Solved

OpenVPN: can't ping network computers

Posted on 2010-09-20
Last Modified: 2012-05-10
I have set up a VPN using OpenVPN. The server side is on a CentOS machine and I'm connecting using a Windows client.
I can connect to the VPN without errors, but I have two issues.

One is regarding the server side, where I get this error in the openvpn.log file every second.

Mon Sep 20 14:33:39 2010 10.0.0.1:37854 TLS Error: reading acknowledgement record from packet

and this error every minute:

Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS handshake failed
Mon Sep 20 14:43:58 2010 10.0.0.1:38395 SIGUSR1[soft,tls-error] received, client-instance restarting



10.0.0.1 is the internal IP of the FortiGate firewall. I have disabled the Linux firewall and accept all connections between the FortiGate and the Linux PC. I also disabled tls-auth temporarily.

The other issue: when I connect to the VPN from the client, everything runs OK, but I cannot ping any PC in the LAN.

Here are the configuration files from the server and the client PC; the firewall is off on the Windows client as well.

Server:

port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server-bridge 10.0.0.81 255.255.254.0 10.0.0.82 10.0.0.86
push "route 10.0.0.0 255.255.254.0"
push "dhcp-option DNS 10.0.0.21"
push "dhcp-option DNS 10.0.0.27"
client-to-client
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

Client:

client
dev tap0
dev-node "OpenVPN"
proto udp
remote 217.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 3
Question by: uilli
3 Comments
Accepted Solution by: McNetic (ID: 33716179)
For the pinging problem: the LAN PCs also have to know how to reach the VPN clients, either by setting an explicit route on them for the client network pointing to the VPN gateway, or by setting a route to the client network on the default gateway of the LAN (in this case all packets will take one more hop).
Next, the VPN gateway must also have IP forwarding enabled.

Author Comment by: uilli (ID: 33735670)
Is it correct that the gateway for the VPN client is the OpenVPN server?

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.45       20
       10.30.12.0    255.255.254.0      10.30.12.82     10.30.12.82       30
      10.30.12.82  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.1.0    255.255.255.0     192.168.1.45    192.168.1.45       20
     192.168.1.45  255.255.255.255        127.0.0.1       127.0.0.1       20

Author Comment by: uilli (ID: 33735696)
Actually, 10.30.12.82 is the IP assigned to the VPN client; shouldn't the gateway be the OpenVPN server?
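A worked example for the two points above: McNetic's accepted answer (LAN hosts, or their default gateway, need a return route to the VPN client network, and the VPN gateway needs IP forwarding) and the author's question about the Gateway column in the client's route table. This is added code, not code from the thread or from OpenVPN. It models a routed-mode layout with assumed addresses (VPN clients on 10.8.0.0/24, a LAN PC at 10.0.0.50, the FortiGate at 10.0.0.1, the OpenVPN gateway at 10.0.0.81, an assumed ISP next hop 203.0.113.1) and traces where the LAN PC's echo reply goes with and without the return route and with ip_forward off on the gateway. It also runs a longest-prefix lookup over the route table the author posted: in Windows `route print` output a row whose Gateway equals its Interface address is on-link, i.e. the destination is reached directly on that interface with no next hop, which is what a bridged (tap/server-bridge) layout produces because the client is addressed out of the LAN subnet.

```python
import ipaddress

# Constructed illustration, not from the original post. Routed-mode layout: VPN
# clients on 10.8.0.0/24, LAN 10.0.0.0/23 (the subnet in the posted server
# config), OpenVPN gateway 10.0.0.81, FortiGate 10.0.0.1 as LAN default gateway.
# Every routing table and address below is assumed.

def parse_ip_route(text):
    """Parse Linux `ip route` lines into (network, gateway); gateway None = on-link."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gw = ipaddress.ip_address(parts[parts.index("via") + 1]) if "via" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), gw))
    return routes

def parse_route_print(text):
    """Parse the 'Active Routes' block of Windows `route print`.
    A row whose Gateway equals its Interface address is on-link (no next hop)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw, iface = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        except ValueError:
            continue  # column header row
        routes.append((net, None if gw == iface else gw))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match; returns (network, gateway) or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(tables, forwarders, src, dst, max_hops=8):
    """Follow a packet through per-host tables {ip: routes}. Hosts not in
    `forwarders` have ip_forward=0 and drop transit traffic. Returns the hops."""
    path, cur = [src], src
    for _ in range(max_hops):
        if cur != src and cur not in forwarders:
            return path                      # transit host with forwarding off: dropped
        hit = next_hop(tables.get(cur, []), dst)
        if hit is None:
            return path                      # no matching route
        cur = dst if hit[1] is None else str(hit[1])
        path.append(cur)
        if cur == dst or cur not in tables:
            return path                      # delivered, or handed outside the model
    return path

LAN_PC, FORTIGATE, VPN_GW, CLIENT = "10.0.0.50", "10.0.0.1", "10.0.0.81", "10.8.0.6"
LAN_ONLY = "10.0.0.0/23 dev eth0 proto kernel scope link src "
LAN_PC_ROUTES = parse_ip_route("default via 10.0.0.1 dev eth0\n" + LAN_ONLY + LAN_PC)
LAN_PC_ROUTES_DIRECT = LAN_PC_ROUTES + parse_ip_route("10.8.0.0/24 via 10.0.0.81 dev eth0")
FORTIGATE_BEFORE = parse_ip_route("default via 203.0.113.1 dev wan1\n" + LAN_ONLY + FORTIGATE)
FORTIGATE_AFTER = FORTIGATE_BEFORE + parse_ip_route("10.8.0.0/24 via 10.0.0.81 dev internal")
VPN_GW_ROUTES = parse_ip_route("default via 10.0.0.1 dev eth0\n" + LAN_ONLY + VPN_GW
                               + "\n10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1")

def reply_path(lan_pc_routes, fortigate_routes, vpn_gw_forwards=True):
    """Hops an ICMP echo reply from the LAN PC takes toward the VPN client."""
    tables = {LAN_PC: lan_pc_routes, FORTIGATE: fortigate_routes, VPN_GW: VPN_GW_ROUTES}
    forwarders = {FORTIGATE} | ({VPN_GW} if vpn_gw_forwards else set())
    return trace(tables, forwarders, LAN_PC, CLIENT)

# The table the author posted from the Windows client (copied from the thread).
POSTED_CLIENT_TABLE = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.45       20
       10.30.12.0    255.255.254.0      10.30.12.82     10.30.12.82       30
      10.30.12.82  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.1.0    255.255.255.0     192.168.1.45    192.168.1.45       20
     192.168.1.45  255.255.255.255        127.0.0.1       127.0.0.1       20
"""

def client_next_hop(dst):
    """(network, gateway) the posted client table selects for dst; gateway None = on-link."""
    net, gw = next_hop(parse_route_print(POSTED_CLIENT_TABLE), dst)
    return str(net), None if gw is None else str(gw)

if __name__ == "__main__":
    print("no return route:       ", reply_path(LAN_PC_ROUTES, FORTIGATE_BEFORE))
    print("route on FortiGate:    ", reply_path(LAN_PC_ROUTES, FORTIGATE_AFTER))
    print("route on LAN PC:       ", reply_path(LAN_PC_ROUTES_DIRECT, FORTIGATE_BEFORE))
    print("ip_forward=0 on VPN gw:", reply_path(LAN_PC_ROUTES, FORTIGATE_AFTER, False))
    print("client -> 10.30.12.50: ", client_next_hop("10.30.12.50"))
```

Running it shows the four reply paths: with no return route the reply follows the FortiGate's default route and leaves the LAN; with the route on the FortiGate it takes the extra hop the answer mentions; with the route on the LAN PC itself it goes straight to the VPN gateway; with ip_forward=0 it is dropped at the gateway. The posted client table sends 10.30.12.x traffic on-link over the tap interface rather than to a gateway address.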