Gentoo Forums
OpenVPN tap connects / ips assigned / but can't ping other
RayDude
Veteran


Joined: 29 May 2004
Posts: 1724
Location: San Jose, CA

Posted: Mon May 03, 2010 5:49 pm    Post subject: OpenVPN tap connects / ips assigned / but can't ping other

I'm trying to set up openvpn tap so that my machine can connect to home from anywhere and look like it's on my intranet.

Here's the openvpn.conf file for the server:

Code:
port 1194
proto tcp-server
# layer-2 (tap) tunnel; nothing in this config attaches the tap to a bridge
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-server
mode server
# server's own tap address plus the pool handed to clients, all on the LAN subnet
ifconfig 10.1.10.200 255.255.255.0
ifconfig-pool 10.1.10.201 10.1.10.209 255.255.255.0
ifconfig-pool-persist ipp.txt
# gateway the clients should use for routes pushed over the tunnel
push "route-gateway 10.1.10.1"
keepalive 10 120
comp-lzo
# privilege drop after startup is currently disabled
# user nobody
# group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3


Here's the client side:
Code:
client
dev tap1
proto tcp
# change this to your servers ip or hostname

remote myserver.com 1194
resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert brian.crt
key brian.key

comp-lzo
verb 3


Both sides get tap devices and ip addresses assigned. Each can ping his own tap device, but they cannot ping each other and the client cannot ping the intranet of the server.

Any help would be greatly appreciated.

Brian
_________________
Some day there will only be free software.
bbgermany
Veteran


Joined: 21 Feb 2005
Posts: 1799
Location: Oranienburg/Germany

Posted: Mon May 03, 2010 6:12 pm

Do you have ipforward enabled? Does the intranet know how to reach your openvpn network?

bb
_________________
1st: i5-7400, 16GB, 2TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 32GB, 14.5TB
4th: i5-3210M, 8GB, 512GB
5th: i5-3210M, 8GB, 120GB
RayDude
Veteran


Joined: 29 May 2004
Posts: 1724
Location: San Jose, CA

Posted: Mon May 03, 2010 8:55 pm

bbgermany wrote:
Do you have ipforward enabled? Does the intranet know how to reach your openvpn network?

bb


I did enable ipforward on the server, but that didn't make any difference.

Since the network IP addys that are being assigned are on the same subnet, do I need ipforward?

I think I'm only missing one piece of the puzzle. Still haven't figured it out though.

Thanks for the quick reply.

Brian

PS Just to make sure, I enable ipforward this way:

echo "1" > /proc/sys/net/ipv4/ip_forward
_________________
Some day there will only be free software.
Simba7
l33t


Joined: 22 Jan 2007
Posts: 705
Location: Billings, MT, USA

Posted: Mon May 03, 2010 9:23 pm

Easy.. I've already done this on 3 remote routers.

Here's my config on the server:

Code:
port 11194
proto tcp
dev tun
ca myvpn/ca.crt
cert myvpn/server.crt
key myvpn/server.key
dh myvpn/dh2048.pem
server 192.168.0.192 255.255.255.224
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
push "route 192.168.0.0 255.255.255.128"

client-config-dir ccd
#route 192.168.0.0 255.255.255.128
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0

..you also have to put in entries to iptables so your firewall doesn't block you.

This works quite well, since I can access any computer on the other networks (monitoring through my local Cacti server).
RayDude
Veteran


Joined: 29 May 2004
Posts: 1724
Location: San Jose, CA

Posted: Mon May 03, 2010 10:39 pm

Simba7 wrote:
Easy.. I've already done this on 3 remote routers.

Here's my config on the server:

Code:
port 11194
proto tcp
dev tun
ca myvpn/ca.crt
cert myvpn/server.crt
key myvpn/server.key
dh myvpn/dh2048.pem
server 192.168.0.192 255.255.255.224
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
push "route 192.168.0.0 255.255.255.128"

client-config-dir ccd
#route 192.168.0.0 255.255.255.128
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0

..you also have to put in entries to iptables so your firewall doesn't block you.

This works quite well, since I can access any computer on the other networks (monitoring through my local Cacti server).


Thanks, but I'm using tap, not tun, the config is a bit different.

I have realized that I don't have routing in my kernel and am adding it, in my copious spare time...

I'll let you guys know if iptables fixes this for me.

Brian
_________________
Some day there will only be free software.
bbgermany
Veteran


Joined: 21 Feb 2005
Posts: 1799
Location: Oranienburg/Germany

Posted: Tue May 04, 2010 8:09 am

Hi,

if you are on the same subnet, you should do bridging and yes you need ipforwarding enabled, coz your system acts as gateway in this case. If you need help setting up a bridged configuration, just let me know, i have this running at home for several years now and I can provide a working config.

bb
_________________
1st: i5-7400, 16GB, 2TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 32GB, 14.5TB
4th: i5-3210M, 8GB, 512GB
5th: i5-3210M, 8GB, 120GB
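The bridged tap setup bbgermany recommends, as an added example that is not from this thread or any of its posters: a bridge-start style script for the server, assuming the LAN NIC is eth0, the bridge is br0, the tap is tap0, and the OP's 10.1.10.0/24 addresses; the comment inside shows the server-bridge line that replaces the OP's ifconfig/ifconfig-pool/mode server/tls-server directives.

```shell
#!/bin/sh
# Added example (not from this thread). Assumed names: LAN NIC eth0, bridge br0,
# tap tap0, server LAN address 10.1.10.200/24, LAN gateway 10.1.10.1 (the OP's
# addresses). Needs root, bridge-utils, iproute2 and iptables;
# DRY_RUN=1 prints the commands instead of running them.
ETH="${ETH:-eth0}"; BR="${BR:-br0}"; TAP="${TAP:-tap0}"
LAN_ADDR="${LAN_ADDR:-10.1.10.200/24}"; LAN_GW="${LAN_GW:-10.1.10.1}"
VPN_PORT="${VPN_PORT:-1194}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

bridge_up() {
    # persistent tap that OpenVPN attaches to ("dev tap0" in openvpn.conf);
    # it carries no IP itself, the bridge does, so in openvpn.conf replace the
    # ifconfig / ifconfig-pool / mode server / tls-server / route-gateway lines with
    #   server-bridge 10.1.10.1 255.255.255.0 10.1.10.201 10.1.10.209
    run openvpn --mktun --dev "$TAP"
    run ip link set dev "$TAP" promisc on up
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    # the LAN address moves from eth0 to the bridge
    run ip addr flush dev "$ETH"
    run ip link set dev "$ETH" promisc on up
    run ip addr add "$LAN_ADDR" dev "$BR"
    run ip link set dev "$BR" up
    run ip route replace default via "$LAN_GW" dev "$BR"
    # not needed for purely bridged frames, but harmless and required as soon
    # as this host routes for the VPN clients
    run sysctl -w net.ipv4.ip_forward=1
    # let the VPN in and let traffic cross the bridge; bridged frames only reach
    # iptables when net.bridge.bridge-nf-call-iptables=1 (br_netfilter loaded)
    run iptables -A INPUT -p tcp --dport "$VPN_PORT" -j ACCEPT
    run iptables -A INPUT -i "$BR" -j ACCEPT
    run iptables -A FORWARD -i "$BR" -o "$BR" -j ACCEPT
}

bridge_down() {
    run ip link set dev "$BR" down
    run brctl delif "$BR" "$TAP"
    run brctl delif "$BR" "$ETH"
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ip addr add "$LAN_ADDR" dev "$ETH"
    run ip route replace default via "$LAN_GW" dev "$ETH"
}
case "${1:-}" in up) bridge_up ;; down) bridge_down ;; esac
```

Run it as `./bridge.sh up` before starting openvpn and `./bridge.sh down` after stopping it; the client side keeps its plain `dev tap` config and receives its address from the pool.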