OpenVPN Support Forum

Hi,

Trying to get Windows 7 64 VPN'd into a remote network. Need access to the LAN (servers, shares). Server is running CentOS 5.7 on XenServer. This is the first time I've tried to set up an OpenVPN server, and I've tried reading through the docs but I'm missing something...

Currently, I can connect the W7-64 box to CentOS 5.7 and it connects just fine. I'm able to ping back and forth between the two - however, I can't access anything else on the network.

The router is a Netgear FVX538. I have a feeling that my problem is simple and either a setting in my configs or on the Netgear router - I've always had trouble with this thing.


- LAN is 192.168.1.* (was set up before I got here, and there's too much riding on it to do a smooth change...)
- Remote computer's LAN is 192.168.4.*
- 192.168.1.30 is primary DNS srv (on w2k3)
- IP forwarding is enabled - "net.ipv4.ip_forward = 1" in /etc/sysctl.conf

I have a route set up in the router:
Active
Destination IP Address: 10.8.0.0
IP Subnet Mask: 255.255.255.0
Interface: LAN
Gateway IP Address: 192.168.1.126 (CentOS IP - VPN here)
Metric: 2

server.conf:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
log /etc/openvpn/openvpn.log
verb 3
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.30"
push "dhcp-option WINS 192.168.1.30"

client.conf:
remote (host ip)
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key


Any thoughts? Thanks so much.




EDIT: By adding route 192.168.1.0 255.255.255.0 to the client's config I can now ping the router (192.168.1.6) and the OpenVPN server (either by 10.8.0.1 or 192.168.1.126) - but NO other PC/server on the network. Does this mean my "push" commands aren't working, since that's already in the server conf under push?

is ip forwarding enabled on centos?

does your client gets its route from server?

what is the selinux status on centos?

is iptables disabled?

Michael.

maikcat wrote:is ip forwarding enabled on centos?

It is - /etc/sysctl.conf has net.ipv4.ip_forward = 1

maikcat wrote:does your client gets its route from server?

This I'm not sure about, first time setting up. I can tell you that tracert 8.8.8.8 does not attempt to use the VPN, just the local network (and succeeds) so I don't think so.

maikcat wrote:what is the selinux status on centos?

maikcat wrote:is iptables disabled?

Yes -

Edit: I just disabled SELinux to test it, the box is restarting.
Edit #2: Disabling SELinux didn't change anything.

A definite step in the right direction!

I can now ping and connect to the router the VPN is behind, but that's it.

Client Network: 192.168.4.0
Client PC: 192.168.4.2 / 10.8.0.2

LAN Network: 192.168.1.0
LAN Router: 192.168.1.6
LAN DNS Server: 192.168.1.30
LAN VPN Server: 192.168.1.126 / 10.8.0.1


The only change I made from my last post was to add "route 192.168.1.0 255.255.255.0" to my client's config. Now I'm curious as to why I can ONLY connect to the router (192.168.1.6) and the VPN server via 10.8.0.1 or 192.168.1.126. I assume it's something to do with the static route I have set up on the router.


Edit: Pic of static route config -

The only change I made from my last post was to add "route 192.168.1.0 255.255.255.0" to my client's config. Now I'm curious as to why I can ONLY connect to the router (192.168.1.6) and the VPN server via 10.8.0.1 or 192.168.1.126. I assume it's something to do with the static route I have set up on the router.

It's a tipical problem when OpenVPN is not on the same IP as the lan router. On every hos on the lan 192.168.1.0 add a route like:

Mimiko wrote:

The only change I made from my last post was to add "route 192.168.1.0 255.255.255.0" to my client's config. Now I'm curious as to why I can ONLY connect to the router (192.168.1.6) and the VPN server via 10.8.0.1 or 192.168.1.126. I assume it's something to do with the static route I have set up on the router.

It's a tipical problem when OpenVPN is not on the same IP as the lan router. On every hos on the lan 192.168.1.0 add a route like:

Code: Select all

route add 10.8.0.0 mask 255.255.255.0 gw 192.168.1.126

That did it. Thank you so much! Thankfully I only need this client to have access to a few file and web servers, so this will definitely suffice.

For reference to anybody who finds this later while searching - Windows 2003 servers go to start/run/cmd and remove the GW like below - just sub in your own IPs.
Curious though - the only alternative is to actually run the OpenVPN server as a router?

normally the static route on netgear itself would do the work...

if you disable firewall on netgear,is it change anything?

keep as default gateway on your pc the netgear for the testing..

Michael.

maikcat wrote:normally the static route on netgear itself would do the work...

if you disable firewall on netgear,is it change anything?

keep as default gateway on your pc the netgear for the testing..

Michael.

I'll have to wait for a maint window to test disabling the firewall, and even then I'm not terribly comfortable with it.

As for changing the gateway, I change the gw from 192.168.1.126 (the OpenVPN server) to 192.168.1.6 (router address).
Unfortunately it hasn't appeared to change anything. One of the PCs that we need a connection to is running Windows XP Embedded (for a DVR Camera system) and adding a route there manually doesn't appear to be working at all. Another is a Red Hat box that isn't mine, and I'm hesitant to ask the owner to add a route - he's not very experienced with Linux, just the software that runs on it (a Pick database).

The screenshot I posted above showing the Netgear settings is correct?


Edit: I just removed the static route on the Netgear and nothing at all changed, so I don't think it's doing anything... heh.

Edit #2: I just tried to add a new static route and it's giving me an error saying "Command Returned Error" with no information. Nothing to do with OpenVPN, I'm just so sick of this router - it's such a PITA.

Routers tend to do trouble on adding redirecting routers. Post the issue to Netgear support.