-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/11/14 00:09, Jeff Boyce wrote:
> ----- Original Message -----
> From: "Jan Just Keijser" <janj...@nikhef.nl>
> To: "Jeff Boyce" <jbo...@meridianenv.com>; <openvpn-users@lists.sourceforge.net>
> Sent: Wednesday, November 05, 2014 2:48 PM
> Subject: Re: [Openvpn-users] Classic case of can't reach machine behind OpenVPN server from the connected client
>
>
>> Hi Jeff,
>>
>> On 05/11/14 21:38, Jeff Boyce wrote:
>>> Greetings -
>>>
>>> I have a routed VPN setup and I can ping back and forth from the client
>>> to the server. Now I want to expand the configuration so that I can
>>> reach a Windows Vista box behind the server from the client. My network
>>> diagram is as follows:
>>>
>>> Client LAN address 192.168.112.125
>>> Client VPN address 10.4.0.6
>>>
>>> Server VPN address 10.4.0.1
>>> Server LAN address 192.168.123.2
>>> Server LAN network 192.168.123.0/24
>>>
>>> Vista Box behind Server address 192.168.123.111
>>>
>>> The OpenVPN server is running on an OpenWRT router. This router is the
>>> WAN/LAN access point and firewall to my network, and is my LAN network
>>> router.
>>>
>>> When the VPN is established, from the client I can ping both the
>>> 10.4.0.1 and the 192.168.123.2 addresses of the server. When I try to
>>> ping the Vista box behind the server from the client I get the
>>> following:
>>>
>>> C:\Users\jeffb>ping 192.168.123.111
>>>
>>> Pinging 192.168.123.111 with 32 bytes of data:
>>> Reply from 10.4.0.1: Destination host unreachable.
>>>
>>> I have read the How-To that explains connecting to additional machines
>>> behind the server, and know I have followed some of the steps properly,
>>> but my routing knowledge is a little fuzzy, and since I still can't
>>> connect I must not be doing something to complete the steps or doing
>>> something wrong.
>>>
>>> Step 1. First, you must advertise the LAN (192.168.123.0/24) subnet to
>>> VPN clients as being accessible through the VPN. This can easily be
>>> done with the following server-side config file directive:
>>>
>>> push "route 192.168.123.0 255.255.255.0"
>>>
>>> Result of Step 1 - DONE, see server config below.
>>>
>>> Step 2. Next, you must set up a route on the server-side LAN gateway to
>>> route the VPN client subnet (10.4.0.0/24) to the OpenVPN server (this is
>>> only necessary if the OpenVPN server and the LAN gateway are different
>>> machines).
>>>
>>> Result of Step 2. My OpenVPN server and my LAN gateway are on the same
>>> OpenWRT box. But I am not sure whether this still may apply based on my
>>> network configuration.
>>>
>>> Step 3. Make sure that you've enabled IP and TUN/TAP forwarding on the
>>> OpenVPN server machine.
>>>
>>> Result of Step 3. IP forwarding is enabled.
>>>
>>> root@gateway:~# cat /proc/sys/net/ipv4/ip_forward
>>> 1
>>>
>>> I am not sure about TUN/TAP forwarding, as I am not sure of the
>>> description of this and the link in the how-to just went back to the
>>> FAQ list.
>>>
>>> Below are my pertinent configs (both server and client) and the routing
>>> tables for the client, server, and the Vista Box I am trying to connect
>>> to.
>>>
>>> CLIENT CONFIG
>>>
>>> client
>>> dev tun
>>> proto udp
>>> remote <dynamicdns> 1194
>>> pull
>>> nobind
>>> persist-key
>>> persist-tun
>>> tls-client
>>> ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
>>> cert "C:\\Program Files\\OpenVPN\\config\\JABopti-755.crt"
>>> key "C:\\Program Files\\OpenVPN\\config\\JABopti-755.key"
>>> ns-cert-type server
>>> resolv-retry infinite
>>> comp-lzo
>>> route-method exe
>>> route-delay 2
>>> verb 4
>>>
>>> SERVER CONFIG
>>>
>>> port 1194
>>> proto udp
>>> dev tun
>>> tls-server
>>> ca /etc/easy-rsa/keys/ca.crt
>>> cert /etc/easy-rsa/keys/GatewayVPNServer.crt
>>> key /etc/easy-rsa/keys/GatewayVPNServer.key
>>> dh /etc/easy-rsa/keys/dh2048.pem
>>> server 10.4.0.0 255.255.255.0
>>> float
>>> ifconfig-pool-persist /etc/openvpn/ipp.txt 120
>>> push "route 192.168.123.0 255.255.255.0"
>>> keepalive 10 120
>>> comp-lzo
>>> persist-key
>>> persist-tun
>>> status /etc/openvpn-status.log
>>> log-append /home/openvpn.log
>>> verb 6
>>>
>>>
>>> CLIENT ROUTING TABLE
>>>
>>> C:\Users\jeffb>route print
>>>
>>> IPv4 Route Table
>>> ===========================================================================
>>> Active Routes:
>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>           0.0.0.0          0.0.0.0   192.168.112.11  192.168.112.125     10
>>>          10.4.0.1  255.255.255.255         10.4.0.5         10.4.0.6     31
>>>          10.4.0.4  255.255.255.252          On-link          10.4.0.6    286
>>>          10.4.0.6  255.255.255.255          On-link          10.4.0.6    286
>>>          10.4.0.7  255.255.255.255          On-link          10.4.0.6    286
>>>         127.0.0.0        255.0.0.0          On-link         127.0.0.1    306
>>>         127.0.0.1  255.255.255.255          On-link         127.0.0.1    306
>>>   127.255.255.255  255.255.255.255          On-link         127.0.0.1    306
>>>     192.168.112.0    255.255.255.0          On-link   192.168.112.125    266
>>>   192.168.112.125  255.255.255.255          On-link   192.168.112.125    266
>>>   192.168.112.255  255.255.255.255          On-link   192.168.112.125    266
>>>     192.168.123.0    255.255.255.0         10.4.0.5          10.4.0.6     31
>>>         224.0.0.0        240.0.0.0          On-link         127.0.0.1    306
>>>         224.0.0.0        240.0.0.0          On-link          10.4.0.6    286
>>>         224.0.0.0        240.0.0.0          On-link   192.168.112.125    266
>>>   255.255.255.255  255.255.255.255          On-link         127.0.0.1    306
>>>   255.255.255.255  255.255.255.255          On-link          10.4.0.6    286
>>>   255.255.255.255  255.255.255.255          On-link   192.168.112.125    266
>>> ===========================================================================
>>>
>>> Persistent Routes:
>>>   None
>>>
>>> SERVER ROUTING TABLE
>>>
>>> root@gateway:~# route -n
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 0.0.0.0         98.125.178.1    0.0.0.0         UG    0      0        0 pppoe-wan
>>> 10.4.0.0        10.4.0.2        255.255.255.0   UG    0      0        0 tun0
>>> 10.4.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>>> 98.125.178.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
>>> 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan
>>>
>>>
>>> VISTA BOX ROUTING TABLE
>>>
>>> Well, I can't get to that one right now as I am remote to the box. But
>>> last evening I did add a static route to its routing table using the
>>> command below and verified that it was persistent across a reboot. If
>>> this is needed for diagnosis, I can get it tonight.
>>>
>>> C:\Users\jeffheidi>route -p add 10.4.0.0 mask 255.255.255.0 192.168.123.2
>>>
>>> Thanks for the assistance anyone can provide. If I have left out any
>>> important details, or if additional information is needed please let me
>>> know.
>>>
>>>
>> Nice and extensive post, but what exactly is not working? Have you tried
>> pinging the machine on the server-side LAN? Can you ping the LAN IP of
>> the VPN server from the client? Is there a firewall blocking access
>> (typically FORWARDing rules)?
>>
> Jan - Yea, the problem sometimes with providing good detailed posts is
> that it may not be so easy to identify the issue. So in a brief summary,
> my issue is that I am unable to access the Vista box behind the server
> (which my goal is to be able to access it remotely). The Vista box is
> 192.168.123.111, and when I try to ping it from the client connected to
> the OpenVPN server I get the following reply.
>
> C:\Users\jeffb>ping 192.168.123.111
>
> Pinging 192.168.123.111 with 32 bytes of data:
> Reply from 10.4.0.1: Destination host unreachable.
>
> I can ping the LAN side of the OpenVPN server (192.168.123.2), and can
> even ping it by name.
Maybe this can help: <http://pekster.sdf.org/misc/serverlan.png>

(We use that one quite frequently on #openvpn @ FreeNode)

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRbQPYACgkQDC186MBRfrreRQCgk4vywQgKhKDoLacMYfpllPK1
GEcAn1tgSBbNY+Uwn/01I9uuGNmRvZ3H
=x+fQ
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
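The HOWTO steps Jeff quotes (push the LAN route, give the LAN gateway a return route to the VPN subnet, enable ip_forward) are really one question: does an echo request from the client reach the Vista box, and does the reply find its way back? The small simulator below is an added example, not code from the thread or from the OpenVPN project. It walks a packet hop by hop with longest-prefix routing over the client and server routing tables Jeff posted, and replays the three failure modes the HOWTO steps guard against. It assumes the Vista box uses 192.168.123.2 as its default gateway (the thread says the OpenWRT box is the LAN router, but Jeff never posted that table); the separate LAN gateway "lan-gw" at 192.168.123.1 with upstream 203.0.113.1 is hypothetical, standing in for the different-machine case of step 2; the tunnel is modelled as a point-to-point link whose peer is fixed, so the virtual /30 addresses 10.4.0.5 and 10.4.0.2 never need an owner. It models routing and ip_forward only, not the iptables FORWARD rules Jan asks about, which can drop a packet even when every route is correct.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    addrs: set                                 # addresses the host owns
    routes: list                               # (cidr, gateway or None, iface); longest prefix wins
    p2p: dict = field(default_factory=dict)    # iface -> peer host for point-to-point tunnels
    forwards: bool = True                      # /proc/sys/net/ipv4/ip_forward


# Routes copied from the thread (loopback, multicast and broadcast rows omitted).
CLIENT_ROUTES = [
    ("0.0.0.0/0", "192.168.112.11", "lan"),
    ("10.4.0.1/32", "10.4.0.5", "tun"),
    ("10.4.0.4/30", None, "tun"),
    ("192.168.112.0/24", None, "lan"),
    ("192.168.123.0/24", "10.4.0.5", "tun"),   # the pushed route from step 1
]
SERVER_ROUTES = [
    ("0.0.0.0/0", "98.125.178.1", "pppoe-wan"),
    ("10.4.0.0/24", "10.4.0.2", "tun0"),
    ("10.4.0.2/32", None, "tun0"),
    ("192.168.123.0/24", None, "br-lan"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, iface) or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, gw, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def trace(hosts, start, dst, max_hops=8):
    """Walk one packet from host `start` toward address `dst`.
    Returns (delivered, [hosts visited], reason)."""
    owner = {ip: name for name, h in hosts.items() for ip in h.addrs}
    here, path = start, [start]
    for _ in range(max_hops):
        host = hosts[here]
        if dst in host.addrs:
            return True, path, "delivered"
        if here != start and not host.forwards:      # step 3: transit host must forward
            return False, path, f"{here} has ip_forward=0"
        route = lookup(host.routes, dst)
        if route is None:
            return False, path, f"{here} has no route to {dst}"
        gw, iface = route
        if iface in host.p2p:
            nxt = host.p2p[iface]              # tunnel: peer is fixed, gateway address is virtual
        else:
            nxt = owner.get(gw or dst)         # on-link delivery or next-hop gateway
            if nxt is None:
                return False, path, f"{here} sends to {gw or dst} via {iface}, nobody answers"
        here = nxt
        path.append(here)
    return False, path, "hop limit exceeded"


def round_trip(hosts, src_host, src_ip, dst_host, dst_ip):
    """Echo request one way, echo reply back. Returns (ok, full path, reason)."""
    ok, fwd, why = trace(hosts, src_host, dst_ip)
    if not ok:
        return False, fwd, why
    ok, back, why = trace(hosts, dst_host, src_ip)
    return ok, fwd + back[1:], ("ok" if ok else "reply: " + why)


def build(vista_gateway="192.168.123.2", lan_gw_knows_vpn=False, server_forwards=True):
    """Topology from the thread. Assumed: the Vista box uses `vista_gateway` as its
    default gateway; 'lan-gw' (192.168.123.1) and its upstream 203.0.113.1 are
    hypothetical, standing in for the separate LAN gateway of HOWTO step 2."""
    hosts = {
        "client": Host({"192.168.112.125", "10.4.0.6"}, CLIENT_ROUTES, {"tun": "server"}),
        "server": Host({"10.4.0.1", "192.168.123.2"}, SERVER_ROUTES, {"tun0": "client"}, server_forwards),
        "vista": Host({"192.168.123.111"},
                      [("0.0.0.0/0", vista_gateway, "lan"), ("192.168.123.0/24", None, "lan")]),
    }
    lan_gw_routes = [("0.0.0.0/0", "203.0.113.1", "wan"), ("192.168.123.0/24", None, "lan")]
    if lan_gw_knows_vpn:
        lan_gw_routes.append(("10.4.0.0/24", "192.168.123.2", "lan"))  # the step-2 route
    hosts["lan-gw"] = Host({"192.168.123.1"}, lan_gw_routes)
    return hosts


def ping_vista(hosts):
    """The ping from the thread: client 10.4.0.6 -> Vista box 192.168.123.111 and back."""
    return round_trip(hosts, "client", "10.4.0.6", "vista", "192.168.123.111")


if __name__ == "__main__":
    for label, hosts in [
        ("server is the LAN gateway (the thread's setup)", build()),
        ("separate LAN gateway, no VPN route", build(vista_gateway="192.168.123.1")),
        ("separate LAN gateway with step-2 route", build("192.168.123.1", lan_gw_knows_vpn=True)),
        ("ip_forward=0 on the server", build(server_forwards=False)),
    ]:
        ok, path, why = ping_vista(hosts)
        print(f"{label}: {'OK' if ok else 'FAIL'}  {' -> '.join(path)}  ({why})")
```

With the thread's own topology the round trip succeeds, which is why step 2 is marked optional when the OpenVPN server is also the LAN router: the Vista box's default gateway already sends the reply to the machine holding tun0, and the static route Jeff added on the Vista box changes nothing. Only when the LAN's default gateway is a different machine does the reply leak out the WAN side until that gateway learns 10.4.0.0/24 via 192.168.123.2. A "Destination host unreachable" answered by 10.4.0.1 is generated on the server itself, so the request is at least reaching the server; the next things to check are the server's br-lan delivery to 192.168.123.111 and the FORWARD chain on the OpenWRT firewall.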