Hi Jeff,

On 05/11/14 21:38, Jeff Boyce wrote:
> Greetings -
>
> I have a routed vpn setup and I can ping back and forth from the client to
> the server. Now I want to expand the configuration so that I can reach a
> Windows Vista box behind the server from the client. My network diagram is
> as follows:
>
> Client LAN address 192.168.112.125
> Client VPN address 10.4.0.6
>
> Server VPN address 10.4.0.1
> Server LAN address 192.168.123.2
> Server LAN network 192.168.123.0/24
>
> Vista Box behind Server address 192.168.123.111
>
> The OpenVPN server is running on an OpenWRT router. This router is the
> WAN/LAN access point and firewall to my network, and is my LAN network
> router.
>
> When the VPN is established, from the client I can ping both the 10.4.0.1
> and the 192.168.123.2 addresses of the server. When I try to ping the Vista
> box behind the server from the client I get the following:
>
> C:\Users\jeffb>ping 192.168.123.111
> Pinging 192.168.123.111 with 32 bytes of data:
> Reply from 10.4.0.1: Destination host unreachable.
>
> I have read the How-To that explains connecting to additional machines
> behind the server, and know I have followed some of the steps properly, but
> my routing knowledge is a little fuzzy, and since I still can't connect I
> must not be doing something to complete the steps or doing something wrong.
>
> Step 1. First, you must advertise the LAN (192.168.123.0/24) subnet to VPN
> clients as being accessible through the VPN. This can easily be done with
> the following server-side config file directive:
> push "route 192.168.123.0 255.255.255.0"
>
> Result of Step 1 - DONE, see server config below.
>
> Step 2. Next, you must set up a route on the server-side LAN gateway to
> route the VPN client subnet (10.4.0.0/24) to the OpenVPN server (this is
> only necessary if the OpenVPN server and the LAN gateway are different
> machines).
>
> Result of Step 2. My OpenVPN server and my LAN gateway are on the same
> OpenWRT box. But I am not sure whether this still may apply based on my
> network configuration.
>
> Step 3. Make sure that you've enabled IP and TUN/TAP forwarding on the
> OpenVPN server machine.
>
> Result of Step 3. IP forwarding is enabled.
> root@gateway:~# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> I am not sure about TUN/TAP forwarding, as I am not sure of the description
> of this and the link in the how-to just went back to the FAQ list.
>
> Below are my pertinent configs (both server and client) and the routing
> tables for the client, server, and the Vista Box I am trying to connect to.
>
> CLIENT CONFIG
> client
> dev tun
> proto udp
> remote <dynamicdns> 1194
> pull
> nobind
> persist-key
> persist-tun
> tls-client
> ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
> cert "C:\\Program Files\\OpenVPN\\config\\JABopti-755.crt"
> key "C:\\Program Files\\OpenVPN\\config\\JABopti-755.key"
> ns-cert-type server
> resolv-retry infinite
> comp-lzo
> route-method exe
> route-delay 2
> verb 4
>
> SERVER CONFIG
> port 1194
> proto udp
> dev tun
> tls-server
> ca /etc/easy-rsa/keys/ca.crt
> cert /etc/easy-rsa/keys/GatewayVPNServer.crt
> key /etc/easy-rsa/keys/GatewayVPNServer.key
> dh /etc/easy-rsa/keys/dh2048.pem
> server 10.4.0.0 255.255.255.0
> float
> ifconfig-pool-persist /etc/openvpn/ipp.txt 120
> push "route 192.168.123.0 255.255.255.0"
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> status /etc/openvpn-status.log
> log-append /home/openvpn.log
> verb 6
>
> CLIENT ROUTING TABLE
> C:\Users\jeffb>route print
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination  Netmask          Gateway         Interface        Metric
> 0.0.0.0              0.0.0.0          192.168.112.11  192.168.112.125  10
> 10.4.0.1             255.255.255.255  10.4.0.5        10.4.0.6         31
> 10.4.0.4             255.255.255.252  On-link         10.4.0.6         286
> 10.4.0.6             255.255.255.255  On-link         10.4.0.6         286
> 10.4.0.7             255.255.255.255  On-link         10.4.0.6         286
> 127.0.0.0            255.0.0.0        On-link         127.0.0.1        306
> 127.0.0.1            255.255.255.255  On-link         127.0.0.1        306
> 127.255.255.255      255.255.255.255  On-link         127.0.0.1        306
> 192.168.112.0        255.255.255.0    On-link         192.168.112.125  266
> 192.168.112.125      255.255.255.255  On-link         192.168.112.125  266
> 192.168.112.255      255.255.255.255  On-link         192.168.112.125  266
> 192.168.123.0        255.255.255.0    10.4.0.5        10.4.0.6         31
> 224.0.0.0            240.0.0.0        On-link         127.0.0.1        306
> 224.0.0.0            240.0.0.0        On-link         10.4.0.6         286
> 224.0.0.0            240.0.0.0        On-link         192.168.112.125  266
> 255.255.255.255      255.255.255.255  On-link         127.0.0.1        306
> 255.255.255.255      255.255.255.255  On-link         10.4.0.6         286
> 255.255.255.255      255.255.255.255  On-link         192.168.112.125  266
> ===========================================================================
> Persistent Routes:
> None
>
> SERVER ROUTING TABLE
> root@gateway:~# route -n
> Kernel IP routing table
> Destination    Gateway       Genmask          Flags  Metric  Ref  Use  Iface
> 0.0.0.0        98.125.178.1  0.0.0.0          UG     0       0    0    pppoe-wan
> 10.4.0.0       10.4.0.2      255.255.255.0    UG     0       0    0    tun0
> 10.4.0.2       0.0.0.0       255.255.255.255  UH     0       0    0    tun0
> 98.125.178.1   0.0.0.0       255.255.255.255  UH     0       0    0    pppoe-wan
> 192.168.123.0  0.0.0.0       255.255.255.0    U      0       0    0    br-lan
>
> VISTA BOX ROUTING TABLE
> Well I can't get to that one right now as I am remote to the box. But last
> evening I did add a static route to its routing table using the command
> below and verified that it was persistent across a reboot. If this is
> needed for diagnosis, I can get it tonight.
>
> C:\Users\jeffheidi>route -p add 10.4.0.0 mask 255.255.255.0 192.168.123.2
>
> Thanks for the assistance anyone can provide. If I have left out any
> important details, or if additional information is needed please let me
> know.
>

Nice and extensive post, but what exactly is not working?
Have you tried pinging the machine on the server-side LAN?
Can you ping the LAN IP of the VPN server from the client?
Is there a firewall blocking access (typically FORWARDing rules)?
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
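
An added example, not part of the original thread: a longest-prefix-match lookup over the client and server routing tables quoted above, tracing the ping to 192.168.123.111 and its reply, then deriving the interface pairs the server has to forward between. It models the routing tables only; the firewall's FORWARD rules for those pairs are a separate check. The function names are hypothetical, and it assumes the request arrives on the interface that routes back to the client.

```python
import ipaddress

# Rows copied from the routing tables quoted in the post (host, loopback,
# multicast and broadcast rows of the client table omitted).
# Fields: destination, netmask, gateway, interface.
CLIENT_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.112.11", "192.168.112.125"),
    ("10.4.0.1", "255.255.255.255", "10.4.0.5", "10.4.0.6"),
    ("10.4.0.4", "255.255.255.252", "On-link", "10.4.0.6"),
    ("192.168.112.0", "255.255.255.0", "On-link", "192.168.112.125"),
    ("192.168.123.0", "255.255.255.0", "10.4.0.5", "10.4.0.6"),
]
SERVER_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "98.125.178.1", "pppoe-wan"),
    ("10.4.0.0", "255.255.255.0", "10.4.0.2", "tun0"),
    ("10.4.0.2", "255.255.255.255", "0.0.0.0", "tun0"),
    ("98.125.178.1", "255.255.255.255", "0.0.0.0", "pppoe-wan"),
    ("192.168.123.0", "255.255.255.0", "0.0.0.0", "br-lan"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (gateway, interface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gateway, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gateway, iface)
    return best[1:] if best else None


def forward_pairs(client_vpn, lan_host):
    """(in, out) interface pairs the server must forward for this ping."""
    to_lan = lookup(SERVER_ROUTES, lan_host)[1]    # request leaves here
    to_vpn = lookup(SERVER_ROUTES, client_vpn)[1]  # reply leaves here
    return [(to_vpn, to_lan), (to_lan, to_vpn)]


if __name__ == "__main__":
    print("client ->", lookup(CLIENT_ROUTES, "192.168.123.111"))
    print("server ->", lookup(SERVER_ROUTES, "192.168.123.111"))
    print("reply  ->", lookup(SERVER_ROUTES, "10.4.0.6"))
    print("forward:", forward_pairs("10.4.0.6", "192.168.123.111"))
```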