Solved

OpenVPN: can't ping network computers

Posted on 2010-09-20
1,243 Views
Last Modified: 2012-05-10
I have set up a VPN using OpenVPN. The server side is on a CentOS machine and I'm connecting using a Windows client.
I can connect to the VPN without errors, but I have two issues.

One is regarding the server side, where I get this error in the openvpn.log file every second.

Mon Sep 20 14:33:39 2010 10.0.0.1:37854 TLS Error: reading acknowledgement record from packet

and this error every minute:

Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS handshake failed
Mon Sep 20 14:43:58 2010 10.0.0.1:38395 SIGUSR1[soft,tls-error] received, client-instance restarting
10.0.0.1 is the internal IP of the FortiGate firewall. I have disabled the Linux firewall and accept all connections between the FortiGate and the Linux PC. I also disabled tls-auth temporarily.

The other issue is that when I connect to the VPN from the client, everything runs OK, but I cannot ping any PC in the LAN.

Here are the configuration files from the server and the client PC; the firewall is off on the Windows client as well.

Server config:

port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server-bridge 10.0.0.81 255.255.254.0 10.0.0.82 10.0.0.86
push "route 10.0.0.0 255.255.254.0"
push "dhcp-option DNS 10.0.0.21"
push "dhcp-option DNS 10.0.0.27"
client-to-client
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

Client config:

client
dev tap0
dev-node "OpenVPN"
proto udp
remote 217.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 3
Question by:uilli
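Added example (not from the question or from any of the answers): a small Python triage script that groups the TLS control-channel errors in openvpn.log by peer address, so that a single source which keeps hitting the 60-second negotiation timeout, as 10.0.0.1 does above, stands out from normal client activity. The log format and message strings are the ones quoted in the question; the extra log lines in the sample input are constructed.

```python
import re
from collections import Counter, defaultdict

# Peer-tagged OpenVPN server log lines look like:
#   "Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS handshake failed"
# i.e. timestamp, then <peer-ip>:<port>, then the message.
LOG_RE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$"
)

# Substrings identifying the TLS control-channel failures seen in the question.
TLS_PATTERNS = {
    "ack_read_error": "TLS Error: reading acknowledgement record from packet",
    "negotiation_timeout": "TLS key negotiation failed to occur within",
    "handshake_failed": "TLS Error: TLS handshake failed",
    "client_restart": "SIGUSR1[soft,tls-error] received",
}


def parse_line(line):
    """Return (ip, port, msg) for a peer-tagged line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), int(m.group("port")), m.group("msg")


def summarize_tls_errors(lines):
    """Count each TLS error category per peer IP.

    The source port changes on every retry (37854, 38395, ...), so grouping on
    the IP alone is what reveals one peer repeatedly failing to finish a handshake.
    """
    summary = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _port, msg = parsed
        for label, needle in TLS_PATTERNS.items():
            if needle in msg:
                summary[ip][label] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


def peers_never_completing_handshake(summary, min_failures=2):
    """Peer IPs whose TLS handshake failed at least min_failures times.

    Combined with ack_read_error hits this means packets do reach the server but
    the control channel never completes, which points at the path in between
    (NAT/firewall behaviour, MTU, a key or tls-auth mismatch) rather than at a
    peer that is not sending anything at all.
    """
    return sorted(
        ip for ip, counts in summary.items()
        if counts.get("handshake_failed", 0) >= min_failures
    )


# Sample input. The first four lines are the ones quoted in the question; the rest
# are constructed: a second failed attempt from the same peer a minute later and a
# line without a peer prefix, which the parser must skip.
SAMPLE_LOG = [
    "Mon Sep 20 14:33:39 2010 10.0.0.1:37854 TLS Error: reading acknowledgement record from packet",
    "Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Mon Sep 20 14:43:58 2010 10.0.0.1:38395 TLS Error: TLS handshake failed",
    "Mon Sep 20 14:43:58 2010 10.0.0.1:38395 SIGUSR1[soft,tls-error] received, client-instance restarting",
    "Mon Sep 20 14:44:58 2010 10.0.0.1:38402 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Mon Sep 20 14:44:58 2010 10.0.0.1:38402 TLS Error: TLS handshake failed",
    "Mon Sep 20 14:44:58 2010 10.0.0.1:38402 SIGUSR1[soft,tls-error] received, client-instance restarting",
    "Mon Sep 20 14:45:10 2010 Initialization Sequence Completed",
]

if __name__ == "__main__":
    summary = summarize_tls_errors(SAMPLE_LOG)
    for ip, counts in summary.items():
        print(ip, counts)
    print("peers stuck in handshake:", peers_never_completing_handshake(summary))
```

Run against the real file with `summarize_tls_errors(open("openvpn.log"))`; the per-IP counters are what to compare against the number of clients you actually expect behind that address.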
Accepted Solution

by: McNetic (earned 500 total points)
ID: 33716179
For the pinging problem: the LAN PCs also have to know how to reach the VPN clients, either by setting an explicit route on them for the client network pointing to the VPN gateway, or by setting a route to the client network on the LAN's default gateway (in which case all packets take one more hop).
Next, the VPN gateway must also have IP forwarding enabled.
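Added example (not part of the question or of McNetic's answer): a Python check for the server side of what the answer asks for. It reads the kernel's IPv4 forwarding switch (the standard Linux path `/proc/sys/net/ipv4/ip_forward`, the same value `sysctl net.ipv4.ip_forward` shows) and, because the config above uses `server-bridge`, also verifies that the client address pool sits inside the bridged LAN subnet and that the pushed route covers it. The two config lines are copied from the question's server file; the checks use only Python's standard `ipaddress` module.

```python
import ipaddress
import re

# The two lines from the question's server config (copied verbatim from the page).
SERVER_BRIDGE_LINE = "server-bridge 10.0.0.81 255.255.254.0 10.0.0.82 10.0.0.86"
PUSH_ROUTE_LINE = 'push "route 10.0.0.0 255.255.254.0"'

# Kernel switch that "IP forwarding enabled" refers to on Linux; sysctl
# net.ipv4.ip_forward reads and writes this same file.
IP_FORWARD_PATH = "/proc/sys/net/ipv4/ip_forward"


def parse_server_bridge(line):
    """Split 'server-bridge <gateway> <netmask> <pool-start> <pool-end>' into typed fields."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        raise ValueError("expected a 4-argument server-bridge line, got %r" % line)
    _, gw, mask, start, end = parts
    return {
        "gateway": ipaddress.IPv4Address(gw),
        # strict=False lets the host address 10.0.0.81 stand in for its network
        "subnet": ipaddress.IPv4Network((gw, mask), strict=False),
        "pool_start": ipaddress.IPv4Address(start),
        "pool_end": ipaddress.IPv4Address(end),
    }


def parse_push_route(line):
    """Turn 'push "route <network> <netmask>"' into an IPv4Network."""
    m = re.match(r'^push\s+"route\s+(\S+)\s+(\S+)"\s*$', line.strip())
    if not m:
        raise ValueError("not a push route line: %r" % line)
    return ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)


def bridge_config_problems(bridge, pushed_route):
    """Return human-readable findings; an empty list means the lines are consistent.

    With server-bridge the clients sit on the LAN itself, so the pool handed out
    to them must lie inside the bridged subnet (and outside the LAN's DHCP range,
    which this check cannot see), or LAN hosts have no way to reach them.
    """
    problems = []
    net = bridge["subnet"]
    if bridge["pool_start"] > bridge["pool_end"]:
        problems.append("pool start %s is after pool end %s"
                        % (bridge["pool_start"], bridge["pool_end"]))
    for field in ("pool_start", "pool_end"):
        if bridge[field] not in net:
            problems.append("%s %s lies outside bridged subnet %s"
                            % (field, bridge[field], net))
    if bridge["pool_start"] <= bridge["gateway"] <= bridge["pool_end"]:
        problems.append("gateway %s is inside the client pool" % bridge["gateway"])
    if not net.subnet_of(pushed_route):
        problems.append("pushed route %s does not cover bridged subnet %s"
                        % (pushed_route, net))
    return problems


def ip_forward_enabled_from_text(text):
    """Interpret the contents of ip_forward: '1' means forwarding is on."""
    return text.strip() == "1"


def ip_forward_enabled(path=IP_FORWARD_PATH):
    """True when the kernel forwards IPv4 between interfaces; False when off or unreadable."""
    try:
        with open(path) as fh:
            return ip_forward_enabled_from_text(fh.read())
    except OSError:
        return False


if __name__ == "__main__":
    bridge = parse_server_bridge(SERVER_BRIDGE_LINE)
    findings = bridge_config_problems(bridge, parse_push_route(PUSH_ROUTE_LINE))
    for finding in findings or ["bridge lines are consistent"]:
        print(finding)
    print("ip_forward enabled:", ip_forward_enabled())
```

For the config in the question the bridge checks pass (pool 10.0.0.82-10.0.0.86 is inside 10.0.0.0/23 and the pushed route equals that subnet), so on that server the script reduces to the ip_forward answer; a pool from a different range, such as the 10.30.12.x addresses seen later in the thread, would be reported as outside the bridged subnet.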
Author Comment

by: uilli
ID: 33735670
Is it correct that the gateway for the VPN client is the OpenVPN server?

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.45       20
       10.30.12.0    255.255.254.0      10.30.12.82     10.30.12.82       30
      10.30.12.82  255.255.255.255        127.0.0.1       127.0.0.1       30
      192.168.1.0    255.255.255.0     192.168.1.45    192.168.1.45       20
     192.168.1.45  255.255.255.255        127.0.0.1       127.0.0.1       20
Author Comment

by: uilli
ID: 33735696
Actually, 10.30.12.82 is the IP assigned to the VPN client; shouldn't the gateway be the OpenVPN server?