OpenVPN Support Forum

Posted: **Sun Nov 06, 2011 1:27 am**

I am trying to use OpenVPN to do routing thru the tunnels. (ie connect the newtork at server1, client1, and client2 such that any system on any of the different subnets could communicate)

keys, certs, and dns address are not listed as that much of the setup works correctly

Server - 64 bit Ubuntu 10.04 headless server: 192.168.117.0/24 behind a firewall/router[WNDR3700] (cable internet)
IPv4 forwarding is enabled

Code: Select all

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I INPUT -i eth0 -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -i eth0 -j ACCEPT

Some of that may be unnecessary as I'm still trying to get this working as expected
CONFIG FILE

Code: Select all


port 1194
proto tcp
dev tun

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.117.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
client-to-client

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3

ccd/client1 -

Code: Select all

 iroute 192.168.1.0 255.255.255.0

client1 - 32bit Ubuntu 10.04 Headless Server: 192.168.1.0/24 behind firewall/router [old wired only netgear] hughesnet satelite internet
ipv4 forwarding is enabled
iptables match server exactly
config file points to server with tcp protocol correctly

router @ 192.168.117.1 - static routes 10.8.0.0/24 & 192.168.1.0/24 points to 192.168..117.X(server)
router @ 192.168.1.1 - static routes 10.8.0.0/24 & 192.168.117.0/24 points to 192.168.1.X(client1)

So far the VPN tunnel connects without issue. From the server I can ping/ssh/scp/wget anything in the 192.168.1.0/24 network behind the client. from the client I can also access anything in the 192.168.117.0/24 network behind the server

I have even connected my windows laptop to the server via ssh (both in the 192.168.117.0/24 space) and used tunnels to remotely access webpages in the 192.168.1.0/24 network

Code: Select all

 ssh server -L 80:192.168.1.1:80

What I have not been able to do is connect a PC in the 192.168.117.0/24 network to a pc/server in the 192.168.1.0/24 network. I have several devices on the remote network that offer SSH/HTTP access as well as a samba server.

Here are some other details which maybe of use

results of route -n on server

Code: Select all

Destination	Gateway	Genmask	Flags	Metric	Ref	Use	Iface
10.8.0.2		0.0.0.0		255.255.255.255UH	0	0	0	tun0
192.168.117.0	0.0.0.0		255.255.255.0	U	0	0	0	eth0
10.8.0.0		10.8.0.2		255.255.255.0	UG	0	0	0	tun0
192.168.1.0	10.8.0.2		255.255.255.0	UG	0	0	0	tun0
0.0.0.0		192.168.117.1	0.0.0.0		UG	100	0	0	eth0

results of traceroute 192.168.1.4 (HP Printer) from a PC in the 192.168.117.0/24 network

Code: Select all

*****@Rand:~$ traceroute 192.168.1.4
traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
1	192.168.117.1 (192.168.117.1) 0.295 ms  0.256 ms  0.295 ms
2	Server (192.168.117.XXX) 0.509 ms  0.507 ms  0.486 ms
3	10.8.0.6 (10.8.0.6)  1486.543 ms  1483.743 ms  2030.026 ms
4	192.168.1.4 (192.168.1.4) 2034.648 ms  2054.639 ms  2054.639 ms

as mentioned before I can also ping this IP address from a PC inside the 192.168.117.0/24 network

However, the problem occurs if I try to use HTTP or if I try to establish an ssh connection to client1 either at 10.8.0.6 or at 192.168.1.242(client1's ip inside of its own network). Essentially I never get a reply.

Also as mentioned before any connection from the vpn server is successful. I went a step further and connected my laptop to the internet via a usb modem and configured it as a client. I was able to connect without issue and could also access all devices in the 10.8.0.0/24, 192.168.117.0/24, and 192.168.1.0/24 networks.

so to summarize. I can connect from a vpn client to any device in any network, however the devices in the servers network cannot initiate a connection to the vpn client or any devices behind the vpn client. I have not been able to test a connection from a device in the vpn client network back to the server network, it will be later next week before I will have physical access to any of those devices.

Any help with this would be greatly appreciated.

