Solved

Connecting VPN (Openvpn) Channel Between 2 Ubuntu Machines Using

Posted on 2009-05-20
Last Modified: 2013-12-06
Dear Experts:
I have two Ubuntu machines connected to the internet with one NW card (eth1) each. I posted this question before:
http://www.experts-exchange.com/Networking/Linux_Networking/Q_24042052.html

No one answered the question and the two machines are still not communicating. Please look at the attached files (settings + log files + NW design). My questions:

The routes:
On client:
Destination     GW              gnmask           metric  Iface
192.168.7.0     *               255.255.255.0    0       eth1
default         192.168.7.192   0.0.0.0          100     eth1

On server:
Destination     GW              gnmask           metric  Iface
10.0.0.0        *               255.255.255.0    0       eth1
default         10.0.0.138      0.0.0.0          100     eth1

1- What sort of modifications to the settings file should I make to let the two networks communicate?
2- How can I remotely connect to the two (Ubuntu) machines?
Client setting file:

client
proto udp
;dev tap
dev tun
;---->Internet
remote 86.60.99.191 1194  ;10.0.0.80 1194
;remote 10.0.0.138
resolv-retry infinite
nobind
pull
persist-key
persist-tun
comp-lzo
daemon
writepid /var/run/openvpn.pid
;verb 3
verb 4
;mute 20
;ping 10
;ping-restart 60
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/client1.crt
key /etc/openvpn/easy-rsa/2.0/keys/client1.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
;;The following command is important for openvpn 2.0 and below
ns-cert-type server
cipher BF-CBC
;chroot chroot
log-append /var/log/vpnclient.log

////////////////////////////////////////////////////////

Server setting file:

port 1194
;local 192.168.3.1
mode server
;mssfix 1400
# TCP or UDP server?
proto udp
dev tun0
keepalive 10 120
;ping 10
;ping-restart 120
writepid /var/run/openvpn.pid
comp-lzo
max-clients 100
persist-key
persist-tun
verb 3
mute 20
#New Lines
ifconfig-pool 10.0.0.200 10.0.0.220
ifconfig-pool 192.168.7.170 192.168.7.200
ifconfig-pool-persist ipp.txt
push "route 192.168.7.0255.255.255.0"
;//------->New Lines 03-Feb-2009
push "route-gateway 10.0.0.80"
push "route 10.0.0.0 255.255.255.0 10.0.0.80"
push "route 192.168.7.0 255.255.255.0 10.0.0.80"
;//------->End New Lines
;route 192.168.7.0
client-to-client
#End New Lines
tls-server
cipher BF-CBC
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
chroot /etc/openvpn/chroot
client-config-dir ccd
status /var/log/serverstatus.log
log-append /var/log/vpnserver.log


VPN-NETWORK.jpg
vpnclient.log
vpnserver.log
Question by:mubama0n
95 Comments
 

Author Comment

by:mubama0n
ID: 24441724
Nobody answered. What's the problem?
Is it very bold?

I don't know.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24444102
Hmm, that configuration is a bit messed up. You've got two IP pools defined, but the server is using only the second one:
IFCONFIG POOL: base=192.168.7.168 size=9
However, your primary problem seems to be that the client cannot contact the server:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
And the interrupt messages confuse me:
event_wait : Interrupted system call (code=4)
and further the server log messages seem to be mixed up (19h before 15h messages).



0
 

Author Comment

by:mubama0n
ID: 24448451
Dear Qlemo
The interrupt message in the (server) log is because I didn't find any interaction between the two machines (event_wait : Interrupted system call (code=4)), so I pressed (ctrl+c) to cancel the operation. Here are some lines of the (server) log:
Wed May 20 15:35:35 2009 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
Wed May 20 15:35:35 2009 Diffie-Hellman initialized with 1024 bit key
Wed May 20 15:35:35 2009 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Wed May 20 15:35:35 2009 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 20 15:35:35 2009 TUN/TAP device tun0 opened
Wed May 20 15:35:35 2009 TUN/TAP TX queue length set to 100
Wed May 20 15:35:35 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 20 19:35:35 2009 chroot to '/etc/openvpn/chroot' and cd to '/' succeeded
Wed May 20 19:35:35 2009 Socket Buffers: R=[110592->131072] S=[110592->131072]
Wed May 20 19:35:35 2009 UDPv4 link local (bound): [undef]:1194
Wed May 20 19:35:35 2009 UDPv4 link remote: [undef]
Wed May 20 19:35:35 2009 MULTI: multi_init called, r=256 v=256
Wed May 20 19:35:35 2009 IFCONFIG POOL: base=192.168.7.168 size=9
Wed May 20 19:35:35 2009 IFCONFIG POOL LIST
Wed May 20 19:35:35 2009 Initialization Sequence Completed
Wed May 20 19:40:14 2009 event_wait : Interrupted system call (code=4)
Wed May 20 19:40:14 2009 TCP/UDP: Closing socket
Wed May 20 19:40:14 2009 Closing TUN/TAP interface
//////
About the time: this is because there was a problem with the server time, but I corrected it.
I didn't get your point about the pool. Do you mean that I should put only the pool of the client and comment out the others?
The main problem now is that there is no interaction between the client and the server, although the two machines connect to the internet without any problem and ping any internet website correctly at both sites, in addition to their local machines within the NW.

Please note that in our country today (Friday) is a weekend; tomorrow (Saturday) I can do any further tests that may help, so kindly post them if you have other advice.

Take Care
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24448620
Ok, I will ignore my confusion about the server log.
Multiple IP pools are senseless. OpenVPN can use only one pool of addresses, and that is the one for dial-in clients. The max-clients 100 does not fit the IP pool, btw, but that is not important here.

I suggest you switch on more verbose messaging on server side or both, verb 6 should show more, or else set verb 9.
0
 

Author Comment

by:mubama0n
ID: 24448671
Dear Qlemo,

You said:
The max-clients 100 does not fit, btw, to the IP pool, but that is not important here.

I suggest you switch on more verbose messaging on server side or both, verb 6 should show more, or else set verb 9.

What will I get from using (verbose)? : http://marc.info/?t=117047249100002&r=1&w=2
What is the relationship between (verbose) and my case?
How do I install (verbose)?

Thanks
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24448724
You need to change the option "verb" in your config file to a value of 6 or 9. That's all. OpenVPN will output much more detail, which can help us to see if traffic is going on at all.
0
 

Author Comment

by:mubama0n
ID: 24456822
Thanks Qlemo for your feedback. Within 4 hours from now I'll be in front of the machine; hopefully
it will give us some result. I'll inform you of the result. Enjoy your weekend and take care.
0
 

Author Comment

by:mubama0n
ID: 24457600
Dear Qlemo

Attached is the (client) log file after your suggestion. Please note the following:
1- When I set verb=6 I got the following message:
UDPv4 WRITE [14] to 86.60.51.154:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0

2- When I set it to 9

There is another thing:
TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Sat May 23 14:38:18 2009 us=77333 ACK reliable_can_send active=1 current=0 : [1] 0
Sat May 23 14:38:18 2009 us=77363 ACK reliable_send_timeout 2 [1] 0
Sat May 23 14:38:18 2009 us=77380 TLS: tls_process: timeout set to 2
Sat May 23 14:38:18 2009 us=77408 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=cebd228f 8d8d2327, stored-sid=00000000 00000000, stored-ip=[undef]
Sat May 23 14:38:18 2009 us=77435 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Sat May 23 14:38:18 2009 us=77456 PO_CTL rwflags=0x0001 ev=3 arg=0x08098f50
Sat May 23 14:38:18 2009 us=77478 I/O WAIT T?|T?|SR|Sw [1/225115]
Sat May 23 14:38:19 2009 us=306957  event_wait returned 0
Sat May 23 14:38:19 2009 us=306997 I/O WAIT status=0x0020
Sat May 23 14:38:19 2009 us=307015 TIMER: coarse timer wakeup 1 seconds
Sat May 23 14:38:19 2009 us=307048 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=6425ac7b 38314d2f, stored-sid=00000000 00000000, stored-ip=86.60.51.154:1194
Sat May 23 14:38:19 2009 us=307069 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Sat May 23 14:38:19 2009 us=307089 ACK reliable_can_send active=1 current=0 : [1] 0
Sat May 23 14:38:19 2009 us=307120 ACK reliable_send_timeout 1 [1] 0
Sat May 23 14:38:19 2009 us=307137 TLS: tls_process: timeout set to 1
Sat May 23 14:38:19 2009 us=307165 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=cebd228f 8d8d2327, stored-sid=00000000 00000000, stored-ip=[undef]
Sat May 23 14:38:19 2009 us=307193 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef

At least now we get some details, so I'm waiting for your advice. Take care.

vpnclient.log
0
 

Author Comment

by:mubama0n
ID: 24457604
Please note that the server has not moved, and there is no response from it (the server).
The log file is the same.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24457621
Since the server has not logged anything, the packets on udp/1194 do not arrive there. Is the server the same as the Internet gateway? I.e. who is "owner" of the public IP? If there is a router before the Ubuntu box, you will need to forward OpenVPN port to Ubuntu.

0
 

Author Comment

by:mubama0n
ID: 24458009
The owner of the public IP is the DSL router. I'll try to do port forwarding and give you the result. I would like to thank you for your cooperation; since you're very kind with me I'll also be kind with you and give you a rest for one day to enjoy your weekend, but keep in touch next Monday to continue the discussion. I appreciate your help.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24458476
I'm on holiday, I don't need a rest :-) I'll stay tuned.
0
 

Author Comment

by:mubama0n
ID: 24461250

Dear Qlemo

Still nothing updated. I set the port on the (server) DSL.
Attached are photos of the settings of the DSL router that the server (10.0.0.80) connects to.
The client is a (3G) connection.

Here are also the settings of the (client) with verb=9.
The log is the same as yesterday.
Waiting for your advice.
/////////////////
Client Setting file:
client
proto udp
;dev tap
dev tun
;---->Internet
remote 86.60.63.221 1194  ;
resolv-retry infinite
nobind
pull
persist-key
persist-tun
comp-lzo
daemon
writepid /var/run/openvpn.pid
;verb 3
verb 9
;mute 20
;ping 10
ping-restart 60
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/client1.crt
key /etc/openvpn/easy-rsa/2.0/keys/client1.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
;;The following command important for openvpn 2.0 and bellow
ns-cert-type server
cipher BF-CBC
;chroot chroot
log-append /var/log/vpnclient.log

figure1.JPG
figure2.JPG
figure3.JPG
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24461331
  1. (figure1) you need only to forward udp/1194, not all protocols. This is not an error, however.
  2. (figure3) The modem/router is displaying an Ethernet MAC address. I would have expected an IP address here. Could be ok, could be a problem - I don't know.
  3. (figure3) Using UPnP is pointless here and a security risk. It is able to open ports on your client's firewall dynamically, which can be misused by malicious attackers.
As I cannot see the problem, you have to do some homework: change the inside port of the forwarding definition to a TCP (!) port you know is open on Ubuntu, e.g. telnet, ssh, or alike.
  • Then try via a Web page like ShieldsUp! (http://www.grc.com/x/ne.dll?rh1dkyd2) to scan for port 1194. If you get Closed or Stealth, it's not working!
  • Or use telnet from client to that public port; you should have at least an empty prompt, and be able to type something. If telnet closes, no one is listening.
The two Ubuntu machines are hopefully separated by the Internet. If not (the same physical network, but different IP addresses), many devices are not capable of managing traffic sent to the public IP from inside, to be sent back again to the same network.

I suppose that you tried to connect the two machines already when both were locally connected, as the config shows local target addresses, too. And that this worked. If I'm right, the modem/router/firewall on either side is the problem.

BTW, be careful with displaying your public IP here! Since it is static, attackers might use the information for better hacking. Together with the modem type it's much easier. If this question will remain in the knowledge base, you should request to remove all dangerous material, which is the public IPs including figure2.jpg.
0
 

Author Comment

by:mubama0n
ID: 24461371
I did the following actions on the server but still everything is the same:

Edit /etc/sysctl.conf
Uncomment net.ipv4.ip_forward=1 and save your changes.
At this point you can either reboot or run the following command.
$ sysctl -w net.ipv4.ip_forward=1
Confirm that ip_forward is actually enabled.

$ sysctl net.ipv4.ip_forward

Add the following rules to /etc/rc.local before the exit 0 statement

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.80/24 -o eth1 -j MASQUERADE
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24461386
No, you should not have to do anything on Ubuntu! The modem is acting as router, applying NAT already. No masquerading needed; I don't know whether this is counterproductive, but I suppose it is. And forwarding / routing is not needed on Ubuntu either.

I'm sorry to have to ask you, and no offence meant: Do you know what you are doing?
0
 

Author Comment

by:mubama0n
ID: 24461433
Sure, no problem, it is not an offence.
The last post I posted at the moment before reading your post at (24/05/09 02:53 PM, ID: 24461331), so my post (24/05/09 03:11 PM, ID: 24461371) came before reading your answer. Now I understand what you're talking about. About this NW: it is for testing purposes and not our main network; our essential one is separated in another building. The one we're using is just for training and has no sensitive data on it. Thanks for your recommendations.
Can you send me a link to setting up (SSH) with easier steps?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24461458
>> "Can you send me a link to Setting up (SSH) with more easier steps?"
Pardon?
0
 

Author Comment

by:mubama0n
ID: 24470375
Dear Qlemo

I set up (SSH) on my server machine successfully. I did many tests as you recommended and here is the result:

Test:
----------
Since the DSL router that is connected to the (server) has two IP addresses:
10.0.0.XXX
192.168.1.XXX
in order to check if the port (1194) is working (internally) or not, I made some modifications as follows:
1- In the (/etc/network/interfaces) file of the (client) machine I set the IP address to be 192.168.1.XXY and the gateway to be the DSL router of the server (192.168.1.XXX)
2- In (client.conf) I wrote:
remote 10.0.0.80 1194 ===> Server IP address
instead of (86.60.63.XXX 1194) ===> DSL router for Internet
Then I ran (client.conf) on the client machine + (server.conf) on the server machine; the VPN connection was established and each machine knew the other by pinging.

Then I set everything back again to the original case (refer to the NW design): the client machine returned to its original IP address (192.168.7.XXX) and the gateway is the PC (192.168.7.XXY) that is connected to the (3G) internet, and again I wrote in (client.conf) remote 86.60.63.XXX 1194 but to communication between the (2) machines !!!
(SSH) could be connected to the server machine with full control through (putty) = 10.0.0.XXY 22 from anywhere.

Conclusion (private viewpoint):
-------------
The server machine has no problem; around 80% the problem is on the client machine, either in the (setting file) or something else, because as you see we can access the server machine via (SSH) through any internet provider.

Advice
0
 

Author Comment

by:mubama0n
ID: 24470380
into (3G) internet, and again I wrote in (client.conf) remote 86.60.63.XXX 1194 but NO communication between the (2) machines !!!
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24471286
What's the setup difference between
"Then I set back again every thing as the original case (refer to the NW design) the Client machine returned back to original IP address (192.168.7.XXX) and the gateway is the PC (192.168.7.XXY) that connected into (3G) internet , and again i wrote on (client.conf) remote 86.60.63.XXX 1194 but to communication between the (2) machines !!!
The (SSH) on the could be connected to server machine with full control through (putty) = 10.0.0.XXY 22 from any were."
and
"into (3G) internet , and again i wrote on (client.conf) remote 86.60.63.XXX 1194 but NO communication between the (2) machines !!!"
? In both cases you connected via 3G to the public IP. I suppose in the first case you were routing internally, involving the Internet router, and in the second you used another Internet connection?!

I agree, your server is not causing issues. If it does not display any message, no packets arrive. So the way from router to OpenVPN server must be broken.



0
 

Author Comment

by:mubama0n
ID: 24471366
The words (NO) & (TO): a mistake made by me.

In my first post I said: "remote 86.60.63.XXX 1194 but to communication "
So I corrected it in my second one:
"remote 86.60.63.XXX 1194 but NO communication "

Sorry for the misunderstanding.

--------------
You said:
"? In both cases you connected via 3G to the public IP. I suppose in first case you where routing internally, involving the Internet router, and in second you used another Internet connection?!"

The reason for the test was just to check port (1194) (internally) & (externally).
I found the internal part is ok. So do you think I need to make a modification to the setting file?
Or do I do some checking (tool) for the way from router to OpenVPN server? Which tool can help?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24472149
If it works using private addresses (internal), the router is the problem. The router translates the public to the internal address (I hope). Hence, after the router all addresses are local. I doubt that the router does the NAT/port forward as requested. You can use WireShark on the server - filter for traffic from and to the router (capture filter "host 10.0.0.x") or from and to the client's public IP.

Wait, I've seen two pitfalls now:
1. IP pool and local IP of client are from the same network - could be troublesome. You should use a unique network for OpenVPN. - However, this would come into play AFTER the connection is established.
2. Your router has two IP addresses. Maybe it is sending the port forward to the wrong IP (wrong network)? The MAC address of the local Ubuntu should point to a single (and correct) IP address, but who knows ... Your router should have a page with the ARP cache, showing paired MAC and IP addresses.
0
 

Author Comment

by:mubama0n
ID: 24472312
Do you think that if I set up OpenVPN on an (XP) machine as the client machine, connected directly to (3G), it will solve the problem?
Or is this not the case?
0
 

Author Comment

by:mubama0n
ID: 24472449
Note:

Why does SSH respond from any machine, including the (XP) gateway (192.168.7.192)?

That's why I told you I'd set up OpenVPN on (XP) as a client instead of (Ubuntu). Tomorrow I'll do the
installation of OpenVPN on the XP client machine connected directly to (3G) and tell you the result of the test.

Thanks
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24473393
Did you forward SSH the same way as OpenVPN?
0
 

Author Comment

by:mubama0n
ID: 24479929
Yes, I used (putty) from machine (192.168.7.192), which is the gateway connected to (3G), and then I typed (10.0.0.80) for the server with port 22 and I got connected successfully.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24481367
Not exact enough. SSH via putty works from both 192.168.7.192 and 192.168.7.XXX?
0
 

Author Comment

by:mubama0n
ID: 24481643
You said "Not exact enough"

pardon?
SSH is working from any PC, 192.168.7.192 and 192.168.7.XXX, using putty !!
Can you explain more?

Anyway I'll set up (openvpn) now on (192.168.7.192), then I'll give you the results.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24481671
That has not been clear yet.
I suspect UDP to be a problem with forwarding on that router ... For a test, change the protocol in both sides' config files to TCP instead of UDP, and try again. TCP is not recommended for several reasons; however, it could help you here ...
0
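Qlemo's homework (the telnet/ShieldsUp! check in ID 24461331, and the UDP-versus-TCP suspicion in this post) comes down to proving that the router delivers the forwarded port to the Ubuntu box, separately for TCP and UDP, before touching OpenVPN again. The Python script below is an added example, not code from the thread or from OpenVPN. It assumes OpenVPN is stopped on the server while the responder holds the port, and the probe payload is a constructed string, not OpenVPN's handshake, so the result depends only on the router's forwarding. Run start_responder() on the server LAN host and udp_probe()/tcp_probe() against the public IP from the client side; udp_probe True with tcp_probe False is the healthy UDP-only forward, while the reverse is exactly the TCP-only forward this thread ran into.

```python
import socket
import threading

# Constructed probe payload; deliberately NOT the OpenVPN handshake, so the
# check works with the daemon stopped and is independent of OpenVPN config.
PROBE = b"port-forward-check"


def start_responder(bind_host="0.0.0.0", bind_port=1194):
    """Server side: answer probes on the forwarded UDP port (stop OpenVPN first,
    it holds the same port). Returns (bound_port, stop_event); bind_port=0 picks
    an ephemeral port, which the self-test uses."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, bind_port))
    sock.settimeout(0.2)          # lets the loop notice stop_event promptly
    stop = threading.Event()

    def loop():
        try:
            while not stop.is_set():
                try:
                    data, peer = sock.recvfrom(1500)
                except socket.timeout:
                    continue
                if data == PROBE:  # ignore anything that is not our probe
                    sock.sendto(b"ack:" + data, peer)
        finally:
            sock.close()

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1], stop


def udp_probe(host, port, timeout=2.0):
    """Client side: True only if the datagram reaches the responder AND its reply
    comes back; False means the forward (or the path) drops UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(PROBE, (host, port))
        data, _ = sock.recvfrom(1500)
        return data == b"ack:" + PROBE
    except OSError:               # timeout or ICMP port-unreachable
        return False
    finally:
        sock.close()


def tcp_probe(host, port, timeout=2.0):
    """The telnet-style check from the thread: True if something accepts a TCP
    connection on the port. A TCP-only forward passes this yet fails udp_probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def loopback_self_test():
    """Run both probes against a responder on 127.0.0.1 to check the tool itself.
    Expected (True, False): UDP is answered, TCP is refused (nothing listens on TCP)."""
    port, stop = start_responder("127.0.0.1", 0)
    try:
        return udp_probe("127.0.0.1", port), tcp_probe("127.0.0.1", port)
    finally:
        stop.set()


if __name__ == "__main__":
    print("loopback self-test (udp_ok, tcp_ok):", loopback_self_test())
```

Real use on the thread's topology: on the 10.0.0.80 host, start_responder("0.0.0.0", 1194); from the 3G-connected client, udp_probe("<public IP>", 1194) and tcp_probe("<public IP>", 1194). Because the responder only answers the exact probe, a False from udp_probe points at the forward or the path, not at certificates, ciphers or pools.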
 

Author Comment

by:mubama0n
ID: 24490238
Dear Qlemo

You said "That has not been clear yet.
I suspect UDP to be a problem with forwarding on that router ... For test, change protocol on both sides' config files to TCP instead of UDP, and try again. TCP is not recommended for several reasons, however, it could help you here ..."

Yes Sir, you're right. The router protocol (was) receiving (TCP) only, and since the client was using (udp) it rejected it. But I fixed the problem: I did a small change to test, changing the port from (1194) into (22). Now the two parties are communicating; on the new (XP) client machine it displays a message saying (VPN connection established and assigned IP address (192.168.7.170)), but still something is missing:
- Any machines (devices) connected to either party cannot ping the other (10.0.0.X) & (192.168.7.XX)
And even the server (192.168.7.192) cannot ping (10.0.0.80), but anyway at least there is a communication channel.
Please read the configuration files for both parties + the log file of the client and give me your feedback about what modifications to the files I should make.

Thanks for your cooperation.

client.log
server-1.txt
client-1.txt
0
 

Author Comment

by:mubama0n
ID: 24490260
Yes Sir, you're right. The router protocol (was) receiving (TCP) only, and since the client was using (udp) it rejected it. But I fixed the problem: I did a small change to test by asking the router to receive any protocol (UDP or TCP), and I also changed the port from (1194) into (22). Now the two parties are communicating; on the new (XP) client machine it displays a message saying (VPN connection established and assigned IP address (192.168.7.170)), but still something is missing:
- Any machines (devices) connected to either party cannot ping the other (10.0.0.X) & (192.168.7.XX)
And even the server (192.168.7.192) cannot ping (10.0.0.80), but anyway at least there is a communication channel.
Please read the configuration files for both parties + the log file of the client and give me your feedback about what modifications to the files I should make.

Thanks for your cooperation.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24491015
I'm analyzing at the moment. One obvious part is that the client got a 192.168.7. address. I think you have to use the other IP pool on server, but I can't have a more precise look at the moment. You might try, or wait till I have checked the config files in some hours.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24492310
Sorry, but that configuration is totally messed up, and I'm confused about the IP addresses used. The roles of server and client seem to be exchanged sometimes. Further, using for OpenVPN the same network as the server or client LAN is very problematic. I now need clarification about (my understanding in parentheses):

Internal server IP and network         (10.0.0.80/24)
Internal client IP and network         (192.168.7.0/24)
OpenVPN transfer network IP            (192.168.7.170-200)

If this is true, you should change the IP pool to its own network not colliding with any other (e.g. 192.168.254.0/24). Remove all routing commands in the server and client config files. In the server config, add
push "route 10.0.0.0 255.255.255.0"
Then test ONLY client to server or vice versa; other devices will not be reachable without changes.

0
 

Author Comment

by:mubama0n
ID: 24492456
Dear

I'm not familiar with the VPN setting file. The thing I'm sure of is that I have two networks with the following subnets:
Internal server IP and network         (10.0.0.80/24)
Internal client IP and network         (192.168.7.0/24)

The pool is not important for me (no specific pool needed); it is open to your suggestion. I'm still getting training from experts like you. All I need is that any device connected to either of these networks (parties) can ping each other. If there is a need for omitting or dropping anything, I'm open to it. And from my side I'll try to open Linux forums and learn more about the setting commands, so it is open to any suggestion of yours.
0
 

Author Comment

by:mubama0n
ID: 24492480
The client IP address now is: 192.168.7.192
And it is communicating with the server.
Thanks
0
 

Author Comment

by:mubama0n
ID: 24492530
I'll do your recommendation within the next (2) hours and give you feedback, or maybe now after finishing some business phone calls.

Your help is Appreciated
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24492576
As far as I can see, you are sticking with ifconfig-pool 192.168.7.170.

If you want to access devices in the 10.0.0.x network, those devices need to know how to reach the 192.168.7.0 network. To allow for this, you have to set the route for 192.168.7.0/24 via 10.0.0.80 on your default gateway (which is NOT the OpenVPN server). This should be all.
0
 

Author Comment

by:mubama0n
ID: 24492602
You said:
"If this is true, you should change the IP pool to an own network not colliding with any other (e.g. 192.168.254.0/24)"

If I put it like this on the server: ifconfig-pool 192.168.254.100 192.168.254.200
As I understand it, the above command states (give a pool of clients for this subnet 192.168.254.0,
range from 100-200). Is that right?

Then what is the relationship between (192.168.7.0) and (192.168.254.0)?
Thanks
0
 

Author Comment

by:mubama0n
ID: 24494133
I wrote "route 10.0.0.0 255.255.255.0".

If I comment out
;ifconfig-pool 192.168.7.170 192.168.7.200
;ifconfig-pool-persist ipp.txt

will the VPN not work and the connection be refused?

Advice

0
 

Author Comment

by:mubama0n
ID: 24494149
Still:
push "route 10.0.0.0 255.255.255.0"


The VPN is connected successfully, but the parties cannot ping each other?
0
 

Author Comment

by:mubama0n
ID: 24494330
I also wrote in the client conf:

push "route 192.168.7.0 255.255.255.0"

But still the parties cannot ping each other!
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24494387
You need an ifconfig-pool or server command (the latter is a replacement for several further configuration options, but it will interfere with your config at the moment). Without one, no connection will be established.

I never told you to push route 10.0.0.0. Do not change that much in that short a time; I can't keep track of your changes!

Forget all I said till now (for the next hours). Let's start over. At server side, use your
ifconfig-pool 192.168.7.170 192.168.7.200
ifconfig-pool-persist ipp.txt
Remove all routing commands.
Add
push "route 10.0.0.0 255.255.255.0"
The client will get 192.168.7.192, and the route to 10.0.0.0 with gateway 192.168.7.x (x = 102, I suppose).
Please confirm this.

After this, client to server and vice versa will work. But no other devices!
0
 

Author Comment

by:mubama0n
ID: 24494667
You said:
"Forget all I said till now (for the next hours). Let's start over. At server side, use your
ifconfig-pool 192.168.7.170 192.168.7.200
ifconfig-pool-persist ipp.txt
Remove all routing commands.
Add
push "route 10.0.0.0 255.255.255.0""

Done successfully; the client displays connected and assigned IP = 192.168.7.170
Now the VPN channel is established. I didn't try any pinging, as you said.
Next,
0
 

Author Comment

by:mubama0n
ID: 24495269
I also made some changes (for test) and (try) on the server side:
Instead of:
ifconfig-pool 192.168.7.170 192.168.7.200

I did:
ifconfig-pool 192.168.254.10 192.168.254.20

It makes a channel, but without pinging.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24497145
If you ping the server address 192.168.254.10 (or 11?), do you see traffic flow? You can watch this on XP either by looking into Task Manager, network, or in the Status dialog of your TAP adapter, or in openvpn with verb 9 (there should be multiple "w" and "r" if traffic is passing TAP interface).
0
 

Author Comment

by:mubama0n
ID: 24500817
TAP adapter? But I'm using TUN as written in the (setting file).
When I connect a machine to the server, e.g. connecting (10.0.0.70) with GW=10.0.0.80,

and try to ping any device on (192.168.7.XX), the server says:
MULTI  BAD Source address (192.168.7.XX) packet dropped.

I'll look at the (TM) network process or log file at the client and tell you the result, but I want to know
why any device cannot communicate with the other network's devices although the VPN connection is established successfully?

I did more commands to create routing between the machines, but it never does anything. Here are the commands:
ON CLIENT (192.168.7.192): route add -net 10.0.0.0 netmask 255.255.255.0 dev eth1
 route add -net 10.0.0.0 netmask 255.255.255.0 GW 10.0.0.80

On server:
route add -net 192.168.7.0 netmask 255.255.255.0 dev eth1
 route add -net 192.168.7.0  netmask 255.255.255.0 GW 192.168.7.192

Please note that I have a (system down) on the Internet today at the place where the server is located, caused by a (cabling problem), so I apologize if you post advanced comments and I cannot test them. The (DSL router) ISP guaranteed the Internet will resume successfully tomorrow as normal once they fix the problem on the cable today. So if you have any comments I'll test them on Saturday, or hopefully today if the Internet returns, and give you the test results. Thanks for your cooperation in advance.
0

 

Author Comment

by:mubama0n
ID: 24500827
I forgot: from the client machine, when I pinged the (VPN) connection IP (192.168.254.10) it succeeded.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24500957
Those route commands are on Ubuntu. And they are wrong. You need to use solely the respective TUN/TAP adapter address as gateway, no eth1.

On server:
route add -net 192.168.7.0 netmask 255.255.255.0 192.168.254.11
(if 11 is the client)

On client you won't have to do anything.

I thought you used XP as client (for testing), but now you presented a Linux route command ... Please, remove your recently set routes, and test only the following:
  • Connect with XP to Ubuntu via OpenVPN, using 192.168.254.x pool addresses.
  • Ping from XP to Ubuntu OpenVPN server address (192.168.254.x)
  • Ping from XP to Ubuntu server address (10.0.0.80)
  • Ping from XP another 10.0.0.x address
  • Ping from Ubuntu to XP OpenVPN address (192.168.254.x)
  • Ping from Ubuntu to XP address (192.168.7.x)
0
 

Author Comment

by:mubama0n
ID: 24507908
Dear Qlemo

Thanks for this information I believe it is logic and (hopefully) will solve the problem , But before I test just I want to review some points :

1- If I write: route add -net 192.168.7.0 netmask 255.255.255.0 192.168.254.11
directly, it displays an error message saying (not sure which):
either: no such process, or
device not found

but if I write it in (2) steps, e.g.:
route add -net 192.168.7.0 netmask 255.255.255.0 dev eth1
then:
route add -net 192.168.7.0 netmask 255.255.255.0 192.168.254.11
it accepts it without any error message.

2- Shall I put a pool command in my server setting file for the (192.168.254.xx) pool addresses?

3- On the XP ubuntu machine, shall I keep the IP address subnet as it is, or change/reset the address to ==> 192.168.254.XXX ?

 
0
 

Author Comment

by:mubama0n
ID: 24507921
Shall i keep the Pool addresses:

ifconfig-pool 192.168.7.170 192.168.7.200 (Drop / keep)?
ifconfig-pool 192.168.7.10 192.168.254.30
ifconfig-pool-persist ipp.txt
and
push "route 10.0.0.0 255.255.255.0" without any change?

0
 

Author Comment

by:mubama0n
ID: 24507923
Within (3) HRS from now I'll be in front of the server.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24508343
1- eth1 is wrong. You shouldn't (need to) use static routing commands with the OpenVPN server. It's better to set routing in the server config file.
At the moment you do not yet need the 192.168.7.0 route. The client will use its OpenVPN address 192.168.254.x to communicate. This changes as soon as the devices behind the client want to have access. So let's ignore my proposal to add the route on the server for now; we'll come back to that route later. However, without it, the last ping from above should not reply.

2- yes, you should have only one IP pool 192.168.254.x
 
ifconfig-pool 192.168.254.10 192.168.254.20
 ifconfig-pool-persist ipp.txt
 push "route 10.0.0.0 255.255.255.0"

3- on "XP Ubuntu" - sorry? Either XP, or Ubuntu.


0
 

Author Comment

by:mubama0n
ID: 24508452
On XP machine  shall I keep the IP address subnet as it is or change the Address into ==> 192.168.254.XXX ?

Thanks
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24508457
Keep it to 192.168.7.0 for now.
0
 

Author Comment

by:mubama0n
ID: 24508659
Dear

Connect with XP to Ubuntu via OpenVPN, using 192.168.254.x pool addresses=OK
 
Ping from XP to Ubuntu OpenVPN server address (192.168.254.x) =OK
Ping from XP to Ubuntu server address (10.0.0.80) =FAILED
Ping from XP another 10.0.0.x address=FAILED
Ping from Ubuntu to XP OpenVPN address (192.168.254.x) =FAILED
Ping from Ubuntu to XP address (192.168.7.x)=FAILED

Advice ,
 
0
 

Author Comment

by:mubama0n
ID: 24508781
Please note that The (VPN) Ip address assigned to Client by server is Dynamic nature.
0
 

Author Comment

by:mubama0n
ID: 24508799


Under any case of this:
Ping from XP to Ubuntu server address (10.0.0.80) =FAILED
Ping from XP another 10.0.0.x address=FAILED
Ping from Ubuntu to XP OpenVPN address (192.168.254.x) =FAILED
Ping from Ubuntu to XP address (192.168.7.x)=FAILED

The log of VPN server said:
Multi Bad source from (3G) IP address , Packet dropped
0
 

Author Comment

by:mubama0n
ID: 24508825
If I try to create a route on VPN Server:route add -net 192.168.7.0 netmask 255.255.255.0 192.168.254.11

SIOCADDRT error: no such process

what does it mean?
0
 

Author Comment

by:mubama0n
ID: 24509128
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.254.11
route add -net 192.168.7.0 netmask 255.255.255.0 gw 10.0.0.80
route add -net 192.168.254.0 netmask 255.255.255.0 gw 10.0.0.80
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.254.11

But still no party can ping the other. Only:
Ping from XP to Ubuntu OpenVPN server address (192.168.254.x) =OK

Thanks

0
 

Author Comment

by:mubama0n
ID: 24509134

Very frustrated Case!!!!!!!!!!!!!!!
Very frustrated Case!!!!!!!!!!!!!!!
Very frustrated Case!!!!!!!!!!!!!!!
Very frustrated Case!!!!!!!!!!!!!!!
Very frustrated Case!!!!!!!!!!!!!!!
Very frustrated Case!!!!!!!!!!!!!!!
Very frustrated Case!!!!!!!!!!!!!!!

0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24509857
expected answers:
Ping from XP to Ubuntu OpenVPN server address (192.168.254.x) =OK
Ping from XP another 10.0.0.x address=FAILED
Ping from Ubuntu to XP address (192.168.7.x)=FAILED

unexpected:
Ping from XP to Ubuntu server address (10.0.0.80) =FAILED
Ping from Ubuntu to XP OpenVPN address (192.168.254.x) =FAILED
----------------------
Ok routes:
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.254.11

Superfluous or wrong routes:
route add -net 192.168.7.0 netmask 255.255.255.0 gw 10.0.0.80
route add -net 192.168.254.0 netmask 255.255.255.0 gw 10.0.0.80
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.254.11
---------------------------

The routing for OpenVPN should better be managed thru its configuration file, but static routing would work, too, as long as the "dynamic" client IP address does not change. It does not change as long as you use ifconfig-pool-persist.

I think I should clean out your config files a bit; however, this might last till tomorrow.
The fact that the ping from XP to Ubuntu 10.0.0.80 failed tells me there is a firewall / routing issue. Please look again into your XP client whether it has a route to 10.0.0.x active by default or thru misconfiguration in OpenVPN config file. And on server there should be NO route to 192.168.7.0 at the moment.
0
 

Author Comment

by:mubama0n
ID: 24512336
Dear Qlemo

 You said "The fact that the ping from XP to Ubuntu 10.0.0.80 failed tells me there is a firewall / routing issue.

If it is a routing problem I agree with you, but (firewall): if it is found on (XP), what about the current communication between the (2) machines? I believe if there is a firewall then there is no communication; is that right or wrong?

With best regards
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24512566
XP firewall protects only against incoming calls. With an active XP firewall all pings and so on from XP should work. And generally speaking, if a firewall is in the way, it can block what it wants: specific ports, addresses, or combinations, based on time, weather and goodwill :-)

See attached both server and (XP) client OVPN file. No routes should be set when OpenVPN is not running; all routes should be set automatically thru the config scripts.
XP client should be able to ping anything, as long as the other devices on 10.0.0.0/24 know how to route 192.168.254.0/24 - you might have to add a route on your default gateway, or on each device you test, to the Ubuntu OpenVPN server.


Client Setting file (XP):

client
proto udp
dev tun
remote 86.60.99.191 1194
resolv-retry infinite
nobind
pull
persist-key
persist-tun
comp-lzo
writepid /var/run/openvpn.pid
verb 4
;mute 20
ca   "/Program Files/openvpn/easy-rsa/2.0/keys/ca.crt"
cert "/Program Files/openvpn/easy-rsa/2.0/keys/client1.crt"
key  "/Program Files/openvpn/easy-rsa/2.0/keys/client1.key"
dh   "/Program Files/openvpn/easy-rsa/2.0/keys/dh1024.pem"
; only accept a server whose certificate carries the nsCertType=server
; extension, so a stolen client certificate cannot pose as the server
ns-cert-type server
; must match the server's cipher line
cipher BF-CBC

; useless with XP:
;daemon

;ping 10
;ping-restart 60
;;The following command is important for openvpn 2.0 and below
;chroot chroot
log-append /var/log/vpnclient.log

////////////////////////////////////////////////////////

Server setting file (Ubuntu):

port 1194
proto udp
dev tun0
keepalive 10 120
writepid /var/run/openvpn.pid
comp-lzo
persist-key
persist-tun
verb 3
mute 20
tls-server
; BF-CBC is a 64-bit block cipher; AES-256-CBC is the stronger choice,
; but it has to be changed on both ends at once
cipher BF-CBC
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
chroot /etc/openvpn/chroot
; per-client files are read at connect time, i.e. after the chroot,
; so this relative path means /etc/openvpn/chroot/ccd
client-config-dir ccd
status /var/log/serverstatus.log
log-append /var/log/vpnserver.log

; This will replace a lot of commands:
; mode server
; tls-server
; ifconfig-pool 192.168.254.4 192.168.254.251
; route 192.168.254.0 255.255.255.0
; push "route 192.168.254.0 255.255.255.0"      -- because of client-to-client
server 192.168.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "route 10.0.0.0 255.255.255.0"

; not required at the moment
; allows for communication between OVPN clients
client-to-client

0
 

Author Comment

by:mubama0n
ID: 24512832
Ok Now big Improvement:

Please NOTE: 192.168.7.192 IS the (XP) Client (GW)
machinec1 connected as 192.168.7.170 255.255.255.0 GW(VIA)  192.168.7.192

Ping from XP (or any 192.168.7.X) to Ubuntu OpenVPN server address (192.168.254.x) =OK
Ping from XP another 10.0.0.x address=OK
Ping from Ubuntu to XP address (192.168.7.x)=FAILED
Ping from XP to Ubuntu server address (10.0.0.80) =OK
Ping from Ubuntu to XP OpenVPN address (192.168.254.x) =OK

ping from machinec1 to Ubuntu OpenVPN server address (10.0.0.80) =FAILED
ping from machinec1 to Ubuntu OpenVPN server address (10.0.0.X) =FAILED
ping from machinec1 to OpenVPN server address (192.168.254.X) =OK

ADvice ,



0
 

Author Comment

by:mubama0n
ID: 24512840
Correction

ping from machinec1 to any address (10.0.0.X) =FAILED

ADvice ,
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24512938
This is the expected behaviour, if the Ubuntu OpenVPN server is your default gateway, or otherwise the route to 192.168.254.0/24 is set on that network.

I'll give you a bit of background:
  • When pinging from XP, you will use IP address 192.168.254.x as source. If routing info is good on the remote network, full communication is available.
  • When pinging from Ubuntu, only networks 192.168.254.0/24 and 10.0.0.0/24 (local) are known. 192.168.7.0/24 has no route yet. We have to set that up now.
  • When pinging from machinec1, the same applies - you are coming from 192.168.7.0/24, which is unknown to the OpenVPN server. We could perform NAT on XP, so any traffic from the XP network would be mapped to the single OpenVPN address, but that is unidirectional, only working INTO the OpenVPN server network, not vice versa.
  • And last, for being able to ping from 10.0.0.0/24 (other than from Ubuntu) to a device other than XP, we need to have routes on BOTH sides.
As we need a full routing solution, to get from all to all, you need to set up routing for 192.168.7.0 on the server side. It should be sufficient to add the following line to your server config:
route 192.168.7.0 255.255.255.0
Further, machinec1 has to know where to send 10.0.0.0/24 packets to, i.e. you have to set a route for 10.0.0.0/24, gateway XP (192.168.7.192).
At last, devices on 10.0.0.0/24 need to route traffic to 192.168.7.0/24 via Ubuntu. At the moment, they route 192.168.254.0/24 already, so I think you have set Ubuntu as default gateway, and no further settings are required.

0
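Added example, not part of Qlemo's or the poster's configuration: a small POSIX shell script that writes the two server-side files a LAN behind a client needs, and checks that they agree. The `route 192.168.7.0 255.255.255.0` line above gives the server's kernel a route through the tunnel; what the thread never adds is the matching `iroute 192.168.7.0 255.255.255.0` in the client's client-config-dir file, which tells OpenVPN which client that subnet sits behind. Without the iroute the server cannot associate 192.168.7.x source addresses with any client and logs the "bad source address from client ... packet dropped" message quoted earlier in the thread. Assumed here: the client's certificate common name is client1 (after client1.crt), the config directory is /etc/openvpn, and, because the posted server config uses chroot /etc/openvpn/chroot with a relative client-config-dir ccd, the ccd directory lives inside the chroot (per-client files are opened at connect time, after the chroot has happened).

```shell
#!/bin/sh
# Added example (not from the thread). Server-side files for routing the LAN
# behind an OpenVPN client:
#   route  -> kernel route through the tunnel (the line Qlemo asks for)
#   iroute -> binds that subnet to ONE client, so the server accepts packets
#             with 192.168.7.x source addresses from it; without it they are
#             logged as "MULTI: bad source address from client" and dropped
# Assumptions: client common name "client1", LAN 192.168.7.0/24 behind it,
# config dir /etc/openvpn, chroot dir /etc/openvpn/chroot (ccd lives there).
write_site_to_site_conf() {
    confdir=$1
    chrootdir=$2
    mkdir -p "$chrootdir/ccd"

    # Lines for server.conf; keep them there or pull the file in with
    #   config /etc/openvpn/site-to-site.conf
    cat > "$confdir/site-to-site.conf" <<'EOF'
; kernel route: 192.168.7.0/24 is reachable through the tunnel
route 192.168.7.0 255.255.255.0
EOF

    # Per-client file, named after the certificate common name. With
    # "client-config-dir ccd" and chroot, it is looked up as <chroot>/ccd/client1.
    cat > "$chrootdir/ccd/client1" <<'EOF'
iroute 192.168.7.0 255.255.255.0
EOF
}

# Consistency check before restarting the server: every LAN "route" in the
# config files must have a matching "iroute" in some ccd file. Prints each
# network that has no owner; prints nothing when everything is consistent.
missing_iroutes() {
    confdir=$1
    chrootdir=$2
    grep -h '^route ' "$confdir"/*.conf 2>/dev/null | while read -r kw net mask rest; do
        grep -qs "^iroute $net $mask" "$chrootdir"/ccd/* || echo "$net $mask"
    done
}

# On the server, as root, then restart openvpn:
#   write_site_to_site_conf /etc/openvpn /etc/openvpn/chroot
#   missing_iroutes /etc/openvpn /etc/openvpn/chroot
```

The check is worth running whenever a second site is added: a `route` without an `iroute` reproduces exactly the "bad source address" symptom, and an `iroute` without a `route` leaves the kernel with no path into the tunnel at all.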
 

Author Comment

by:mubama0n
ID: 24515187
Dear Qlemo

 Thanks for this valuable information. I'm focusing now on the last point, when you said "And last, for being able to ping from 10.0.0.0/24 (other than from Ubuntu) to a device other than XP, we need to have routes on BOTH sides".

In this connection I'll summarize what I'll do next and correct me if something wrong or misunderstood:
full routing solution:
Step 1:
On Server side I'll type the following command (setting file) to open route into the XP client:
route add -net 192.168.7.0 netmask 255.255.255.0 GW 192.168.7.192
or
route 192.168.7.0 255.255.255.0 ; " " needed or not?

Step 2:
on client (XP) site I'll type the following command to open route into the XP client:
route -net 10.0.0.0 netmask 255.255.255.0 GW 10.0.0.80
or
route 10.0.0.0  255.255.255.0 ; " " needed or not?

////
About what you said "so I think you have set Ubunut as default gateway, and no further settings are required." is Step (2) the solution for it?

More question:
Sometimes on server when I tried to type routing command through command prompt like e.g.:
route add -net 192.168.7.0 netmask 255.255.255.0 GW 192.168.7.192
it display error message said :
SIOCADDRT error: no such process

so I should do (2) steps to avoid this error:
1-route add -net 192.168.7.0 netmask 255.255.255.0 dev eth1
then route add -net 192.168.7.0 netmask 255.255.255.0 GW 192.168.7.192

Is there a problem when we doing like this?

Thanks




0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24515805
Step 1 is answered already. Add
route 192.168.7.0 255.255.255.0
to your server config file, nothing else is needed.

Step 2 is superfluous on XP; that is already done by the server when connecting (push "route ..."). On machineC1 it is WRONG: the machine does not know how to reach 10.0.0.80.

Again: You should not have to set up static routing commands outside OpenVPN for either server or client. All routing commands should be managed through the OpenVPN config files.
I don't know why you are coming back with routing commands all the time, in spite of me telling you not to.

The other machines not connected by OpenVPN are different. They need to know whom to ask for the other's network. You need to set the routes on each default gateway (easiest), or on each machine (not recommended).
If the default gateway in the 10.0.0.0/24 network is NOT the OpenVPN server, set a
route add 192.168.7.0 mask 255.255.255.0 10.0.0.80          (Windows syntax)
on the default gateway device.
If the default gateway in the 192.168.7.0/24 network is NOT the OpenVPN client, set a
route add 10.0.0.0 mask 255.255.255.0 192.168.7.192        (Windows syntax)
on the default gateway device.

Again: Setting a network route to a gateway in the same network as the route is senseless! Neither a route 192.168.7.0/24 over 192.168.7.192 nor 10.0.0.0/24 over 10.0.0.80 is valid. The gateway has to be reachable by the station you set the route on. This is network 101. Windows does not allow you to set such faulty routes. Ubuntu should not either, and instead throws that "SIOCADDRT error: no such process" message.
0
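Added example, not from the thread: Qlemo's "network 101" rule as a check you can run in any POSIX shell before typing a route command. The Linux kernel accepts a gateway only if it lies inside a subnet the host is directly connected to (an on-link address); otherwise net-tools `route` on the poster's kernel answers `SIOCADDRT: No such process`, and a current `ip route add` answers `Nexthop has invalid gateway`. That is also why the two-step trick (adding 192.168.7.0/24 on eth1 first) only hides the mistake: the first command makes 192.168.7.192 look on-link, so the second is accepted, but ARP requests for that gateway then go out of eth1 where nobody answers them. The addresses are the thread's; which subnets each host is directly connected to is my assumption from the posted routing tables, including that the server's tun0 is a point-to-point device whose only on-link address is the peer 192.168.254.2 that `server 192.168.254.0 255.255.255.0` assigns by default. For the same reason the check rejects a hand-typed route via a client pool address such as 192.168.254.11 on that host, whereas the `route` directive in server.conf uses the tunnel peer automatically.

```shell
#!/bin/sh
# Added example (not from the thread). Predicts whether Linux will accept a
# static route: the gateway must be inside a directly connected subnet.
# Connected subnets per host are assumed from the routing tables posted above.

# dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_subnet ADDR NET/PREFIX: succeeds if ADDR lies inside NET/PREFIX
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# route_ok DEST/PREFIX GATEWAY CONNECTED/PREFIX...: succeeds if the kernel
# would accept "ip route add DEST via GATEWAY" on a host whose directly
# connected subnets are the remaining arguments (a /32 for a point-to-point
# peer such as the OpenVPN tun endpoint)
route_ok() {
    gw=$2
    shift 2
    for sub in "$@"; do
        in_subnet "$gw" "$sub" && return 0
    done
    return 1
}

# The thread's attempts, on the OpenVPN server (eth1 10.0.0.80/24, tun0 peer
# 192.168.254.2):
#   route_ok 192.168.7.0/24 192.168.7.192 10.0.0.0/24 192.168.254.2/32  -> rejected (SIOCADDRT)
#   route_ok 192.168.7.0/24 192.168.254.11 10.0.0.0/24 192.168.254.2/32 -> rejected (pool address, not on-link)
#   route_ok 192.168.7.0/24 192.168.254.2 10.0.0.0/24 192.168.254.2/32  -> accepted (what "route" in server.conf installs)
# and on machinec1 (192.168.7.172/24):
#   route_ok 10.0.0.0/24 10.0.0.80     192.168.7.0/24  -> rejected (the "WRONG" route above)
#   route_ok 10.0.0.0/24 192.168.7.192 192.168.7.0/24  -> accepted
```

The same rule is why Windows refuses `route add 10.0.0.0 mask 255.255.255.0 10.0.0.80` on a 192.168.7.x box: the gateway of a route to network X is never inside X from the point of view of a host that is not already on X.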
 

Author Comment

by:mubama0n
ID: 24516215
Nothing is now written in the (setting file).

I Typed (on command prompt) the following :

On server (IP 10.0.0.80) the GW is (10.0.0.138)
10.0.0.138( the default GW for Openvpn server 10.0.0.80)

On client site :
192.168.7.192 XP(VPN Client)  is the default GW
You said:"If default gateway in 192.168.7.0/24 network is NOT the OpenVPN client"
I didn't write the command (as recommended)
then any (10.0.0.0) couldn't reach any  (192.168.7.0)

But
---

When I typed (on XP vpn client) (default GW) :
 
XP client (192.168.7.192) is the default GW connected to the (3G)
So  I typed:
route add 192.168.7.0 mask 255.255.255.0 10.0.0.80          If default gateway in 192.168.7.0/24 network is NOT the OpenVPN client, set a

route add 10.0.0.0 mask 255.255.255.0 192.168.7.192        (Windows syntax)
route add 10.0.0.0 mask 255.255.255.0 192.168.7.192        

Any (10.0.0.0) can reach only the address (192.168.7.192) (Default XP GW) and others cannot

This is the case now
0
 

Author Comment

by:mubama0n
ID: 24516222
Nothing is now written in the (setting file).

I Typed (on command prompt) the following :

On server (IP 10.0.0.80) the GW is (10.0.0.138)
10.0.0.138( the default GW for Openvpn server 10.0.0.80)
I typed:
route add 192.168.7.0 mask 255.255.255.0 10.0.0.80          

Then

On client site :
192.168.7.192 XP(VPN Client)  is the default GW
You said:"If default gateway in 192.168.7.0/24 network is NOT the OpenVPN client"
I didn't write the command (as recommended)
then any (10.0.0.0) couldn't reach any  (192.168.7.0)

But
---

When I typed (on XP vpn client) (default GW) :
 
XP client (192.168.7.192) is the default GW connected to the (3G)
So  I typed:
route add 192.168.7.0 mask 255.255.255.0 10.0.0.80          If default gateway in 192.168.7.0/24 network is NOT the OpenVPN client, set a

route add 10.0.0.0 mask 255.255.255.0 192.168.7.192        (Windows syntax)
route add 10.0.0.0 mask 255.255.255.0 192.168.7.192        

Any (10.0.0.0) can reach only the address (192.168.7.192) (Default XP GW) and others cannot

This is the case now
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24516452
I'm still trying to understand what you wrote. Not easy with all that copied parts intermixed with your own code.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24516503
Without the extra routes you set, try to do a (Windows syntax)
tracert -d -w 100 192.168.7.x
on server side from both server and another device. For Linux, it should be traceroute instead of tracert (not sure about that).
You should see all routers passed, but OpenVPN tunnel will not appear (most probably). Expected output:
  10.0.0.138
  10.0.0.80
  192.168.254.11
  192.168.7.x
If issued on the OpenVPN server, only the second and third addresses should appear.

Do the like from client side (again some other device). Expected:
  192.168.7.192
  192.168.254.1
  10.0.0.x

0
 

Author Comment

by:mubama0n
ID: 24516762
On client connected to (openvpn server)
10.0.0.80
  192.168.7.192

But from the (OpenVPN) server I cannot, because it is running (synchronously) with the XP client;
I cannot do anything.


0
 

Author Comment

by:mubama0n
ID: 24516774
I pressed (Ctrl + Z) to exit from the (synchronous) case; does that mean it will stop, because the result after traceroute is only:
192.168.7.192
0
 

Author Comment

by:mubama0n
ID: 24517036
Summary of the Case Now:

From XP client site:
----------------------
It can ping any (10.0.0.X) Successfully but only from the GW XP Client (192.168.7.192)
Any device connected to XP Client (192.168.7.192) cannot ping any (10.0.0.0)
Any device connected to (192.168.7.192) can ping any (192.168.254.X) Successfully

From Openvpn server site (10.0.0.0)
---------------------------------------------
It Can ping only (192.168.7.192) Successfully from any device (10.0.0.X).
Any device connected to (Openvn Server 10.0.0.80) can ping any (192.168.254.X) Successfully

Trace route result:
On client connected to (openvpn server) after tracing the result:
10.0.0.80
192.168.7.192

But from the (OpenVPN) server I cannot, because it is running (synchronously) with the XP client.
I tried pressing (Ctrl + Z) and I get:
192.168.7.192

Thanks in Advanced



0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24517409
"Synchronously" seems to be the wrong expression - it will end some time, after 30 hops (gateways).
"On client connected to (openvpn server)
10.0.0.80
192.168.7.192"
Did you trace route 192.168.7.192 or another address on 192.168.7.x?

And what about the way back? E.g. trace route from the Ubuntu machine on client side?

0
 

Author Comment

by:mubama0n
ID: 24518821
Dear Qlemo

You said:

"Did you trace route 192.168.7.192 or another address on 192.168.7.x?"
Yes I traced "192.168.7.192" from the client (device) connected to VPN Server e.g.: 10.0.0.70
the other "192.168.7.x" not sure but I'll check shortly

"And what about the way back? E.g. trace route from the Ubuntu machine on client side?"
If you means From (OPENVPN) server checking (traceroute)  XP client (192.168.7.192) ?
192.168.7.192
or
You means checking (traceroute) (10.0.0.80) from XP client?

I'll do it within 1/2 HR I'll be in front of the server machine.

Thanks again
0
 

Author Comment

by:mubama0n
ID: 24519471


"Did you trace route 192.168.7.192 or another address on 192.168.7.x?"

Just now from (10.0.0.X) i traced another machine connected to (XP client) trace : 192.168.7.172
it displays:
10.0.0.80
request time out (30) times


///////////////////////

Way back: I traced from (192.168.7.X) to (10.0.0.80)
30 times (request time out)

Thanks
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 24519749
192.168.7.172 exists, I suppose. Since the trace went from 10.0.0.x => 10.0.0.80 and not further, the problem lies on or behind 10.0.0.80.

The backroute is not working, and I think it is the same reason.

Ahhh, now I get the problem. XP is not routing by default. I forgot that you did not enable routing yet (I have been troubleshooting another OpenVPN issue in parallel, so I guess I mixed that up).
Execute the following in a cmd.exe window. Then try ping or tracert again from both sides.

@(
  echo Windows Registry Editor Version 5.00
  echo.
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  echo "IPEnableRouter"=dword:00000001
) > %temp%\iproute.reg

rem /wait: let regedit finish importing before the file is deleted
start /wait "" %temp%\iproute.reg
del %temp%\iproute.reg >nul

rem restart Routing and Remote Access so the setting takes effect without a reboot
net stop RemoteAccess >nul 2>nul
net start RemoteAccess

0
 

Author Comment

by:mubama0n
ID: 24524054
Dear Qlemo

 Shall I post the above text on XP : /start/run/(here posting all this text commands)?

Regards,
0
 

Author Comment

by:mubama0n
ID: 24524217
Also

What is the case if the main client (linux based) connected to Openvpn Server? How we translate the above windows text into linux (debian ,redhat ,....etc)?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24524561
With Linux (and no iptables or IPCop), you only need to enable forwarding (creating a file with 1 in it; I can't remember exactly, but you should know, as you have done it on the OpenVPN server).

With XP, open a cmd.exe, then paste the above commands as-is into it to execute.

0
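Added example, not from the thread: the Linux side of the step above, for a Debian/Ubuntu or Red Hat box that has to forward between its LAN and the tunnel (the role XP plays here, or the Ubuntu client of the poster's original design). The "file with a 1 in it" is /proc/sys/net/ipv4/ip_forward; writing it lasts only until reboot, so the persistent setting belongs in /etc/sysctl.conf, which also answers the rc.local question: nothing needs to go there. The functions take an optional file argument so they can be exercised on scratch files; run them without arguments, as root, on the real box. The paths are the standard kernel and sysctl ones; nothing else is assumed. If iptables is active on that host, the FORWARD chain must additionally allow traffic between tun0 and the LAN interface, which is what Qlemo's "no iptables" proviso is about.

```shell
#!/bin/sh
# Added example (not from the thread): enable and persist IPv4 forwarding on
# a Linux host that routes between its LAN and the OpenVPN tunnel. Each
# function takes an optional file path so it can be tested on scratch files.

# Is forwarding on right now? (reads /proc, or a stand-in file)
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Turn it on in the running kernel (needs root); same effect as
#   sysctl -w net.ipv4.ip_forward=1
enable_forwarding_now() {
    echo 1 > "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Make it survive a reboot: set net.ipv4.ip_forward=1 in sysctl.conf, replacing
# any existing (possibly commented-out) line instead of appending a duplicate.
# Safe to run repeatedly.
persist_forwarding() {
    conf=${1:-/etc/sysctl.conf}
    tmp=$(mktemp)
    grep -v -E '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf" 2>/dev/null > "$tmp" || true
    echo 'net.ipv4.ip_forward=1' >> "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Does sysctl.conf already persist it? (ignores commented lines, tolerates spaces)
forwarding_persisted() {
    grep -q -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "${1:-/etc/sysctl.conf}"
}

# On the real box, as root:
#   enable_forwarding_now && persist_forwarding
#   forwarding_enabled && forwarding_persisted && echo "routing on, and persistent"
```

After enabling forwarding, the tracert/traceroute checks Qlemo describes are the right verification: the intermediate hop (the forwarding host) must show up, and the far-side address must answer.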
 

Author Comment

by:mubama0n
ID: 24525799
Ok within 15-30 minutes I'll be in front of the machine , please just wait.

But About my second question(How we translate the above windows text into linux (debian ,redhat ,....etc)?)  can I put the same commands on (rc.local)?
0
 

Author Comment

by:mubama0n
ID: 24526090
Attached the result ,

Can I edit regedit and do the execute through it?

But what I write inside the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters?

Regards
script.JPG
0
 

Author Comment

by:mubama0n
ID: 24526325
Dear Qlemo

 I'll be online till (17:00) GMT So if you have  time (Kindly) stay in touch with me.

Thanks for your help
0
 

Author Comment

by:mubama0n
ID: 24527285
Qlemo ,

The summary :

Even any client (machine, device) connected to the XP client (192.168.7.192) can ping any 10.0.0.X.
So just only now (10.0.0.X) cannot see (192.168.7.X).
Around 75% of the problem is finished; the remaining is 25%.
Waiting your response
Regards ,

 
0
 

Author Comment

by:mubama0n
ID: 24527336
Better Improvement,

Any client connected to OpenvpnServer (10.0.0.80) can see Just XP Client (192.168.7.192)===>Success
Any client connected to OpenvpnServer (10.0.0.80) can't see Any (machine) connected to XP Client (192.168.7.192)===> Failed

Regards

0
 

Author Comment

by:mubama0n
ID: 24528592
Dear Qlemo

 I have a business trip for (3) days (Wed-Fri), so I'll start keeping in touch again by (SAT) if U have time.
Thanks for your (patience).

Regards,
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24529778
"But About my second question(How we translate the above windows text into linux (debian ,redhat ,....etc)?)  can I put the same commands on (rc.local)?"
You only need to enable routing under *NIX like you did on your Ubuntu OpenVPN server.

"Can I edit regedit and do the execute through it?But what I write inside the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters?"
The error is not the registry - that part worked. You cannot start RemoteAccess (Routing and Remote Access Service); obviously it is disabled. Hence try the following:
sc config RemoteAccess start= auto
sc start RemoteAccess
I guess as soon as you have the RemoteAccess service running, all should be fine.

Regarding Saturday, I cannot promise anything, but I will try to listen to your results.
0
 

Author Comment

by:mubama0n
ID: 24544078
Thanks for your concerns ,
still I'm out of town; on Saturday I'll continue my tasks. Maybe there is a problem on the connection;
I'll give u feedback.

0
 

Author Comment

by:mubama0n
ID: 24563301
Dear Qlemo

Sorry, today I encountered some Internet connectivity problems from the client side, so I couldn't test your solution; I'll test it tomorrow. I have a small question until the Internet connectivity returns:
If I have an OpenVPN server (Pentium 4) with a 1 GHz processor and 500 MB RAM, how many machines (OpenVPN clients) can it support concurrently, from your experience in this field?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24563433
Hard to say, but I never saw any real CPU issue while using OpenVPN. I guess 100 clients are no problem with that machine.
0
 

Author Comment

by:mubama0n
ID: 24566635
Dear Qlemo

Thanks a lot, it works now successfully, but when I do the following steps:

1) I keep XP box as Just (GW) to internet.
2) Set Machine (192.168.7.172) As the main client box (original state).
3)On the client Machine I added the following route command:
route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.7.172

After that each party can ping the other from both sides.
The secret, as you said, is in the (routing). Please, I need your email; email me at: mohammed.mubarah@mopm.gov.sa

Thanks for your cooperation, I really appreciate it.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24566672
That route add should not have been necessary. However, and obviously, the push route option of OpenVPN server config file seems not to be executed (or it is rejected by the client?). Whatsoever, that configuration is suitable now, quite easy to manage if anything changes.
0
