Unable to access hosts behind openvpn
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Unable to access hosts behind openvpn
Hi,
I need help with OpenVPN. I am a newbie to this. The OpenVPN client is able to connect to the VPN server and RDP, and access the shared drives on the OpenVPN server, but is then not able to access any hosts behind it. Here is the configuration:
OpenVPN IP pool: 192.168.200.0/24
Server side Private IP: 192.168.100.0/24
Client side private IP: 192.168.10.0/24
Server conf:
-------------------
;local 192.168.100.38
port 1194
proto udp
mssfix 1400
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS x.x.x.x"
push "route 192.168.200.0 255.255.255.0"
dev tun
ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\tagsdps01n01.crt"
key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\tagsdps01n01.key" # This file should be kept secret-
dh "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 192.168.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.100.0 255.255.255.0"
push "redirect-gateway def1"
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
route-delay 5
Routing table from the server:
-------------------------------
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.1 192.168.100.38 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.229.155 276
169.254.229.155 255.255.255.255 On-link 169.254.229.155 276
169.254.255.255 255.255.255.255 On-link 169.254.229.155 276
192.168.100.0 255.255.255.0 On-link 192.168.100.38 276
192.168.100.38 255.255.255.255 On-link 192.168.100.38 276
192.168.100.255 255.255.255.255 On-link 192.168.100.38 276
192.168.200.0 255.255.255.0 192.168.200.2 192.168.200.1 30
192.168.200.0 255.255.255.252 On-link 192.168.200.1 286
192.168.200.1 255.255.255.255 On-link 192.168.200.1 286
192.168.200.1 255.255.255.255 On-link 192.168.100.38 21
192.168.200.3 255.255.255.255 On-link 192.168.200.1 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.100.38 276
224.0.0.0 240.0.0.0 On-link 169.254.229.155 276
224.0.0.0 240.0.0.0 On-link 192.168.200.1 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.100.38 276
255.255.255.255 255.255.255.255 On-link 169.254.229.155 276
255.255.255.255 255.255.255.255 On-link 192.168.200.1 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.100.1 Default
0.0.0.0 0.0.0.0 10.235.74.192 Default
10.235.235.0 255.255.255.0 10.235.74.193 Default
192.168.200.1 255.255.255.0 192.168.100.38 1
192.168.100.0 255.255.255.0 192.168.100.38 1
192.168.200.1 255.255.255.255 192.168.100.38 1
===========================================================================
Client conf:
--------------
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\infmca1161.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\infmca1161.key"
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
I searched through a lot of articles and forums but could not find a solution. Any help would be greatly appreciated. Thanks in advance.
Thanks,
Suba
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Unable to access hosts behind openvpn
Did you enable IP forwarding on the OpenVPN server?
Did you set up the OpenVPN server firewall accordingly?
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Re: Unable to access hosts behind openvpn
Hi,
Thank you for your reply. I enabled IP forwarding, but how do I set up the OpenVPN firewall rules?
Thanks,
Suba
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Unable to access hosts behind openvpn
I can see you are using 64-bit Windows, but
I am not sure which version...
You can always disable the firewall for testing and configure the firewall later.
Michael.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Re: Unable to access hosts behind openvpn
The Windows firewall is disabled and the version of Windows is 2008 Standard with SP 2.
Thanks,
Suba
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Re: Unable to access hosts behind openvpn
Hi,
May I know if you have any update for me?
Thanks,
Suba
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Unable to access hosts behind openvpn
Some tips:
Let's say you are trying to access a PC inside your LAN with IP 192.168.100.10.
Did you disable the firewall on the 192.168.100.10 PC?
What default gateway does 192.168.100.10 have?
Michael.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Re: Unable to access hosts behind openvpn
The default gateway is the same on both servers - the host on which OpenVPN is running and also the machine I am trying to connect to behind the VPN.
Default gateway: 192.168.100.1
And the Windows firewall is disabled on all the machines.
One more issue, this might help - I am not able to ping the private IPs behind the VPN server, for example 192.68.100.10, but I am able to ping the public IP of the same machine.
Thanks,
Suba
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Unable to access hosts behind openvpn
Can you try setting, on the PC you want to access inside your LAN,
the LAN IP of the OpenVPN server as the default gateway?
Michael.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Re: Unable to access hosts behind openvpn
Not sure I can do that, because I have very critical applications running on the hosts behind the VPN which are being accessed by the outside world. So changing their default gateway might affect them.
Is there any other solution?
Thanks for your quick response.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Unable to access hosts behind openvpn
Add a static route for the 192.168.200.0/24 network on the PC you want
to access inside your LAN, pointing to the OpenVPN server,
for example:
route add 192.168.200.0 mask 255.255.255.0 192.168.100.38
Michael.
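Why the static route in the reply above fixes the problem, as an added example that is not part of the original posts: a longest-prefix-match lookup over the LAN host's routing table before and after the `route add`. The VPN client address 192.168.200.6 and the function names are assumptions made for illustration; the other addresses come from the thread.

```python
import ipaddress

ON_LINK = "on-link"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs, as an IP stack does."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw

def reply_path(host_routes, vpn_client, vpn_server):
    """Where a LAN host sends its reply to a VPN client, and whether
    that hop is the machine that can put it back into the tunnel."""
    hop = next_hop(host_routes, vpn_client)
    return {"next_hop": hop, "returns_via_vpn": hop == vpn_server}

# Values from the thread.
VPN_SERVER_LAN_IP = "192.168.100.38"
LAN_DEFAULT_GW = "192.168.100.1"
# Constructed sample: an address a client could get from the 192.168.200.0/24 pool.
VPN_CLIENT = "192.168.200.6"

# Routing table of a LAN host such as 192.168.100.10 before the fix:
# replies to the VPN pool match only the default route.
before = [
    ("0.0.0.0/0", LAN_DEFAULT_GW),
    ("192.168.100.0/24", ON_LINK),
]
# After: route add 192.168.200.0 mask 255.255.255.0 192.168.100.38
after = before + [("192.168.200.0/24", VPN_SERVER_LAN_IP)]

if __name__ == "__main__":
    for label, table in (("before", before), ("after", after)):
        print(label, reply_path(table, VPN_CLIENT, VPN_SERVER_LAN_IP))
    # Traffic to everything else still leaves through the default gateway.
    print("internet", next_hop(after, "8.8.8.8"))
```

The /24 route is more specific than the default route, so only replies to VPN clients change path; the host's default gateway stays 192.168.100.1.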
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Re: Unable to access hosts behind openvpn
Great!!!
Thanks a lot! That fixed the issue. I need help with one more thing. I am able to RDP with the IP address of the hosts behind the VPN but not with the hostnames. Would you have any idea why this happens?
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Unable to access hosts behind openvpn
Keep in mind that broadcasts DON'T pass through tun interfaces;
if you want your name resolution to work, use DNS/WINS/hosts.
Michael.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Apr 24, 2012 2:06 pm
Re: Unable to access hosts behind openvpn
Thank you Michael!
You have been a great help.
Thanks,
Suba