antares2001 Guru
Joined: 02 Mar 2004 Posts: 339 Location: Germany
Posted: Sun Mar 05, 2006 2:09 pm Post subject: Howto OpenVPN?
Hello!
I have already read through the Howto on gentoo-wiki, but I did not manage to connect to the network behind my OpenVPN server.
Here at first my configuration:
Server:
Code:
dev tun
ifconfig 172.16.1.1 172.16.1.2   # IP of the local tun device and its peer
secret /etc/openvpn/lan/key.txt
comp-lzo
user nobody
group nobody
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
And here the Client config:
Code:
remote myserver.dyndns.org
dev tun
ifconfig 172.16.1.2 172.16.1.1   # IP of the local tun device and its peer
secret /etc/openvpn/lan/key.txt
comp-lzo
user nobody
group nobody
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
route 192.168.1.0 255.255.255.0
So far so good... my infrastructure is the following:
Server: two ethernet cards; eth0 with IP 192.168.0.99 connected to an ADSL modem establishing the internet connection and eth1 with IP 192.168.1.1 connected to the LAN with 192.168.1.x/255.255.255.0
Client: one ethernet card, connected to LAN 192.168.10.x and DSL router 192.168.10.250 (so no IP conflict)
With the above configuration files, I am able to establish a connection to the server and get access over the IP 192.168.1.1 for example on the samba shares on it. Unfortunately I cannot connect to a computer in the server's LAN with the IP 192.168.1.120. I am sure it is just another small hop, but I do not get it.
The routes on the server are:
Quote:
Kernel IP Routentabelle
Ziel             Router           Genmask          Flags Metric Ref Use Iface
bos01.ip.t-com.  *                255.255.255.255  UH    0      0   0   ppp0
172.16.1.2       *                255.255.255.255  UH    0      0   0   tun0
192.168.1.0      *                255.255.255.0    U     0      0   0   eth1
172.16.1.0       192.168.1.1      255.255.255.0    UG    0      0   0   eth1
192.168.0.0      *                255.255.255.0    U     0      0   0   eth0
loopback         *                255.0.0.0        U     0      0   0   lo
default          bos01.ip.t-com.  0.0.0.0          UG    0      0   0   ppp0
Client:
Quote:
Kernel IP Routentabelle
Ziel             Router           Genmask          Flags Metric Ref Use Iface
172.16.1.1       *                255.255.255.255  UH    0      0   0   tun0
192.168.1.0      172.16.1.1       255.255.255.0    UG    0      0   0   tun0
192.168.10.0     *                255.255.255.0    U     0      0   0   eth0
loopback         *                255.0.0.0        U     0      0   0   lo
default          192.168.10.250   0.0.0.0          UG    0      0   0   eth0
Could somebody help me on this last step? I do not use bridge interfaces.
Thanks a lot in advance.
_________________
* Toshiba SM30X Notebook, Pentium-M 725 CPU, ATI Radeon 9700, 512MB RAM, 80GB
* Pentium D 820 2,8 GHz (EM64T), Geforce6, 200GB + 40GB ATA, 250GB SATA2, WinFastTV 2000XP, 1,5GB RAM
Gentoo Linux 2006.1
JRV Apprentice
Joined: 10 Jan 2004 Posts: 291
Posted: Mon Mar 06, 2006 12:52 am Post subject: Re: Howto OpenVPN?
Check two things:
1) Do you have ip_forward enabled on your server?
Code: | $ echo 1 > /proc/sys/net/ipv4/ip_forward |
2) Do the hosts on your server's LAN have a route back to your client (for example if your server is the default gw of those hosts, they would already have the necessary route back)?
JRV
antares2001 Guru
Joined: 02 Mar 2004 Posts: 339 Location: Germany
Posted: Mon Mar 06, 2006 8:54 am Post subject:
Hello! Thank you for your answer.
Yes, I forgot that the server is the internet gateway for the clients. They are connected to the 192.168.1.1 interface, which forwards to 192.168.0.99 and thus to the internet...
The client computers are windows clients I need to administrate via VNC.
This is done on the server:
Code:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
What exactly do you mean by "Do the hosts on your server's LAN have a route back to your client?" I mean they enter the internet via the server. The dhcpcd.conf is this:
Code:
option domain-name "internal";
option domain-name-servers 192.168.1.251;
option routers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.148;
}
ddns-update-style none;
So any (other) idea?
JRV Apprentice
Joined: 10 Jan 2004 Posts: 291
Posted: Thu Mar 09, 2006 12:52 am Post subject:
antares2001 wrote: "So any (other) idea?"
Hm, not really
The obvious thing to do now would be to see how far your packets get on their round trip to see where they are dropped. Do they arrive at the hosts behind the VPN server (sniff it with ethereal)? Do the hosts send out return packets?
pteppic l33t
Joined: 28 Nov 2005 Posts: 781
Posted: Thu Mar 09, 2006 1:53 am Post subject:
Do you have rules in the server's firewall to allow/block forwarding of tun0 traffic?
You obviously don't have any blocking it on input/output but.....
antares2001 Guru
Joined: 02 Mar 2004 Posts: 339 Location: Germany
Posted: Thu Mar 09, 2006 2:30 am Post subject:
Hi!
No, I tried with no firewall, just the rules I described above. Perhaps some config files can help you? Just tell me which you would need.
Again: eth0: 192.168.0.99 -> ppp0 -> connected to internet
eth1: 192.168.1.1 -> connected to local lan
forward rules just as above.
pteppic l33t
Joined: 28 Nov 2005 Posts: 781
Posted: Thu Mar 09, 2006 9:32 am Post subject:
I may be barking up the wrong tree, but all your routing tables look correct, and if there are no DROP or MASQUERADE rules affecting the tun0 interface....
I digress, with ipsec tunnels you have to turn off masquerading on the public output interface for the destination network at the other end of the tunnel, or obviously iptables changes the source address and the replies get sent out into the internet looking for your public ip instead of being routed through the tunnel, and dropped at your firewall as they are effectively unsolicited.
Now I originally thought this was a special case for ipsec as no one made any mention of it with pptp tunnels etc, but the symptoms you are describing do lead me to think this is what is happening. Try being more explicit with the MASQUERADE rules on the server's end, Code: iptables -t nat -R POSTROUTING 1 -o eth0 ! -d 172.16.1.0/24 -j MASQUERADE , or if you can afford the downtime flush the POSTROUTING rules altogether, then re-establish the tunnel and try again.
After that fails it's down to tcpdump and watching the packets fly about, trying to work out when they are being altered or not...
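Added example, not code from the thread: a small model of the round trip JRV suggests tracing (client, server, LAN host, and back), built from the route tables and the MASQUERADE rule posted above, so you can see which interface each hop uses, whether the source address gets rewritten by a POSTROUTING rule (pteppic's point), and why the LAN host's default gateway decides whether the reply ever reaches tun0 (JRV's question 2). The public IP, the PPPoE peer name and the alternative gateway 192.168.1.250 are constructed placeholders; conntrack is not modelled.

```python
import ipaddress

# (network, gateway or None for on-link, interface), taken from the posted server table
SERVER_ROUTES = [
    ("172.16.1.2/32", None, "tun0"),
    ("192.168.1.0/24", None, "eth1"),
    ("192.168.0.0/24", None, "eth0"),
    ("0.0.0.0/0", "PPPOE_PEER", "ppp0"),  # peer name is a placeholder
]
# A LAN host that took "option routers 192.168.1.1" from the posted dhcpd.conf.
LAN_HOST_OK = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "192.168.1.1", "lan")]
# The same host with some other default gateway (constructed), as in JRV's question 2.
LAN_HOST_BAD = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "192.168.1.250", "lan")]
# The posted server rule: masquerade only what leaves on ppp0 (public IP is a placeholder).
NAT_POSTED = [("ppp0", None, "203.0.113.1")]

def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, interface) or None."""
    ip, best = ipaddress.ip_address(dst), None
    for net, gw, dev in routes:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return None if best is None else best[1:]

def masquerade(src, dst, out_dev, rules):
    """Source after POSTROUTING; rules are (out iface, excluded dst net or None, iface addr)."""
    for dev, not_dst, addr in rules:
        excluded = not_dst and ipaddress.ip_address(dst) in ipaddress.ip_network(not_dst)
        if dev == out_dev and not excluded:
            return addr
    return src

def round_trip(client="172.16.1.2", host="192.168.1.120", host_routes=LAN_HOST_OK, nat=NAT_POSTED):
    """Trace client -> server -> LAN host -> back; returns the interfaces and gateway used."""
    _, fwd_dev = lookup(SERVER_ROUTES, host)            # server forwards the VPN packet
    seen_src = masquerade(client, host, fwd_dev, nat)    # source address the LAN host sees
    reply_gw, _ = lookup(host_routes, seen_src)          # where the host sends its reply
    # the reply only gets back onto tun0 if the host hands it to the server (192.168.1.1)
    back_dev = lookup(SERVER_ROUTES, seen_src)[1] if reply_gw == "192.168.1.1" else None
    return {"forward_dev": fwd_dev, "src_seen_by_host": seen_src,
            "reply_gateway": reply_gw, "return_dev": back_dev}

if __name__ == "__main__":
    print(round_trip())                           # posted setup: reply comes back via tun0
    print(round_trip(host_routes=LAN_HOST_BAD))   # wrong LAN gateway: reply never returns
```

With the posted rules the tunnel traffic leaves the server on eth1, so a MASQUERADE rule bound to ppp0 never touches it; the model is there to make that, and the return-route dependency, visible before reaching for tcpdump.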