Posted: **Sun Nov 06, 2011 8:56 am**

If 192.168.1.4 has a web page, try it.
If pings are working and other not, than mostly is a iptable rule that blocks. Ckeck iptables on OpenVPN server and client:
iptables -L -v
iptables -L -v -t NAT

Posted: **Sun Nov 06, 2011 2:30 pm**

Server

Code: Select all

:~$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 174K packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination

 137K   13M ACCEPT     all  --  eth0   any     anywhere             anywhere

 5527 4118K ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 26345 packets, 2137K bytes)
 pkts bytes target     prot opt in     out     source               destination

16517 1254K ACCEPT     all  --  eth0   tun+    anywhere             anywhere

16467 1298K ACCEPT     all  --  tun+   eth0    anywhere             anywhere


Chain OUTPUT (policy ACCEPT 227K packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination

Code: Select all

:~$ sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 47391 packets, 3891K bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain POSTROUTING (policy ACCEPT 36626 packets, 2696K bytes)
 pkts bytes target     prot opt in     out     source               destination

 1121 99269 MASQUERADE  all  --  any    eth0    anywhere             anywhere


Chain OUTPUT (policy ACCEPT 34339 packets, 2122K bytes)
 pkts bytes target     prot opt in     out     source               destination

:~$

client1

Code: Select all

:~$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 265K packets, 35M bytes)
 pkts bytes target     prot opt in     out     source               destination

 262K   51M ACCEPT     all  --  eth0   any     anywhere             anywhere

 4050  298K ACCEPT     all  --  tun+   any     anywhere             anywhere


Chain FORWARD (policy ACCEPT 31631 packets, 4276K bytes)
 pkts bytes target     prot opt in     out     source               destination

21585 1914K ACCEPT     all  --  eth0   any     anywhere             anywhere

53512 4174K ACCEPT     all  --  tun+   any     anywhere             anywhere


Chain OUTPUT (policy ACCEPT 138K packets, 28M bytes)
 pkts bytes target     prot opt in     out     source               destination

:~$ sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 526K packets, 155M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain POSTROUTING (policy ACCEPT 1726 packets, 292K bytes)
 pkts bytes target     prot opt in     out     source               destination

36217 2813K MASQUERADE  all  --  any    eth0    anywhere             anywhere


Chain OUTPUT (policy ACCEPT 11332 packets, 1127K bytes)
 pkts bytes target     prot opt in     out     source               destination

:~$

I do not list my rules pretaining to SSH hardening here for security reasons. I have tried this setup with those rules removed and it did not alleviate my problem.

The iptables have been altered since my previous post as I continue to seek out solutions in the forums. I've used tcpdump to try and see where the packets are dissappearing at.

I am able to see the packets leave a pc on my network, come into eth0 on server, go out tun0 on server. As expected. When they return I am seeing packets of 0 length coming in tun0 and out eth0 on the server. I even see these packets enter eth0 on the pc, but I do not receive the webpage.

when running tcpdump on the server and attempting the same connection I see packets of varying length and receive the index.html file that I would epect when using the wget command.

I don't disagree with you mimiko, I'm just not seeing my problem, I'm hoping that A it will register to me or B someone will drop me a hint that helps it register, there's always C where someone points it out so that it all makes sense, but I'll take what I can get on this issue.

Posted: **Mon Nov 07, 2011 11:18 am**

hi there,

why are you perfoming nat?

Michael.

Posted: **Mon Nov 07, 2011 12:20 pm**

I've run out of other ideas about how to get it working...

I've tried this setup with and without nat and it doesn't seem to affect the outcome at all.

Posted: **Mon Nov 07, 2011 6:54 pm**

Delete the masquerading. When ypu will have the chance - test access from remote site.

Posted: **Mon Nov 07, 2011 11:32 pm**

I have removed the masquerading. I wasn't able to reach hosts in the client subnet from the server subnet.

I decided to try making a connection from the client subnet to the host server by using an HP printer. the HP 8500 Officejet series will dump files directly to windows shares so I decided to configure one matching a samba share in my server subnet. during the testing phase I received the message that the device could not connect to the remote server. It's possible that a timeout killed the connection (hughesnet has 2 second pings right now), but it still doesn't look good. I am accessing this printer via my laptop configured as a client on the VPN network 10.8.0.0/24. I can access the device webpage and successfully print to the printer over the connection.

