Solved

OpenVPN: can't ping network computers

Posted on 2010-09-20
Last Modified: 2012-05-10
I have set up a VPN using OpenVPN. The server side is on a CentOS machine and I'm connecting using a Windows client.
I can connect to the VPN without errors, but I have two issues.

One is regarding the server side, where I get this error in the openvpn.log file every second.

Mon Sep 20 14:33:39 2010 10.0.0.1:37854 TLS Error: reading acknowledgement record from packet

and this error every minute:

Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS handshake failed
Mon Sep 20 14:43:58 2010 10.0.0.1:38395 SIGUSR1[soft,tls-error] received, client-instance restarting

10.0.0.1 is the internal IP of the FortiGate firewall. I have disabled the Linux firewall and accept all connections between the FortiGate and the Linux PC. I also disabled tls-auth temporarily.

The other issue is that when I connect to the VPN from the client, everything runs OK, but I cannot ping any PC in the LAN.

Here are the configuration files from the server and the client PC; the firewall is off on the Windows client as well.

server

port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server-bridge 10.0.0.81 255.255.254.0 10.0.0.82 10.0.0.86
push "route 10.0.0.0 255.255.254.0"
push "dhcp-option DNS 10.0.0.21"
push "dhcp-option DNS 10.0.0.27"
client-to-client
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

client

client
dev tap0
dev-node "OpenVPN"
proto udp
remote 217.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 3
Question by: uilli

Accepted Solution
by: McNetic
ID: 33716179
For the pinging problem: the LAN PCs also have to know how to reach the VPN clients, either by setting an explicit route on them for the client network pointing to the VPN gateway, or by setting a route to the client network on the default gateway of the LAN (in this case all packets will take one more hop).
Next, the VPN gateway must also have IP forwarding enabled.

Author Comment
by: uilli
ID: 33735670
Is it correct that the gw for the VPN client is the OpenVPN server?
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.45       20
       10.30.12.0    255.255.254.0      10.30.12.82     10.30.12.82       30
      10.30.12.82  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.1.0    255.255.255.0     192.168.1.45    192.168.1.45       20
     192.168.1.45  255.255.255.255        127.0.0.1       127.0.0.1       20

Author Comment
by: uilli
ID: 33735696
Actually, 10.30.12.82 is the IP assigned to the VPN client; shouldn't the gateway be the OpenVPN server?
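The route selection the Windows host applies to the table posted above, as an added example that is not part of this thread: it parses the posted `route print` output and does a longest-prefix match (lower metric breaks ties) to report which gateway a destination resolves to and whether delivery is direct on the interface (gateway equal to the interface address) rather than via a next-hop router. The table text is copied from the comment above; only the standard-library `ipaddress` module is used.

```python
import ipaddress

# Copy of the "Active Routes" table posted above (Windows "route print" format).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.45       20
       10.30.12.0    255.255.254.0      10.30.12.82     10.30.12.82       30
      10.30.12.82  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.1.0    255.255.255.0     192.168.1.45    192.168.1.45       20
     192.168.1.45  255.255.255.255        127.0.0.1       127.0.0.1       20
"""

def parse_routes(text):
    """Turn the route table text into a list of route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({
            # strict=False tolerates host bits set in the destination column
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": ipaddress.ip_address(gateway),
            "interface": ipaddress.ip_address(iface),
            "metric": int(metric),
        })
    return routes

def lookup(routes, destination):
    """Pick the route a host would use: longest prefix wins, lower metric breaks ties.
    Returns (network, gateway, on_link); on_link is True when the gateway is the
    interface's own address (no next-hop router) or the entry is a local host route."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    on_link = best["gateway"] == best["interface"] or best["gateway"].is_loopback
    return best["network"], best["gateway"], on_link

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("10.30.12.50", "10.0.0.21", "192.168.1.7"):
        net, gw, direct = lookup(table, dst)
        print(f"{dst:>14} -> {str(net):<18} via {gw} {'(on-link)' if direct else ''}")
```

A destination that matches none of the listed networks falls through to the 0.0.0.0/0 entry, i.e. it is sent to the LAN router on 192.168.1.1 rather than onto the tunnel interface.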