wbens
asked on
routing using openvpn to a private network
Hello Team:
I am trying to access a private network. I have openvpn running on a Linux box, and I would like to access the LAN behind that box. I can establish and ping the vpn tunnel, but I cannot ping any of the boxes behind the openvpn. The network behind the vpn is 192.168.1.0. These are my configuration files for the client and for the server:
client configuration file (Linux, Centos 5.0):
client
dev tun
proto udp
remote 75.22.82.166 1194
ifconfig 10.3.0.2 10.3.0.1
route 192.168.1.0 255.255.255.0
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
comp-lzo
verb 4
;mute 20
server configuration file (Linux, Centos 5.0):
local 75.22.82.166
ifconfig 10.3.0.1 10.3.0.2
port 1194
proto udp
dev tun
daemon
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.3.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC
comp-lzo
max-clients 25
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
Now let me do some explaining:
192.168.1.0 is the network behind the vpn server that I want to get access to.
192.168.1.1 is the gateway for the 192.168.1.0 network.
75.22.82.166 is the public IP of the box that the openvpn server is running on.
10.3.0.1 and 10.3.0.2 are the virtual IPs of the openvpn tunnel. These I can ping. However, I cannot ping any box on the 192.168.1.0 network.
Now my routing tables:
routing table for the server:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.0.2        *               255.255.255.255 UH    0      0        0 tun0
75.22.82.128    *               255.255.255.192 U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
10.3.0.0        10.3.0.2        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         75.22.82.129    0.0.0.0         UG    0      0        0 eth0
routing table for client:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.0.1        10.3.0.5        255.255.255.255 UGH   0      0        0 tun0
10.3.0.5        *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
Please someone help to figure this routing problem out.
Thanks.
--Willie
ASKER
Ok arnold, I will give this a try.
I will come back with the results.
Thanks.
--Willie
ASKER
I have a question though, do I have to change the IP on the client's box or just on the client.conf file?
As you can see, the client is running on a network whose IP overlaps with the private LAN behind the vpn server. Therefore, if I change the IP on the client's box, I think that would not work.
This is why I am asking the question. Or should I try connecting the client to a different network whose IP does not overlap with the private LAN behind the openvpn.
Note: No iptables/firewalls are running.
Thanks.
You should alter the remote IP segment from 192.168.1.0/24 or alter your VPN LAN segment from 192.168.1.0/24 to something like 172.16.1.0/24.
If you make the change on the LAN side behind the server, you would need to alter the route to reflect the changed LAN IP 172.16.1.0/24.
i.e. in the server config,
you should have an entry such as
push "route 172.16.1.0 255.255.255.0"
How are you managing the NAT of eth1 and access to and from it?
ASKER
No iptables/firewalls are running at the moment, this leads me to believe that I should not worry about the NAT. Please correct me if I am wrong.
It would be easier for me to alter the remote IP from the client. When you say alter, do you mean just to change it in the client.conf file or give the client box a new IP on the eth0 interface?
Thanks.
The changes are needed on the physical location and not as part of the openVPN configuration.
The remote Client system and the LAN behind the openVPN server to which the client needs to connect use the same IP segment, which is a no-no.
You should worry about NAT if you expect the systems on the LAN behind your Centos server to have access to the outside or the systems connecting via VPN.
The LAN segment on the remote end or the LAN on your side needs to be changed from 192.168.1.0/24 to anything else excluding 10.3.0.0/24, since this is the IP segment used for your VPN IP pool.
Changing the LAN segment on the remote side does not require any changes.
Changing the LAN side on the server end requires changes to the push directive to reflect the changed LAN IP Segment.
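An added example, not code from the thread or from OpenVPN: a POSIX shell check for the condition arnold describes above, that the client's LAN, the LAN behind the server and the 10.3.0.0/24 tunnel pool must be disjoint prefixes before any route or push directive can work. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN: confirm that the client LAN,
# the LAN behind the OpenVPN server and the tunnel pool are disjoint prefixes.
# Inputs are CIDR strings (e.g. 192.168.1.0/24); the function names are my own.

ip2int() {
    # dotted quad -> unsigned integer, POSIX shell arithmetic only
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

plen2mask() {
    # prefix length -> 32-bit netmask as an integer (24 -> 0xFFFFFF00)
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

cidr_overlap() {
    # exit 0 when the two prefixes share at least one address, which is
    # the case exactly when both networks agree under the shorter mask
    a=$(ip2int "${1%/*}"); pa=${1#*/}
    b=$(ip2int "${2%/*}"); pb=${2#*/}
    if [ "$pb" -lt "$pa" ]; then p=$pb; else p=$pa; fi
    m=$(plen2mask "$p")
    [ $(( a & m )) -eq $(( b & m )) ]
}

check_plan() {
    # args: client LAN, LAN behind the server, VPN pool (server 10.3.0.0 255.255.255.0)
    # prints one line per conflicting pair; exit status 0 means the plan is clean
    rc=0
    for pair in "$1 $2" "$1 $3" "$2 $3"; do
        set -- $pair
        if cidr_overlap "$1" "$2"; then
            echo "overlap: $1 and $2"; rc=1
        fi
    done
    return $rc
}

# The thread's starting point: both LANs are 192.168.1.0/24, the clash arnold flagged.
if check_plan 192.168.1.0/24 192.168.1.0/24 10.3.0.0/24; then echo "clean"; fi
# arnold's suggestion: renumber one side to 172.16.1.0/24 (and push that route).
if check_plan 192.168.1.0/24 172.16.1.0/24 10.3.0.0/24; then echo "clean"; fi
```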
ASKER
Hello arnold:
Please excuse me if I am asking too many questions, but I just want to be clear on your answers.
When you say "The changes are needed on the physical location and not as part of the openVPN configuration", by physical do you mean on the ethernet interface?
About NAT, I have to worry about it even if no iptables/firewalls are running?
I will test your suggestions, it might take me into next week because the network administrator is not back until Tuesday for me to discuss with him about the IP change(s).
Thanks arnold.
--Willie
ASKER
I will also have to do some reading about the NAT since I am not familiar with it.
ASKER CERTIFIED SOLUTION
ASKER
The LAN behind the openvpn server is not exposed to the outside in any way. There is no proxy server and the private LAN behind the vpn does not have access to the net.
I will look into the NAT link you provided me.
Thanks.
--Willie
ASKER
I also had to do this from the command line on the client side:
route add -host IPofPrivateHostRunningBehindopenVPN server tun0
and this on the command line on the server side, where I executed the next three commands:
service iptables restart
iptables -I POSTROUTING -t nat -s 10.3.0.6 -j MASQUERADE
service iptables save
It works.
Thanks.
--Willie
You should be able to configure the openvpn server to push the route out where you do not need to manually add a route.
The issue with iptables rules is different.
I presume you are still using the 192.168.1.x on both sides and using the NAT functionality of the VPN connection?
You have an IP overlap. Your LAN and the clients LAN use the same IPs.
Change the 192.168.1.x on one side and see whether you are still having a problem.