Simen Stavdal wrote:
Hello Alessandro,
Can you see any of the traffic on the inside LAN on the client side
with tcpdump?
I.e. set tcpdump on $int with
tcpdump -i <nameofinternalinterface> icmp
and then try to ping from a server?
Silly suggestion, but....
What about client-side firewalls? Do they allow themselves to be pinged?
What is your server.conf file for openvpn and the client conf file?
Simon.
Alessandro Baggi wrote:
Johan Beisser wrote:
On Mon, Jan 25, 2010 at 5:45 AM, Alessandro Baggi
<alessandro.ba...@gmail.com> wrote:
Hi list! I'm setting up a VPN between two OpenBSD firewalls.
This is the scenario:
FW1: $ext 192.168.1.33, $int 10.1.1.1, $host 10.1.3.53
FW2: $ext 192.168.1.2, $int 192.168.7.1, $host2 192.168.7.2
Then I made the certificate; the client can contact the server, and from the client I can ping a Linux machine behind the server, and from the Linux machine to the client.
Then I tried to get communication with the LAN clients behind the VPN client gw. 192.168.7.2 of FW2's VPN can communicate with 10.1.3.53, but not vice versa.
Are you permitting traffic from $host through the firewall?
What's your pf.conf?
Have you verified that your firewalls pass other traffic normally?
Hi Johan. Thanks for the answer. I've reduced my pf.conf on the client and server side to:
ext="rl0"
int="rl1"
nat on $ext from $int:network -> $ext:0
nat on tun0 from $int:network -> tun0:0
pass all
I can ping the entire server-side LAN from the LAN of the VPN client, but not vice versa.
Hi Simon. I've already tried this. I've also put tcpdump on the OpenVPN client on the tun0 interface and on rl0 (internal interface), and on tun0 of the OpenVPN server side. When I try to ping from the LAN client side I get from the OpenVPN client tcpdump on tun0:
10.0.8.6 -> 10.1.3.53
10.1.3.53 -> 10.0.8.6
on the internal interface nothing, and on tun0 of the OpenVPN server the previous result.
When I ping from this network (10.1.0.0/16) to 192.168.7.0/24 I get a result from tcpdump only on the OpenVPN server, with the natted address:
10.0.8.1 -> 192.168.7.2: icmp: echo request
10.0.8.1 -> 192.168.7.2: icmp: echo request
10.0.8.1 -> 192.168.7.2: icmp: echo request
....and so on...
These are my configuration files:
server.conf:
--------------------------
proto udp
port 1194
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/192.168.1.33.crt
key /etc/openvpn/private/192.168.1.33.key
dh /etc/openvpn/dh1024.pem
server 10.0.8.0 255.255.255.0
keepalive 10 120
comp-lzo
user _openvpn
group _openvpn
daemon openvpn
persist-key
persist-tun
client-config-dir ccd
push "route 10.1.1.1 255.255.0.0"
route 192.168.7.0 255.255.255.0
status /var/openvpn/openvpn-status.log
log-append /var/openvpn/openvpn.log
verb 8
ccd/client:
-----------------
iroute 192.168.7.0 255.255.255.0
client.conf:
------------------
client
dev tun0
proto udp
remote 192.168.1.33 1194
nobind
user _openvpn
group _openvpn
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/private/client.key
comp-lzo
verb 8
mute 20
log-append /var/openvpn/openvpn.log
This is the routing table of the openvpn server:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.1.1 UGS 2 145394 - 8 vr0
10.0.8/24 10.0.8.2 UGS 0 206 - 8 tun0
10.0.8.2 10.0.8.1 UH 3 0 - 4 tun0
10.1/16 link#1 UC 3 0 - 4 rl0
10.1/16 10.0.8.2 UGS 0 0 - 8 tun0
10.1.3.53 00:1d:60:ec:a5:14 UHLc 2 10834 - 4 rl0
192.168.7/24 10.0.8.2 UGS 0 175 - 8 tun0
loopback localhost UGRS 0 0 33200 8 lo0
localhost localhost UH 1 0 33200 4 lo0
192.168.1/24 link#3 UC 2 0 - 4 vr0
192.168.1.1 00:13:49:cb:fa:75 UHLc 1 0 - 4 vr0
192.168.1.2 00:19:66:65:53:1c UHLc 1 1158 - 4 vr0
BASE-ADDRESS.MCAST localhost URS 0 0 33200 8 lo0
This is the routing table of the openvpn client:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.1.1 UGS 1 141 - 8 re0
10.0.8.1/32 10.0.8.5 UGS 0 0 - 8 tun0
10.0.8.5 10.0.8.6 UH 2 0 - 4 tun0
10.1/16 10.0.8.5 UGS 1 105 - 8 tun0
192.168.7/24 link#2 UC 1 0 - 4 rl0
192.168.7.2 00:1f:c6:7e:35:75 UHLc 0 2 - 4 rl0
loopback localhost UGRS 0 0 33200 8 lo0
localhost localhost UH 1 0 33200 4 lo0
192.168.1/24 link#1 UC 2 0 - 4 re0
192.168.1.1 00:13:49:cb:fa:75 UHLc 1 0 - 4 re0
192.168.1.33 00:0b:6a:6e:14:2d UHLc 1 792 - 4 re0
BASE-ADDRESS.MCAST localhost
For firewall rules, I've reduced pf.conf of client and server to:
ext="rl0"
int="rl1"
nat on $ext from $int:network -> $ext:0
nat on tun0 from $int:network -> tun0:0
pass all
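Added illustration, not code from the thread: a constructed model of the server-side path a packet from 10.1.3.53 to 192.168.7.2 takes (kernel route lookup, then the `nat on tun0` rule, then the OpenVPN server's iroute lookup), using the routes, NAT rule and ccd/client entry posted above. It assumes the connected client's certificate CN is "client" so that ccd/client applies; only the tun0 NAT rule is modelled.

```python
import ipaddress

# Constructed model of the OpenVPN server's forwarding path from this thread:
# kernel route lookup -> pf "nat on tun0" -> OpenVPN iroute lookup.
# Added illustration, not the poster's code; the client CN "client" is assumed.
KERNEL_ROUTES = {                      # from the server's netstat -rn above
    "10.1.0.0/16": "rl0",
    "192.168.7.0/24": "tun0",          # route 192.168.7.0 255.255.255.0
    "192.168.1.0/24": "vr0",
    "0.0.0.0/0": "vr0",
}
NAT_RULES = [("tun0", "10.1.0.0/16", "10.0.8.1")]  # nat on tun0 from $int:network -> tun0:0
IROUTES = {"client": ["192.168.7.0/24"]}           # ccd/client: iroute 192.168.7.0 255.255.255.0


def kernel_route(dst):
    """Longest-prefix match over KERNEL_ROUTES; returns the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in KERNEL_ROUTES if addr in ipaddress.ip_network(p)]
    return KERNEL_ROUTES[str(max(matches, key=lambda n: n.prefixlen))]


def pf_nat(src, out_if):
    """Rewrite the source address if a nat rule matches the outgoing interface."""
    for rule_if, src_net, new_src in NAT_RULES:
        if rule_if == out_if and ipaddress.ip_address(src) in ipaddress.ip_network(src_net):
            return new_src
    return src


def openvpn_client_for(dst, connected):
    """OpenVPN hands a tun0 packet only to a connected client whose iroute covers dst."""
    addr = ipaddress.ip_address(dst)
    for cn in connected:
        if any(addr in ipaddress.ip_network(p) for p in IROUTES.get(cn, [])):
            return cn
    return None  # no matching iroute: the OpenVPN daemon drops the packet


def forward(src, dst, connected=("client",)):
    """Return (source as seen on the wire, interface, client CN or None if dropped)."""
    out_if = kernel_route(dst)
    src_on_wire = pf_nat(src, out_if)
    if out_if != "tun0":
        return src_on_wire, out_if, None
    return src_on_wire, out_if, openvpn_client_for(dst, connected)


if __name__ == "__main__":
    # Matches the tcpdump seen on the server's tun0: 10.0.8.1 -> 192.168.7.2
    print(forward("10.1.3.53", "192.168.7.2"))
    # Same packet when the connected client's CN has no ccd/iroute entry: dropped
    print(forward("10.1.3.53", "192.168.7.2", connected=("someothercn",)))
```

The first call reproduces the natted source address the server-side tcpdump shows; the second shows that a CN without a matching ccd iroute never receives the packet, which is one condition worth ruling out when the client's tun0 stays silent.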