  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1097

OpenVPN - can't see internal network

I have a server running and clients configured, but I can't ping internal resources; I have been struggling with this for a couple of days now.
The layout is like so:

LAN 192.168.10.X 255.255.255.0 Gateway:192.168.10.254

The OpenVPN server is sitting on the 192.168.10.235 box.
The virtual network is handing out 192.168.123.X addresses.

I have all traffic allowed in the firewall from 192.168.123.X --> LAN and LAN --> 192.168.123.X.

Server config as follows:

local 192.168.10.235
port 11936
proto tcp
dev tun
ca "C:\\KEYS\\ca.crt"
cert "C:\\KEYS\\server.crt"
key "C:\\KEYS\\server.key"
dh "C:\\KEYS\\dh1024.pem"
server 192.168.123.0 255.255.255.0
;route 192.168.10.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.200"
push "redirect-gateway"
duplicate-cn
client-to-client
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 10
status openvpn-status.log
verb 3

Client Config:

client
dev tun
proto tcp
remote 70.91.81.194 443
resolv-retry infinite
nobind
persist-key
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client1.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1.key"
cipher BF-CBC
comp-lzo
verb 3

As I said, the client can connect to the VPN from an external source, but I cannot ping anything on the internal network. What am I missing?

0
Asked by: mdsurfrider
3 Solutions
techfortat commented:
Well, first off, if you are running a Windows Server it has VPN capabilities built in using PPTP, where you can do a similar setup without using third-party software. Secondly, a cheap VPN solution is the RV042 Linksys/Cisco VPN firewall, which handles 5 VPN-to-client connections and a multitude of host-to-host connections. Or you can go straight Cisco ASA firewall, but it is costly and not easy to set up unless you are a Cisco tech. Having said that, here are my suggestions.

Well, not being very familiar with the software you are using, I can only assume based on what you have shown. Two things stick out immediately to me.
1. You need to make sure the DHCP table for the VPN clients assigns the same gateway as your internal LAN.
2. How are you allowing this traffic between the LAN and VPN IP schemes?
"I have all traffic allowed in firewall from 192.168.123.x --> LAN and LAN-->192.168.123.X"
Is this a firewall rule? Or do you have an IP route entered on the server? If it's a Windows route then you need to be sure you enter it on the workstations connecting and on the servers/resources that will be accessed.

According to your statements above, the VPN connects with no problems authenticating, and you can check the connection status or ipconfig to view the VPN's IP/gateway/subnet/DNS.
***What is that info?***
If you are connecting properly but just have problems accessing the resources, then it's either #1 or #2 above, or you are trying to access the resources by name and WINS is not configured properly. You either need named objects to assign static IPs on the VPN server, or you need to edit the LMHOSTS file so the VPN server isn't trying to use DNS to look up names for the VPN requests, or assign the DNS names in the LMHOSTS file on the client computers connecting.
Start by looking at the VPN connection setting specifics... then try pinging the resources by IP address; if they do not ping, try pinging the LAN gateway. Start trying to backtrack and figure out where it's broken down.

It sounds like the tunnel is formed and it's just a routing problem; not having the proper gateway will cause this, but you will still be able to ping the LAN gateway. Get the VPN connection specific info for me in as much detail as possible if the above suggestions do not fix the issue.
FYI: please change any external IP addresses next time you post, if you didn't, i.e. the client config IP.
0
 
mdsurfrider (Author) commented:
I am trying to ping the servers on the 192.168.10.X network (by IP address).

The VPN client is assigned 192.168.125.6 255.255.255.252, no default gateway.

I have set up a static route in my router to point 192.168.125.X traffic to the 192.168.10.235 IP (hosting the VPN traffic).

I can ping 192.168.125.1 from the router and client machines.
I cannot ping the 192.168.10.254 router from client machines.
0
 
mdsurfrider (Author) commented:
"Is this a firewall rule? or do you have an IP route entered on the server? if its a Windows route then you need to be sure you enter it on the workstations connecting and the servers/resources that will be accessed."

What would be the route to add to the server to access the 192.168.10.x network from the 192.168.125.x network?

When I start the server it gives me this in the log...

Thu May 05 19:16:36 2011 Successful ARP Flush on interface [393218] {BD1C2E66-6343-4C65-BD69-6BD4525F003D}
Thu May 05 19:16:36 2011 route ADD 192.168.125.0 MASK 255.255.255.0 192.168.125.2
Thu May 05 19:16:36 2011 Route addition via IPAPI succeeded
Thu May 05 19:16:36 2011 Data Channel MTU parms [ L:1544 D:1400 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu May 05 19:16:36 2011 Listening for incoming TCP connection on 192.168.10.235:11936
Thu May 05 19:16:36 2011 TCPv4_SERVER link local (bound): 192.168.10.235:11936
Thu May 05 19:16:36 2011 TCPv4_SERVER link remote: [undef]
Thu May 05 19:16:36 2011 MULTI: multi_init called, r=256 v=256
Thu May 05 19:16:36 2011 IFCONFIG POOL: base=192.168.125.4 size=62
Thu May 05 19:16:36 2011 MULTI: TCP INIT maxclients=10 maxevents=14
Thu May 05 19:16:36 2011 Initialization Sequence Completed

Then when I do an ipconfig /all I get 192.168.125.1 as my IP address on my server's virtual interface:
0
techfortat commented:
Well, I am not sure what the 192.168.10.254 router is doing; do you have two gateways?
The gateway used by the VPN client needs to be the same as your LAN computers'. I am basing this off Cisco VPN technologies, which is what I have the most experience configuring.

If your client connects successfully and you can ping the gateway, that is good; you just need to figure out how to assign that as the VPN client gateway also. That was one of my first VPN routing problems years ago. Something else I would like you to try... when you are connected to your VPN, can you access web pages? If not, then that is for sure the problem. When you make the tunnels bi-directional it ignores your local internet gateway and routes all web traffic through the VPN gateway first, using your local gateway just as a route to the VPN's gateway.

Also, your LAN gateway is what tells the traffic on the LAN network and VPN whether it is local or to route out to the internet, so if that IP is not assigned then it won't go anywhere. Tomorrow at work I will look a little more in depth to see if I can find the command or what you need to do to assign that gateway, if you haven't responded by then.
0
 
techfortat commented:
Your LAN is 192.168.10.1-254 correct?
Yes/No?

What is the gateway IP address of your internal LAN computers? 192.168.10.254?
Yes/No?

VPN Internal IP 192.168.10.235?
Yes/No?

Then I see:
"Thu May 05 19:16:36 2011 route ADD 192.168.125.0 MASK 255.255.255.0 192.168.125.2"
This indicates you have a route going to a .2 address; what is that? If that is nothing, it should probably be directed to the internal LAN gateway, because that is the only route I can assume it's trying to assign as the gateway.

This indicates you have 10 max clients and the pool begins at .4
Thu May 05 19:16:36 2011 IFCONFIG POOL: base=192.168.125.4 size=62
Thu May 05 19:16:36 2011 MULTI: TCP INIT maxclients=10 maxevents=14

If you break down the issue to what you do have and don't:
You do have connection!
You do have the pass-through to the server!
You do have authentication!

Your routes from the VPN should be directing you to the internal firewall for the next route, whether it's to an internal computer or the internet. In your question above you ask for the command to do what I would assume is a reverse route from the LAN to the VPN-LAN. Not sure that is the issue unless the privately networked computer is the resource. All you should need is a rule or access list on the firewall permitting traffic from the VPN-LAN to the LAN; then you need a route to the LAN gateway. This route is defined in the VPN server software; in Windows Server or the software simply assigns a gateway of the internal LAN gateway to the VPN clients.

That route listed above with the .2 doesn't make sense at this point. Not sure how it is there considering the VPN server thinks it is .1. Thinking based on Internet Connection Sharing methods, the ICS server makes itself .1 and assigns itself as the gateway to all computers it is sharing internet to. If your software was even trying to mimic this ICS technique the IP is off, so that is definitely what I would check out first.
0
 
mdsurfrider (Author) commented:
Your LAN is 192.168.10.1-254 correct?
Yes/No? YES

What is the gateway IP address of your internal LAN computers? 192.168.10.254?
Yes/No? YES 192.168.10.254

VPN Internal IP 192.168.10.235?
Yes/No? YES, this is the IP of the VPN server.

I have a static route in my router (192.168.10.254) pointing the 192.168.125.x network to 192.168.10.235 -- is this correct?

Then on my VPN server I need to add the route "route add 192.168.125.0 mask 255.255.255.0 192.168.10.254", correct?

This is the route table on the VPN server...

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x60002 ...00 ff bd 1c 2e 66 ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
0x60005 ...00 18 8b 54 47 8b ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.10.254  192.168.10.235        10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      169.254.0.0      255.255.0.0   192.168.10.235  192.168.10.235        20
     192.168.10.0    255.255.255.0   192.168.10.235  192.168.10.235        1
   192.168.10.235  255.255.255.255        127.0.0.1       127.0.0.1        10
   192.168.10.255  255.255.255.255   192.168.10.235  192.168.10.235        10
    192.168.125.0  255.255.255.252    192.168.125.1   192.168.125.1        30
    192.168.125.0    255.255.255.0    192.168.125.2   192.168.125.1        1
    192.168.125.1  255.255.255.255        127.0.0.1       127.0.0.1        30
  192.168.125.255  255.255.255.255    192.168.125.1   192.168.125.1        30
        224.0.0.0        240.0.0.0   192.168.10.235  192.168.10.235        10
        224.0.0.0        240.0.0.0    192.168.125.1   192.168.125.1        30
  255.255.255.255  255.255.255.255   192.168.10.235  192.168.10.235        1
  255.255.255.255  255.255.255.255    192.168.125.1   192.168.125.1        1
Default Gateway:    192.168.10.254
===========================================================================
Persistent Routes:
  None
0
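To see where a ping actually gets dropped, this added example (not from either poster) walks it hop by hop with longest-prefix route lookups over tables constructed from the server `route print` above, the static route on the 192.168.10.254 router, and a client holding the pushed LAN route. The `tunnel` pseudo-host standing for the OpenVPN process, the server's `forwards` flag (Windows routes between its own interfaces only when IPEnableRouter is set, which the thread never mentions) and the 203.0.113.1 ISP hop are assumptions made for the model.

```python
"""Trace a ping across the routed (tun) layout in this thread, hop by hop.

Added example, not from either poster. Host tables are constructed from the
server's `route print` output and the static route the author describes;
the `forwards` flag is an assumption (Windows only routes between its own
interfaces when IPEnableRouter is set, and the thread does not say whether
it is), and the "tunnel" pseudo-host stands for the OpenVPN process, which
owns the phantom .2 peer and each client's server-side endpoint.
"""
import ipaddress

VPN = "192.168.125.0/255.255.255.0"

def build_hosts(static_route=True, server_forwards=True):
    """Rows follow Windows `route print`: destination, gateway, interface, metric."""
    hosts = {
        "client": {"addrs": {"192.168.125.6"}, "routes": [
            ("192.168.125.4/255.255.255.252", "192.168.125.6", "192.168.125.6", 30),
            ("192.168.10.0/255.255.255.0", "192.168.125.5", "192.168.125.6", 1)]},  # pushed
        "tunnel": {"addrs": {"192.168.125.2", "192.168.125.5"}, "routes": [
            (VPN, "0.0.0.0", "192.168.125.2", 1),                   # deliver into a client's /30
            ("0.0.0.0/0", "192.168.125.1", "192.168.125.2", 10)]},  # hand up to the server OS
        "server": {"addrs": {"192.168.125.1", "192.168.10.235"},
                   "forwards": server_forwards, "routes": [
            ("0.0.0.0/0", "192.168.10.254", "192.168.10.235", 10),
            ("192.168.10.0/255.255.255.0", "192.168.10.235", "192.168.10.235", 1),
            ("192.168.125.0/255.255.255.252", "192.168.125.1", "192.168.125.1", 30),
            (VPN, "192.168.125.2", "192.168.125.1", 1)]},
        "router": {"addrs": {"192.168.10.254"}, "routes": [
            ("192.168.10.0/255.255.255.0", "0.0.0.0", "192.168.10.254", 1),
            ("0.0.0.0/0", "203.0.113.1", "192.168.10.254", 1)]},    # constructed ISP next hop
    }
    if static_route:  # "point 192.168.125.X traffic to the 192.168.10.235 ip"
        hosts["router"]["routes"].append((VPN, "192.168.10.235", "192.168.10.254", 1))
    return hosts

def lookup(routes, dst):
    """Longest-prefix match, lowest metric breaks ties: (next_hop, out_iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, gw, iface, metric in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if dst in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    on_link = gw in ("0.0.0.0", iface)  # gateway == own interface means directly attached
    return (str(dst) if on_link else gw), iface

def trace(hosts, start, dst, max_hops=8):
    """Follow each host's table until one owns dst: (delivered, [hop names...])."""
    path, here = [start], start
    for _ in range(max_hops):
        host = hosts[here]
        if dst in host["addrs"]:
            return True, path
        if here != start and not host.get("forwards", True):
            return False, path + ["<not forwarding>"]
        hit = lookup(host["routes"], dst)
        if hit is None:
            return False, path + ["<no route>"]
        owner = next((n for n, h in hosts.items() if hit[0] in h["addrs"]), None)
        if owner is None:
            return False, path + [f"<no host for {hit[0]}>"]
        path.append(owner)
        here = owner
    return False, path + ["<hop limit>"]

if __name__ == "__main__":
    for label, hosts in [("as posted", build_hosts()),
                         ("router without the static route", build_hosts(static_route=False)),
                         ("server not forwarding", build_hosts(server_forwards=False))]:
        print(label)
        print("  client -> LAN gateway:", trace(hosts, "client", "192.168.10.254"))
        print("  LAN gateway -> client:", trace(hosts, "router", "192.168.125.6"))
```

The forward path succeeds in every variant that reaches the router; the reply is what breaks when the LAN gateway has no route back to the VPN subnet.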
 
techfortat commented:
OK, we are going to start with the basics. Disregard the previous things we talked about and follow below.
Did you start with the client/server sample configs and build from there?
http://openvpn.net/index.php/open-source/documentation/howto.html#examples

Read below and see if my new config helps; if not, scroll to the very bottom of the page linked above and just start comparing your config lines to the sample lines and see if your command input is correct.

The Tun/Tap interface (MyTap): did you remove the Windows firewall from that interface in your network connections?


Here are my revisions to your config with my comments; find the recommended config below:

route 192.168.10.0 255.255.255.0 (this command is unnecessary and it's ; commented; remove it)

ifconfig-pool-persist ipp.txt (uncomment by removing the ; for logging and so the server IP table)

push "route 192.168.10.0 255.255.255.0" (this line looks good)

push "redirect-gateway" (I placed this line above the DHCP push option)

push "dhcp-option DNS 192.168.123.1" (here I changed this from your LAN DNS server to the VPN server)


Here is what your config should look like:

local 192.168.10.235
port 11936
proto tcp
dev tun
ca "C:\\KEYS\\ca.crt"
cert "C:\\KEYS\\server.crt"
key "C:\\KEYS\\server.key"
dh "C:\\KEYS\\dh1024.pem"
server 192.168.123.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.123.1"
duplicate-cn
client-to-client
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 10
status openvpn-status.log
verb 3
0
 
techfortat commented:
And as we talked about yesterday, the server does set itself up as 192.168.123.1 to serve as the NAT gateway between the networks. In that scenario it's acting like an Internet Connection Sharing (ICS) setup where the ICS server is the DHCP and DNS and gateway. So if you end up having trouble with name resolution after we resolve the access by IP address, then you will want to configure WINS on the server hosting the OpenVPN.
Then enter the command:
push "dhcp-option WINS 192.168.123.1"

If the above config modifications do not work as expected then we need to revisit the client configs. I noticed a couple of things we might want to check, but let's get the server built properly first and test. Let me know what happens.
0
 
techfortat commented:
Also VERY IMPORTANT!
I see in half your posts you have the VPN network as 192.168.123.0 and in some you have it as 192.168.125.0.

You need to make sure the routes in your firewall and the server match. I posted your changes as 192.168.123.0 because that is what you have the server assigned. Make sure the DHCP is handing out IP addresses in the correct IP range; get rid of any 192.168.125.0 IPs.

Like you say here:
"I have setup static route in my router to point 192.168.125.X traffic to the 192.168.10.235 ip (hosting the vpn traffic)"

and you have the 192.168.125.0 IP's listed in your active routes, shouldn't these be 192.168.123.0?
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.10.254  192.168.10.235        10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      169.254.0.0      255.255.0.0   192.168.10.235  192.168.10.235        20
     192.168.10.0    255.255.255.0   192.168.10.235  192.168.10.235        1
   192.168.10.235  255.255.255.255        127.0.0.1       127.0.0.1        10
   192.168.10.255  255.255.255.255   192.168.10.235  192.168.10.235        10
-->   192.168.125.0  255.255.255.252    192.168.125.1   192.168.125.1        30
-->    192.168.125.0    255.255.255.0    192.168.125.2   192.168.125.1        1
-->    192.168.125.1  255.255.255.255        127.0.0.1       127.0.0.1        30
-->  192.168.125.255  255.255.255.255    192.168.125.1   192.168.125.1        30
        224.0.0.0        240.0.0.0   192.168.10.235  192.168.10.235        10
-->        224.0.0.0        240.0.0.0    192.168.125.1   192.168.125.1        30
  255.255.255.255  255.255.255.255   192.168.10.235  192.168.10.235        1
-->  255.255.255.255  255.255.255.255    192.168.125.1   192.168.125.1        1
Default Gateway:    192.168.10.254
===========================================================================

You have the wrong subnet listed everywhere. Now, IF that is another IP block you need to direct IP traffic to, then you will want to use these commands:

client-config-dir ccd
route 10.9.0.0 255.255.255.252 (using the IP addresses you need mapped)

Either make it all x.x.123.x or x.x.125.x
0
 
mdsurfrider (Author) commented:
I will try this this weekend. Apologies, the 192.168.123.x and 192.168.125.x are just because I was switching the networks between 123, 124, and 125. Sorry.
0
 
mdsurfrider (Author) commented:
Using your server config file I get this output when the client connects:

at May 07 13:01:09 2011 Re-using SSL/TLS context
Sat May 07 13:01:09 2011 LZO compression initialized
Sat May 07 13:01:09 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat May 07 13:01:09 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat May 07 13:01:09 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat May 07 13:01:09 2011 Local Options hash (VER=V4): '69109d17'
Sat May 07 13:01:09 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat May 07 13:01:09 2011 Attempting to establish TCP connection with xx.WAN.IP..xxx:443
Sat May 07 13:01:09 2011 TCP connection established with xx.wam.ip.xxx:443
Sat May 07 13:01:09 2011 TCPv4_CLIENT link local: [undef]
Sat May 07 13:01:09 2011 TCPv4_CLIENT link remote: xx.wan.ip.xxx:443
Sat May 07 13:01:09 2011 TLS: Initial packet from 70.91.81.194:443, sid=a3c9aad0 526213a4
Sat May 07 13:01:10 2011 VERIFY OK:
BLOCKED OUT INFO
Sat May 07 13:01:11 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 07 13:01:11 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 07 13:01:11 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 07 13:01:11 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 07 13:01:11 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat May 07 13:01:11 2011 [OPENVPNSERV] Peer Connection Initiated with xxx.wan.ip.xxx
Sat May 07 13:01:13 2011 SENT CONTROL [OPENVPNSERV]: 'PUSH_REQUEST' (status=1)
Sat May 07 13:01:13 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway,dhcp-option DNS 192.168.123.1,route 192.168.123.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 192.168.123.10 192.168.123.9'
Sat May 07 13:01:13 2011 OPTIONS IMPORT: timers and/or timeouts modified
Sat May 07 13:01:13 2011 OPTIONS IMPORT: --ifconfig/up options modified
Sat May 07 13:01:13 2011 OPTIONS IMPORT: route options modified
Sat May 07 13:01:13 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat May 07 13:01:13 2011 ROUTE default_gateway=192.168.1.1
Sat May 07 13:01:13 2011 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{9D20FF2C-93CA-4C85-A406-9C8825327930}.tap
Sat May 07 13:01:13 2011 TAP-Win32 Driver Version 9.8
Sat May 07 13:01:13 2011 TAP-Win32 MTU=1500
Sat May 07 13:01:13 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.123.10/255.255.255.252 on interface {9D20FF2C-93CA-4C85-A406-9C8825327930} [DHCP-serv: 192.168.123.9, lease-time: 31536000]
Sat May 07 13:01:13 2011 Successful ARP Flush on interface [4] {9D20FF2C-93CA-4C85-A406-9C8825327930}
Sat May 07 13:01:18 2011 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sat May 07 13:01:18 2011 C:\WINDOWS\system32\route.exe ADD 70.91.81.194 MASK 255.255.255.255 192.168.1.1
Sat May 07 13:01:18 2011 Route addition via IPAPI succeeded [adaptive]
Sat May 07 13:01:18 2011 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.1.1
Sat May 07 13:01:18 2011 Route deletion via IPAPI succeeded [adaptive]
Sat May 07 13:01:18 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.123.9
Sat May 07 13:01:18 2011 Route addition via IPAPI succeeded [adaptive]
Sat May 07 13:01:18 2011 C:\WINDOWS\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 192.168.123.9
Sat May 07 13:01:18 2011 Route addition via IPAPI succeeded [adaptive]
Sat May 07 13:01:18 2011 WARNING: potential route subnet conflict between local LAN [192.168.123.8/255.255.255.252] and remote VPN [192.168.123.0/255.255.255.0]
Sat May 07 13:01:18 2011 C:\WINDOWS\system32\route.exe ADD 192.168.123.0 MASK 255.255.255.0 192.168.123.9
Sat May 07 13:01:18 2011 Route addition via IPAPI succeeded [adaptive]
Sat May 07 13:01:18 2011 Initialization Sequence Completed

(I underlined warning)

and route table on client:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c 23 2f 48 cf ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 1f 3a 0e 67 c9 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
0x4 ...00 ff 9d 20 ff 2c ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.123.5   192.168.123.6        1
     XXX.WAN.IP.XXX  255.255.255.255      192.168.1.1     192.168.1.3        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3        25
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1        25
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3        25
     192.168.10.0    255.255.255.0    192.168.123.5   192.168.123.6        1
    192.168.123.0    255.255.255.0    192.168.123.5   192.168.123.6        1
    192.168.123.4  255.255.255.252    192.168.123.6   192.168.123.6        30
    192.168.123.6  255.255.255.255        127.0.0.1       127.0.0.1        30
  192.168.123.255  255.255.255.255    192.168.123.6   192.168.123.6        30
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3        25
        224.0.0.0        240.0.0.0    192.168.123.6   192.168.123.6        30
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3        1
  255.255.255.255  255.255.255.255    192.168.123.6               2        1
  255.255.255.255  255.255.255.255    192.168.123.6   192.168.123.6        1
Default Gateway:     192.168.123.5
===========================================================================
Persistent Routes:
  None

I still cannot ping the internal network.
And yes: the firewall is disabled on the server.

0
 
mdsurfrider (Author) commented:
And to answer the statement about the built-in Windows VPN: it doesn't work in some foreign countries. My client that I am setting this up for has operations on all continents and has people traveling constantly that cannot connect to Microsoft VPN due to port blocking, etc. This will eliminate that problem and create a much more robust and secure platform, once it's working anyway.
0
 
mdsurfrider (Author) commented:
The issue is still not resolved :(
0
 
techfortat commented:
I haven't forgotten about you. I looked it over and something sticks out to me. The default gateway is 192.168.123.5? I would imagine if anything the default gateway would be the VPN IP address of the OpenVPN server, 192.168.123.1.

I see
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.123.5   192.168.123.6        1

Which is saying that the interface with IP 192.168.123.6 (VPN client DHCP) uses gateway 192.168.123.5, which should also be a VPN client IP of another computer connecting to the VPN. It would be:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.123.1   192.168.123.6        1

then at the bottom
Default Gateway:     192.168.123.5  (this should also be 192.168.123.1)

Where is this .5 route coming from I wonder, let me look some more but in the meantime can you try to configure another test client with the VPN and see if it ends up with the same route to .5?
0
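The .5 gateway and .6 client address in the route table above are what OpenVPN's default `topology net30` hands out: each client gets its own /30 out of the `server` subnet, with the server-side endpoint one below the client address, and .1/.2 is the server's own pair. This added example, not from either poster, reproduces that allocation and decodes the pool, PUSH_REPLY and "route subnet conflict" log lines quoted earlier in the thread; the 192.168.123.0/24 and 192.168.125.0/24 subnets are the thread's own.

```python
"""Decode OpenVPN's default `topology net30` addressing for a `server` subnet.

Added example, not from either poster. Under net30 the server takes .1 with .2
as its point-to-point peer (the `route ADD ... 192.168.125.2` in the server
log), the pool starts at .4, and each client gets its own /30: client address
= block+2, server-side endpoint = block+1. So a client at .6 with gateway .5
(or .10 with .9) is exactly what the server handed out, and the client's
"potential route subnet conflict" warning is its own /30 sitting inside the
pushed /24. The sample lines are the ones quoted in this thread.
"""
import ipaddress
import re

def net30_layout(server_net):
    """What `server <net> <mask>` allocates: server pair, pool base and pool size."""
    net = ipaddress.ip_network(server_net, strict=True)
    base = int(net.network_address)
    return {
        "server_local": str(ipaddress.ip_address(base + 1)),
        "server_remote": str(ipaddress.ip_address(base + 2)),
        "pool_base": str(ipaddress.ip_address(base + 4)),
        "pool_size": (net.num_addresses - 8) // 4,  # /30 slots from base+4 to broadcast-4
    }

def client_block(server_net, slot):
    """Addresses handed to pool slot `slot`: (client ip, server-side endpoint, /30)."""
    block = int(ipaddress.ip_network(server_net, strict=True).network_address) + 4 + 4 * slot
    return (str(ipaddress.ip_address(block + 2)), str(ipaddress.ip_address(block + 1)),
            str(ipaddress.ip_network((block, 30))))

def decode_push_ifconfig(server_net, push_reply):
    """Map the `ifconfig L R` in a PUSH_REPLY back to its pool slot, or None when the
    pair is not a net30 pool allocation (something else assigned that address)."""
    m = re.search(r"ifconfig (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", push_reply)
    if not m:
        return None
    local, remote = (int(ipaddress.ip_address(x)) for x in m.groups())
    offset = local - int(ipaddress.ip_network(server_net).network_address) - 4
    if offset < 0 or offset % 4 != 2 or local - remote != 1:
        return None
    return {"slot": offset // 4, "client": m.group(1), "gateway": m.group(2)}

WARN_RE = re.compile(r"local LAN \[([\d./]+)\] and remote VPN \[([\d./]+)\]")

def classify_route_warning(line):
    """'net30 artefact' when the reported 'local LAN' is a /30 pool slot inside the VPN
    subnet; 'real overlap' otherwise (e.g. a home LAN that uses the pushed range)."""
    m = WARN_RE.search(line)
    if not m:
        return None
    lan = ipaddress.ip_network(m.group(1), strict=False)
    vpn = ipaddress.ip_network(m.group(2), strict=False)
    pool_slot = (lan.prefixlen == 30 and lan.subnet_of(vpn)
                 and int(lan.network_address) >= int(vpn.network_address) + 4)
    return "net30 artefact" if pool_slot else "real overlap"

def pool_line_matches(server_net, line):
    """Check a server 'IFCONFIG POOL: base=... size=...' line against the computed layout."""
    m = re.search(r"IFCONFIG POOL: base=([\d.]+) size=(\d+)", line)
    layout = net30_layout(server_net)
    return bool(m) and m.group(1) == layout["pool_base"] and int(m.group(2)) == layout["pool_size"]

# Log lines quoted in this thread.
SERVER_POOL_LINE = "Thu May 05 19:16:36 2011 IFCONFIG POOL: base=192.168.125.4 size=62"
PUSH_LINE = ("PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,"
             "redirect-gateway,dhcp-option DNS 192.168.123.1,route 192.168.123.0 255.255.255.0,"
             "ping 10,ping-restart 120,ifconfig 192.168.123.10 192.168.123.9'")
WARN_LINE = ("WARNING: potential route subnet conflict between local LAN "
             "[192.168.123.8/255.255.255.252] and remote VPN [192.168.123.0/255.255.255.0]")

if __name__ == "__main__":
    print(net30_layout("192.168.123.0/24"))
    print(client_block("192.168.123.0/24", 0))  # the .6 / .5 pair seen in the client's route table
    print(pool_line_matches("192.168.125.0/24", SERVER_POOL_LINE))
    print(decode_push_ifconfig("192.168.123.0/24", PUSH_LINE))
    print(classify_route_warning(WARN_LINE))
```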
 
techfortat commented:
1. Also, please output the running server config and post it to see what command lines took.
We may want to raise max clients to 100 instead of 10 so I can better judge what it is doing with the client assignment. Considering we have 2 computers involved with the VPN network, I think we have managed to occupy IP addresses 192.168.123.1, .2, .5, .6, .9. So I am trying to figure out what is changing these IPs.
2. Also connect the client, then give me an IPCONFIG, and then give me an IPCONFIG from the server with the client connected.

0
 
mdsurfrider (Author) commented:
I appreciate the assistance. Though I would like to resolve this, I have decided to move to using bridging mode and test tomorrow using the config and setup in this post:
http://www.dslreports.com/forum/remark,15752402

Unfortunately I created the bridge remotely and lost connection, so I'll have to get back to you tomorrow when I can get onsite.
0
 
techfortat commented:
OK :)
0
 
mdsurfrider (Author) commented:
The bridge mode worked and I can successfully access all servers/resources. However, my config is set up to utilize its own DHCP and internal gateway; nothing is on a separate network as I had hoped. I did a little testing in bridged mode, however in the end I went the easy way and used all internal IPs.

Step 1: bridged the LAN interfaces and assigned a static IP to the bridge.
Server config:
local 192.168.10.235
port XXX
proto tcp
dev tap
ifconfig 192.168.10.234 255.255.255.0
server-bridge 192.168.10.234 255.255.255.0 192.168.10.145 192.168.10.159
ca "C:\\KEYS\\ca.crt"
cert "C:\\KEYS\\server.crt"
key "C:\\KEYS\\server.key"
dh "C:\\KEYS\\dh1024.pem"
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 192.168.10.200"
duplicate-cn
client-to-client
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 10
status openvpn-status.log
verb 3

client config:

client
dev tap
proto tcp
remote WANIPADDRESS
resolv-retry infinite
nobind
persist-key
ca "directory"
cert "directory"
key "directory"
cipher bf-cbc
verb 3


Finally, I would like to set up the separate network 192.168.123.0 for the VPN clients in the future. Any thoughts on utilizing bridge mode to accomplish this?
0
