Cannot see remote sub-net

Posted: Tue Oct 04, 2011 10:30 am
by johnmb
I freely confess to being a newbie here.

My configuration is a Linux client connecting to a Windows XP SP2 supported server. Also,
there is a private local sub-net behind the server on a second Ethernet interface that I need
access to. Both client machine and server machine are on the same internal building LAN sub-net
10.4.0.0/16 and the private local sub-net behind the server machine is 192.168.0.0/24.

This may sound odd but this is an experimental proof of concept for remote management of
machinery we design.

My problem is that everything launches and connects fine and I can ping the private local
sub-net Ethernet card on the server machine (192.168.0.3) from the client machine session.
However, I cannot reach any of the other hosts on the private local sub-net (192.168.0.x).

It seems that the push statement for the private sub-net in the server config is doing something,
otherwise I would not be able to see the access Ethernet card, but that's where it all ends.

Hopefully, this is a newbie silly mistake and someone will be able to see it easily; my configuration file
contents are given below:-

Client config

client

dev tun
proto udp
remote 10.4.19.120 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert john.crt
key john.key

ns-cert-type server
comp-lzo
verb 3


Server Config

proto udp
dev tun
dev-node "Local Area Connection 2"

ca "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\kas_test.crt"
key "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\kas_test.key" # This file should be kept secret
dh "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"

keepalive 10 120

cipher BF-CBC # Blowfish (default)
comp-lzo
persist-key
persist-tun

status openvpn-status.log
verb 4

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 12:49 pm
by Mimiko
Show OpenVPN log from client and routing table on client and server when VPN is connected. Also do a tracert 192.168.0.x from client.

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 1:17 pm
by johnmb
Mimiko, thank you for looking at my problem.

Traceroute gives no output other than periodic asterisks; presumably because it considers
the route to the remote sub-net as a single hop?

Anyway, here are the client connection log and routing table that you asked for.

This is the log of the client connecting :-

Tue Oct 4 14:07:18 2011 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Oct 4 14:07:18 2011 WARNING: file 'john.key' is group or others accessible
Tue Oct 4 14:07:18 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Oct 4 14:07:18 2011 LZO compression initialized
Tue Oct 4 14:07:18 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Oct 4 14:07:18 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Oct 4 14:07:18 2011 Local Options hash (VER=V4): '41690919'
Tue Oct 4 14:07:18 2011 Expected Remote Options hash (VER=V4): '530fdded'
Tue Oct 4 14:07:18 2011 Socket Buffers: R=[109568->131072] S=[109568->131072]
Tue Oct 4 14:07:18 2011 UDPv4 link local: [undef]
Tue Oct 4 14:07:18 2011 UDPv4 link remote: 10.4.19.120:1194
Tue Oct 4 14:07:18 2011 TLS: Initial packet from 10.4.19.120:1194, sid=0a408745 e11f84f9
Tue Oct 4 14:07:18 2011 VERIFY OK: depth=1, /C=GB/ST=Beds/L=Dunstable/O=KAS/OU=changeme/CN=kas_test/name=changeme/emailAddress=john@kaspapersystems.com
Tue Oct 4 14:07:18 2011 VERIFY OK: nsCertType=SERVER
Tue Oct 4 14:07:18 2011 VERIFY OK: depth=0, /C=GB/ST=Beds/L=Dunstable/O=KAS/OU=changeme/CN=kas_test/name=changeme/emailAddress=john@kaspapersystems.com
Tue Oct 4 14:07:23 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 4 14:07:23 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 4 14:07:23 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 4 14:07:23 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 4 14:07:23 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Oct 4 14:07:23 2011 [kas_test] Peer Connection Initiated with 10.4.19.120:1194
Tue Oct 4 14:07:24 2011 SENT CONTROL [kas_test]: 'PUSH_REQUEST' (status=1)
Tue Oct 4 14:07:24 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Oct 4 14:07:24 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 4 14:07:24 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 4 14:07:24 2011 OPTIONS IMPORT: route options modified
Tue Oct 4 14:07:24 2011 ROUTE default_gateway=10.4.19.3
Tue Oct 4 14:07:24 2011 TUN/TAP device tun0 opened
Tue Oct 4 14:07:24 2011 TUN/TAP TX queue length set to 100
Tue Oct 4 14:07:24 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue Oct 4 14:07:24 2011 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.5
Tue Oct 4 14:07:24 2011 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Tue Oct 4 14:07:24 2011 Initialization Sequence Completed


and this is the routing table at the client:-

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.4.19.0 * 255.255.255.0 U 0 0 0 eth0
default 10.4.19.3 0.0.0.0 UG 0 0 0 eth0

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 1:22 pm
by johnmb
My mistake, I ran the route command after I closed the connection by mistake;
here is the real routing table:-

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.5 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.4.19.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
default 10.4.19.3 0.0.0.0 UG 0 0 0 eth0

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 1:42 pm
by Mimiko
Oh, I see. Use this link http://support.microsoft.com/kb/315236 to enable forwarding in Windows XP. Restart Windows XP and try again.

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 2:27 pm
by johnmb
I set IPEnableRouter to 1 but unfortunately this didn't work; I guess it isn't the only problem.

What was it in my information to you that made you realise that this registry entry was incorrect?

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 2:37 pm
by johnmb
Ah, I've just thought of something, 192.168.0.31 needs to set its gateway address to 192.168.0.3, doesn't it?

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 3:00 pm
by johnmb
That finally fixed it.

Thank you very much for helping me Mimiko; I appreciate you giving your time.

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 4:32 pm
by Mimiko
> Ah, I've just thought of something, 192.168.0.31 needs to set its gateway address to 192.168.0.3, doesn't it?

Kind of, but if the internet gateway has another IP, then 0.31 will lose internet. You will have to figure out setting the route on 0.31 with the original gateway so that the packets for 10.8.0.x will go to 0.3.

Re: Cannot see remote sub-net

Posted: Tue Oct 04, 2011 8:19 pm
by johnmb
Good point; however, it is not a problem for my application as 192.168.0.31 is a remote camera that has no requirement for the internet. The local sub-net 192.168.0.0/24 is a machine with managed devices including the camera.
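Mimiko's last point, that a LAN host like the camera can keep its existing default gateway and only needs a route for the VPN pool via the server's LAN address 192.168.0.3, can be checked with a longest-prefix match over routing tables in the route -n layout quoted above. This is an added example, not code from the thread; the camera's routing tables and its 192.168.0.1 internet gateway are constructed assumptions, while the client table is the one johnmb posted.

```python
import ipaddress

# Constructed routing tables in the "route -n" layout quoted in the thread.
# CLIENT is johnmb's connected client table; CAMERA_* are hypothetical tables
# for the LAN host 192.168.0.31, with 192.168.0.1 assumed as its internet gateway.
CLIENT = """\
10.8.0.5 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.4.19.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
default 10.4.19.3 0.0.0.0 UG 0 0 0 eth0
"""
CAMERA_BEFORE = """\
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
"""
# Same host after adding only a route for the VPN pool via the OpenVPN server's LAN address.
CAMERA_AFTER = CAMERA_BEFORE + "10.8.0.0 192.168.0.3 255.255.255.0 UG 0 0 0 eth0\n"

def parse_routes(text):
    """Parse route -n lines into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue  # skip the header and anything that is not a route line
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        gw = None if f[1] == "*" else ipaddress.ip_address(f[1])
        routes.append((net, gw, f[7]))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, as the kernel does it; returns (gateway, iface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def return_path_ok(table_text, vpn_client_ip, server_lan_ip):
    """True if the LAN host sends replies for the VPN client to the OpenVPN server."""
    hit = lookup(parse_routes(table_text), vpn_client_ip)
    return hit is not None and hit[0] == ipaddress.ip_address(server_lan_ip)

if __name__ == "__main__":
    print(lookup(parse_routes(CLIENT), "192.168.0.31"))     # (IPv4Address('10.8.0.5'), 'tun0')
    print(return_path_ok(CAMERA_BEFORE, "10.8.0.6", "192.168.0.3"))  # False
    print(return_path_ok(CAMERA_AFTER, "10.8.0.6", "192.168.0.3"))   # True
```

The client side was never the problem: the pushed route already sends 192.168.0.x into tun0, so the missing piece was the reverse direction on the server (forwarding) and on the camera (a route back to 10.8.0.0/24).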