Ubuntu lan-to-lan configuration

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Ubuntu lan-to-lan configuration

Post by evildani » Wed Dec 14, 2011 11:54 am

Hello fellow openVPN users,

I need a little help. I have configured a lan-to-lan setup using Ubuntu Linux on both ends; both use the same version. Both were installed from Ubuntu, kernel 2.6.32-36-generic #79-Ubuntu SMP x86_64.
Anyway, I have two networks, 192.168.50.0/24 and 192.168.40.0/24; one is the server, the other is the client.
My problem is that the client network can see the server network, but the other way around does not work.
I can ping any machine from 192.168.50.X to 192.168.40.X, yet when done from 192.168.40.X the ICMP packet gets lost (according to traces) between the internal eth0 and tun0.
I have tried many iptables configurations.
Right now I am using this as a base:
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i tun0 -o tun0 -j ACCEPT

This works on both ends. All kernel modules load at boot. The clients navigate the internet without problems.
I have done extensive traces on both ends and the problem seems to be on the server side.
The tunnel authentication is done via PKI where the CA is located on a network appliance.

I have run out of ideas, any help? any ideas? any suggestions?

Thanks for taking the time to read my post.

Daniel

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Ubuntu lan-to-lan configuration

Post by janjust » Wed Dec 14, 2011 12:00 pm

the client can see the machines on the server network due to masquerading:
-A POSTROUTING -o eth1 -j MASQUERADE
if you want the reverse you either need to masquerade in the other direction as well and/or you need to read the HOWTO http://openvpn.net/index.php/open-sourc ... html#scope
for details on how to do subnet-to-subnet routing.

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Wed Dec 14, 2011 12:21 pm

Thanks for the quick reply.

The communication is working one way, from client lan to server lan. But from server lan to client lan is not working.
The same script config is applied to both "routers". Yet only one-way communication is achieved.
I did follow the subnet-to-subnet guide. My configuration includes ccd, iroute, push route.

Thanks,

Daniel

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Ubuntu lan-to-lan configuration

Post by janjust » Wed Dec 14, 2011 12:39 pm

the most common error with ccd files is that the file is not picked up correctly; did you specify a full path for the 'client-config-dir' option? for debugging, try adding
ccd-exclusive
to the server config and then try to connect the client - if the CCD file is not picked up correctly the client will be refused access.

If the CCD file *IS* picked up correctly then check the routing tables on both machines, and check that IP forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ubuntu lan-to-lan configuration

Post by maikcat » Wed Dec 14, 2011 1:21 pm

can you post your configs to simply validate them...?

Michael.

EDIT

>from client lan to server lan. But from server lan to client lan is not working.

if you ping from a client lan to a pc located on the server subnet and not the opposite
maybe there is a firewall on the client side..? :?
Amiga 500, Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Wed Dec 14, 2011 2:45 pm

Here are the server.conf and client.conf, and also some logs.
Server config:

local 190.Z.X.Y
port 1194
proto udp
dev tun
ca root.cert
cert bog.cer
key bog.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
topology subnet
ifconfig-pool-persist /etc/openvpn/ipp.txt
route 192.168.40.0 255.255.255.0
route 192.168.50.0 255.255.255.0
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"
push client-to-client
client-config-dir ccd
client-to-client
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /etc/openvpn/openvpn.log
verb 6

Client config:

client
dev tun
proto udp
remote 190.Z.X.Y
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ns-root.cert
cert cur-client.cer
key cur.key
verb 3

ccd file:
iroute 192.168.50.0 255.255.255.0

openvpn.log
Wed Dec 14 09:39:47 2011 us=449743 cur.air/190....:33032 UDPv4 WRITE [53] to [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52
Wed Dec 14 09:39:48 2011 us=782040 cur.air/190....:33032 UDPv4 READ [53] from [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52
Wed Dec 14 09:39:57 2011 us=985608 cur.air/190....:33032 UDPv4 WRITE [53] to [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52
Wed Dec 14 09:39:59 2011 us=322807 cur.air/190....:33032 UDPv4 READ [53] from [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52

status log:
Updated,Wed Dec 14 09:40:35 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
cur.air,190....:33032,20842,22669,Wed Dec 14 08:44:02 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.50.0/24,cur.air,190.88.36.143:33032,Wed Dec 14 08:44:04 2011
10.8.0.2,cur.air,190....:33032,Wed Dec 14 08:44:04 2011
GLOBAL STATS
Max bcast/mcast queue length,0

Thanks for the help

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ubuntu lan-to-lan configuration

Post by maikcat » Wed Dec 14, 2011 8:15 pm

one stupid question..

what is your openvpn server lan ip?

also is ip forwarding enabled on both systems?
try adding this to your ccd file

ifconfig-push 10.8.0.10 10.8.0.9

and see if your client gets 10.8.0.10 ip on its tun interface..

Michael.

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Wed Dec 14, 2011 11:32 pm

Server LAN IP is 192.168.40.27
Client LAN IP is 192.168.50.1

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Thu Dec 15, 2011 5:24 am

Hello all,

I tried the ccd-exclusive directive and the client can connect, but the ifconfig-push has no effect.

I have disabled the firewall on both ends until I resolve this issue.

Any ideas?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ubuntu lan-to-lan configuration

Post by maikcat » Thu Dec 15, 2011 7:25 am

remove this from your server config

>route 192.168.40.0 255.255.255.0
>push "route 192.168.50.0 255.255.255.0"
>push client-to-client
>topology subnet
>ifconfig-pool-persist /etc/openvpn/ipp.txt


restart your openvpn service and try again..

Michael.

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Thu Dec 15, 2011 7:54 am

Thank you very much, this solved my routing problems.

Could you please explain to me what the changes imply to make my configuration work?

Thank you very much for the help. Now I can deploy all my other sites!!!!

Daniel

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ubuntu lan-to-lan configuration

Post by maikcat » Thu Dec 15, 2011 10:28 am

happy to have helped you out..

this

>route 192.168.40.0 255.255.255.0

is used for the *remote* subnets only (in your server config);
basically it adds a static route to the system's routing table

>push "route 192.168.50.0 255.255.255.0"
this sends the above route to your client

>push client-to-client
this is used in the server config only

>topology subnet
because the ifconfig I gave you works with a p2p-style net, not subnet ;)

>ifconfig-pool-persist /etc/openvpn/ipp.txt
this gives the same IP to your client as before;
because you use ccd files you don't need the above...

cheers,

Michael.
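Michael's explanation boils down to a few rules for a site-to-site server config: 'route' only for subnets behind clients, an 'iroute' for each of them in a ccd file, 'push route' only for the server-side subnets, 'client-to-client' never pushed, plus janjust's point about giving 'client-config-dir' a full path. The checker below is added here (it is not code from the thread or from OpenVPN; function and variable names are mine) and runs those rules against the server.conf and ccd file Daniel posted earlier.

```python
from ipaddress import IPv4Network

# Server config and ccd file as posted in the thread (pre-fix version), used as sample input.
SERVER_CONF = """
route 192.168.40.0 255.255.255.0
route 192.168.50.0 255.255.255.0
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"
push client-to-client
client-config-dir ccd
"""
CCD_FILES = {"cur.air": "iroute 192.168.50.0 255.255.255.0\n"}

def _directives(text):
    """Yield (name, args) per non-comment config line; quotes around push args are dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.replace('"', "").split()
            yield name, args

def _net(args):  # ["192.168.50.0", "255.255.255.0"] -> IPv4Network("192.168.50.0/24")
    return IPv4Network(f"{args[0]}/{args[1]}")

def lint_lan_to_lan(server_conf, ccd_files, remote_subnets, server_lan_subnets):
    """Return findings for a site-to-site server config ([] means clean): remote_subnets sit
    behind clients (need route + iroute, never pushed); server_lan_subnets are pushed, never 'route'd."""
    findings, routes, pushed = [], set(), set()
    remote = {IPv4Network(n) for n in remote_subnets}
    local = {IPv4Network(n) for n in server_lan_subnets}
    for name, args in _directives(server_conf):
        if name == "route":
            routes.add(_net(args))
        elif name == "push" and args[:1] == ["route"]:
            pushed.add(_net(args[1:]))
        elif name == "push" and args[:1] == ["client-to-client"]:
            findings.append("'client-to-client' is a server-side option and cannot be pushed")
        elif name == "client-config-dir" and not args[0].startswith("/"):
            findings.append(f"client-config-dir '{args[0]}' is relative; give the full path")
    iroutes = {_net(a) for ccd in ccd_files.values() for n, a in _directives(ccd) if n == "iroute"}
    for net in sorted(remote):
        if net not in routes:
            findings.append(f"missing 'route {net}': the kernel has no path for it into tun")
        if net not in iroutes:
            findings.append(f"no 'iroute {net}' in any ccd file: OpenVPN cannot map it to a client")
        if net in pushed:
            findings.append(f"pushing route {net} hands a client its own LAN")
    for net in sorted(local & routes):
        findings.append(f"'route {net}' is the server's own LAN; 'route' is for remote subnets only")
    return findings
```

Run against the posted config it reports the four points the thread fixed; with those lines removed and the ccd path made absolute it returns an empty list.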

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Sat Dec 24, 2011 1:12 am

Sorry to bother you again,

I have some more routing problems: from the client network I can only ping gateways on the server network. For example, I need to contact a licensing server on the server network, IP 192.168.40.9, from a client 192.168.50.3, but the ping and connection fail. But if I ping the server IP on the server network, 192.168.40.27, or the server network gateway (40.1), it works fine.

Client route table:

Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
10.8.0.5        *                255.255.255.255  UH    0      0   0   tun0
190.Y.X.X       *                255.255.255.192  U     0      0   0   eth0
192.168.50.0    *                255.255.255.0    U     0      0   0   eth1
192.168.50.0    *                255.255.255.0    U     0      0   0   eth2
10.8.0.0        10.8.0.5         255.255.255.0    UG    0      0   0   tun0
192.168.40.0    10.8.0.5         255.255.255.0    UG    0      0   0   tun0
default         sub-736ip129.re  0.0.0.0          UG    100    0   0   eth0

Server routing table:

Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
10.8.0.2        *                255.255.255.255  UH    0      0   0   tun0
190.Y.W.X       *                255.255.255.192  U     0      0   0   eth1
192.168.50.0    10.8.0.2         255.255.255.0    UG    0      0   0   tun0
10.8.0.0        10.8.0.2         255.255.255.0    UG    0      0   0   tun0
localnet        *                255.255.255.0    U     0      0   0   eth0
default         corporat190      0.0.0.0          UG    100    0   0   eth1


Thanks for the help again!

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Ubuntu lan-to-lan configuration

Post by Mimiko » Sun Dec 25, 2011 10:20 am

From the http://openvpn.net/index.php/open-sourc ... html#scope you have to read carefully:
"Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."
which applies to your case.

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Mon Dec 26, 2011 8:26 am

Thanks for the response, I have followed the guide. Yet I have this weird behavior:
From the client I ping a machine on the server LAN.
From 192.168.50.2 to 192.168.40.9
On the trace I see the ping go to the destination machine, yet the source IP for the ICMP request is 10.8.0.6; this IP corresponds to the internal tun0 interface on the client machine.
In other words, the ping arrives at the destination machine but with an origin IP that does not correspond to the LAN. MAC addresses reveal further details:
REQUEST:
SOURCE: 46:19:a7:63:28:3f DEST: da:72:40:74:7b:ef
REPLY:
DEST: 1a:07:09:b0:c9:c3 SOURCE: da:72:40:74:7b:ef

On the reply the MAC matches the MAC of that network's router interface, so the target machine is sending the reply to the default gateway.

So, I have something wrongly configured in the server, any ideas what it could be?

Thanks,

Daniel

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Ubuntu lan-to-lan configuration

Post by Mimiko » Mon Dec 26, 2011 9:10 am

This tutorial will help you understand why this is happening: topic9465.html

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Tue Jan 31, 2012 8:55 am

Thanks for all the help. OpenVPN has proven itself, I love it:

My first network is working very well, but I have two problems.

1. Whenever the client or server restarts, ufw comes up and breaks the VPN; any guide on how to solve this?
2. I added another client; this one works but I cannot ping any server on the server network.
The client in question can ping the inside interface of the server. The other client (the first one) has no problems. I used the same configurations, copied from the original client that works.

Thanks in advance for any help.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Ubuntu lan-to-lan configuration

Post by Mimiko » Tue Jan 31, 2012 9:59 am

You have typical firewall issues. Please search this forum using Google about configuring firewalls.

evildani
OpenVpn Newbie
Posts: 10
Joined: Wed Dec 14, 2011 11:42 am

Re: Ubuntu lan-to-lan configuration

Post by evildani » Tue Jan 31, 2012 12:53 pm

On point one, yes, clearly I have firewall issues; I am reading the ufw documentation to solve them and will post my rules once I have them in place.

But on problem two I have no idea yet: all my firewalls on the 3 machines are disabled, the old client works, the new client can connect, but ping fails from client LAN to server LAN.

I could do a network trace on the client to see if something is wrong, but it has the exact same config as the old client, even the same hardware and the same hardware setup. Maybe I missed a route or something?

Thanks,

Daniel
