ankush grover
2006-Aug-02 11:57 UTC
[CentOS] Openvpn problem not able to access the other machines on remote subnet
hey friends,
I have installed OpenVPN 2.0.7 (i386-redhat-linux-gnu [SSL] [LZO]
[EPOLL] built on Apr 29 2006) on Centos4.0 through rpm (diag
repository). The network scenario of my office is below
Remote Client ----> Internet <-------> Cisco Pix Firewall (Gateway) <----> VPN Server & LAN Clients (192.168.5.0/24)
Cisco Pix Firewall: Having a static public ip address and a LAN
Address of 192.168.5.5 and it is also acting as gateway for the LAN
VPN Server: 192.168.5.20; this is also a server on the LAN
running a few more services for the clients in the LAN.
LAN Clients: 192.168.5.0/24
The VPN Server port, 1194, is open on the firewall. This is a test
scenario and I was able to connect to the VPN Server from my home
machine, but I was not able to browse the clients or servers in the
network range of 192.168.5.0/24.
Routing table on the client machine. The client machine has a
static IP address of 172.19.112.154 (DSL connection):
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 10.1.1.5 255.255.255.0 UG 0 0 0 tun0
10.1.1.0 10.1.1.5 255.255.255.0 UG 0 0 0 tun0
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 172.19.0.1 0.0.0.0 UG 0 0 0 eth0
Tue Aug 1 23:10:55 2006 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug 1 23:10:55 2006 Restart pause, 2 second(s)
Tue Aug 1 23:10:57 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Aug 1 23:10:57 2006 Re-using SSL/TLS context
Tue Aug 1 23:10:57 2006 LZO compression initialized
Tue Aug 1 23:10:57 2006 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Aug 1 23:10:57 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Aug 1 23:10:57 2006 Local Options hash (VER=V4): '504e774e'
Tue Aug 1 23:10:57 2006 Expected Remote Options hash (VER=V4): '14168603'
Tue Aug 1 23:10:57 2006 UDPv4 link local: [undef]
Tue Aug 1 23:10:57 2006 UDPv4 link remote: xx.xx.xx.xx:1194 --->> public ip address on pix firewall
Tue Aug 1 23:11:21 2006 TLS: Initial packet from xx.xx.xx.xx:1194, sid=7c6f6585 62ec6b5f ---->> public ip address on pix firewall
Tue Aug 1 23:11:21 2006 VERIFY OK: depth=1, /C=IN/ST=DE/L=ND/O=OpenVPN-TEST/OU=VPN_Server/CN=server1.test.net/emailAddress=postmater at localhost.localdomain
Tue Aug 1 23:11:21 2006 VERIFY OK: nsCertType=SERVER
Tue Aug 1 23:11:21 2006 VERIFY OK: depth=0, /C=IN/ST=DE/O=OpenVPN-TEST/OU=VPN_Server/CN=server1.test.net/emailAddress=postmater at localhost.localdomain
Tue Aug 1 23:11:23 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 1 23:11:23 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 1 23:11:23 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 1 23:11:23 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 1 23:11:23 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 1 23:11:23 2006 [server1.test.net] Peer Connection Initiated with xx.xx.xx.xx:1194
Tue Aug 1 23:11:25 2006 SENT CONTROL [server1.test.net]: 'PUSH_REQUEST' (status=1)
Tue Aug 1 23:11:25 2006 PUSH: Received control message: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.10,route 10.1.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5'
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: route options modified
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Aug 1 23:11:25 2006 TUN/TAP device tun0 opened
Tue Aug 1 23:11:25 2006 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 1 23:11:25 2006 /sbin/ip addr add dev tun0 local 10.1.1.6 peer 10.1.1.5
Tue Aug 1 23:11:25 2006 /sbin/ip route add 192.168.5.0/24 via 10.1.1.5
Tue Aug 1 23:11:25 2006 /sbin/ip route add 10.1.1.0/24 via 10.1.1.5
Tue Aug 1 23:11:25 2006 Initialization Sequence Completed
ifconfig on server
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.1.1 P-t-P:10.1.1.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:173 errors:0 dropped:0 overruns:0 frame:0
TX packets:145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:14052 (13.7 KiB) TX bytes:12192 ( 11.9 KiB)
ifconfig on client
tun0 Link encap:Point-to-Point Protocol
inet addr:10.1.1.6 P-t-P:10.1.1.5 Mask: 255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:143 errors:0 dropped:0 overruns:0 frame:0
TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:12024 (11.7 Kb) TX bytes:14112 (13.7 Kb)
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 [clien1.test.net] Peer Connection Initiated with 202.149.50.30:1030
Tue Aug 1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI: Learn: 10.1.1.6 -> clien1.test.net/202.149.50.30:1030
Tue Aug 1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI: primary virtual IP for clien1.test.net/202.149.50.30:1030: 10.1.1.6
Tue Aug 1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 PUSH: Received control message: 'PUSH_REQUEST'
Tue Aug 1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 SENT CONTROL [clien1.test.net]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.10,route 10.1.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5' (status=1)
Tue Aug 1 23:34:41 2006 clien1.test.net/202.149.50.30:1030 [clien1.test.net] Inactivity timeout (--ping-restart), restarting
Tue Aug 1 23:34:41 2006 clien1.test.net/202.149.50.30:1030 SIGUSR1[soft,ping-restart] received, client-instance restarting
iptables -L on VPN Server
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.1.1.0/24 192.168.5.0/24
One setting that is missing in client.conf is "route 192.168.5.0
255.255.255.0".
These entries are also added to iptables on VPN Server
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
IP forwarding is enabled on the VPN Server.
But still I am not able to access the machines/clients in subnet
192.168.5.0/24. I am attaching the server.conf (openvpnserver.conf)
file with this email.
What more iptables entries need to be added? Please let me know if
you need any further inputs.
Thanks & Regards
Ankush Grover
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openvpnserver.conf
Type: application/octet-stream
Size: 10264 bytes
Desc: not available
URL:
<http://lists.centos.org/pipermail/centos/attachments/20060802/329c1b47/attachment-0003.obj>
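To confirm that the client really installed what the server pushed, here is an added example (not from the thread) that parses the PUSH_REPLY message and the client's route -n table posted above and lists any pushed route that is not present via the tunnel peer on tun0; it uses only the values quoted in the post.

```python
import ipaddress

# Client routing table exactly as posted in the thread (route -n style, header omitted).
CLIENT_ROUTES = """\
10.1.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 10.1.1.5 255.255.255.0 UG 0 0 0 tun0
10.1.1.0 10.1.1.5 255.255.255.0 UG 0 0 0 tun0
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 172.19.0.1 0.0.0.0 UG 0 0 0 eth0
"""

# PUSH_REPLY control message as logged on the client in the thread.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.10,"
              "route 10.1.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5")

def parse_push_reply(msg):
    """Split 'PUSH_REPLY,opt a b,opt c' into [(opt, [a, b]), (opt, [c])]."""
    head, _, body = msg.partition(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    return [(item.split()[0], item.split()[1:]) for item in body.split(",")]

def pushed_routes(msg):
    """Return (pushed networks, tunnel peer address taken from 'ifconfig LOCAL PEER')."""
    nets, peer = [], None
    for opt, args in parse_push_reply(msg):
        if opt == "route":                     # 'route NETWORK NETMASK'
            nets.append(ipaddress.ip_network("%s/%s" % (args[0], args[1]), strict=False))
        elif opt == "ifconfig":                # 'ifconfig LOCAL PEER'
            peer = ipaddress.ip_address(args[1])
    return nets, peer

def parse_route_table(text):
    """Parse route -n rows into a set of (network, gateway, iface) tuples."""
    rows = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8:                        # dest gw genmask flags metric ref use iface
            net = ipaddress.ip_network("%s/%s" % (f[0], f[2]), strict=False)
            rows.add((net, ipaddress.ip_address(f[1]), f[7]))
    return rows

def missing_routes(msg, table_text, iface="tun0"):
    """Pushed routes not installed via the tunnel peer on the tun device (empty == all present)."""
    nets, peer = pushed_routes(msg)
    installed = parse_route_table(table_text)
    return [str(n) for n in nets if (n, peer, iface) not in installed]
```

For the posted data it returns an empty list, so the client-side routing matches the push and the fault is not on the client. With the PIX at 192.168.5.5 as the LAN default gateway and the VPN server at 192.168.5.20, the next thing to verify is that LAN hosts (or the PIX) have a route back to 10.1.1.0/24 via 192.168.5.20, since otherwise their replies go to the PIX and never reach the tunnel.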
René Standfest
2006-Aug-02 15:05 UTC
[CentOS] Openvpn problem not able to access the other machines on remote subnet
Hi Ankush!

ankush grover wrote this on 02.08.2006 13:57:
> hey friends,
>
> I have installed OpenVPN 2.0.7 (i386-redhat-linux-gnu [SSL] [LZO]
> [EPOLL] built on Apr 29 2006) on Centos4.0 through rpm (diag
> repository). The network scenario of my office is below
>
> [snip]
>
> IP forwarding is enabled on the VPN Server.
>
> But still I am not able to access the machines/clients in subnet
> 192.168.5.0/24. I am attaching the server.conf (openvpnserver.conf)
> file with this email.
>
> What more iptables entries need to be added? Please let me know if
> you need any further inputs.
>
> Thanks & Regards
>
> Ankush Grover

My OpenVPN configuration works with tap interfaces. I think this is easier to set up, and as I have a Windows network behind it, it works with no problems because tap interfaces allow broadcasting.

HTH
Greets
René
--
GEEKCODE: GIT d- s+: a-- C+++ U*++++ P+ L++ E--- W++ N+ o-- K- w+ O- M-- V- PS+ PE Y PGP++ t++ 5++ X+ R tv++ b DI D++ G e++ h! !r y+++++
PGP-Key and more available at http://www.standfest.net
My Blog is at http://www.gaudidiecher.de