Benji_
asked on
OpenVPN not able to connect to Internal Subnet
Hi Guys,
I'm currently having a problem with an OpenVPN server im trying to setup, We have 10 remote workers who I need to be able to access a webpage on our internal network, no complicated configurations.
I have set-up a Cent OS 6 Server and installed OpevnVPN from the website guide.
We have a dedicated broadband line for this server and we have a Windows SBS network.
External Server IP Example : 123.123.123.123
Internal Server IP : 10.10.8.22 (SBS network 10.10.8.0/255.255.255.0
VPN Client Range: 10.66.4.0
I have setup the following config on the server
I have then setup the following config on the client.
When i ping 10.66.4.1 i get a reply, and i can ssh into the server and view the default page of the OpenVPN server.
When i ping 10.10.8.64 (the web server) i get no reply and cannot access anything within the subnet
here is the logs from the server.
here are the logs from the client.
I have been googling for 3 days and cannot come up with an answer,im hoping someone could help.
Regards
Ben
I'm currently having a problem with an OpenVPN server im trying to setup, We have 10 remote workers who I need to be able to access a webpage on our internal network, no complicated configurations.
I have set-up a Cent OS 6 Server and installed OpevnVPN from the website guide.
We have a dedicated broadband line for this server and we have a Windows SBS network.
External Server IP Example : 123.123.123.123
Internal Server IP : 10.10.8.22 (SBS network 10.10.8.0/255.255.255.0
VPN Client Range: 10.66.4.0
I have setup the following config on the server
#OpenVPN Server Config
proto udp
port 1194
dev tun0
server 10.66.4.0 255.255.255.0
push "route 10.10.8.0 255.255.255.0"
local 123.123.123.123
tun-mtu 1500
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
client-to-client
keepalive 10 60
status-version 1
status openvpn-status.log
cipher BF-CBC
max-clients 100
persist-key
persist-tun
verb 3
log-append openvpn.log
I have then setup the following config on the client.
client
dev tun
proto udp
tun-mtu 1500
#Change my.publicdomain.com to your public domain or IP address
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
#comp-lzo
verb 3
When i ping 10.66.4.1 i get a reply, and i can ssh into the server and view the default page of the OpenVPN server.
When i ping 10.10.8.64 (the web server) i get no reply and cannot access anything within the subnet
here is the logs from the server.
##openvpn.log
Thu Sep 29 12:00:04 2011 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Thu Sep 29 12:00:04 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 29 12:00:04 2011 Diffie-Hellman initialized with 1024 bit key
Thu Sep 29 12:00:04 2011 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 29 12:00:04 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
Thu Sep 29 12:00:04 2011 ROUTE default_gateway=10.10.8.1
Thu Sep 29 12:00:04 2011 TUN/TAP device tun0 opened
Thu Sep 29 12:00:04 2011 TUN/TAP TX queue length set to 100
Thu Sep 29 12:00:04 2011 /sbin/ip link set dev tun0 up mtu 1500
Thu Sep 29 12:00:04 2011 /sbin/ip addr add dev tun0 local 10.66.4.1 peer 10.66.4.2
Thu Sep 29 12:00:04 2011 /sbin/ip route add 10.66.4.0/24 via 10.66.4.2
Thu Sep 29 12:00:04 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Sep 29 12:00:04 2011 UDPv4 link local (bound): 123.123.123.123:1194
Thu Sep 29 12:00:04 2011 UDPv4 link remote: [undef]
Thu Sep 29 12:00:04 2011 MULTI: multi_init called, r=256 v=256
Thu Sep 29 12:00:04 2011 IFCONFIG POOL: base=10.66.4.4 size=62
Thu Sep 29 12:00:04 2011 Initialization Sequence Completed
here are the logs from the client.
