On 06/11/14 00:09, Jeff Boyce wrote:
> ----- Original Message -----
> From: "Jan Just Keijser" <janj...@nikhef.nl>
> To: "Jeff Boyce" <jbo...@meridianenv.com>; <openvpn-users@lists.sourceforge.net>
> Sent: Wednesday, November 05, 2014 2:48 PM
> Subject: Re: [Openvpn-users] Classic case of can't reach machine behind OpenVPN server from the connected client
>
>> Hi Jeff,
>>
>> On 05/11/14 21:38, Jeff Boyce wrote:
>>> Greetings -
>>>
>>> I have a routed VPN setup and I can ping back and forth from the client to
>>> the server. Now I want to expand the configuration so that I can reach a
>>> Windows Vista box behind the server from the client. My network diagram is
>>> as follows:
>>>
>>> Client LAN address 192.168.112.125
>>> Client VPN address 10.4.0.6
>>>
>>> Server VPN address 10.4.0.1
>>> Server LAN address 192.168.123.2
>>> Server LAN network 192.168.123.0/24
>>>
>>> Vista box behind server address 192.168.123.111
>>>
>>> The OpenVPN server is running on an OpenWRT router. This router is the
>>> WAN/LAN access point and firewall to my network, and is my LAN network
>>> router.
>>>
>>> When the VPN is established, from the client I can ping both the 10.4.0.1
>>> and the 192.168.123.2 addresses of the server. When I try to ping the Vista
>>> box behind the server from the client I get the following:
>>>
>>> C:\Users\jeffb>ping 192.168.123.111
>>> Pinging 192.168.123.111 with 32 bytes of data:
>>> Reply from 10.4.0.1: Destination host unreachable.
>>>
>>> I have read the How-To that explains connecting to additional machines
>>> behind the server, and know I have followed some of the steps properly, but
>>> my routing knowledge is a little fuzzy, and since I still can't connect I
>>> must not be doing something to complete the steps or doing something wrong.
>>>
>>> Step 1. First, you must advertise the LAN (192.168.123.0/24) subnet to VPN
>>> clients as being accessible through the VPN. This can easily be done with
>>> the following server-side config file directive:
>>> push "route 192.168.123.0 255.255.255.0"
>>>
>>> Result of Step 1 - DONE, see server config below.
>>>
>>> Step 2. Next, you must set up a route on the server-side LAN gateway to
>>> route the VPN client subnet (10.4.0.0/24) to the OpenVPN server (this is
>>> only necessary if the OpenVPN server and the LAN gateway are different
>>> machines).
>>>
>>> Result of Step 2. My OpenVPN server and my LAN gateway are on the same
>>> OpenWRT box. But I am not sure whether this still may apply based on my
>>> network configuration.
>>>
>>> Step 3. Make sure that you've enabled IP and TUN/TAP forwarding on the
>>> OpenVPN server machine.
>>>
>>> Result of Step 3. IP forwarding is enabled.
>>> root@gateway:~# cat /proc/sys/net/ipv4/ip_forward
>>> 1
>>>
>>> I am not sure about TUN/TAP forwarding, as I am not sure of the description
>>> of this, and the link in the How-To just went back to the FAQ list.
>>>
>>> Below are my pertinent configs (both server and client) and the routing
>>> tables for the client, server, and the Vista box I am trying to connect to.
>>>
>>> CLIENT CONFIG
>>> client
>>> dev tun
>>> proto udp
>>> remote <dynamicdns> 1194
>>> pull
>>> nobind
>>> persist-key
>>> persist-tun
>>> tls-client
>>> ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
>>> cert "C:\\Program Files\\OpenVPN\\config\\JABopti-755.crt"
>>> key "C:\\Program Files\\OpenVPN\\config\\JABopti-755.key"
>>> ns-cert-type server
>>> resolv-retry infinite
>>> comp-lzo
>>> route-method exe
>>> route-delay 2
>>> verb 4
>>>
>>> SERVER CONFIG
>>> port 1194
>>> proto udp
>>> dev tun
>>> tls-server
>>> ca /etc/easy-rsa/keys/ca.crt
>>> cert /etc/easy-rsa/keys/GatewayVPNServer.crt
>>> key /etc/easy-rsa/keys/GatewayVPNServer.key
>>> dh /etc/easy-rsa/keys/dh2048.pem
>>> server 10.4.0.0 255.255.255.0
>>> float
>>> ifconfig-pool-persist /etc/openvpn/ipp.txt 120
>>> push "route 192.168.123.0 255.255.255.0"
>>> keepalive 10 120
>>> comp-lzo
>>> persist-key
>>> persist-tun
>>> status /etc/openvpn-status.log
>>> log-append /home/openvpn.log
>>> verb 6
>>>
>>> CLIENT ROUTING TABLE
>>> C:\Users\jeffb>route print
>>>
>>> IPv4 Route Table
>>> ===========================================================================
>>> Active Routes:
>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>           0.0.0.0          0.0.0.0   192.168.112.11  192.168.112.125      10
>>>          10.4.0.1  255.255.255.255         10.4.0.5         10.4.0.6      31
>>>          10.4.0.4  255.255.255.252          On-link         10.4.0.6     286
>>>          10.4.0.6  255.255.255.255          On-link         10.4.0.6     286
>>>          10.4.0.7  255.255.255.255          On-link         10.4.0.6     286
>>>         127.0.0.0        255.0.0.0          On-link        127.0.0.1     306
>>>         127.0.0.1  255.255.255.255          On-link        127.0.0.1     306
>>>   127.255.255.255  255.255.255.255          On-link        127.0.0.1     306
>>>     192.168.112.0    255.255.255.0          On-link  192.168.112.125     266
>>>   192.168.112.125  255.255.255.255          On-link  192.168.112.125     266
>>>   192.168.112.255  255.255.255.255          On-link  192.168.112.125     266
>>>     192.168.123.0    255.255.255.0         10.4.0.5         10.4.0.6      31
>>>         224.0.0.0        240.0.0.0          On-link        127.0.0.1     306
>>>         224.0.0.0        240.0.0.0          On-link         10.4.0.6     286
>>>         224.0.0.0        240.0.0.0          On-link  192.168.112.125     266
>>>   255.255.255.255  255.255.255.255          On-link        127.0.0.1     306
>>>   255.255.255.255  255.255.255.255          On-link         10.4.0.6     286
>>>   255.255.255.255  255.255.255.255          On-link  192.168.112.125     266
>>> ===========================================================================
>>> Persistent Routes:
>>>   None
>>>
>>> SERVER ROUTING TABLE
>>> root@gateway:~# route -n
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 0.0.0.0         98.125.178.1    0.0.0.0         UG    0      0        0 pppoe-wan
>>> 10.4.0.0        10.4.0.2        255.255.255.0   UG    0      0        0 tun0
>>> 10.4.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>>> 98.125.178.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
>>> 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan
>>>
>>> VISTA BOX ROUTING TABLE
>>> Well, I can't get to that one right now as I am remote to the box. But last
>>> evening I did add a static route to its routing table using the command
>>> below and verified that it was persistent across a reboot. If this is
>>> needed for diagnosis, I can get it tonight.
>>>
>>> C:\Users\jeffheidi>route -p add 10.4.0.0 mask 255.255.255.0 192.168.123.2
>>>
>>> Thanks for the assistance anyone can provide. If I have left out any
>>> important details, or if additional information is needed, please let me
>>> know.
>>>
>> Nice and extensive post, but what exactly is not working? Have you tried
>> pinging the machine on the server-side LAN?
>> Can you ping the LAN IP of the VPN server from the client?
>> Is there a firewall blocking access (typically FORWARDing rules)?
>>
> Jan -
> Yea, the problem sometimes with providing good detailed posts is that it may
> not be so easy to identify the issue. So in a brief summary, my issue is
> that I am unable to access the Vista box behind the server (which my goal is
> to be able to access remotely). The Vista box is 192.168.123.111, and
> when I try to ping it from the client connected to the OpenVPN server I get
> the following reply.
>
> C:\Users\jeffb>ping 192.168.123.111
> Pinging 192.168.123.111 with 32 bytes of data:
> Reply from 10.4.0.1: Destination host unreachable.
>
> I can ping the LAN side of the OpenVPN server (192.168.123.2), and can even
> ping it by name.
>
I'd install Wireshark on the Vista client 192.168.123.111 and then watch for
incoming traffic as you ping it from the other end; if there is traffic coming
in then it's most likely a return route issue; if there is no traffic reaching
the 192.168.123.111 machine then it's a routing or firewalling problem
elsewhere (most likely the OpenWRT router).
HTH,
JJK

Openvpn-users mailing list: Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
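As an added illustration (not part of the thread), a small Python route-lookup simulation over the tables Jeff posted: it resolves the forward leg (client to Vista box) and the return leg (Vista box back to the client) hop by hop with longest-prefix matching, so the "return route" half of Jan's diagnosis can be checked on paper before looking at the OpenWRT FORWARD rules. The Vista table is an assumption (only its LAN route plus the static route from the post), since Jeff could not fetch it.

```python
import ipaddress

# Routing entries transcribed from the thread (client "route print", server
# "route -n", Vista "route -p add") as (network, gateway or None, interface).
# ASSUMPTION: the Vista table holds only its LAN route plus that static route.
TABLES = {
    "client 10.4.0.6": [
        ("0.0.0.0/0", "192.168.112.11", "192.168.112.125"),
        ("10.4.0.1/32", "10.4.0.5", "10.4.0.6"),
        ("10.4.0.4/30", None, "10.4.0.6"),
        ("192.168.123.0/24", "10.4.0.5", "10.4.0.6"),
    ],
    "server 192.168.123.2": [
        ("0.0.0.0/0", "98.125.178.1", "pppoe-wan"),
        ("10.4.0.0/24", "10.4.0.2", "tun0"),
        ("192.168.123.0/24", None, "br-lan"),
    ],
    "vista 192.168.123.111": [
        ("10.4.0.0/24", "192.168.123.2", "192.168.123.111"),
        ("192.168.123.0/24", None, "192.168.123.111"),
    ],
}

def lookup(table, dst):
    # Longest-prefix match: (network, gateway, iface), or None if no entry fits.
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw, i) for n, gw, i in table
            if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def trace(hops, dst):
    # Resolve dst at each hop in order; stop at the first hop with no route.
    out = []
    for hop in hops:
        m = lookup(TABLES[hop], dst)
        out.append((hop, "NO ROUTE" if m is None else (m[1] or "on-link")))
        if m is None:
            break
    return out

def round_trip():
    # Forward leg client -> Vista, then the return leg Vista -> client.
    fwd = trace(["client 10.4.0.6", "server 192.168.123.2"], "192.168.123.111")
    back = trace(["vista 192.168.123.111", "server 192.168.123.2"], "10.4.0.6")
    return fwd, back

def without_static_route():
    # Return leg at the Vista box if its 'route -p add 10.4.0.0 ...' were absent.
    vista = [r for r in TABLES["vista 192.168.123.111"] if r[0] != "10.4.0.0/24"]
    return "NO ROUTE" if lookup(vista, "10.4.0.6") is None else "routed"
```

With the posted tables both legs resolve, which is why the Wireshark test Jan describes is the useful next step: if nothing arrives at 192.168.123.111 the remaining suspect is filtering on the router, not a missing route.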