OpenVPN config / routing advice request
Posted: Mon Sep 24, 2012 7:53 am
I've got site-to-site OpenVPN connecting, but things aren't routing correctly. I'd appreciate some guidance on what I'm doing wrong.
2 sites, client (192.168.2.x) and server (192.168.1.x). 192.168.1.x is the site I primarily want access to; bidirectional would be nice.
Each site has a TD-1043ND @ Gargoyle 1.5.6 connected via LAN port to a Dynalink RTA1025W ADSL router. The ADSL router at the 192.168.1.x site has TCP/UDP on 1194 forwarded to the Gargoyle OpenVPN server, and the client site connects fine.
On 192.168.2.1, I've configured a static route for 192.168.1.0/255.255.255.0 to go to 192.168.2.2 via Dynalink webmin.
+--------------+         +-------------+          +-------------+
|   computer   |         |  gargoyle   |          |    adsl     |
| 192.168.1.13 +---------> 192.168.1.2 +----------> 192.168.1.1 +----------+
+--------------+         |  10.8.0.1   |          +-------------+          |
                         +-------------+                                   |
                                                                           |
                                                                        (tubes)
                                                                           |
                                                                           |
+--------------+         +-------------+          +-------------+          |
|   computer   |         |  gargoyle   |          |    adsl     |          |
| 192.168.2.10 +---------+ 192.168.2.2 +----------+ 192.168.2.1 +----------+
+--------------+         |  10.8.0.7   |          +-------------+
                         +-------------+
Once the client OpenVPN connects, I can ping & browse 192.168.1.2 (Gargoyle) from 192.168.2.10 (computer). However, packets destined for other machines on 192.168.1.x are not routed beyond the OpenVPN server.
route -n on OpenVPN server -
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
route -n on OpenVPN client (external IP replaced with xx.xx.xx.xx) -
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xx.xx.xx.xx     192.168.2.1     255.255.255.255 UGH   0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun1
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 br-lan
traceroute 192.168.1.1 from 192.168.2.10 -
$ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
 1  rta1025w.home (192.168.2.1)  4.189 ms  1.487 ms  1.200 ms
 2  192.168.2.2 (192.168.2.2)  1.827 ms  1.553 ms  2.428 ms
 3  10.8.0.1 (10.8.0.1)  61.305 ms  61.399 ms  61.365 ms
 4  * * *
 5  * * * (repeats)
However, traceroute to 192.168.2.2 works -
$ traceroute 192.168.1.2
traceroute to 192.168.1.2 (192.168.1.2), 64 hops max, 52 byte packets
 1  rta1025w.home (192.168.2.1)  20.227 ms  1.066 ms  1.021 ms
 2  192.168.2.2 (192.168.2.2)  8.892 ms  1.603 ms  1.478 ms
 3  some.example.net (192.168.1.2)  62.573 ms  61.923 ms  63.255 ms
OpenVPN server.conf -
mode server
port 1194
proto udp
tls-server
ifconfig 10.8.0.1 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
client-to-client
cipher BF-CBC
keysize 128
dev tun
keepalive 25 180
status /var/openvpn/current_status
verb 5
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key
persist-key
persist-tun
comp-lzo
push "route-gateway 10.8.0.1"
push "redirect-gateway def1"
route 192.168.2.0 255.255.255.0 10.8.0.7
OpenVPN client conf -
client
remote xx.xx.xx.xx 1194
dev tun
proto udp
status /var/openvpn/current_status
resolv-retry infinite
ns-cert-type server
topology subnet
verb 5
cipher BF-CBC
keysize 128
ca /etc/openvpn/grouter_client_dsbqegtzsolt_ca.crt
cert /etc/openvpn/grouter_client_dsbqegtzsolt.crt
key /etc/openvpn/grouter_client_dsbqegtzsolt.key
tls-auth /etc/openvpn/grouter_client_dsbqegtzsolt_ta.key
nobind
persist-key
persist-tun
comp-lzo
/etc/openvpn/ccd contains a CCD file with this -
ifconfig-push 10.8.0.7 255.255.255.0
iroute 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
I'm keen to brush up on my routing. So aside from getting this working, I have a couple of general questions -
- Should 192.168.2.2 be able to advertise to the network that it can route for the 1.x range, instead of me configuring a static route on 192.168.2.1?
- When packets are routed to the 192.168.1.x range from the 192.168.2.x range, does the 1.x network need special configuration for return traffic? Or is this handled automatically?
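A route lookup over the two `route -n` tables in the post, as an added example (not code from the post, Gargoyle or OpenVPN): it parses the rows, performs the longest-prefix match the kernel performs, and reports the next hop each router picks for the forward path, the hop the server picks for a reply to 192.168.2.10 given its posted table, and how the two /1 routes pushed by `redirect-gateway def1` beat the default route. The redacted xx.xx.xx.xx host route is left out, and 203.0.113.10 is a constructed Internet address.

```python
from ipaddress import ip_address, ip_network

# Server-side `route -n` rows copied from the post (header line dropped).
SERVER_ROUTES = """\
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
"""

# Client-side rows from the post; the xx.xx.xx.xx host route to the VPN endpoint
# is omitted because the post redacts that address.
CLIENT_ROUTES = """\
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 br-lan
"""

def parse_routes(text):
    """Turn `route -n` rows into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ip_network(f"{dest}/{mask}"), gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific route wins."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    # A 0.0.0.0 gateway means the destination is directly attached to iface.
    return (str(net), "direct" if gw == "0.0.0.0" else gw, iface)

def trace_both_ways(dst_site1="192.168.1.1", src_site2="192.168.2.10"):
    """Next hop chosen at each router for the forward path, and for the reply."""
    client, server = parse_routes(CLIENT_ROUTES), parse_routes(SERVER_ROUTES)
    return {
        "client_forward": lookup(client, dst_site1),  # 192.168.2.2 -> tun0 towards 10.8.0.1
        "server_forward": lookup(server, dst_site1),  # 10.8.0.1 -> directly on br-lan
        # The posted server table has no 192.168.2.0/24 entry, so a reply leaves via the default route.
        "server_return": lookup(server, src_site2),
        # 203.0.113.10 is a constructed Internet address: the /1 routes from def1 beat 0.0.0.0/0.
        "client_internet": lookup(client, "203.0.113.10"),
    }
```

Comparing `server_return` with the `route 192.168.2.0 255.255.255.0 10.8.0.7` line in server.conf is the quickest way to see whether that directive actually made it into the server's kernel table.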