Comments at bottom.

----- Original Message -----
From: "Mathias Jeschke" <openvpn-us...@0xaffe.de>
To: <openvpn-users@lists.sourceforge.net>
Cc: "Jeff Boyce" <jbo...@meridianenv.com>
Sent: Friday, November 07, 2014 3:19 PM
Subject: Re: [Openvpn-users] Classic case of can't reach machine behind OpenVPN server from the connected client
> Hi Jeff,
>
> See response inline:
>
> Jeff Boyce wrote:
>
>>> I guess you need at least something like this:
>>>
>>> $ cat /etc/config/network
>>> ...
>>> config interface 'vpn'
>>>         option ifname 'tun0'
>>>         option defaultroute '0'
>>>         option peerdns '0'
>>>         option proto 'none'
>>>
>>
>> I had everything here in my network config file, except the defaultroute
>> and peerdns options. After reviewing what those options are, I am not sure
>> that they are necessary, but I have included them in my config now.
>
> Maybe they are not really needed - most important is to have that "vpn"
> interface that can be used in the firewall config.
>
>>> $ cat /etc/config/firewall
>>> ...
>>> config zone
>>>         option name 'vpn'
>>>         option input 'ACCEPT'
>>>         option output 'ACCEPT'
>>>         option forward 'ACCEPT'
>>>         option network 'vpn'
>>>
>>
>> I had Option Forward REJECT on this. I have changed this to ACCEPT on
>> the VPN zone, and also changed it to ACCEPT on the LAN zone (which was
>> also REJECT).
>
> That's definitely needed.
>
>> So after all these changes, and restarting services, and even rebooting
>> the router, the result was the same. In summary, trying to ping the Vista
>> box behind the Server would result in the response: Reply from 10.4.0.1:
>> Destination host unreachable. Address 10.4.0.1 is the tunnel address at
>> the server end of the VPN tunnel. So it seems to me that the server end of
>> the tunnel doesn't know what the LAN network is behind it.
>
> If you are able to ping the Vista box from the OpenWrt router it still
> sounds like a firewall issue to me - either on the router or on the Vista
> box.
>
> Since the OpenWrt router is configured as the default gateway on the Vista
> box you don't need to add additional routes (except for the OpenVPN
> client, which should be done by the OpenVPN config.)
>
> In order to identify the firewall that causes the issue, I would disable
> all firewalls first, retry the ping tests, and enable them again step by
> step.
>
> On the OpenWrt box this can be done by:
> $ /etc/init.d/firewall stop
> and to enable:
> $ /etc/init.d/firewall start
> (Warning: this also disables NAT/MASQUERADING and may disconnect hosts
> behind the router from the internet!)
>
> On Vista there is also a way to completely disable the firewall.
>
> If the OpenWrt firewall is the origin of the issue it helps to see what
> are the resulting iptables rules. The OpenWrt firewall config is just used
> for a set of macros/scripts which create iptables rules.
>
> Please send those iptables rules and you will probably get further help
> here ;)
>
> $ iptables -L -n -v
> $ iptables -L -n -v -t nat
>
> Cheers,
> Mathias.

I have been having a little trouble with keeping Wireshark running long enough
on the Vista Box for me to see whether it is receiving the pings or not. It
keeps stopping with an error before I get to the remote client location to run
the ping test. That is more of a logistical issue that I might be able to
address differently at another time. However, I turned off the firewall on the
OpenWRT router (confirmed with $ iptables -L -n) then ran the ping test again.
The result is the same (Reply from 10.4.0.1: Destination host unreachable).
That to me indicates that my issue is with routing, and not with the firewall.
Which then takes me to the decision diagram provided by David previously and
puts me at the point of "Add a route to the router so it knows how to reach the
VPN subnet". Which is where my lack of routing knowledge gets me stuck, as I am
not sure what exactly to put for a static route, and also the right syntax to
put into an OpenWRT config. Does it seem like I am on the right track with this
synopsis? Thanks.
Jeff
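As an added example (not part of the thread and not OpenWrt's own tooling), the following POSIX sh script does the check that the "does the router have a route to the VPN subnet" step of the decision diagram asks for: it looks a destination up in a routing table shaped like `ip route` output on the router, distinguishes "reached via tun0" from "only the default route matches" (which would send the packet out the WAN), and prints the `config route` stanza for /etc/config/network when nothing covers the address. The tunnel subnet 10.4.0.0/24 is an assumption based on the 10.4.0.1 tunnel address, and the routing table is a constructed sample, not output from anyone's router.

```shell
#!/bin/sh
# Added example, not from the thread: longest-prefix lookup of a destination in
# a routing table, plus the OpenWrt UCI static-route stanza for the uncovered
# case. The /24 tunnel subnet is an assumption; the table is a constructed sample.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0.2
10.4.0.0/24 dev tun0 proto kernel scope link src 10.4.0.1
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.5
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1'

# Dotted quad -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside prefix $2 ("a.b.c.d/len", or a bare host).
in_prefix() {
    net=${2%/*}; plen=${2#*/}; [ "$plen" = "$2" ] && plen=32
    mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Most specific route in table $1 covering address $2: prints "dev prefixlen",
# or nothing when no route (not even a default) matches.
route_dev() {
    best_len=-1; best_dev=""
    while read -r dst rest; do
        [ "$dst" = default ] && dst=0.0.0.0/0
        len=${dst#*/}; [ "$len" = "$dst" ] && len=32
        if in_prefix "$2" "$dst" && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_dev=${rest#*dev }; best_dev=${best_dev%% *}
        fi
    done <<EOF
$1
EOF
    if [ "$best_len" -ge 0 ]; then echo "$best_dev $best_len"; fi
}

# OpenWrt /etc/config/network stanza for a static route (UCI "route" section).
uci_route_stanza() {
    printf "config route '%s'\n\toption interface '%s'\n\toption target '%s'\n\toption netmask '%s'\n" "$1" "$2" "$3" "$4"
}

# Explain how destination $2 is reached according to table $1 (assumes a /24).
check_route() {
    set -- "$2" $(route_dev "$1" "$2")   # -> dest [dev prefixlen]
    if [ -z "$2" ]; then echo "no route to $1"; uci_route_stanza vpn_route vpn "${1%.*}.0" 255.255.255.0
    elif [ "$3" -eq 0 ]; then echo "$1 matches only the default route via $2 (would leave through the WAN)"
    else echo "$1 is reached via $2 (/$3)"; fi
}

check_route "$SAMPLE_ROUTES" 10.4.0.77
check_route "$SAMPLE_ROUTES" 8.8.8.8
```

To run it against a real table, replace SAMPLE_ROUTES with the output of `ip route` on the router and use the VPN client's tunnel address as the destination.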