Thu Sep 29 12:00:44 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Thu Sep 29 12:00:44 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 29 12:00:44 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 29 12:00:44 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Sep 29 12:00:44 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Sep 29 12:00:44 2011 Local Options hash (VER=V4): '3514370b'
Thu Sep 29 12:00:44 2011 Expected Remote Options hash (VER=V4): '239669a8'
Thu Sep 29 12:00:44 2011 UDPv4 link local: [undef]
Thu Sep 29 12:00:44 2011 UDPv4 link remote: 123.123.123.123:1194
Thu Sep 29 12:00:44 2011 TLS: Initial packet from 123.123.123.123:1194, sid=9b1491fe ebb41df6
Thu Sep 29 12:00:44 2011 VERIFY OK: depth=1, /C=GB/ST=EN/L=Staffordshire/O=Resolveit/OU=Resolveit/CN=Resolveit-VPN-CA/name=Resolveit-VPN/emailAddress=support@resolveit.co.uk
Thu Sep 29 12:00:44 2011 VERIFY OK: nsCertType=SERVER
Thu Sep 29 12:00:44 2011 VERIFY OK: depth=0, /C=GB/ST=EN/L=Staffordshire/O=Resolveit/OU=Resolveit/CN=mviron-ca/name=Resolveit-VPN/emailAddress=support@resolveit.co.uk
Thu Sep 29 12:00:44 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 29 12:00:44 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 29 12:00:44 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 29 12:00:44 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 29 12:00:44 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 29 12:00:44 2011 [mviron-ca] Peer Connection Initiated with 123.123.123.123:1194
Thu Sep 29 12:00:46 2011 SENT CONTROL [mviron-ca]: 'PUSH_REQUEST' (status=1)
Thu Sep 29 12:00:46 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.10.8.0 255.255.255.0,route 10.66.4.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.66.4.6 10.66.4.5'
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: route options modified
Thu Sep 29 12:00:46 2011 ROUTE default_gateway=192.168.2.1
Thu Sep 29 12:00:46 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{6D5887F4-51BE-4080-B5B0-F2E5464AEBCB}.tap
Thu Sep 29 12:00:46 2011 TAP-Win32 Driver Version 9.8
Thu Sep 29 12:00:46 2011 TAP-Win32 MTU=1500
Thu Sep 29 12:00:46 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.66.4.6/255.255.255.252 on interface {6D5887F4-51BE-4080-B5B0-F2E5464AEBCB} [DHCP-serv: 10.66.4.5, lease-time: 31536000]
Thu Sep 29 12:00:46 2011 Successful ARP Flush on interface [4] {6D5887F4-51BE-4080-B5B0-F2E5464AEBCB}
Thu Sep 29 12:00:52 2011 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Sep 29 12:00:52 2011 C:\WINDOWS\system32\route.exe ADD 10.10.8.0 MASK 255.255.255.0 10.66.4.5
Thu Sep 29 12:00:52 2011 Route addition via IPAPI succeeded [adaptive]
Thu Sep 29 12:00:52 2011 C:\WINDOWS\system32\route.exe ADD 10.66.4.0 MASK 255.255.255.0 10.66.4.5
Thu Sep 29 12:00:52 2011 Route addition via IPAPI succeeded [adaptive]
Thu Sep 29 12:00:52 2011 Initialization Sequence Completed
I have been googling for 3 days and cannot come up with an answer,im hoping someone could help.
Regards
Ben
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi
The output on the command is 1
the results below from iptables -L
The output on the command is 1
the results below from iptables -L
[root@vpnfirewall etc]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTAB
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:s
REJECT all -- anywhere anywhere reject-with icmp-ho
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-ho
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vpnfirewall etc]# iptables -A FORWARD -i eth1 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -o eth1 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -i eth0 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -o eth0 -j ACCEPT
[root@vpnfirewall etc]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTAB
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:s
REJECT all -- anywhere anywhere reject-with icmp-ho
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-ho
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-ho
the problem is here. You are rejecting forwarding of all packets which aren't directed to your vpn gw host.
ASKER
Hi,
How would i resolve this, iptables is a new entity to me?
Regards
Ben
How would i resolve this, iptables is a new entity to me?
Regards
Ben
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
it will flush all rules and allow everything, setting up iptables is a different topic :)
ASKER
Hi,
Thanks for that, i'm not particully bothered about iptables at all as long as it works!.
I have executed that command, and i get the following output, i have even tried rebooting still the same.
Thanks
Ben
Thanks for that, i'm not particully bothered about iptables at all as long as it works!.
I have executed that command, and i get the following output, i have even tried rebooting still the same.
Thanks
Ben
[root@vpnfirewall ~]# iptables -F
[root@vpnfirewall ~]# iptables -X
[root@vpnfirewall ~]# iptables -t nat -F
[root@vpnfirewall ~]# iptables -t nat -X
[root@vpnfirewall ~]# iptables -t mangle -F
[root@vpnfirewall ~]# iptables -t mangle -X
[root@vpnfirewall ~]# iptables -P INPUT ACCEPT
[root@vpnfirewall ~]# iptables -P FORWARD ACCEPT
[root@vpnfirewall ~]# iptables -P OUTPUT ACCEPT
[root@vpnfirewall ~]#
[root@vpnfirewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vpnfirewall ~]# iptables -l
iptables v1.4.7: option `-l' requires an argument
Try `iptables -h' or 'iptables --help' for more information.
[root@vpnfirewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vpnfirewall ~]#
ASKER
Thanks for your reply, I have confirmed that the OpenVPN server can ping back to the client and they can transfer information between each other, just not on the 10.10.8.x subnet.
Regards
Ben