route tap0 to eth0 [solved]

julmust · Posted: Tue Jul 04, 2006 11:57 pm Post subject: route tap0 to eth0 [solved]

I've set up openvpn and everything seems to work - i can reach the virtual IP of the vpn server from the clients and vice versa. From the clients also eth0 on the vpn server can be reached, however none of the other hosts in the remote subnet can be reached.

The question is of course, how do I route traffic via tap0 to go out on eth0 so other computers in the subnet can be reached?

This is the current route config of the server:

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

If you want your clients to be able to reach machines on the local network of the server, push the route from the server config file. Add a line like

julmust · Posted: Wed Jul 05, 2006 8:51 am Post subject:

I've done this already, i have

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

Yes, that tells the clients how to find a subnet on the server. To have the server find a subnet on the clients you will need to specify the route via iroute. To only use this on a client that has a subnet you are interested in use the client-config-dir option.

troymc · Guru Joined: 22 Mar 2006 Posts: 553

So far you've only mentioned the route for the VPN machines to talk into the local net.

Don't forget your reverse route so that your local machines know how to respond back to the VPN machines.

troymc

julmust · Posted: Wed Jul 05, 2006 1:25 pm Post subject:

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

If the endpoints of the vpn are the gateways for the network, the routes should work themselves out. If not, you will definitely need to deal with it.

That said, you will need to use iroute to route to a subnet on the client. I do this for one of my clients and I could not get anywhere until I did it this way.

julmust · Posted: Wed Jul 05, 2006 2:25 pm Post subject:

The VPN server is not the default gateway on the remote subnet, so I guess that needs to be taken care off. I'm not quite sure what you mean about iroute, but I don't want the computers on the remote subnet connected to the VPN to be able to reach the clients subnets.

As far as I follow I need to do this:
- Make sure computers on remote subnet 192.168.0.0/24 route traffic to the virtual ip range 192.168.100.00/24 to the VPN server (in my case 192.168.0.200). Would the VPN server then automagically forward this traffic out on tap0?
- It would also be really great if I could reach connected clients from the VPN server. Any ideas why clients can ping the virtual address of the VPN server, but not the other way around?
_________________
hm.. help me.

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

I may not be following what you are trying to do. Given the following

client subnet - client ---- internet --- server - server subnet

to allow the client or the client subnet to reach the server subnet you need to push a route. To allow the server or the server subnet to reach the client subnet you need to use iroute.

julmust · Posted: Wed Jul 05, 2006 3:01 pm Post subject:

I want to allow the clients to reach the server subnet, thus I have pushed a route. I don't want the server subnet to reach the client subnet. Won't this mean I don't need to use iroute? Clients will talk over their virtual IP to the server subnet and the server subnet will respond to the clients virtual ip address. Am I right or am I way off?
_________________
hm.. help me.

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

That is correct, you won't need iroute. Just push a route (the first answer I posted has what you need). Since your server is not the default gateway, you will need to make sure your server subnet knows how to get back to the client. Either add static routes to each machine or use a routing daemon to keep them updated.

julmust · Posted: Wed Jul 05, 2006 3:29 pm Post subject:

Okey, great.. the only thing left is to figure out why I can't ping the vpn client from the vpn server, this would be a good thing if I want the rest of the computers on the remote subnet to also do this, I guess.

Any ideas what could have screwed this up? As I said, I can ping the virtual vpn address from the client but not the other way around.
_________________
hm.. help me.

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

The things to look for are routes and firewalls. You can use tcpdump to watch traffic and see where it is going. You would need to post your config files and details about the rest of your configuration for me to be able to be more specific.

julmust · Posted: Wed Jul 05, 2006 3:52 pm Post subject:

This is my setup:

192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet

serverconf:

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

Most of that looks pretty good. The place I would expect problems would be the client firewall. Is that a separate machine or a firewall running on the client? If it is running on the client, you will want to make sure you are passing traffic from the vpn.

What does the output of route -n look like on the server and on the client with the vpn up and running?

julmust · Posted: Wed Jul 05, 2006 4:07 pm Post subject:

The firewall/gateway in front of the client is a d-link dfl-200. In my opinion it should be no problem, the firewall would allow traffic since it's the client that initiate the connection.

route -n on server:

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

I agree about the linksys.

The server side looks good, but the client side does not make much sense (not that routing on windows ever really makes sense). I will have to setup a windows client and see what things look like before I can tell if there is a problem with that side.

julmust · Posted: Wed Jul 05, 2006 4:21 pm Post subject:

Do you think it's the client? The client can ping the server, hence it redirects requests to the virtual vpn server to the right TAP interface. To me it seems like the servers ping request can't reach the client.. could it get lost because of the clients routing table?

I'll have to try some more later.. am on my way to London now.. i'll be back in a few days.
Thanks for the help so far!
_________________
hm.. help me.

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

Ahhh I missed that part. Since the client can ping, the routes are OK.

Most likely, the problem is the server is pinging with the wrong address. Do you have a net monitoring program you can use on the windows client? If so, you should see the ping request but you will probably see it from an unexpected address.

What is the output of ifconfig on the server?

julmust · Posted: Wed Jul 05, 2006 4:55 pm Post subject:

Raffi · l33t Joined: 17 Mar 2003 Posts: 731 Location: Moscow, Id.

I setup a windows client to my vpn and the route you show above looks OK. I doubt that I will ever get used to window's routing.

julmust · Posted: Mon Jul 10, 2006 12:07 am Post subject:

I analyzed the network traffic in Ethereal on the client side, and I can't say that made me any wiser...

When I try to ping the client from the server, the client receives ping requests. However, it does not respond.
The source of the ping request is reported to be the IP address of the server, 192.168.100.100 and the destination is obviously the clients IP address, 192.168.100.101. Even the MACs of the virtual adapters are right.

What can be wrong? The other way around, pinging server from client, works and looks perfectly normal in Ethereal.

EDIT:
Okey, this is just plain stupid. Turned out Windows had enabled a firewall for the OpenVPN virtual adapter, causing it to block the ping replies... ARGH!!!
Anyway, thanks again for your help Ruffi.
_________________
hm.. help me.