I have been involved with this problem for a number of days now. I have been converting my tap server-bridge so that machines attached to any VPN client routers can also be accessed. I have multiple router clients as well as PC clients connecting. I have gotten so far that a connection is established; however, I can only get one-way communication to the server. It will not talk back to the clients. This leads me to believe I have a routing or firewall issue. For the IP assignment, my aim is to have connecting clients get a dynamic IP from the ifconfig-pool. Any connecting routers are configured to assign IPs within the 172.18.0.0 range. The clients should use the VPN server as an internet gateway primarily, but be able to communicate with each other, even if behind routers.
Server config (unnecessary parts removed):
Code:
port 1194
dev tun0
dev-type tun
# let clients reach each other through the server
client-to-client
# clients send all traffic through the VPN
push "redirect-gateway"
mode server
# per-client option files (the iroute for the subnet behind each router lives here)
client-config-dir /tmp/etc/ccd
push "topology subnet"
# gateway address the clients use for pushed routes and for redirect-gateway
push "route-gateway 172.18.219.220"
up /tmp/etc/up.sh
push "route 172.18.219.208 255.255.255.240"
push "route 172.18.21.64 255.255.255.224"
down /tmp/etc/down.sh
ifconfig-pool-persist /tmp/etc/persistip
# dynamic addresses handed to connecting clients
ifconfig-pool 172.18.219.209 172.18.219.212 255.255.255.240
I have one router configured to connect for testing, so in ccd/client1:
Code:
# tells OpenVPN that the subnet behind this client is reached through it
iroute 172.18.21.64 255.255.255.224
It then has a DHCP server assigning in this range, obviously.
Client config:
Code:
dev tun0
proto udp
remote ..... 1194
redirect-gateway
pull
I have separately configured a PC (client2) to connect to the VPN remotely, in an effort to dodge potential client router issues. Again, authentication is successful and the server sees the client and receives pings, but no pong is received by the client. ifconfig tun0 on both the router client and the PC client shows 0 kB of data received but plenty of data sent (the pings). The tun interface on the VPN server looks similar. Note, however, that VPN clients can ping each other (but not the server, and they can't go online) on the off chance I have access to them both at the same time. This is the only thing that works.
The following is observed on the VPN server when the client server connects remotely (through my phone).
Code:
Wed Dec 21 02:43:31 2011 212.183.128.88:17905 [client1] Peer Connection Initiated with 212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 OPTIONS IMPORT: reading client specific options from: /tmp/etc/ccd/client1
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: Learn: 172.18.219.209 -> client1/212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: primary virtual IP for client1/212.183.128.88:17905: 172.18.219.209
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: internal route 172.18.21.64/27 -> client1/212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: Learn: 172.18.21.64/27 -> client1/212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 REMOVE PUSH ROUTE: 'route 172.18.21.64 255.255.255.224'
Wed Dec 21 02:43:33 2011 client1/212.183.128.88:17905 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 21 02:43:33 2011 client1/212.183.128.88:17905 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 87.194.255.154,dhcp-option DNS 208.67.220.220,redirect-gateway,topology subnet,route-gateway 172.18.219.220,route 172.18.219.208 255.255.255.240,ping 10,ping-restart 30,ifconfig 172.18.219.209 255.255.255.240' (status=1)
Wed Dec 21 02:43:43 2011 client1/212.183.128.88:17905 MULTI: Learn: 172.18.21.84 -> client1/212.183.128.88:17905
Here is the routing table of the VPN server. br0 contains the tun interface.
Code:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
172.18.219.208  *               255.255.255.240 U     0      0   0   br0
172.18.219.208  *               255.255.255.240 U     0      0   0   tun0
172.18.21.64    172.18.219.220  255.255.255.224 UG    0      0   0   br0
remotenet       *               255.255.255.0   U     0      0   0   nas0
239.0.0.0       *               255.0.0.0       U     0      0   0   br0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         remotegw        0.0.0.0         UG    0      0   0   nas0
Now for the VPN client router. Here is its routing table (I have to use route -n).
Code:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
remote ip       192.168.0.1     255.255.255.255 UGH   0      0   0   vlan1
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0   0   vlan1
172.18.219.208  172.18.219.220  255.255.255.240 UG    0      0   0   tun0
172.18.219.208  0.0.0.0         255.255.255.240 U     0      0   0   tun0
172.18.21.64    0.0.0.0         255.255.255.224 U     0      0   0   br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0   0   vlan1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0   0   br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         172.18.219.220  0.0.0.0         UG    0      0   0   tun0
If I use redirect-gateway DEF1 I receive no warning, but I prefer to completely redirect. Either way it doesn't work.
Code:
Wed Dec 21 03:49:39 2011 us=849079 [server] Peer Connection Initiated with IP:1194
Wed Dec 21 03:49:41 2011 us=945653 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Dec 21 03:49:42 2011 us=881480 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 87.194.255.154,dhcp-option DNS 208.67.220.220,redirect-gateway,topology subnet,route-gateway 172.18.219.220,route 172.18.219.208 255.255.255.240,ping 10,ping-restart 30,ifconfig 172.18.219.209 255.255.255.240'
Wed Dec 21 03:49:42 2011 us=882832 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 21 03:49:42 2011 us=883074 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 21 03:49:42 2011 us=883263 OPTIONS IMPORT: route options modified
Wed Dec 21 03:49:42 2011 us=883448 OPTIONS IMPORT: route-related options modified
Wed Dec 21 03:49:42 2011 us=883627 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Dec 21 03:49:42 2011 us=905619 TUN/TAP device tun0 opened
Wed Dec 21 03:49:42 2011 us=905952 TUN/TAP TX queue length set to 100
Wed Dec 21 03:49:42 2011 us=906603 /sbin/ifconfig tun0 172.18.219.209 netmask 255.255.255.240 mtu 1500 broadcast 172.18.219.223
Wed Dec 21 03:49:42 2011 us=926136 /sbin/route add -net IP netmask 255.255.255.255 gw 192.168.0.1
Wed Dec 21 03:49:42 2011 us=933598 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Wed Dec 21 03:49:42 2011 us=941355 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.18.219.220
Wed Dec 21 03:49:42 2011 us=950055 WARNING: potential route subnet conflict between local LAN [172.18.219.0/255.255.255.0] and remote VPN [172.18.219.208/255.255.255.240]
Wed Dec 21 03:49:42 2011 us=950573 /sbin/route add -net 172.18.219.208 netmask 255.255.255.240 gw 172.18.219.220
Wed Dec 21 03:49:43 2011 us=19134 Initialization Sequence Completed
Code:
# forward between the LAN bridge and the tunnel in both directions
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT
# source-NAT everything that leaves through the tunnel
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Finally, is there any overhaul of the configuration I should make? Optimally, I would like the client configuration to be simple, as it is here, and for IPs to be assigned dynamically. Is using topology subnet correct?
Thanks in advance for any help. And please let me know if there is more info you need.
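An added example, not part of the post above and not OpenVPN's own tooling: a small Python script that turns three route-table checks for a server routing client-side subnets into code. It parses the server routing table quoted in the post; the tun device name, the ccd iroute subnet, the VPN pool subnet and the LAN prefix named in the client's "route subnet conflict" warning are taken from the post and passed in as assumed parameters. The first check follows the OpenVPN manual's note that `iroute` only steers OpenVPN's internal routing and a matching kernel route via the tun device is still required; the second flags one prefix installed on two devices (the kernel picks one, so replies can leave on the wrong interface); the third is the same overlap test that produces OpenVPN's subnet-conflict warning.

```python
"""Route-table sanity checks for an OpenVPN server that routes client-side subnets."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Server routing table as quoted in the post, laid out as `route -n` prints it:
# destination, gateway, genmask, flags, metric, ref, use, iface.
# "*" (or 0.0.0.0) as gateway means directly connected; symbolic names stay as posted.
SERVER_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
172.18.219.208  *               255.255.255.240 U     0      0   0   br0
172.18.219.208  *               255.255.255.240 U     0      0   0   tun0
172.18.21.64    172.18.219.220  255.255.255.224 UG    0      0   0   br0
remotenet       *               255.255.255.0   U     0      0   0   nas0
239.0.0.0       *               255.0.0.0       U     0      0   0   br0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         remotegw        0.0.0.0         UG    0      0   0   nas0
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str  # "*" or "0.0.0.0" = directly connected
    iface: str


def parse_route_n(text: str) -> list[Route]:
    """Parse `route -n` / `netstat -rn` lines; the header and symbolic-name rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[-1]
        if dest == "default":
            dest = "0.0.0.0"
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:  # "Destination", "remotenet", ... are not addresses
            continue
        routes.append(Route(net, gw, iface))
    return routes


def iroute_problems(routes, iroute_subnets, tun_iface):
    """iroute subnets with no kernel route, or whose kernel route is not on the tun device."""
    problems = []
    for subnet in iroute_subnets:
        net = ipaddress.IPv4Network(subnet)
        matches = [r for r in routes if r.dest == net]
        if not matches:
            problems.append((subnet, "no kernel route"))
        problems += [(subnet, f"routed via {r.iface}, not {tun_iface}")
                     for r in matches if r.iface != tun_iface]
    return problems


def duplicate_prefixes(routes):
    """Destination prefixes installed on more than one device."""
    by_prefix: dict[ipaddress.IPv4Network, set[str]] = {}
    for r in routes:
        by_prefix.setdefault(r.dest, set()).add(r.iface)
    return {str(net): sorted(ifs) for net, ifs in by_prefix.items() if len(ifs) > 1}


def lan_vpn_overlaps(lan_nets, vpn_net):
    """Local LAN prefixes overlapping the VPN subnet (the condition behind OpenVPN's warning)."""
    vpn = ipaddress.IPv4Network(vpn_net)
    return [lan for lan in lan_nets if ipaddress.IPv4Network(lan).overlaps(vpn)]


def report(route_text, iroute_subnets, tun_iface, lan_nets, vpn_net):
    """Run all three checks on a pasted routing table and return the findings as text lines."""
    routes = parse_route_n(route_text)
    lines = [f"iroute {s}: {why}"
             for s, why in iroute_problems(routes, iroute_subnets, tun_iface)]
    lines += [f"{p} installed on several devices: {', '.join(ifs)}"
              for p, ifs in duplicate_prefixes(routes).items()]
    lines += [f"LAN {lan} overlaps VPN subnet {vpn_net}"
              for lan in lan_vpn_overlaps(lan_nets, vpn_net)]
    return lines


if __name__ == "__main__":
    # Parameters assumed from the post: the ccd iroute, the tun device, the LAN prefix
    # from the client's subnet-conflict warning, and the pool subnet.
    for line in report(SERVER_ROUTES, ["172.18.21.64/27"], "tun0",
                       ["172.18.219.0/24"], "172.18.219.208/28"):
        print(line)
```

Run as a script it prints one line per finding; any `route -n` or `netstat -rn` dump can be pasted in place of SERVER_ROUTES, and the remaining arguments are just the subnets from the server's ccd files and push lines. The checks are deliberately independent of OpenVPN itself so they can be run on the server and on each client router against the same plan.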