Solved

OpenVPN Lan-to-Lan routing between 3 Windows sites

Posted on 2014-08-10
Last Modified: 2014-08-26
Hi fellow experts,

I know there are many how-tos on this, but they are either not clear enough, or otherwise unusable... As I need to get this going, I'm asking for your help here for my very personal problem:

There are 3 sites, each with a handful of PCs behind a Windows server that shall be the OpenVPN server:

Site NWZ with a LAN of 192.168.10.0/24 (the Server being 192.168.10.10) and an OpenVPN transfer network of 10.10.0.0/24
Site Kaiserplatz with a LAN of 192.168.20.0/24 (the Server being 192.168.20.10) and an OpenVPN transfer network of 10.20.0.0/24
Site Markus with a LAN of 192.168.30.0/24 (the Server being 192.168.30.10) and an OpenVPN transfer network of 10.30.0.0/24

I plan that

NWZ connects to Markus
Markus connects to Kaiserplatz
Kaiserplatz connects to NWZ

That way there is no single point of failure and even if one site is unavailable, the other two can still talk to each other.

Of course, the clients on each LAN shall be able to reach all other clients on all other LANs. For this, I have entered static routes on the router at each site (a separate AVM Fritz Box 3370) that points the 10.(10 or 20 or 30).0.0/24 and the 192.168.(10 or 20 or 30).0/24 nets to the server at that site (which is 192.168.(10 or 20 or 30).10).

It works to the extent that the connections can be established fine, but as soon as all 3 links are up, something starts to stop talking to each other... (this something is a bit vague, I haven't fully traced when exactly it breaks, but I hope that from the config files I'll post below you can see my mistake anyhow.)

Right now, when the 3 connections are up and running, I have the following situation:

Server NWZ (192.168.10.10) can ping Server Kaiserplatz (192.168.20.10) but not Markus (192.168.30.10)
Server Kaiserplatz (192.168.20.10) can ping Server Markus (192.168.30.10) but not NWZ (192.168.10.10)
Server Markus (192.168.30.10) can ping Server Kaiserplatz (192.168.20.10) but not NWZ (192.168.10.10)

So here are the 3 configurations (I've left the obvious parts out, like public ip addresses, ports, and such)

server.ovpn on NWZ:
proto tcp
dev tun
server 10.10.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
client-to-client
client-config-dir ccd

in ccd there's a file named kaiserplatz that contains
iroute 192.168.20.0 255.255.255.0

server.ovpn on Kaiserplatz:
proto tcp
dev tun
server 10.20.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
route 192.168.30.0 255.255.255.0
client-to-client
client-config-dir ccd

in ccd there's a file named markus that contains
iroute 192.168.30.0 255.255.255.0

server.ovpn on Markus:
proto tcp
dev tun
server 10.30.0.0 255.255.255.0
push "route 192.168.30.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
client-to-client
client-config-dir ccd

in ccd there's a file named nwz that contains
iroute 192.168.10.0 255.255.255.0

When creating the keys (with build-key), I have entered nwz, markus or kaiserplatz as the "Common Name", so that this matches the files I have put in the ccd directory.

This is the routing table of NWZ:
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.10    261
        10.10.0.0    255.255.255.0        10.10.0.2        10.10.0.1     30
        10.10.0.0    255.255.255.0        10.10.0.2        10.30.0.6     30
        10.10.0.0  255.255.255.252   Auf Verbindung         10.10.0.1    286
        10.10.0.1  255.255.255.255   Auf Verbindung         10.10.0.1    286
        10.10.0.3  255.255.255.255   Auf Verbindung         10.10.0.1    286
        10.30.0.0    255.255.255.0        10.30.0.5        10.10.0.1     30
        10.30.0.0    255.255.255.0        10.30.0.5        10.30.0.6     30
        10.30.0.4  255.255.255.252   Auf Verbindung         10.30.0.6    286
        10.30.0.6  255.255.255.255   Auf Verbindung         10.30.0.6    286
        10.30.0.7  255.255.255.255   Auf Verbindung         10.30.0.6    286
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
     192.168.10.0    255.255.255.0   Auf Verbindung     192.168.10.10    261
    192.168.10.10  255.255.255.255   Auf Verbindung     192.168.10.10    261
   192.168.10.255  255.255.255.255   Auf Verbindung     192.168.10.10    261
     192.168.20.0    255.255.255.0        10.10.0.2        10.10.0.1     30
     192.168.20.0    255.255.255.0        10.10.0.2        10.30.0.6     30
     192.168.30.0    255.255.255.0        10.10.0.2        10.10.0.1     30
     192.168.30.0    255.255.255.0        10.30.0.5        10.10.0.1     30
     192.168.30.0    255.255.255.0        10.10.0.2        10.30.0.6     30
     192.168.30.0    255.255.255.0        10.30.0.5        10.30.0.6     30
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung         10.30.0.6    286
        224.0.0.0        240.0.0.0   Auf Verbindung         10.10.0.1    286
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.10.10    261
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung         10.30.0.6    286
  255.255.255.255  255.255.255.255   Auf Verbindung         10.10.0.1    286
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.10.10    261
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0     192.168.10.1     256
===========================================================================

This is the routing table of Kaiserplatz:
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     192.168.20.1    192.168.20.10    261
        10.10.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
        10.10.0.4  255.255.255.252   Auf Verbindung         10.10.0.6    286
        10.10.0.6  255.255.255.255   Auf Verbindung         10.10.0.6    286
        10.10.0.7  255.255.255.255   Auf Verbindung         10.10.0.6    286
        10.20.0.0    255.255.255.0        10.20.0.2        10.20.0.1     30
        10.20.0.0  255.255.255.252   Auf Verbindung         10.20.0.1    286
        10.20.0.1  255.255.255.255   Auf Verbindung         10.20.0.1    286
        10.20.0.3  255.255.255.255   Auf Verbindung         10.20.0.1    286
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
     192.168.10.0    255.255.255.0        10.20.0.2        10.20.0.1     30
     192.168.10.0    255.255.255.0        10.10.0.5        10.10.0.6     30
     192.168.20.0    255.255.255.0   Auf Verbindung     192.168.20.10    261
    192.168.20.10  255.255.255.255   Auf Verbindung     192.168.20.10    261
   192.168.20.255  255.255.255.255   Auf Verbindung     192.168.20.10    261
     192.168.30.0    255.255.255.0        10.20.0.2        10.20.0.1     30
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung         10.10.0.6    286
        224.0.0.0        240.0.0.0   Auf Verbindung         10.20.0.1    286
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.20.10    261
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung         10.10.0.6    286
  255.255.255.255  255.255.255.255   Auf Verbindung         10.20.0.1    286
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.20.10    261
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0     192.168.20.1  Standard
===========================================================================

This is the routing table of Markus:
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     192.168.30.1    192.168.30.10    261
        10.20.0.0    255.255.255.0        10.20.0.5        10.20.0.6     30
        10.20.0.4  255.255.255.252   Auf Verbindung         10.20.0.6    286
        10.20.0.6  255.255.255.255   Auf Verbindung         10.20.0.6    286
        10.20.0.7  255.255.255.255   Auf Verbindung         10.20.0.6    286
        10.30.0.0    255.255.255.0        10.30.0.2        10.30.0.1     30
        10.30.0.0  255.255.255.252   Auf Verbindung         10.30.0.1    286
        10.30.0.1  255.255.255.255   Auf Verbindung         10.30.0.1    286
        10.30.0.3  255.255.255.255   Auf Verbindung         10.30.0.1    286
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
     192.168.10.0    255.255.255.0        10.30.0.2        10.30.0.1     30
     192.168.20.0    255.255.255.0        10.30.0.2        10.30.0.1     30
     192.168.20.0    255.255.255.0        10.20.0.5        10.20.0.6     30
     192.168.30.0    255.255.255.0   Auf Verbindung     192.168.30.10    261
    192.168.30.10  255.255.255.255   Auf Verbindung     192.168.30.10    261
   192.168.30.255  255.255.255.255   Auf Verbindung     192.168.30.10    261
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung         10.20.0.6    286
        224.0.0.0        240.0.0.0   Auf Verbindung         10.30.0.1    286
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.30.10    261
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung         10.20.0.6    286
  255.255.255.255  255.255.255.255   Auf Verbindung         10.30.0.1    286
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.30.10    261
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0     192.168.30.1     256
===========================================================================

Can you help me sort out this mess?

Thanks a lot for your support!
Thomas
Question by:Staudte
2 Comments

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 40284284
Hmm, that is a tough nut to crack!

First of all, I would not use the push configs. Use static routing on the server site - and you will need to add a different metric to define the preferred route. The preferred route should always be the one each location is directly connected to.

I'm not sure about whether you really should use server-client configs instead of static server-server connections (the config examples usually show that for a Static Secret aka PSK).
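The metric problem Qlemo points at is visible in the routing tables Thomas posted: on NWZ, 192.168.30.0/24 is reachable through two different gateways (10.10.0.2 and 10.30.0.5) with the same metric 30, so Windows has no defined next hop for the Markus LAN. The script below is an added example, not from the original thread or from OpenVPN; it parses a constructed excerpt of the NWZ `route print` output and flags every prefix whose lowest-metric routes point at more than one gateway. Run over the Kaiserplatz and Markus tables it flags 192.168.10.0/24 and 192.168.20.0/24 in the same way.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "route print" output posted for server NWZ
# (German Windows, "Auf Verbindung" means on-link). Only the rows that matter.
NWZ_ROUTES = """\
     192.168.10.0    255.255.255.0   Auf Verbindung     192.168.10.10    261
     192.168.20.0    255.255.255.0        10.10.0.2        10.10.0.1     30
     192.168.20.0    255.255.255.0        10.10.0.2        10.30.0.6     30
     192.168.30.0    255.255.255.0        10.10.0.2        10.10.0.1     30
     192.168.30.0    255.255.255.0        10.30.0.5        10.10.0.1     30
     192.168.30.0    255.255.255.0        10.10.0.2        10.30.0.6     30
     192.168.30.0    255.255.255.0        10.30.0.5        10.30.0.6     30
"""

# destination, mask, gateway (on-link marker in German or English), interface, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(Auf Verbindung|On-link|\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (dest, mask, gateway, iface, metric) tuples for every route row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            rows.append((dest, mask, gw, iface, int(metric)))
    return rows

def ambiguous_prefixes(rows):
    """Map each prefix to the sorted gateways that tie for its lowest metric.
    More than one gateway at the best metric means the next hop is undefined;
    giving the direct site-to-site link a lower metric removes the tie."""
    best = defaultdict(dict)  # (dest, mask) -> {gateway: lowest metric seen}
    for dest, mask, gw, iface, metric in rows:
        if gw in ("Auf Verbindung", "On-link"):
            continue  # directly connected prefix, nothing to tie-break
        key = (dest, mask)
        best[key][gw] = min(metric, best[key].get(gw, metric))
    result = {}
    for key, gws in best.items():
        low = min(gws.values())
        tied = sorted(g for g, m in gws.items() if m == low)
        if len(tied) > 1:
            result[key] = tied
    return result

def check_nwz():
    return ambiguous_prefixes(parse_routes(NWZ_ROUTES))

if __name__ == "__main__":
    for (dest, mask), gws in check_nwz().items():
        print(f"{dest}/{mask}: equal-metric next hops {gws}")
```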
Author Closing Comment

by:Staudte
ID: 40286569
Thank you Qlemo, for looking into this.

Meanwhile I've resorted back to a router-based VPN and given up on using openvpn for this. All three sites have AVM Fritz!Boxes and the VPN was set up within an hour... (including my learning curve...)

Sorry for having taken your time...

I'm accepting this because you have taken your time to wade through the large amount of info I posted :-)
