Need help configuring your VPN? Just post here and you'll get that help.
Moderators: TinCanTech
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Sun Aug 28, 2011 7:09 pm
I set up my Ubuntu server per this:
https://help.ubuntu.com/community/OpenVPN
I can get my Windows client to connect, but I cannot get to any machine on my home network.
Routing table on client looks like:
Code: Select all
C:\Documents and Settings\schapman>netstat -rn
Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 56 b8 3e 36 ...... VMware Accelerated AMD PCNet Adapter
0x10004 ...00 ff 9e 10 75 20 ...... TAP-Win32 Adapter V9
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 9.32.139.1 9.32.139.89 10
9.32.139.0 255.255.255.0 9.32.139.89 9.32.139.89 10
9.32.139.89 255.255.255.255 127.0.0.1 127.0.0.1 10
9.255.255.255 255.255.255.255 9.32.139.89 9.32.139.89 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.190 192.168.1.190 30
192.168.1.190 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.255 255.255.255.255 192.168.1.190 192.168.1.190 30
224.0.0.0 240.0.0.0 9.32.139.89 9.32.139.89 10
224.0.0.0 240.0.0.0 192.168.1.190 192.168.1.190 30
255.255.255.255 255.255.255.255 9.32.139.89 9.32.139.89 1
255.255.255.255 255.255.255.255 192.168.1.190 192.168.1.190 1
Default Gateway: 9.32.139.1
===========================================================================
Persistent Routes:
None
C:\Documents and Settings\schapman>
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post
by Mimiko » Mon Aug 29, 2011 4:50 am
The routing table does not show anything.
Check the iptables rules on ubuntu. Show OpenVPN server config file and interfaces IP.
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Mon Aug 29, 2011 11:42 am
Code: Select all
root@OpenVPN:~# ifconfig
br0 Link encap:Ethernet HWaddr 00:0c:29:39:87:b8
inet addr:192.168.1.80 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe39:87b8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:308163 errors:0 dropped:0 overruns:0 frame:0
TX packets:242910 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:91731505 (91.7 MB) TX bytes:38822934 (38.8 MB)
eth0 Link encap:Ethernet HWaddr 00:0c:29:39:87:b8
inet6 addr: fe80::20c:29ff:fe39:87b8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:352425 errors:0 dropped:0 overruns:0 frame:0
TX packets:245062 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111872271 (111.8 MB) TX bytes:39036701 (39.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tap0 Link encap:Ethernet HWaddr fa:f0:01:b2:f8:84
inet6 addr: fe80::f8f0:1ff:feb2:f884/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1239 errors:0 dropped:0 overruns:0 frame:0
TX packets:211040 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:152970 (152.9 KB) TX bytes:23211538 (23.2 MB)
and server.conf
Code: Select all
root@OpenVPN:/etc/openvpn# cat server.conf
mode server
tls-server
local 192.168.1.80 ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.80 255.255.255.0 192.168.1.190 192.168.1.199
push "dhcp-option DNS 71.250.0.12"
push "dhcp-option DOMAIN local.lan"
push "dhcp-option GATEWAY 192.168.1.1"
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
Code: Select all
root@OpenVPN:/etc/openvpn# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post
by Mimiko » Mon Aug 29, 2011 1:57 pm
When connected can you ping 192.168.1.80? Can you ping 192.168.1.1?
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Mon Aug 29, 2011 2:07 pm
Nope, neither one works.
Code: Select all
C:\Documents and Settings\schapman>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Documents and Settings\schapman>ping 192.18.1.80
Pinging 192.18.1.80 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.18.1.80:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Documents and Settings\schapman>
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post
by Mimiko » Mon Aug 29, 2011 5:34 pm
> Nope, neither one works.
Then, the Ubuntu just does not permit traffic.
Read this:
http://www.openvpn.net/index.php/open-s ... dging.html
On Ubuntu add:
Code: Select all
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
> push "dhcp-option GATEWAY 192.168.1.1"
There is no such option "GATEWAY". Even in the tutorial you linked, no such option is used. If you want to redirect all of the client's traffic to the internet through the tunnel, use "redirect-gateway".
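A check for the server.conf points raised so far, as an added example that is not part of the original posts: it flags pushed `dhcp-option` types that OpenVPN does not define and sanity-checks the `server-bridge` line. The list of option types is taken from the OpenVPN 2.x manual as an assumption, and the function name and sample config are constructed for illustration.

```python
import ipaddress
import shlex

# dhcp-option types documented in the OpenVPN 2.x manual (assumed list;
# newer releases add a few more). GATEWAY is not among them.
KNOWN_DHCP_OPTIONS = {"DOMAIN", "DNS", "WINS", "NBDD", "NTP", "NBT", "NBS",
                      "DISABLE-NBT"}

def lint_server_conf(text):
    """Return (line_no, message) findings for a bridged server config."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line or line.startswith(";"):
            continue
        words = shlex.split(line)                 # honours the quotes in push "..."
        if words[0] == "push" and len(words) == 2:
            pushed = words[1].split()
            if (pushed[:1] == ["dhcp-option"] and len(pushed) >= 2
                    and pushed[1] not in KNOWN_DHCP_OPTIONS):
                findings.append((no, "unknown dhcp-option type " + pushed[1]))
        elif words[0] == "server-bridge" and len(words) == 5:
            gw, mask, start, end = words[1:]
            net = ipaddress.ip_network(gw + "/" + mask, strict=False)
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if lo not in net or hi not in net:
                findings.append((no, "client pool lies outside " + str(net)))
            elif lo > hi:
                findings.append((no, "client pool start is above its end"))
            elif lo <= ipaddress.ip_address(gw) <= hi:
                findings.append((no, "client pool contains the bridge address"))
    return findings

# Constructed sample: the relevant lines of the server.conf posted in this thread.
SAMPLE = '''\
dev tap0
server-bridge 192.168.1.80 255.255.255.0 192.168.1.190 192.168.1.199
push "dhcp-option DNS 71.250.0.12"
push "dhcp-option DOMAIN local.lan"
push "dhcp-option GATEWAY 192.168.1.1"
'''

if __name__ == "__main__":
    for no, msg in lint_server_conf(SAMPLE):
        print("line %d: %s" % (no, msg))
```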
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post
by Mimiko » Mon Aug 29, 2011 7:58 pm
Could you disable the firewall on the TAP adapter on Windows? And try:
Code: Select all
tracert 192.168.1.80
tracert 192.168.1.1
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Mon Aug 29, 2011 8:09 pm
Interesting. For reasons I can't explain, I can now get to the host which is running the OpenVPN server. I can ping it and SSH to it like a champ.
But cannot get to other stuff on the network:
Code: Select all
C:\Documents and Settings\schapman>tracert 192.168.1.1
Tracing route to 192.168.1.1 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Mon Aug 29, 2011 11:28 pm
Well, I guess I can explain why 192.18.1.80 didn't work. But I would be OK with you not asking why...
Still, can't seem to get to other systems on the network.
FWIW my Ubuntu box is a VM.
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post
by Mimiko » Tue Aug 30, 2011 5:19 am
> Well, I guess I can explain why 192.18.1.80 didn't work. But I would be OK with you not asking why...
Don't be shy. Everyone makes mistakes. Just explain for others who might use this to resolve their issues.
> Still, can't seem to get to other systems on the network.
On Ubuntu execute:
Code: Select all
echo 1 > /proc/sys/net/ipv4/ip_forward
> my Ubuntu box is a VM.
Which virtualization software are you using?
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post
by maikcat » Tue Aug 30, 2011 10:04 am
hi there,
eth0 on your server must also be in promisc mode.
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Tue Aug 30, 2011 11:36 am
On my OpenVPN server it now shows:
Code: Select all
eth0 Link encap:Ethernet HWaddr 00:0c:29:39:87:b8
inet6 addr: fe80::20c:29ff:fe39:87b8/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:146968 errors:0 dropped:4936 overruns:0 frame:0
TX packets:5239 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22082218 (22.0 MB) TX bytes:502730 (502.7 KB)
I am still unable to ping anything other than the OpenVPN server from my Windows client.
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post
by maikcat » Tue Aug 30, 2011 12:58 pm
@mimiko
he is using vmware
can you disable firewall on server side?
can you post client config?
can you please stop openvpn service and try the following:
openvpn --mktun --dev tap0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tap0
ifconfig eth0 promisc 0.0.0.0 up
ifconfig tap0 promisc 0.0.0.0 up
ifconfig br0 192.168.1.80 netmask 255.255.255.0 broadcast 192.168.1.255
service openvpn start
to check bridge status use
brctl show
can you also use this as your config file: (also in server-bridge directive try use the ip of openvpn server default gateway instead of 192.168.1.80)
local 192.168.1.80 ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
dev tap0 ## If you need multiple tap devices, add them here
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
server-bridge 192.168.1.80 255.255.255.0 192.168.1.190 192.168.1.199
max-clients 10 ## set this to the max number of clients that should be connected at a time
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
ps:i assume that the vm nic is configured in bridge mode..right?
Michael
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Tue Aug 30, 2011 1:16 pm
Client config:
Code: Select all
### Client configuration file for OpenVPN
# Specify that this is a client
client
# Bridge device setting
dev tap
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote <my-host-name-hidden> 1194
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca ca.crt
cert scott.crt
key scott.key
# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1
# Specify same cipher as server
cipher BF-CBC
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
No firewall on the server, just straight Ubuntu 11.04
When I stopped OpenVPN to run those commands I got this:
Code: Select all
root@OpenVPN:~# /etc/init.d/openvpn stop
* Stopping virtual private network daemon(s)... * Stopping VPN 'server' [ OK ]
root@OpenVPN:~# openvpn --mktun --dev tap0
Tue Aug 30 09:05:28 2011 TUN/TAP device tap0 opened
Tue Aug 30 09:05:28 2011 Persist state set to: ON
root@OpenVPN:~# brctl addbr br0
device br0 already exists; can't create bridge with the same name
root@OpenVPN:~# brctl addif br0 eth0
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
root@OpenVPN:~# brctl addif br0 tap0
root@OpenVPN:~# ifconfig eth0 promisc 0.0.0.0 up
root@OpenVPN:~# ifconfig tap0 promisc 0.0.0.0 up
root@OpenVPN:~# ifconfig br0 192.168.1.80 netmask 255.255.255.0 broadcast 192.168.1.255
root@OpenVPN:~# service openvpn start
* Starting virtual private network daemon(s)... * Autostarting VPN 'server' device tap0 is already a member of a bridge; can't enslave it to bridge br0.
[fail]
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post
by maikcat » Tue Aug 30, 2011 1:37 pm
after stopping openvpn destroy bridge as well...
brctl delbr br0
openvpn --rmtun --dev tap0
or are you using br0 besides openvpn?
what OS is your client?
Michael.
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Tue Aug 30, 2011 2:10 pm
Windows XP is the client.
I deleted the br0 and then re-ran those commands successfully. But I get the following when I try to start OpenVPN:
Code: Select all
root@OpenVPN:~# service openvpn start
* Starting virtual private network daemon(s)... * Autostarting VPN 'server' device tap0 is already a member of a bridge; can't enslave it to bridge br0.
[fail]
root@OpenVPN:~# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.000c293987b8 no eth0
tap0
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post
by maikcat » Wed Aug 31, 2011 6:29 am
did you comment out the up/down script?
Michael.
-
ScottChapman
- OpenVpn Newbie
- Posts: 12
- Joined: Sun Aug 28, 2011 7:04 pm
Post
by ScottChapman » Wed Aug 31, 2011 11:51 am
Rebooting it seemed to clear it up, OpenVPN is back running again. But still can't ping anything on my network except the OpenVPN server itself.
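The two bridge preconditions checked earlier in this thread (eth0 and tap0 both members of br0 according to `brctl show`, and both in promiscuous mode according to `ifconfig`) can be verified from captured output. This is an added example, not part of the original posts; the function names and the trimmed sample output are constructed for illustration.

```python
import re

def bridge_members(brctl_output):
    """Parse `brctl show` into {bridge: [members]}, including continuation rows."""
    bridges, current = {}, None
    for line in brctl_output.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) >= 3:                          # name, id, STP[, first member]
            current = fields[0]
            bridges[current] = fields[3:]
        elif fields and current:                      # further member on its own row
            bridges[current].append(fields[0])
    return bridges

def promisc_interfaces(ifconfig_output):
    """Return the interfaces whose ifconfig flags line contains PROMISC."""
    promisc, current = set(), None
    for line in ifconfig_output.splitlines():
        m = re.match(r"(\S+)\s+Link encap:", line)
        if m:
            current = m.group(1)
        elif current and "PROMISC" in line.split():
            promisc.add(current)
    return promisc

def check_bridge(brctl_output, ifconfig_output, bridge="br0", needed=("eth0", "tap0")):
    """List what is missing from the bridge setup described in the thread."""
    members = bridge_members(brctl_output).get(bridge)
    if members is None:
        return ["bridge %s does not exist" % bridge]
    promisc = promisc_interfaces(ifconfig_output)
    problems = []
    for iface in needed:
        if iface not in members:
            problems.append("%s is not a member of %s" % (iface, bridge))
        if iface not in promisc:
            problems.append("%s is not in promiscuous mode" % iface)
    return problems

# Constructed samples, trimmed from the output posted in the thread.
BRCTL = ("bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
         "br0\t\t8000.000c293987b8\tno\t\teth0\n"
         "\t\t\t\t\t\t\ttap0\n")
IFCONFIG = ("eth0 Link encap:Ethernet HWaddr 00:0c:29:39:87:b8\n"
            "     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n"
            "tap0 Link encap:Ethernet HWaddr fa:f0:01:b2:f8:84\n"
            "     UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1\n")

if __name__ == "__main__":
    print(check_bridge(BRCTL, IFCONFIG))
```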