[nzlug] OpenVPN help
Raimund Eimann
raimund at cs.auckland.ac.nz
Thu Oct 26 20:58:05 NZDT 2006
On Thursday 26 October 2006 20:40, Daniel Pittman wrote:
> Raimund Eimann <raimund at cs.auckland.ac.nz> writes:
> > I've got two networks (192.168.2.x and 192.168.3.x) which I'd like to
> > connect with OpenVPN so that I can reach any machine on either
> > networks from any machine (if I understand right, this configuration
> > is called site-to-site).
> >
> > Currently, I've got all the keys and certificates set up and it seems
> > that both ends talk to each other properly, because I get a message
> > "Initialization Sequence Completed" at both ends and at both ends a
> > tun0 device is created.
>
> OK. Can you talk between the two endpoints?
Only one way, apparently:
This is my interface on the server:
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:736 (736.0 b) TX bytes:1874 (1.8 Kb)
This is my interface on the client:
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Both server and client run webservers, for instance. When telnetting into
port 80 of the server from the client, I get a response:
nyx:~ # telnet 10.8.0.1 80
Trying 10.8.0.1...
Connected to 10.8.0.1.
Escape character is '^]'.
and "get /blah.php" gets me a response that contains the hostname of the
server, so I presume this works (for some reason, pings do not get through
though).
When I try the same from the server to the client, I get no response:
nemesis:/etc/openvpn # telnet 10.8.0.6 80
Trying 10.8.0.6...
???
> > - In the config file there's a notice that pushing routes is not a
> > kosher way to configure them. It should rather be done with
> > iptables. Can anyone give me a pointer what that means and how it
> > can be done?
>
> ...er. That seems odd, and I suspect you have misunderstood something.
>
> iptables is not involved in routing, only firewalling. :)
Here it is:
nemesis:/etc/openvpn # grep -iC1 iptables /etc/openvpn/server.conf
#Routes the packages to the intern network, you should use iptables instead of
this
#push "route 192.168.0.0 255.255.255.0"
> ip route add 1.2.3.4/24 via 10.8.0.1
>
> where 1.2.3.4/24 is the network at the far end of the tunnel and
> 10.8.0.1 is the address of the OpenVPN interface on the far end of the
> tunnel.
Ok, I'll play with this...
> You also need to turn on ip_forward in the kernel, but that shouldn't be
> an issue if you have an existing router.
Yup, both boxes route already.
Thanks,
Raimund
--
Raimund Eimann
Department of Computer Science
University of Auckland, Tamaki Campus, 731.334
Ph. +64 9 373 7599 x85288, Skype: eimann, ICQ: 210376863
Today's wisdom:
Consciousness: that annoying time between naps.
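Daniel's recipe (each endpoint routes the far LAN via the far end's tun address, with ip_forward on) reduces to a small pre-flight check per box. The script below is an added example, not code from the thread: it takes the routing table as text (the output of "ip route") so it can be exercised without root, and it assumes 192.168.2.0/24 sits behind the server and 192.168.3.0/24 behind the client, which the thread does not actually say.

```shell
#!/bin/sh
# Added example (not from the thread): work out what an OpenVPN endpoint
# still needs for "far LAN via far tun address" plus ip_forward.

# has_route <table-text> <dest-cidr> <gateway>: 0 if the table already
# carries a "<dest-cidr> via <gateway>" entry.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v g="$3" \
        '$1 == d && $2 == "via" && $3 == g { found = 1 } END { exit !found }'
}

# forwarding_enabled <file>: 0 if the file (normally
# /proc/sys/net/ipv4/ip_forward) contains a 1.
forwarding_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# endpoint_todo <table-text> <far-lan> <far-tun> <ip_forward-file>
# Prints the commands this endpoint still needs; prints nothing when done.
endpoint_todo() {
    has_route "$1" "$2" "$3" || printf 'ip route add %s via %s\n' "$2" "$3"
    forwarding_enabled "$4" || printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Constructed routing table for the server: tun0 as in the ifconfig output
# above, its own LAN on eth0, and no route yet to the client's LAN.
SERVER_TABLE='10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.8.0.0/24 via 10.8.0.2 dev tun0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
default via 192.168.2.254 dev eth0'

# Assumption: 192.168.3.0/24 is the LAN behind the client (tun 10.8.0.6).
# On a live server replace "$SERVER_TABLE" with "$(ip route)".
endpoint_todo "$SERVER_TABLE" 192.168.3.0/24 10.8.0.6 /proc/sys/net/ipv4/ip_forward
```

On the client the call is mirrored: the server's LAN (192.168.2.0/24 under the same assumption) via 10.8.0.1. Hosts on each LAN, or their default gateway, also need a return route to the other LAN through the VPN box, or replies never make it back into the tunnel.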