Wrong routes set to the client

Posted: Wed Dec 28, 2011 9:14 pm
by whites11
Hi all,

briefly, my situation:

linux server (ubuntu 10.04)
2 network interfaces: eth0 with a bridge (br0, 192.168.2.190) and eth1 (192.168.101.X, dhcp)
traffic is masqueraded with these rules:

Code:

iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j MASQUERADE

server is behind a firewall (192.168.2.1) and has port 4911 udp (yes, not standard) forwarded correctly.

this is the server config:

Code:

mode server
tls-server
local 192.168.2.190
port 4911
proto udp
dev tap0
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.190 255.255.255.0 192.168.2.180 192.168.2.189
push "dhcp-option DNS 192.168.2.190 8.8.8.8"
push "dhcp-option DOMAIN my.domain.com"
push "route 192.168.101.1 255.255.255.255"
max-clients 9
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

connection from remote works perfectly; the (relevant) routes i get are the following:

Code:

0.0.0.0         192.168.17.1    0.0.0.0         UG    0      0        0 eth0
vpn_public_ip_address   192.168.17.1    255.255.255.255 UGH   0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.17.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.101.1   192.168.2.190   255.255.255.255 UGH   0      0        0 tap0

of course 192.168.17.0/24 is my home's local network

everything seems good, but here's the problem:

Code:

$ ping -c 1 192.168.2.190
PING 192.168.2.190 (192.168.2.190) 56(84) bytes of data.
64 bytes from 192.168.2.190: icmp_req=1 ttl=64 time=102 ms

--- 192.168.2.190 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 102.758/102.758/102.758/0.000 ms

Works, good. But:

Code:

$ ping -c 1 192.168.2.140
PING 192.168.2.140 (192.168.2.140) 56(84) bytes of data.
From 192.168.2.180 icmp_seq=1 Destination Host Unreachable

--- 192.168.2.140 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

does not... (and the same for every other resource of that subnet).
resources on the other subnet (192.168.101.0) work quite well.

to make the traffic on the 192.168.2.0 network work, i need to manually push a route on the client like this:

Code:

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.190

i think things should work without the above route (and i cannot ask my vpn clients to set this route manually), so i guess i'm doing something wrong but can't understand what.
can anybody explain?
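A way to read the client routing table in the post above, as an added example that is not part of the poster's setup: the script below performs the longest-prefix lookup the client kernel does for a destination, over the table as posted (the redacted `vpn_public_ip_address` is replaced with the placeholder 203.0.113.10, an assumption). For 192.168.2.140 the table already selects tap0 with no gateway, so the client does not route at all: it ARPs for .140 over the tap and the frame has to be bridged through br0 on the server, which makes the failure a layer-2 (bridge) question rather than a pushed-route one. 192.168.101.1, by contrast, is reached via the server's IP, i.e. routed and forwarded by the server.

```shell
#!/bin/bash
# Longest-prefix route lookup over a `route -n` style table, showing which
# interface and next hop the client kernel picks for a destination.
# Constructed sample input: the client routing table from the first post;
# the redacted "vpn_public_ip_address" is replaced by the TEST-NET-3
# placeholder 203.0.113.10 (an assumption, not the poster's real address).

CLIENT_ROUTES='0.0.0.0         192.168.17.1    0.0.0.0         UG    0      0        0 eth0
203.0.113.10    192.168.17.1    255.255.255.255 UGH   0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.17.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.101.1   192.168.2.190   255.255.255.255 UGH   0      0        0 tap0'

# ip2int DOTTED-QUAD -> unsigned 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup DEST [TABLE] -> "on-link dev IFACE" or "via GW dev IFACE"
# Picks the matching entry with the most specific mask (largest mask value),
# which is the longest-prefix rule the kernel applies; ties are not broken by
# metric here because the sample table has none.
route_lookup() {
  local dest best_mask=-1 best="" table="${2:-$CLIENT_ROUTES}"
  local net gw mask flags metric ref use iface n m
  dest=$(ip2int "$1")
  while read -r net gw mask flags metric ref use iface; do
    [ -n "$net" ] || continue
    n=$(ip2int "$net")
    m=$(ip2int "$mask")
    if [ $(( dest & m )) -eq $(( n & m )) ] && [ "$m" -gt "$best_mask" ]; then
      best_mask=$m
      if [ "$gw" = "0.0.0.0" ]; then
        best="on-link dev $iface"
      else
        best="via $gw dev $iface"
      fi
    fi
  done <<EOF
$table
EOF
  printf '%s\n' "$best"
}

# Walk the destinations tested in the thread plus one Internet address.
for d in 192.168.2.190 192.168.2.140 192.168.101.1 8.8.8.8; do
  printf '%-15s -> %s\n' "$d" "$(route_lookup "$d")"
done
```

`route_lookup` accepts a second argument with another table in the same format, so the output of `route -n` on any client can be pasted in to check where a given host's packets will go before looking at the server side.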

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 6:20 am
by Mimiko
You can try adding to server's config:

Code:

push "route 192.168.2.0 255.255.255.0 vpn_gateway"

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 9:44 am
by whites11
no luck, client routes are unchanged

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 11:18 am
by maikcat
please post output of ifconfig command on server

Michael.

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 11:21 am
by whites11
here it is

Code:

br0       Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:9d  
          inet addr:192.168.2.190  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:8c9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:345334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:326439 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:289766112 (289.7 MB)  TX bytes:289067343 (289.0 MB)

eth0      Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:9d  
          inet6 addr: fe80::20c:29ff:fe7a:8c9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:342729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:324339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:294998319 (294.9 MB)  TX bytes:288586383 (288.5 MB)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:a7  
          inet addr:192.168.101.11  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:8ca7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:804 (804.0 B)  TX bytes:1152 (1.1 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:580180 (580.1 KB)  TX bytes:580180 (580.1 KB)
tap0      Link encap:Ethernet  HWaddr 0e:08:76:36:30:76
          inet6 addr: fe80::c08:76ff:fe36:3076/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4063 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4694 (4.6 KB)  TX bytes:575445 (575.4 KB)

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 11:24 am
by maikcat
interfaces participating in the bridge MUST be in promisc mode..

please also post

brctl show

Michael.

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 11:31 am
by whites11
ok, i edited /etc/network/interfaces like this:

Code:

iface eth0 inet dhcp
  up ip link set $IFACE up promisc on
  down ip link set $IFACE down promisc off

is this ok?

brctl show:

Code:

bridge name     bridge id               STP enabled     interfaces
br0             8000.000c297a8c9d       no              eth0
                                                        tap0

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 11:35 am
by maikcat
ifconfig shows promisc mode in eth0?

if yes you are ok (so far ;) )

Michael.

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 11:57 am
by whites11
this is my ifconfig now:

Code:

eth0      Link encap:Ethernet  HWaddr 00:0c:29:7a:8c:9d  
          inet6 addr: fe80::20c:29ff:fe7a:8c9d/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:783 errors:0 dropped:0 overruns:0 frame:0
          TX packets:561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:91920 (91.9 KB)  TX bytes:105250 (105.2 KB)

but still no luck, same problem: 192.168.2.190 is reachable, 192.168.2.* is not...

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 12:04 pm
by maikcat
remove these from server

mode server
ifconfig-pool-persist ipp.txt

restart service

also

did you enable ip forwarding on server?

disable iptables for testing (i don't think you need masq anyway..)

Michael.
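The checks maikcat asks for in this and the earlier replies (the tap device listed under the bridge in `brctl show`, PROMISC on every bridge port in `ifconfig`, ip forwarding on) can be scripted so they are verified on the server rather than read off by eye. The script below is an added example, not from the thread or the OpenVPN project; the parsing helpers take their input as arguments and are exercised on the `brctl show` output posted above (embedded as a constructed sample), while `audit_live_bridge` reads /sys/class/net and /proc/sys on the host it runs on.

```shell
#!/bin/bash
# Audit of the bridged-OpenVPN prerequisites raised in the thread: bridge
# membership of the tap device (brctl show), IFF_PROMISC on every bridge
# port (ifconfig's PROMISC flag) and net.ipv4.ip_forward. The parsing
# helpers take their input as arguments so they can be exercised offline on
# the constructed sample below; audit_live_bridge reads /sys and /proc.

IFF_PROMISC=256   # 0x100 from <linux/if.h>; /sys/class/net/IFACE/flags is hex

# Constructed sample: the `brctl show` output posted in the thread.
BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c297a8c9d       no              eth0
                                                        tap0'

# flags_has_promisc HEXFLAGS -> exit 0 when the promiscuous bit is set
flags_has_promisc() {
  [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# bridge_members "BRCTL OUTPUT" BRIDGE -> space-separated port list
# (brctl prints additional ports on continuation lines holding only the name)
bridge_members() {
  printf '%s\n' "$1" | awk -v br="$2" '
    NR == 1 { next }                               # column header
    NF >= 3 { cur = ($1 == br); if (cur && NF == 4) print $4; next }
    NF == 1 && cur { print $1 }
  ' | tr '\n' ' ' | sed 's/ $//'
}

# has_member "PORT LIST" IFACE -> exit 0 when IFACE is in the list
has_member() {
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

# audit_live_bridge BRIDGE TAP -> one line per check, exit 1 on any failure
audit_live_bridge() {
  local br="$1" tap="$2" rc=0 members="" p flags fwd
  for p in /sys/class/net/"$br"/brif/*; do
    [ -e "$p" ] && members="$members ${p##*/}"
  done
  members=${members# }
  if has_member "$members" "$tap"; then
    echo "ok:   $tap is a port of $br (ports: $members)"
  else
    echo "FAIL: $tap is not a port of $br (ports: ${members:-none}); check up.sh"; rc=1
  fi
  for p in $members; do
    flags=$(cat /sys/class/net/"$p"/flags)
    if flags_has_promisc "$flags"; then
      echo "ok:   $p is promiscuous (flags $flags)"
    else
      echo "FAIL: $p is not promiscuous (flags $flags)"; rc=1
    fi
  done
  # Needed for the routed path the server pushes (192.168.101.1 via the
  # server's address), not for frames that stay on the bridge.
  fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
  if [ "$fwd" = 1 ]; then
    echo "ok:   net.ipv4.ip_forward=1"
  else
    echo "FAIL: net.ipv4.ip_forward=${fwd:-unreadable}"; rc=1
  fi
  return $rc
}

# Usage: ./bridge_audit.sh br0 tap0   (live check on the server)
#        ./bridge_audit.sh            (offline demo on the sample above)
if [ $# -eq 2 ]; then
  audit_live_bridge "$1" "$2"
else
  echo "sample bridge ports: $(bridge_members "$BRCTL_SAMPLE" br0)"
  flags_has_promisc 0x1103 && echo "flags 0x1103: promiscuous"
  flags_has_promisc 0x1003 || echo "flags 0x1003: not promiscuous"
fi
```

One caveat when all checks pass inside the guest: the 00:0c:29 prefix on eth0's hardware address in the ifconfig output is VMware's OUI, and a VMware virtual switch applies its own promiscuous-mode security policy (rejected by default). In that case the guest can show PROMISC on eth0 while the virtual switch still withholds frames addressed to MACs it does not know, such as the VPN clients' tap addresses, so the audit is necessary but not sufficient on a virtualised server.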

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 12:51 pm
by whites11
ok, i removed mode server and ifconfig pool...

i removed every iptables rule:

Code:

$ iptables -L
Chain INPUT (policy ACCEPT)
target   prot opt source   destination

Chain FORWARD (policy ACCEPT)
target   prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target   prot opt source   destination

Code:

$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target   prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
target   prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target   prot opt source   destination

eth0 is in promisc mode, but still the same behavior :(

EDIT: wait, do i need to have ip_forward enabled even in this case (with no masquerading at all)?
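The flushed tables above leave every chain at policy ACCEPT with no rules, which is fine for a quick test, but once net.ipv4.ip_forward is set to 1 the server will forward between eth1, the bridged LAN and the VPN pool for anyone who can reach it. As an added example (not from the thread or the OpenVPN project), the script below writes an iptables-restore ruleset that keeps only the flows the thread describes: bridged frames between tap0 and eth0, VPN clients from the server-bridge pool reaching the eth1 side, and masquerading limited to that pool. Interface names and the pool range are those posted in the thread; the output path is an assumption.

```shell
#!/bin/bash
# Replacement for an empty "policy ACCEPT" FORWARD chain on the bridged
# OpenVPN server. With ip_forward=1 an unrestricted FORWARD chain turns the
# host into an open router between its interfaces; this ruleset admits only
# the flows described in the thread. Load with: iptables-restore < FILE

# write_forward_rules FILE BRIDGE_IF WAN_IF POOL_RANGE
#   POOL_RANGE is the server-bridge pool, e.g. 192.168.2.180-192.168.2.189
write_forward_rules() {
  local out="$1" br="$2" wan="$3" pool="$4"
  cat > "$out" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# return traffic for flows accepted below
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# with net.bridge.bridge-nf-call-iptables=1 frames bridged between tap0 and
# eth0 also traverse FORWARD, seen as $br -> $br; keep bridging working
-A FORWARD -i $br -o $br -j ACCEPT
# VPN clients (addresses from the server-bridge pool) may reach the $wan side
-A FORWARD -i $br -o $wan -m iprange --src-range $pool -j ACCEPT
# everything else is logged (rate limited) and dropped by the chain policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade only pool traffic leaving via $wan, not everything leaving $br
-A POSTROUTING -o $wan -m iprange --src-range $pool -j MASQUERADE
COMMIT
EOF
}

# forward_policy FILE -> the FORWARD chain policy recorded in FILE
forward_policy() {
  awk '$1 == ":FORWARD" { print $2 }' "$1"
}

# Demo: write the ruleset for the thread's topology and report the policy.
RULES_FILE="${RULES_FILE:-$(mktemp)}"   # assumed location; override with RULES_FILE=...
write_forward_rules "$RULES_FILE" br0 eth1 192.168.2.180-192.168.2.189
echo "FORWARD policy in $RULES_FILE: $(forward_policy "$RULES_FILE")"
```

The `-i br0 -o br0` rule matters on a bridge: when the bridge module is loaded with bridge-nf-call-iptables enabled (the default on kernels of that era), frames switched between tap0 and eth0 are also run through the FORWARD chain, so a DROP policy without that rule would break exactly the bridged traffic the thread is trying to get working. Anything the site additionally needs, such as hosts on the eth1 side reaching the LAN, gets its own explicit rule rather than a return to an ACCEPT policy.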

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 1:48 pm
by maikcat
yeap enable ip forwarding on server

Michael.

Re: Wrong routes set to the client

Posted: Thu Dec 29, 2011 8:48 pm
by whites11
ok i enabled it again but still not working...

thanks very much for your help, it's very appreciated!

Re: Wrong routes set to the client

Posted: Fri Dec 30, 2011 8:27 am
by maikcat
can you repost the last used server config file?

Michael.

Re: Wrong routes set to the client

Posted: Fri Dec 30, 2011 10:51 pm
by whites11

Code:

tls-server
local 192.168.2.190
port 4911
proto udp
dev tap0
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
server-bridge 192.168.2.190 255.255.255.0 192.168.2.180 192.168.2.189
push "dhcp-option DNS 192.168.2.190 8.8.8.8"
push "dhcp-option DOMAIN ud.enbilab.com"
push "route 192.168.101.1 255.255.255.255"
push "route 192.168.2.0 255.255.255.0 vpn_gateway"
max-clients 9
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Re: Wrong routes set to the client

Posted: Sun Jan 01, 2012 9:58 am
by maikcat
happy new year!


remove this from your server config

>push "route 192.168.2.0 255.255.255.0 vpn_gateway"

restart service and try again

Michael.

Re: Wrong routes set to the client

Posted: Sun Jan 01, 2012 8:21 pm
by whites11
thanks, happy new year to you too!

i tried, but same behavior.
i guess it can be something related to my local (client) setup.
i'm going to set up a virtualbox test environment to check if everything's ok in a simpler environment.

if you have any ideas in the meantime i'll be happy to try :)

Re: Wrong routes set to the client

Posted: Wed Jan 04, 2012 1:39 pm
by whites11
I think the answer to my problem is the following:

Note: If the server is not the default LAN gateway on the server side, you will have to do one of the following:
1. Add a static route to the LAN's default gateway (most likely the LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address.
2. Add a static route to each host on the server side LAN that you want to be able to communicate with the client (bugs).
3. Use the iptables NAT feature to masquerade the IP packets.

Now, i cannot do the first nor the second one.
How can i do the third one (with iptables or ufw)?

Re: Wrong routes set to the client

Posted: Thu Jan 05, 2012 7:47 am
by maikcat
you are using bridging mode, not routing..

the note you mention applies to routing based setup.

Michael.

Re: Wrong routes set to the client

Posted: Sat Jan 07, 2012 6:58 pm
by Mimiko
I didn't see any full log from the OpenVPN client. So I suppose you are running the OpenVPN client not as root.