My comments in-line below.

----- Original Message ----- 
From: "Mathias Jeschke" <openvpn-us...@0xaffe.de>
To: <openvpn-users@lists.sourceforge.net>
Cc: "Jeff Boyce" <jbo...@meridianenv.com>
Sent: Wednesday, November 05, 2014 2:04 PM
Subject: Re: [Openvpn-users] Classic case of can't reach machine behind OpenVPN server from the connected client


> Hi Jeff,
>
> Jeff Boyce wrote:
>
>> When the VPN is established, from the client I can ping both the 10.4.0.1
>> and the 192.168.123.2 addresses of the server.  When I try to ping the Vista
>> box behind the server from the client I get the following:
>>
>> C:\Users\jeffb>ping 192.168.123.111
>> Pinging 192.168.123.111 with 32 bytes of data:
>> Reply from 10.4.0.1:  Destination host unreachable.
>
> This sounds like you haven't adjusted the firewall config of your OpenWrt 
> router, thus the messages are rejected by netfilter/iptables.
>
> I guess you need at least something like this:
>
> $ cat /etc/config/network
> ...
> config interface 'vpn'
> option ifname 'tun0'
> option defaultroute '0'
> option peerdns '0'
> option proto 'none'
>

I had everything here in my network config file, except the defaultroute and 
peerdns options.  After reviewing what those options are, I am not sure that 
they are necessary, but I have included them in my config now.

>
> $ cat /etc/config/firewall
> ...
> config zone
> option name 'vpn'
> option input 'ACCEPT'
> option output 'ACCEPT'
> option forward 'ACCEPT'
> option network 'vpn'
>

I had Option Forward REJECT on this.  I have changed this to ACCEPT on the 
VPN zone, and also changed it to ACCEPT on the LAN zone (which was also 
REJECT).

> config forwarding
> option src 'vpn'
> option dest 'lan'
>

I had the above forwarding setup in my configuration already.

> config forwarding
> option src 'lan'
> option dest 'vpn'
>

I did NOT have this forwarding setup originally, but have now added it.

>
> See also http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tun
>

Yep, I have seen and read that one.  Have read all the Openwrt.org wikis.

> The "lan side" of the server is reachable as this doesn't pass the FORWARD 
> chain of the netfilter.

Thanks for the info, that is what I suspected.

>
> HTH,
> Mathias.
>

Sorry for taking a while to respond to these suggestions, as I was also 
trying to get a Wireshark log on the Vista box of what was occurring per Jan 
Just's suggestion.  Since I am remote to the Vista box when testing it takes 
a little bit of back and forth time, especially when Wireshark seems to fail 
logging before I get the test run.  Working on another set of logging today, 
and will check it tonight.

So after all these changes, and restarting services, and even rebooting the 
router, the result was the same.  In summary, trying to ping the Vista box 
behind the Server would result in the response: Reply from 10.4.0.1: 
Destination host unreachable.  Address 10.4.0.1 is the tunnel address at the 
server end of the VPN tunnel.  So it seems to me that the server end of the 
tunnel doesn't know what the LAN network is behind it.

@David - thanks for the decision diagram.  I kind of had that pictured in my 
head as I was going through this, but it is nice to see that someone has it 
clearly diagrammed.  In my issue I am at this point in the diagram.
1.  Can you ping another machine in the LAN?
No.
2.  Do you have access to the router?
Yes, I control the router.  (I also have access to the target machine on the 
LAN).
3.  Add a route to the router so it knows how to reach the VPN subnet.
This is where my routing knowledge (or the lack thereof) shows, as I am not 
exactly sure what to put here.  It also doesn't help that I am working with 
OpenWRT which is a little bit different in networking and firewalling 
configuration than I am used to.  So if anyone can educate me, or help me 
educate myself I would appreciate it.

I made one change on the Vista box last night, and testing the connection 
again this morning I get a slightly different result to a ping test.  The 
change I made on the Vista Box was to add a persistent route:  Destination 
10.4.0.0  Netmask 255.255.255.0 and Gateway 10.4.0.1.  Sorry, but I forgot 
to get a printout of the routing table after that change before leaving the 
house this morning.  The new result of the ping test is Request Timed Out, 
rather than Destination Host Unreachable.  Don't know if that helps any. 
Following David's diagram, I would rather have a solution that makes a 
change at the router rather than an individual box on the LAN behind the 
router, for when I do replace a box in a few months.

Jeff
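
Added example (not from the thread or from OpenWrt): a small Python checker for the zone/forwarding model discussed above, run against a constructed UCI firewall fragment that mirrors the quoted 'vpn' zone and vpn->lan forwarding. It assumes an additional 'lan' zone containing the 'lan' network with forward REJECT, as Jeff describes his original setup.

```python
"""Check whether an OpenWrt UCI firewall config lets OpenVPN clients
(network 'vpn' = tun0) be forwarded to hosts in the 'lan' zone.
Added example, not from the thread; SAMPLE_FIREWALL is constructed."""

SAMPLE_FIREWALL = """\
config zone
    option name 'lan'
    option forward 'REJECT'
    option network 'lan'

config zone
    option name 'vpn'
    option forward 'ACCEPT'
    option network 'vpn'

config forwarding
    option src 'vpn'
    option dest 'lan'
"""


def parse_uci(text):
    """Return [(section_type, {option: value}), ...] from UCI-style text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif line.startswith("option ") and sections:
            _, key, value = line.split(None, 2)
            sections[-1][1][key] = value.strip("'\"")
    return sections


def zone_of_network(sections, network):
    """Map a UCI network name (e.g. 'vpn') to the firewall zone holding it."""
    for kind, opts in sections:
        if kind == "zone" and network in opts.get("network", "").split():
            return opts["name"]
    return None


def forwarding_allowed(sections, src_net, dst_net):
    """Inter-zone traffic needs an explicit 'config forwarding' src->dest;
    a zone's own 'forward' option only covers networks inside that zone."""
    src, dst = zone_of_network(sections, src_net), zone_of_network(sections, dst_net)
    if src is None or dst is None:
        return False  # unknown network: no zone, so netfilter drops it
    if src == dst:
        zone = next(o for k, o in sections if k == "zone" and o["name"] == src)
        return zone.get("forward") == "ACCEPT"
    return any(k == "forwarding" and o.get("src") == src and o.get("dest") == dst
               for k, o in sections)
```

Adding the reverse `config forwarding` (src 'lan', dest 'vpn') to the sample, as Jeff did, makes `forwarding_allowed(..., "lan", "vpn")` return True as well.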


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users