Hi,
you're giving lots of info and leaving some important stuff out :)
See comments inline
On 02/10/17 19:17, Xen wrote:
So it appears that by upgrading a client to 2.4 something stopped working.
I have a rather old Synology server.
Version is 2.1.4
Topology is as follows:
Home network --> VPN server --> VPN client --> client behind client
Home network (my computer) has a route for the VPN and a route for the client
behind client.
10.3.0.0 255.255.255.0 192.168.0.3 192.168.0.100 26
10.8.0.0 255.255.255.0 192.168.0.3 192.168.0.100 26
VPN server has a route for home network, VPN client and client behind client:
10.8.0.25 dev tun0
192.168.0.0/24 dev eth0 src 192.168.0.3
10.3.0.0/24 via 10.8.0.25 dev tun0
So, which box is the synology server?
As well as for the entire VPN:
10.8.0.0/24 dev tun0 src 10.8.0.1
10.8.0.0/24 dev tun1 src 10.8.0.1
VPN client has a route for home network, internal client, and VPN:
10.3.0.0/24 dev lxc-nat-bridge proto kernel scope link src 10.3.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.25
192.168.0.0/24 via 10.8.0.1 dev tun0
And the client behind the client only has one route:
default via 10.3.0.1 dev eth0
Now normally this works fine.
Currently the:
- home computer can reach the vpn client
- vpn client can reach the home computer
- internal host (10.3.0.2) can reach the VPN address of the server (10.8.0.1)
But that's where it ends. The internal client (10.3.0.2) is unable to reach the
home network and vice versa.
Without knowing your server config, this is "expected behaviour": the VPN server will not know how to handle packets coming from
an internal client and will discard them. This is not new behaviour, BTW.
The client config file is as follows:
ifconfig-push 10.8.0.25 255.255.255.0
iroute 10.3.0.0 255.255.255.0
push 'route 192.168.0.0 255.255.255.0'
Before, I used no topology. I did use the above. Now the 2.4 client expects a p2p topology by default and complains about the
above ifconfig-push directive.
I assume the iroute is currently not working.
What topology should I use? I now forced it to "subnet".
The 'iroute' does not do anything on the client; that's a server statement. The
'ifconfig-push' should have worked with OpenVPN 2.4.
Try adding an
iroute 10.3.0.0 255.255.255.0
to a CCD file named 'bugger' inside the *SERVER* config, so that the VPN server knows that the network 10.3.0.0 is to be found
"behind" the VPN client 'bugger', e.g.
mkdir /etc/openvpn/clients
chmod 755 /etc/openvpn/clients
echo "iroute 10.3.0.0 255.255.255.0" > /etc/openvpn/clients/bugger
And add "client-config-dir /etc/openvpn/clients" to the VPN server config. This option was present in OpenVPN 2.1 already, so
this is not something you need to do as a result of the upgrade. Also, check that the CCD file is picked up by the server by
running with "verb 5" and look for any references to client-config files.
HTH,
JJK
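The advice above boils down to a handful of consistency rules between the server config and the CCD file: the server must actually read the CCD directory, every `iroute` in a CCD file needs a matching `route` in the server config so the kernel sends packets into the tunnel (OpenVPN's own documentation ties the two together), no two clients may claim the same `iroute` network, and an `ifconfig-push` address must lie inside the server's pool. The script below is an added example written for this page, not code from the thread or from the OpenVPN project; it checks those rules against constructed "before" and "after" server configs built from the values quoted in the thread. The CCD file name must equal the client certificate's common name ('bugger' here is assumed to be that CN). The topology check is an assumption: it flags the netmask form of `ifconfig-push` when `topology subnet` is not set, because under the default net30 topology the second argument is the peer endpoint, not a netmask.

```python
"""Consistency checker for an OpenVPN server config plus its client-config-dir (CCD).

Added example for the mailing-list thread above; not part of OpenVPN.
All config text is constructed for the example.
"""
import ipaddress
import shlex

# Constructed: server config before the fix (no client-config-dir, no route, default topology).
SERVER_CONF_BEFORE = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
"""

# Constructed: server config after applying the thread's advice.
SERVER_CONF_AFTER = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/clients
route 10.3.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
"""

# Constructed CCD files, keyed by file name (which OpenVPN matches to the client cert CN).
CCD_FILES = {
    "bugger": "ifconfig-push 10.8.0.25 255.255.255.0\n"
              "iroute 10.3.0.0 255.255.255.0\n"
              "push 'route 192.168.0.0 255.255.255.0'\n",
}


def parse_directives(text):
    """Return [(directive, [args])] for each non-comment line, honouring quoting."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def network(addr, mask="255.255.255.255"):
    """Build an IPv4Network from OpenVPN's 'address netmask' argument style."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check(server_conf, ccd_files):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    opts = {}
    for name, args in parse_directives(server_conf):
        opts.setdefault(name, []).append(args)

    if "client-config-dir" not in opts:
        findings.append("server: no client-config-dir, so CCD files are never read")
    topology = opts.get("topology", [["net30"]])[0][0]
    pool = network(*opts["server"][0][:2]) if "server" in opts else None
    # 'route' installs the kernel route into the tun device; 'iroute' only
    # tells OpenVPN's internal routing table which client owns the network.
    kernel_routes = {network(*a[:2]) for a in opts.get("route", []) if len(a) >= 2}

    owners = {}
    for cn, text in ccd_files.items():
        for name, args in parse_directives(text):
            if name == "iroute" and args:
                net = network(*args[:2])
                if net in owners:
                    findings.append(f"{cn}: iroute {net} already claimed by '{owners[net]}'")
                owners[net] = cn
                if net not in kernel_routes:
                    findings.append(f"{cn}: iroute {net} has no matching 'route {net}' "
                                    "in the server config (kernel will not forward into tun)")
            elif name == "ifconfig-push" and len(args) >= 2:
                addr = ipaddress.IPv4Address(args[0])
                if pool and addr not in pool:
                    findings.append(f"{cn}: ifconfig-push {addr} is outside server pool {pool}")
                # Assumption: netmask-style second argument only makes sense with 'topology subnet'.
                if topology != "subnet" and args[1].startswith("255."):
                    findings.append(f"{cn}: ifconfig-push gives a netmask but topology is "
                                    f"{topology}; set 'topology subnet' on the server")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SERVER_CONF_BEFORE), ("after", SERVER_CONF_AFTER)):
        print(f"== {label} ==")
        for f in check(conf, CCD_FILES) or ["ok"]:
            print(" ", f)
```

Run it as-is to see the three findings for the "before" config and none for the "after" one; point `SERVER_CONF_*` and `CCD_FILES` at real file contents to check a live deployment, and keep the "verb 5" log check from the thread as the runtime confirmation that the server actually loaded the CCD file.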
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users