
[Resolved] Access local network behind OpenVPN (tun setup)

Posted: Mon Oct 31, 2011 5:38 pm
by peerus
Hi, could anyone help me? I've spent 2 days trying to figure out how to connect to an OpenVPN server and get access to local network resources. Tons of tutorials and howtos...

OpenVPN is running on a machine that acts as the router for internet access. The router has 2 physical ethernet cards:
eth0 - internet access
eth1 - local area network 192.168.2.0/255.255.255.0

I can access the server via its internet address, its VPN address (10.10.2.1) and its local network address (192.168.2.1).
I can ssh, ping etc., but I can't communicate with any machine on the local network, for example 192.168.2.50.
My home network is 192.168.1.0/255.255.255.0 and my home network IP is 192.168.1.100.

Here is the server config:

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.10.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
route 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
The ccd file contains:

Code:

iroute 192.168.1.0 255.255.255.0
Trace from server to client (looks good):

    $ tracepath 192.168.1.100
    1: 10.10.2.1 0.674ms pmtu 1500
    1: 192.168.1.100 44.124ms reached
    1: 192.168.1.100 43.693ms reached
    Resume: pmtu 1500 hops 1 back 64

Trace from client to server (looks good):

    $ tracepath 192.168.2.1
    1: 10.10.2.6 0.166ms pmtu 1500
    1: 192.168.2.1 31.970ms reached
    1: 192.168.2.1 31.167ms reached
    Resume: pmtu 1500 hops 1 back 64

Trace from client to a resource on the server's local network. Here I have a problem and have no idea why.
192.168.2.50 is pingable from the server.

    $ tracepath 192.168.2.50
    1: 10.10.2.6 0.238ms pmtu 1500
    1: 10.10.2.1 33.992ms
    1: 10.10.2.1 33.560ms
    2: no reply
    3: no reply
    4: no reply
    5: no reply

Re: Access local network behind OpenVPN (tun setup)

Posted: Mon Oct 31, 2011 6:15 pm
by Mimiko
Did you enable forwarding? http://openvpn.net/index.php/open-sourc ... rding.html
Did you check the iptables rules on the server? The FORWARD table must accept forwarding from tun to eth1 and vice versa.

Re: Access local network behind OpenVPN (tun setup)

Posted: Mon Oct 31, 2011 7:22 pm
by peerus
Thank you for the reply!
cat /proc/sys/net/ipv4/ip_forward returns 1. This is okay.
> Did you check the iptables rules on the server? The FORWARD table must accept forwarding from tun to eth1 and vice versa.
I've done it just now with these commands.
Insert is used because I have other rules for Internet routing through this server.

Code:

iptables -I FORWARD 1 -i tun+ -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth1 -j ACCEPT
iptables -I FORWARD 2 -i eth1 -o tun0 -j ACCEPT
But the result is the same. No access from 192.168.1.100 to 192.168.2.50.

Here is route -n for the server. Maybe the problem is somewhere in routing?

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         X.X.X.X    0.0.0.0         UG    100    0        0 eth0
10.10.2.0       10.10.2.2       255.255.255.0   UG    0      0        0 tun0
10.10.2.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
92.60.88.184    0.0.0.0         255.255.255.252 U     0      0        0 eth0
192.168.1.0     10.10.2.2       255.255.255.0   UG    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
UPDATE:
I've disabled internet routing and cleaned the iptables rules. Still no luck.

Code:

iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
Not sure if it's important, but I can't ping 192.168.1.1 (my home net router) from the VPN server. I feel like it's the same issue, but from the server side.

Re: Access local network behind OpenVPN (tun setup)

Posted: Mon Oct 31, 2011 8:00 pm
by Mimiko
Show "iptables -L -v" and "iptables -L -v -t nat".
Do you have any antivirus on the server? Maybe on 192.168.2.50 something is blocking, a firewall or antivirus.

Re: Access local network behind OpenVPN (tun setup)

Posted: Mon Oct 31, 2011 8:52 pm
by peerus
You are a genius!!! The problem was that the 192.168.2.50 device was not set up to have a default gateway at all, and so was not able to communicate through 192.168.2.1 with my home network. That's it!

So you were right! All I need is just three commands:

Code:

iptables -I FORWARD 1 -i tun0 -j ACCEPT
iptables -I FORWARD 2 -i tun0 -o eth1 -j ACCEPT
iptables -I FORWARD 3 -i eth1 -o tun0 -j ACCEPT
It looks like it doesn't even break the Internet routing that I set up before.

UPDATE: Don't know why, but I have to use tcp instead of udp to access local http/ssh resources. Now everything is simply brilliant!
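The failure mode peerus hit, as an added example that is not part of the thread: a small Python model of the kernel's longest-prefix routing lookup, run over a constructed copy of the server's route -n table above (the masked X.X.X.X gateway replaced by the documentation address 203.0.113.1, the provider's /30 omitted) and over a constructed table for 192.168.2.50 with and without a default gateway. The server always has a next hop towards the LAN host, but the host has no route for its reply to the VPN client until 192.168.2.1 is its gateway.

```python
import ipaddress

# Constructed copy of the server's "route -n" from the thread: X.X.X.X replaced
# by a documentation address, the provider's /30 omitted as irrelevant here.
SERVER_ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    100    0        0 eth0
10.10.2.0       10.10.2.2       255.255.255.0   UG    0      0        0 tun0
10.10.2.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     10.10.2.2       255.255.255.0   UG    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""

# Constructed table for 192.168.2.50 as peerus found it: a connected route only.
LAN_HOST_ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

# The same host once the OpenVPN router is configured as its default gateway.
FIXED_LAN_HOST_ROUTE_N = LAN_HOST_ROUTE_N + (
    "0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0\n")


def parse_route_n(text):
    """Turn 'route -n' output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue  # header or blank line
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        routes.append((net, None if cols[1] == "0.0.0.0" else cols[1], cols[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match like the kernel; None means 'no route to host'."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return (gw or "direct", iface)


def round_trip(server_text, host_text, client_ip, host_ip):
    """Server's hop towards the LAN host and the host's hop back to the client."""
    forward = lookup(parse_route_n(server_text), host_ip)
    reply = lookup(parse_route_n(host_text), client_ip)
    return forward, reply
```

A tracepath that reaches 10.10.2.1 and then shows "no reply" is exactly this asymmetric case: the forward hop resolves, the reply hop does not.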