VPN routing / packet forwarding

14 posts • Page 1 of 1
The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Wed Aug 30, 2006 10:43 pm

I set up a VPN tunnel between our office and our colo and I can ping the end points of the tunnel from one another, but can't get either end point to forward traffic to either network. I am using OpenVPN.

HostA is on the 192.168.5.0/24 network with address 192.168.5.22 (eth0) and has a VPN adapter address of 192.168.15.2 (tun0)
HostB is on the 192.168.1.0/24 network with address 192.168.1.22 (eth0) and has a VPN adapter address of 192.168.15.1 (tun0)

The routing table on HostA (office)

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.15.1    *               255.255.255.255 UH    0      0        0 tun0
192.168.5.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.15.1    255.255.255.0   UG    0      0        0 tun0
default         192.168.5.253   0.0.0.0         UG    0      0        0 eth0

The routing table on HostB (colo)

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.15.2    *               255.255.255.255 UH    0      0        0 tun0
192.168.5.0     192.168.15.2    255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

And iptables (same on both hosts)

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have checked that ip_forward is turned on more than a few times

Code:
cat /proc/sys/net/ipv4/ip_forward
1

What am I missing?!?! Why can't I get any data to pass through either host? If I ping something on the 192.168.5.0/24 network from HostB or the 192.168.1.0/24 network from HostA, I get nothing..

Thanks guys..
hilbert_space (n00b, Posts: 34, Joined: Mon Jun 26, 2006 10:57 pm, Location: 50°8'11" N 8°17'41" E)

Post by hilbert_space » Thu Aug 31, 2006 12:08 am

Without any additional config, you should be able to ping the two ends of the VPN tunnel from each computer, in your case 192.168.15.x. If this is not the case:
Do the openvpn daemons find each other? Look into the system log; if they are connecting to each other, you will see something like this:

Code:
Aug 30 14:55:56 neo openvpn[8111]: [psi] Peer Connection Initiated with 85.214.19.126:1194

If this is not the case, any errors?

What's your openvpn config on both sides? Are the settings with the IPs correct? Did you bind the right device?

Is there anything in the networking which could block the port (default 1194 udp)?

-Thomas
The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Thu Aug 31, 2006 12:13 am

The VPN is connecting. I can ping either end point from the other. From HostA I can ping 192.168.15.1 and from HostB I can ping 192.168.15.2.

Yes, the logs do show them connecting. Before I started it up with the init script, I started the end points with the openvpn command so I could see everything.

I will have to post the configs tomorrow when I get into the office.
xtlosx (Apprentice, Posts: 219, Joined: Sat Jan 14, 2006 7:17 pm, Location: Chicago)

Post by xtlosx » Thu Aug 31, 2006 1:14 pm

Let me know if you get it to work, I had the exact same situation as you... the endpoints can ping each other, but the machines behind them can't..
The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Thu Aug 31, 2006 2:42 pm

Here is the office (HostA); the config is

Code:
dev tun0
ifconfig 192.168.15.2 192.168.15.1
#verb 9
secret vpn.key
ping 5

and at the colo (HostB)

Code:
remote 69.15.62.58
dev tun0
ifconfig 192.168.15.1 192.168.15.2
#verb 9
secret vpn.key
ping 5
The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Thu Aug 31, 2006 3:12 pm

On my desktop, I added a route to the 192.168.1.0 network via this end point as the gateway, and when I try to ping something at the other end...

Code:
ping 192.168.1.53
PING 192.168.1.53 (192.168.1.53) 56(84) bytes of data.
From 192.168.5.22: icmp_seq=1 Redirect Host(New nexthop: 192.168.5.253)
64 bytes from 192.168.1.53: icmp_seq=1 ttl=60 time=17.3 ms
64 bytes from 192.168.1.53: icmp_seq=2 ttl=60 time=5.15 ms
64 bytes from 192.168.1.53: icmp_seq=3 ttl=60 time=5.76 ms
64 bytes from 192.168.1.53: icmp_seq=4 ttl=60 time=5.78 ms
64 bytes from 192.168.1.53: icmp_seq=5 ttl=60 time=5.86 ms

This end point (HostA) is redirecting me out the default gateway.. It won't forward the packet..

This doesn't seem like it should be this difficult to make Linux do packet forwarding...
Ast0r (Guru, Posts: 404, Joined: Tue Apr 11, 2006 4:04 pm, Location: Dallas, Tx - USA)

Post by Ast0r » Thu Aug 31, 2006 4:58 pm

Are you sure that you have IPv4 packet forwarding enabled in the kernels (enabled "full NAT support")?

If not, compile the support into your kernel and check /etc/sysctl.conf for this line

Code:
net.ipv4.ip_forward = 1

I had the same problem with not being able to get the endpoints to forward packets (do routing) until I fixed that in /etc/sysctl.conf. Good luck.

The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Thu Aug 31, 2006 5:14 pm

cat /proc/sys/net/ipv4/ip_forward returns '1' on both hosts.

hilbert_space (n00b, Posts: 34, Joined: Mon Jun 26, 2006 10:57 pm, Location: 50°8'11" N 8°17'41" E)

Post by hilbert_space » Thu Aug 31, 2006 8:50 pm

Packet forwarding should not be necessary to ping the two ends of the tunnel; a good route config will do it. I communicate via VPN with my server (production web/mail/xy-server).
My VPN config (all the certificate stuff should not be necessary at this time):

server

Code:
proto udp
dev tun
local 85.214.19.126
ca /etc/openvpn/ca.crt
cert /etc/openvpn/psi.crt
key /etc/openvpn/psi.key
dh /etc/openvpn/dh1024.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
#cipher AES-256-CBC
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
resolv-retry infinite
status /etc/openvpn/openvpn-status.log
chroot /etc/openvpn/chroot
push "route 85.214.19.0 255.0.0.0"

client

Code:
remote 85.214.19.126
local 192.168.178.150
client
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/neo.crt
key /etc/openvpn/neo.key
tls-auth /etc/openvpn/ta.key 1  # "0" on the VPN server, "1" on VPN clients
keepalive 10 120
#cipher BF-CBC  (=default; very fast)
#cipher AES-128-CBC (more secure)
#cipher AES-256-CBC (most secure)
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
resolv-retry infinite
status /etc/openvpn/openvpn-status.log
chroot /etc/openvpn/chroot
verb 3
ns-cert-type server
tls-remote psi

An important line is the push-route line in the server config; this can perhaps be the reason for your problems.

A lot of information about the config stuff is available here:
http://openvpn.net/howto.html

-Thomas

The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Thu Aug 31, 2006 9:52 pm

hilbert_space wrote: Packet forwarding should not be necessary to ping the two ends of the tunnel; a good route config will do it. ...

I can ping either end of the tunnel.. but nothing behind the end points.. they are not forwarding the traffic :(

The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Thu Aug 31, 2006 10:12 pm

OK, on the machine here I put

Code:
push "route 192.168.5.0 255.255.255.0"

and at the machine at the colo I put

Code:
push "route 192.168.1.0 255.255.255.0"

in the configs. I also changed iptables

Code:
iptables -A INPUT -i tun+ -j ACCEPT

and I still am getting no love! If I do a traceroute, I can see the traffic go to the VPN end point and no further..

:twisted:

hilbert_space (n00b, Posts: 34, Joined: Mon Jun 26, 2006 10:57 pm, Location: 50°8'11" N 8°17'41" E)

Post by hilbert_space » Fri Sep 01, 2006 9:45 am

Let's check the result of your route config; here are my routing tables on both machines:

server:

Code:
thgersdorf ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
85.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         85.214.18.1     0.0.0.0         UG    0      0        0 eth0

client:

Code:
neo # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.178.1   0.0.0.0         UG    0      0        0 eth0

VPN wasn't complex to configure in my setup; there must be a little problem that we overlook. :(

The Mad Crapper (Apprentice, Posts: 156, Joined: Mon Aug 08, 2005 4:27 pm)

Post by The Mad Crapper » Tue Sep 05, 2006 7:13 pm

OK.. I THINK I might have it working.. I think I may have just needed to make sure to have the return route configured as well.

I would ping a machine at the other end and it wouldn't come back.. until I got on the host I was trying to ping and changed its routing table to make it use the VPN to send back replies.

In the end, I think it was the iptables magic. I think I needed to change the forward and accept policy (I am not an iptables expert). Once I have the chance to try and bring the tunnel back up again I will know more.

Thank you all for your time, I will be sure to update this thread with anything I find.
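The return-route problem this post describes, worked through as an added example (not code from the thread): a longest-prefix route lookup over `route -n` style tables that follows a packet host by host. HostA's and HostB's rows are the ones posted above; the colo host 192.168.1.53 with only its on-link and default routes, and the office desktop address 192.168.5.50, are assumptions made for the example. It traces a ping from HostA to 192.168.1.53 and the reply back, before and after giving the colo host a route to 192.168.5.0/24 via HostB's eth0 address.

```python
import ipaddress
def parse_route_table(text):
    """Parse `route -n` rows (dest gw mask flags metric ref use iface)."""
    routes = []
    for line in text.strip().splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination": continue  # header lines
        dest = "0.0.0.0" if cols[0] == "default" else cols[0]
        net = ipaddress.ip_network(f"{dest}/{cols[2]}", strict=False)
        gw = None if cols[1] in ("*", "0.0.0.0") else cols[1]
        routes.append((net, gw, cols[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; (gateway, iface) or None."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1:] if hits else None

# HostA/HostB rows and the addresses in OWNER are from the thread; the colo
# host 192.168.1.53 (on-link and default route only) is constructed here.
TABLES = {
    "HostA": parse_route_table("""
192.168.15.1 * 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 192.168.15.1 255.255.255.0 UG 0 0 0 tun0
default 192.168.5.253 0.0.0.0 UG 0 0 0 eth0"""),
    "HostB": parse_route_table("""
192.168.15.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 192.168.15.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0"""),
    "colo-host": parse_route_table("""
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0"""),
}
OWNER = {"192.168.5.22": "HostA", "192.168.15.2": "HostA", "192.168.15.1": "HostB",
         "192.168.1.22": "HostB", "192.168.1.53": "colo-host"}

def trace(src, dst):
    """Hop host to host until on-link delivery or a gateway we hold no table for."""
    path, host = [], OWNER[src]
    while True:
        gw, iface = lookup(TABLES[host], dst)  # every table here has a default route
        if gw is None:
            return path + [(host, iface)]      # delivered on-link from this host
        path.append((host, iface))
        if gw not in OWNER:
            return path + [(gw, None)]         # e.g. the site's default gateway
        host = OWNER[gw]
```

Without the extra route on the colo host the reply leaves through 192.168.1.1, the colo default gateway, which is the symptom the thread reports; the ping only appears to "not come back" because the reply never enters the tunnel.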
cswbww (n00b, Posts: 31, Joined: Sun Dec 07, 2003 1:53 am, Location: NY, USA)

Post by cswbww » Wed Dec 27, 2006 8:26 pm

Hi, did you find the solution yet?
© 2001–2026 Gentoo Foundation, Inc.