Greetings - I have a routed vpn setup and I can ping back and forth from the client to the server. Now I want to expand the configuration so that I can reach a Windows Vista box behind the server from the client. My network diagram is as follows:
Client LAN address: 192.168.112.125
Client VPN address: 10.4.0.6
Server VPN address: 10.4.0.1
Server LAN address: 192.168.123.2
Server LAN network: 192.168.123.0/24
Vista box behind server, address: 192.168.123.111

The OpenVPN server is running on an OpenWRT router. This router is the WAN/LAN access point and firewall to my network, and is my LAN network router.

When the VPN is established, from the client I can ping both the 10.4.0.1 and the 192.168.123.2 addresses of the server. When I try to ping the Vista box behind the server from the client I get the following:

C:\Users\jeffb>ping 192.168.123.111

Pinging 192.168.123.111 with 32 bytes of data:
Reply from 10.4.0.1: Destination host unreachable.

I have read the How-To that explains connecting to additional machines behind the server, and know I have followed some of the steps properly, but my routing knowledge is a little fuzzy, and since I still can't connect I must not be doing something to complete the steps or doing something wrong.

Step 1. First, you must advertise the LAN (192.168.123.0/24) subnet to VPN clients as being accessible through the VPN. This can easily be done with the following server-side config file directive:

push "route 192.168.123.0 255.255.255.0"

Result of Step 1 - DONE, see server config below.

Step 2. Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.4.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

Result of Step 2. My OpenVPN server and my LAN gateway are on the same OpenWRT box. But I am not sure whether this still may apply based on my network configuration.

Step 3. Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.

Result of Step 3. IP forwarding is enabled.

root@gateway:~# cat /proc/sys/net/ipv4/ip_forward
1

I am not sure about TUN/TAP forwarding, as I am not sure of the description of this and the link in the how-to just went back to the FAQ list.

Below are my pertinent configs (both server and client) and the routing tables for the client, server, and the Vista box I am trying to connect to.

CLIENT CONFIG

client
dev tun
proto udp
remote <dynamicdns> 1194
pull
nobind
persist-key
persist-tun
tls-client
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\JABopti-755.crt"
key "C:\\Program Files\\OpenVPN\\config\\JABopti-755.key"
ns-cert-type server
resolv-retry infinite
comp-lzo
route-method exe
route-delay 2
verb 4

SERVER CONFIG

port 1194
proto udp
dev tun
tls-server
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/GatewayVPNServer.crt
key /etc/easy-rsa/keys/GatewayVPNServer.key
dh /etc/easy-rsa/keys/dh2048.pem
server 10.4.0.0 255.255.255.0
float
ifconfig-pool-persist /etc/openvpn/ipp.txt 120
push "route 192.168.123.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/openvpn-status.log
log-append /home/openvpn.log
verb 6

CLIENT ROUTING TABLE

C:\Users\jeffb>route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.112.11  192.168.112.125     10
         10.4.0.1  255.255.255.255         10.4.0.5         10.4.0.6     31
         10.4.0.4  255.255.255.252          On-link          10.4.0.6    286
         10.4.0.6  255.255.255.255          On-link          10.4.0.6    286
         10.4.0.7  255.255.255.255          On-link          10.4.0.6    286
        127.0.0.0        255.0.0.0          On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link         127.0.0.1    306
    192.168.112.0    255.255.255.0          On-link   192.168.112.125    266
  192.168.112.125  255.255.255.255          On-link   192.168.112.125    266
  192.168.112.255  255.255.255.255          On-link   192.168.112.125    266
    192.168.123.0    255.255.255.0         10.4.0.5         10.4.0.6     31
        224.0.0.0        240.0.0.0          On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link          10.4.0.6    286
        224.0.0.0        240.0.0.0          On-link   192.168.112.125    266
  255.255.255.255  255.255.255.255          On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link          10.4.0.6    286
  255.255.255.255  255.255.255.255          On-link   192.168.112.125    266
===========================================================================
Persistent Routes:
  None

SERVER ROUTING TABLE

root@gateway:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         98.125.178.1    0.0.0.0         UG    0      0        0 pppoe-wan
10.4.0.0        10.4.0.2        255.255.255.0   UG    0      0        0 tun0
10.4.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
98.125.178.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan

VISTA BOX ROUTING TABLE

Well, I can't get to that one right now as I am remote to the box. But last evening I did add a static route to its routing table using the command below and verified that it was persistent across a reboot. If this is needed for diagnosis, I can get it tonight.

C:\Users\jeffheidi>route -p add 10.4.0.0 mask 255.255.255.0 192.168.123.2

Thanks for the assistance anyone can provide. If I have left out any important details, or if additional information is needed please let me know.

Jeff Boyce
Meridian Environmental
www.meridianenv.com

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
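An added example, not part of Jeff's post and not OpenVPN's own tooling: a small Python script that applies the How-To's three steps as a hop-by-hop routing check. It parses the `route -n` and `route print` tables quoted above, does a longest-prefix lookup on each host in turn, and reports where a packet from the VPN client to the LAN host, and the reply coming back, would stop. The Vista routing table (the post only shows the `route -p add` command), the `ip_forward` toggle and the address-to-host map (`NEXT_HOP_OWNER`, including which side of the tunnel the net30 peer addresses 10.4.0.5 and 10.4.0.2 deliver to) are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gateway iface metric")   # gateway None = on-link


def parse_linux_routes(text):
    """Parse `route -n` rows: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():      # skip banner and header rows
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append(Route(net, None if f[1] == "0.0.0.0" else f[1], f[7], int(f[4])))
    return routes


def parse_windows_routes(text):
    """Parse `route print` rows: Network Destination, Netmask, Gateway, Interface, Metric."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:                               # headers, rulers, 'Persistent Routes:'
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
        except ValueError:
            continue
        routes.append(Route(net, None if f[2] == "On-link" else f[2], f[3], int(f[4])))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; the lower metric wins a tie (the rule both OSes apply)."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r.net]
    return max(hits, key=lambda r: (r.net.prefixlen, -r.metric)) if hits else None


def trace(hosts, next_hop_owner, src, dst, max_hops=8):
    """Walk a packet for dst from host src; return (path, verdict)."""
    path, cur = [src], src
    for _ in range(max_hops):
        h = hosts[cur]
        if dst in h["addrs"]:
            return path, "delivered"
        if cur != src and not h["forwarding"]:         # Step 3: transit hosts must forward
            return path, f"{cur}: ip_forward is 0, packet dropped"
        r = lookup(h["routes"], dst)
        if r is None:                                  # Steps 1/2: a route must exist
            return path, f"{cur}: no route to {dst}"
        nh = r.gateway or dst                          # on-link: hand straight to dst
        if nh not in next_hop_owner:
            return path, f"{cur}: next hop {nh} via {r.iface} is not a known host"
        cur = next_hop_owner[nh]
        path.append(cur)
    return path, "hop limit exceeded"


# Excerpt of the client's `route print` from the post (rows that matter here).
CLIENT_ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.112.11  192.168.112.125     10
         10.4.0.1  255.255.255.255         10.4.0.5         10.4.0.6     31
         10.4.0.4  255.255.255.252          On-link          10.4.0.6    286
    192.168.112.0    255.255.255.0          On-link   192.168.112.125    266
    192.168.123.0    255.255.255.0         10.4.0.5         10.4.0.6     31
"""
# The server's `route -n` from the post.
SERVER_ROUTE_N = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         98.125.178.1    0.0.0.0         UG    0      0        0 pppoe-wan
10.4.0.0        10.4.0.2        255.255.255.0   UG    0      0        0 tun0
10.4.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan
"""
# ASSUMED Vista table: the static route added in the post plus a default route
# via the OpenWrt box, which the post says is the LAN's router.
VISTA_ROUTE_PRINT = """
          0.0.0.0          0.0.0.0    192.168.123.2  192.168.123.111     10
         10.4.0.0    255.255.255.0    192.168.123.2  192.168.123.111     11
    192.168.123.0    255.255.255.0          On-link  192.168.123.111    276
"""
# ASSUMPTION: which host receives traffic sent to each next-hop address. With
# OpenVPN's net30 topology, 10.4.0.5 is the client's view of the server end and
# the server's route via 10.4.0.2 on tun0 hands the packet to the daemon, which
# delivers it to the client owning the destination address.
NEXT_HOP_OWNER = {"10.4.0.5": "server", "10.4.0.1": "server", "192.168.123.2": "server",
                  "10.4.0.2": "client", "10.4.0.6": "client", "192.168.123.111": "vista"}


def build_hosts(server_forwarding=True, vista_table=VISTA_ROUTE_PRINT):
    return {
        "client": {"addrs": {"10.4.0.6", "192.168.112.125"}, "forwarding": False,
                   "routes": parse_windows_routes(CLIENT_ROUTE_PRINT)},
        "server": {"addrs": {"10.4.0.1", "192.168.123.2"}, "forwarding": server_forwarding,
                   "routes": parse_linux_routes(SERVER_ROUTE_N)},
        "vista": {"addrs": {"192.168.123.111"}, "forwarding": False,
                  "routes": parse_windows_routes(vista_table)},
    }


def check_both_ways(hosts):
    """Forward path client -> vista and the reply vista -> client; both must deliver."""
    return (trace(hosts, NEXT_HOP_OWNER, "client", "192.168.123.111"),
            trace(hosts, NEXT_HOP_OWNER, "vista", "10.4.0.6"))


if __name__ == "__main__":
    for label, hosts in (("as posted", build_hosts()),
                         ("server ip_forward=0", build_hosts(server_forwarding=False)),
                         ("vista with no routes", build_hosts(vista_table=""))):
        print(label, *check_both_ways(hosts), sep="  ")
```

The script only says whether the routing tables permit each direction; a firewall on the OpenWrt box that does not forward between tun0 and br-lan drops the packet just the same, and no routing table shows that. Note also that the ICMP "Destination host unreachable" in the post arrives from 10.4.0.1, the server's own tunnel address, so the server is the hop reporting the failure: its forwarding rules and its ability to reach 192.168.123.111 on br-lan are what the next checks should cover.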