[janjust]

sounds like a routing issue on the server side - seems like your server is running linux or a bsd variant. Can you try

Code: Select all

ping -I 172.25.150.151 172.25.151.XX

where XX is a host on that LAN? it might very well be the case that the 172.25.151.0/24 network is not aware (yet) of hte 150.0 network. Another thing to try is to run 'tcpdump' or 'wireshark' on the server while pinging a 151.0/24 address - where do the packets stop? If anything I'd suspect at the ARP level.

[lprikockis]

sounds like a routing issue on the server side - seems like your server is running linux or a bsd variant. Can you try

Code: Select all

ping -I 172.25.150.151 172.25.151.XX

yeah... should've specified- all servers involved are running Redhat Linux. The ping fails, but that's not surprising as traffic is allowed from the 150.0 -> 151.0 network on only a few specific ports (e.g., postgresql - tcp 5432).

However-- from the openvpn server, if I use 'telnet 172.25.151.243 5432' I can connect. From a client connected to the vpn, I cannot.

You're most likely right that it's a routing problem of some sort, but I'm apparently not smart enough to figure out exactly where/what

thanks for the suggestions though..

[janjust]

check that IP forwarding is enabled on the server:

Code: Select all

cat /proc/sys/net/ipv4/ip_forward

another thing to try is

Code: Select all

echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

I'd run 'tcpdump' when telnet'ting from a VPN client to the machine on the 151.0/24 network and see where stuff fails:

Code: Select all

tcpdump -nnel -i br0 host 172.25.151.243

etc