----- Original Message -----
From: "Jan Just Keijser" <janj...@nikhef.nl>
To: "Jeff Boyce" <jbo...@meridianenv.com>; <openvpn-users@lists.sourceforge.net>
Sent: Wednesday, November 05, 2014 2:48 PM
Subject: Re: [Openvpn-users] Classic case of can't reach machine behind OpenVPN server from the connected client

> Hi Jeff,
>
> On 05/11/14 21:38, Jeff Boyce wrote:
>> Greetings -
>>
>> I have a routed VPN setup and I can ping back and forth from the client to
>> the server. Now I want to expand the configuration so that I can reach a
>> Windows Vista box behind the server from the client. My network diagram is
>> as follows:
>>
>> Client LAN address                 192.168.112.125
>> Client VPN address                 10.4.0.6
>>
>> Server VPN address                 10.4.0.1
>> Server LAN address                 192.168.123.2
>> Server LAN network                 192.168.123.0/24
>>
>> Vista Box behind Server address    192.168.123.111
>>
>> The OpenVPN server is running on an OpenWRT router. This router is the
>> WAN/LAN access point and firewall to my network, and is my LAN network
>> router.
>>
>> When the VPN is established, from the client I can ping both the 10.4.0.1
>> and the 192.168.123.2 addresses of the server. When I try to ping the Vista
>> box behind the server from the client I get the following:
>>
>> C:\Users\jeffb>ping 192.168.123.111
>> Pinging 192.168.123.111 with 32 bytes of data:
>> Reply from 10.4.0.1: Destination host unreachable.
>>
>> I have read the How-To that explains connecting to additional machines
>> behind the server, and know I have followed some of the steps properly, but
>> my routing knowledge is a little fuzzy, and since I still can't connect I
>> must not be doing something to complete the steps or doing something wrong.
>>
>> Step 1. First, you must advertise the LAN (192.168.123.0/24) subnet to VPN
>> clients as being accessible through the VPN. This can easily be done with
>> the following server-side config file directive:
>>     push "route 192.168.123.0 255.255.255.0"
>>
>> Result of Step 1 - DONE, see server config below.
>>
>> Step 2. Next, you must set up a route on the server-side LAN gateway to
>> route the VPN client subnet (10.4.0.0/24) to the OpenVPN server (this is
>> only necessary if the OpenVPN server and the LAN gateway are different
>> machines).
>>
>> Result of Step 2. My OpenVPN server and my LAN gateway are on the same
>> OpenWRT box. But I am not sure whether this still may apply based on my
>> network configuration.
>>
>> Step 3. Make sure that you've enabled IP and TUN/TAP forwarding on the
>> OpenVPN server machine.
>>
>> Result of Step 3. IP forwarding is enabled.
>>     root@gateway:~# cat /proc/sys/net/ipv4/ip_forward
>>     1
>>
>> I am not sure about TUN/TAP forwarding, as I am not sure of the description
>> of this and the link in the How-To just went back to the FAQ list.
>>
>> Below are my pertinent configs (both server and client) and the routing
>> tables for the client, server, and the Vista box I am trying to connect to.
>>
>> CLIENT CONFIG
>> client
>> dev tun
>> proto udp
>> remote <dynamicdns> 1194
>> pull
>> nobind
>> persist-key
>> persist-tun
>> tls-client
>> ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
>> cert "C:\\Program Files\\OpenVPN\\config\\JABopti-755.crt"
>> key "C:\\Program Files\\OpenVPN\\config\\JABopti-755.key"
>> ns-cert-type server
>> resolv-retry infinite
>> comp-lzo
>> route-method exe
>> route-delay 2
>> verb 4
>>
>> SERVER CONFIG
>> port 1194
>> proto udp
>> dev tun
>> tls-server
>> ca /etc/easy-rsa/keys/ca.crt
>> cert /etc/easy-rsa/keys/GatewayVPNServer.crt
>> key /etc/easy-rsa/keys/GatewayVPNServer.key
>> dh /etc/easy-rsa/keys/dh2048.pem
>> server 10.4.0.0 255.255.255.0
>> float
>> ifconfig-pool-persist /etc/openvpn/ipp.txt 120
>> push "route 192.168.123.0 255.255.255.0"
>> keepalive 10 120
>> comp-lzo
>> persist-key
>> persist-tun
>> status /etc/openvpn-status.log
>> log-append /home/openvpn.log
>> verb 6
>>
>> CLIENT ROUTING TABLE
>> C:\Users\jeffb>route print
>>
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0   192.168.112.11  192.168.112.125     10
>>          10.4.0.1  255.255.255.255         10.4.0.5         10.4.0.6     31
>>          10.4.0.4  255.255.255.252         On-link          10.4.0.6    286
>>          10.4.0.6  255.255.255.255         On-link          10.4.0.6    286
>>          10.4.0.7  255.255.255.255         On-link          10.4.0.6    286
>>         127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
>>         127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
>>   127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>>     192.168.112.0    255.255.255.0         On-link   192.168.112.125    266
>>   192.168.112.125  255.255.255.255         On-link   192.168.112.125    266
>>   192.168.112.255  255.255.255.255         On-link   192.168.112.125    266
>>     192.168.123.0    255.255.255.0         10.4.0.5         10.4.0.6     31
>>         224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
>>         224.0.0.0        240.0.0.0         On-link          10.4.0.6    286
>>         224.0.0.0        240.0.0.0         On-link   192.168.112.125    266
>>   255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>>   255.255.255.255  255.255.255.255         On-link          10.4.0.6    286
>>   255.255.255.255  255.255.255.255         On-link   192.168.112.125    266
>> ===========================================================================
>> Persistent Routes:
>>   None
>>
>> SERVER ROUTING TABLE
>> root@gateway:~# route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 0.0.0.0         98.125.178.1    0.0.0.0         UG    0      0        0 pppoe-wan
>> 10.4.0.0        10.4.0.2        255.255.255.0   UG    0      0        0 tun0
>> 10.4.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>> 98.125.178.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
>> 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan
>>
>> VISTA BOX ROUTING TABLE
>> Well, I can't get to that one right now as I am remote to the box. But last
>> evening I did add a static route to its routing table using the command
>> below and verified that it was persistent across a reboot. If this is
>> needed for diagnosis, I can get it tonight.
>>
>> C:\Users\jeffheidi>route -p add 10.4.0.0 mask 255.255.255.0 192.168.123.2
>>
>> Thanks for the assistance anyone can provide. If I have left out any
>> important details, or if additional information is needed please let me
>> know.
>>
>>
> Nice and extensive post, but what exactly is not working? Have you tried
> pinging the machine on the server-side LAN?
> Can you ping the LAN IP of the VPN server from the client?
> Is there a firewall blocking access (typically FORWARDing rules)?
>

Jan -

Yeah, the problem sometimes with providing good detailed posts is that it
may not be so easy to identify the issue. So in a brief summary, my issue is
that I am unable to access the Vista box behind the server (my goal is to be
able to access it remotely). The Vista box is 192.168.123.111, and when I
try to ping it from the client connected to the OpenVPN server I get the
following reply.

C:\Users\jeffb>ping 192.168.123.111
Pinging 192.168.123.111 with 32 bytes of data:
Reply from 10.4.0.1: Destination host unreachable.

I can ping the LAN side of the OpenVPN server (192.168.123.2), and can even
ping it by name.

Jeff

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
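The step 2 question in the thread (does the return route still matter when the OpenVPN server and the LAN gateway are the same box) can be answered mechanically from the tables that were posted. The script below is an added example, not code from any message in the thread: it copies the client and server routing tables quoted above, constructs a Vista table from the one static route Jeff posted plus an assumed default gateway of 192.168.123.2 (the post says the OpenWRT box is the LAN router but does not show the Vista table), and walks a packet hop by hop with longest-prefix matching. The names trace, lookup, HOSTS, ADDRESSES and NEXT_HOP_OWNER are mine; the mapping of the net30 endpoints 10.4.0.5 and 10.4.0.2 to the server and client is how OpenVPN's default tun topology behaves.

```python
"""Hop-by-hop longest-prefix-match walk over the routing tables quoted in the
thread. Added example, not code from the original post. The Vista table is
constructed; see the comment on it."""
import ipaddress

# Client table: unicast rows copied from `route print` in the post
# (Destination Netmask Gateway Interface; metric dropped).
CLIENT_ROUTES = """
0.0.0.0          0.0.0.0          192.168.112.11   192.168.112.125
10.4.0.1         255.255.255.255  10.4.0.5         10.4.0.6
10.4.0.4         255.255.255.252  On-link          10.4.0.6
192.168.112.0    255.255.255.0    On-link          192.168.112.125
192.168.123.0    255.255.255.0    10.4.0.5         10.4.0.6
"""

# Server table copied from `route -n` on the OpenWRT box.
SERVER_ROUTES = """
0.0.0.0         98.125.178.1    0.0.0.0         UG  0 0 0 pppoe-wan
10.4.0.0        10.4.0.2        255.255.255.0   UG  0 0 0 tun0
10.4.0.2        0.0.0.0         255.255.255.255 UH  0 0 0 tun0
98.125.178.1    0.0.0.0         255.255.255.255 UH  0 0 0 pppoe-wan
192.168.123.0   0.0.0.0         255.255.255.0   U   0 0 0 br-lan
"""

# Vista table: CONSTRUCTED. The 10.4.0.0/24 row is the static route Jeff
# added; the default route via 192.168.123.2 is an assumption.
VISTA_ROUTES = """
0.0.0.0          0.0.0.0          192.168.123.2    192.168.123.111
10.4.0.0         255.255.255.0    192.168.123.2    192.168.123.111
192.168.123.0    255.255.255.0    On-link          192.168.123.111
"""


def parse_windows(table):
    """Rows of `route print`: destination, netmask, gateway, interface."""
    routes = []
    for line in table.strip().splitlines():
        dest, mask, gateway, iface = line.split()[:4]
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, None if gateway == "On-link" else gateway, iface))
    return routes


def parse_linux(table):
    """Rows of `route -n`: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in table.strip().splitlines():
        fields = line.split()
        dest, gateway, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, None if gateway == "0.0.0.0" else gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the rule both kernels apply (metric tie-breaks ignored)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


HOSTS = {
    "client": parse_windows(CLIENT_ROUTES),
    "server": parse_linux(SERVER_ROUTES),
    "vista": parse_windows(VISTA_ROUTES),
}

# Addresses each host answers for, taken from the network diagram in the post.
ADDRESSES = {
    "client": {"192.168.112.125", "10.4.0.6"},
    "server": {"10.4.0.1", "192.168.123.2"},
    "vista": {"192.168.123.111"},
}

# Which host receives a packet handed to a given next hop. 10.4.0.5 and 10.4.0.2
# are the net30 point-to-point endpoints: the client's next hop 10.4.0.5 lands on
# the OpenVPN server, and a packet the server sends to 10.4.0.2 on tun0 is
# delivered by the OpenVPN daemon to the client that holds 10.4.0.6.
NEXT_HOP_OWNER = {
    "10.4.0.5": "server", "10.4.0.1": "server", "192.168.123.2": "server",
    "10.4.0.2": "client", "10.4.0.6": "client",
    "192.168.123.111": "vista",
}


def trace(start, dst, hosts=None, max_hops=6):
    """Hosts a packet to dst traverses, ending in 'delivered', 'no route' or
    'unknown next hop <ip>'. Pure routing-table walk: no firewall, no ARP."""
    hosts = hosts or HOSTS
    path, host = [start], start
    for _ in range(max_hops):
        if dst in ADDRESSES[host]:
            return path + ["delivered"]
        route = lookup(hosts[host], dst)
        if route is None:
            return path + ["no route"]
        _net, gateway, _iface = route
        next_hop = gateway or dst  # on-link route: hand the packet to dst itself
        owner = NEXT_HOP_OWNER.get(next_hop)
        if owner is None:
            return path + ["unknown next hop " + next_hop]
        path.append(owner)
        host = owner
    return path + ["hop limit"]


if __name__ == "__main__":
    print("forward:", " -> ".join(trace("client", "192.168.123.111")))
    print("return: ", " -> ".join(trace("vista", "10.4.0.6")))
```

Run as is, the forward path resolves client -> server -> vista and the return path vista -> server -> client. Dropping the constructed Vista table's 10.4.0.0/24 row gives the same return path, because under the stated assumption the Vista box's default gateway is the very machine running OpenVPN, which is what the HOWTO means by step 2 being unnecessary when server and LAN gateway coincide. The walk knows nothing about firewalls or ARP, so when it comes out consistent like this, the "Destination host unreachable" arriving from 10.4.0.1 is being generated on the router itself, and what is left to check is what Jan asked about: the FORWARD chain on the OpenWRT box, and whether the router can reach 192.168.123.111 on br-lan at all (ping and arp from the router).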