OpenVPN client cannot route to LAN

TheAmazingSteve · 09-23-2005, 10:17 AM

I'm have problems configuring OpenVPN.

While my WinXP box (in a test DMZ area, 192.168.1.15) can connect to my Debian (Sarge) server on my LAN (10.42.42.146), I cannot access other servers on the LAN. (Which, of course, is the whole purpose.)

I can ping over the VPN to the server (10.42.5.1), but I cannot ping to other internal boxes (e.g. 10.42.42.20, which is pingable within my LAN).

Since an initial connection and a direct ping work just fine, I belive my firewall is directing 192.1.68.1.75 UDP:1194 to 10.42.42.146 just fine.

I have executed the following on the Debian server, which should allow for packet forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

Any thoughts? Assistance greatly appreciated!

server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.42.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.42.42.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3

client.conf:
client
dev tun
proto udp
remote 192.168.1.75 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

C:\>netstat -rn

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 70 6c 63 de ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport

0x10004 ...00 0a e6 42 22 32 ...... SiS 900-Based PCI Fast Ethernet Adapter - Vi rtual Machine Network Services Driver ===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface
Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.15 20
10.42.5.1 255.255.255.255 10.42.5.5 10.42.5.6 1
10.42.5.4 255.255.255.252 10.42.5.6 10.42.5.6 30
10.42.5.6 255.255.255.255 127.0.0.1 127.0.0.1 30
10.42.42.0 255.255.255.0 10.42.5.5 10.42.5.6 1
10.255.255.255 255.255.255.255 10.42.5.6 10.42.5.6 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.15 192.168.1.15 20
192.168.1.15 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.15 192.168.1.15 20
224.0.0.0 240.0.0.0 10.42.5.6 10.42.5.6 30
224.0.0.0 240.0.0.0 192.168.1.15 192.168.1.15 20
255.255.255.255 255.255.255.255 10.42.5.6 10.42.5.6 1
255.255.255.255 255.255.255.255 192.168.1.15 192.168.1.15 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

TheAmazingSteve · 09-29-2005, 03:40 PM

The problem was neither in the OpenVPN server nor the client!

Seems that the destination servers (ping targets, for example) need to have a route back to the OpenVPN client (throught the OpenVPN server) in order to work.

A few "route add" commands on select servers and things worked great.

I will do better by having the LAN gateway know what to do when I implement this VPN solution. (No custom routes on each machine in the LAN... yuck!)

Thanks to those who scratches their heads on this one!

- Steve