Ok I found something that removing nat has changed. Before I could SSh from a client to a host in a remote subnet. However, now I can not. I can still access a webpage, etc, etc, but I can't access any of my linux servers over ssh by ip address from a remote client.

subnet to remote(client/server) or subnet to remote subnet still not working.

If there is any information that would be of use to help troubleshoot this I would be more than happy to provide it.

Posted: **Thu Nov 10, 2011 9:24 am**

As I though. The

router @ 192.168.117.1 - static routes 10.8.0.0/24 & 192.168.1.0/24 points to 192.168..117.X(server)
router @ 192.168.1.1 - static routes 10.8.0.0/24 & 192.168.117.0/24 points to 192.168.1.X(client1)

just does not work. Try this rule on routers with masquarading option.

Posted: **Thu Nov 10, 2011 10:41 am**

Not sure if you message was cut off or what happened mimiko, but I don't see the options you would like me to try. Though I am very interested.

I may have access to the remote site tomorrow, I'll post me findings once I can run tests from there.

Posted: **Thu Nov 10, 2011 10:52 am**

Oke. From the location where you are now, add o some computer a static route to the VPN network and remote network with the GW of OpenVPN (client or server, which one is on the LAN). And try. By this you are bypassing the router and make a direct connection.

Posted: **Thu Nov 10, 2011 11:46 pm**

I'll try that as soon as I'm able, the remote site has been taken down for various reasons... needless to say it's a very amusing situation. I'll try that as soon as I am able. Though it may be a week or more.

Thank you so very much for helping me thus far. I'll get back on this ASAP and get the results posted

Posted: **Fri Nov 11, 2011 12:43 am**

Alright, here's what I did manage to test.

To one of my linux severs at 192.168.117.X I added the route

Code: Select all

route add -net 10.8.0.0/24 gw 192.168.117.150 dev eth0

after doing this I was able to ping and access files from a client at 10.8.0.10. I was not able to do this before adding the static route.

Is there a way to do this using the router or will I need to add static routes to every system on the network...

Moving to the 10.X.X.X or the 169.254.x.x address is an option if necessary. Though I'm just confused as to why static routes aren't working on the netgear router, though I'm seriously starting to see the limitations of netgear equipment!

Posted: **Fri Nov 11, 2011 8:06 am**

Though I'm just confused as to why static routes aren't working on the netgear router, though I'm seriously starting to see the limitations of netgear equipment!

That's I thougth from some time and asked you to do the tests. The router does not route correctlly those added routes by you. I've done such a redirect on a software router and were no problem. So ask the developers of Netgear router for the redirecting issue. Also try enabling those routes on the routers with masquerading. I had some time to do this in the software router, in order the redirecting to work.

Posted: **Sat Nov 12, 2011 8:17 pm**

I made it to the remote site, mostly to disassemble the site due to bad planning on managments part. I'll be doing further testing for this today and tomorrow so hopefully I'll have something useful

I'm wondering if I could use dnsmasq to pass the additional routes to clients. Has anyone tried this before?

I have used dnsmasq to pass the next router option when testing an LTSP Ubuntu setup and have had success with that as well as doing some automated PXE installs behind this same router. I wouldn't think that passing additonal routes would be a major leap.

I'll report back when I get a chance.

Posted: **Sat Nov 12, 2011 8:39 pm**

Disable those routes on routers and try this approach: http://openvpn.net/index.php/open-sourc ... range.html

Posted: **Sun Nov 13, 2011 2:04 pm**

Alright, I have finally figured this whole thing out. It seems that my concerns regarding the WNDR3700 router were correct. I was able to drop in another router I had laying around with the same static routes configured and everything just worked. I replaced the spare router with the WNDR3700 and everything stopped working.

I was poking around netgears forums looking for more information and stumbled across this thread. http://forum1.netgear.com/showthread.ph ... post326540

It appears that this is a known issue (though not one Netgear has corrected). I'm currently debating on replacing the WNDR3700 or simply breaking it via telnet as several people in the thread suggest. To be honest I'm about to the point of rolling Open-WRT on the WNDR3700 and ust supporting openvpn directly from the device.

My attempts to use dnsmasq to push static routes to the clients isn't working so far, but I'm 99.9% sure I have the configuration wrong as I don't see it sending any options on the network just yet.

OpenVPN Support Forum

Confused by my results

Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results

Re: Confused by my results