
Routing problem with OpenVPN.



Hi guys,

I wonder if I could pick your minds for a moment with a routing problem I am having.

I've been asked to set up a VPN for a client so they can log into their Linux server from home. That part of things I was able to handle, no problems. Now he wants to be able to use VNCviewer to take over his work desktop over the VPN, and it is here that I am having routing problems.

The work network is a 192.168.0.0/24 network, with the VPN/Samba server on 192.168.0.22 and the internet gateway router on 192.168.0.21.


The VPN is using OpenVPN in a TUN routed mode. (meaning the network it is connecting to must have a different subnet from the home network.) I'm using my laptop and home network to test this before setting it up at his end.

The network looks like this:

Internal machine on work network.
X (this machine can ping the remote laptop,
X but the remote laptop cannot ping it.)
X 192.168.0.27
X
X
OpenVPN/Samba server (192.168.0.22 local interface )
| (Tun VPN interface 10.254.0.1)
|
|
|
Internet gateway router.  (192.168.0.21 local interface)
| (Router port forwards port 5000 traffic to VPN server: 192.168.0.22)
|
|INTERNET
|
|
|
Home network router. (192.168.1.4)
| (NAT provided to local clients)
|
|
Laptop 192.168.1.16 (Tun  10.254.0.2)
Running VPN client, connecting to VPN server perfectly, able to ping the VPN server's local network connection as well as its VPN IPs
(pinging both 192.168.0.22 and 10.254.0.1 works fine from here.)
But this machine cannot ping any addresses past the VPN server, and that is what I need to solve.


The route on the client laptop is:
ROUTE ADD 192.168.0.0 MASK 255.255.255.0 10.254.0.2

Which correctly directs all traffic for a 192.168.0.0/24 network over the VPN to the server.

The route on the server is:
route add 192.168.1.0  netmask 255.255.255.0 gw 10.254.0.1
Which correctly directs traffic for 192.168.1.x to the TUN VPN.
(since the server already has an interface on the 192.168.0.x network, it has a default route for those packets in its routing table as well.)

- The VPN server can ping everyone: internal clients behind it, the router itself, and my remote 192.168.1.16 address.
- The remote laptop can ping all of the VPN server's interfaces.
- The remote laptop can NOT ping any other machine on that remote work network other than the server's interfaces,
and that is what I need to fix.

It seems like the VPN server will not accept any packets for IPs that it doesn't have an exact interface match for, even though it has a route statement in place that is supposed to route any 192.168.0.x packets out of its own local interface to that network (eth0).
I've been pulling my hair out all weekend trying to work this out.

If it helps, here is the routing table from the VPN server.

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.254.0.2      *               255.255.255.255 UH        0 0          0 tun0
192.168.1.0     10.254.0.1      255.255.255.0   UG        0 0          0 tun0
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         vpn.eze-grou    0.0.0.0         UG        0 0          0 eth0

As you can see, it has a default route for 192.168.0.x because it has a local interface on that network. I've added the "192.168.1.0 10.254.0.1 255.255.255.0 UG 0 0 0 tun0" entry to route traffic for 192.168.1.x to the VPN, which is working perfectly.

But the VPN server will not accept a ping from the remote laptop and route it to a machine on its local network, and I can't figure out why. I even tried at one stage adding an explicit route like so: 192.168.0.27 192.168.0.22 255.255.255.255 UGH 0 0 0 eth0

to see if I could get it to accept the ping to 192.168.0.27 and route it to its local eth0 interface (192.168.0.22),
but that hasn't worked either.

There are no firewalls blocking anything, so it's not a case of filtering.

Please please PLEASE, anyone with any knowledge of routing have a look at this and see what I'm missing.. :-)


rgds

Franki
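As an added example (not part of Franki's post), the longest-prefix route lookup below replays the posted server table and an assumed table for the 192.168.0.27 desktop, separating the two things a forwarding host needs: a route for the request out eth0 (which the posted table already has) and, on the target, a return route for 10.254.0.x that points back at 192.168.0.22, plus net.ipv4.ip_forward enabled on the server. The desktop's routing table, the 192.168.0.21 default gateway (the post shows only a truncated hostname) and the hard-coded 192.168.0.22 next hop are assumptions.

```python
import ipaddress

# Constructed sample input: the OpenVPN server's routing table as posted
# (netstat -r), as (destination, gateway, genmask, iface). "*" means the
# destination is directly attached. The default gateway appears only as a
# hostname in the post; it is ASSUMED here to be the 192.168.0.21 router.
SERVER_ROUTES = [
    ("10.254.0.2", "*", "255.255.255.255", "tun0"),
    ("192.168.1.0", "10.254.0.1", "255.255.255.0", "tun0"),
    ("192.168.0.0", "*", "255.255.255.0", "eth0"),
    ("127.0.0.0", "*", "255.0.0.0", "lo"),
    ("0.0.0.0", "192.168.0.21", "0.0.0.0", "eth0"),
]

# ASSUMED routing table of the internal work desktop 192.168.0.27: the post
# does not show it, only that the LAN's gateway router is 192.168.0.21.
DESKTOP_ROUTES = [
    ("192.168.0.0", "*", "255.255.255.0", "eth0"),
    ("0.0.0.0", "192.168.0.21", "0.0.0.0", "eth0"),
]

VPN_SERVER_LAN = "192.168.0.22"  # the server's eth0 address from the post

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: the most specific matching
    destination wins. Returns (gateway or None if directly attached, iface)."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best = None, None
    for dest, gw, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best = net, (None if gw == "*" else gw, iface)
    return best

def trace(src, dst, server_routes, target_routes, ip_forward):
    """Follow an echo request src->dst arriving at the VPN server over tun0,
    then the echo reply the target would send. Returns a short verdict."""
    if not ip_forward:
        return "request dropped at server: net.ipv4.ip_forward is 0"
    out = lookup(server_routes, dst)
    if out is None:
        return "request dropped at server: no route"
    back = lookup(target_routes, src)
    # The reply only reaches the laptop if the target hands it to the VPN server.
    if back is None or back[0] != VPN_SERVER_LAN:
        hop = "no route" if back is None else f"next hop {back[0] or 'link-local'}"
        return f"request forwarded out {out[1]}; reply never reaches VPN server ({hop})"
    return f"request forwarded out {out[1]}; reply returns via {VPN_SERVER_LAN} on {back[1]}"
```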


