Hi,

I posted this question yesterday on the Openvpn mailing list, with no response, figured I will ask here too. I have been using openvpn for quite a while, no major problems encountered. Now I need to allow the server to access the LAN of the client, and I cannot figure out the routing. This is what I have after the tunnel is brought up:

SERVER (A.A.A.A)

Arx:~# ip addr
...
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:e2:09:6c:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.13.1/24 brd 192.168.13.255 scope global eth1
...
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.0.13.1 peer 10.0.13.2/32 scope global tun0

Arx:~# ip route
A.A.A.B dev ppp0 proto kernel scope link src A.A.A.A
10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
10.0.13.0/24 via 10.0.13.2 dev tun0
192.168.13.0/24 dev eth1 proto kernel scope link src 192.168.13.1
default dev ppp0 scope link

CLIENT (192.168.9.11, machine behind a router)

root@Thesaurus:~# ip addr
...
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.11/24 brd 192.168.9.255 scope global eth0
...
5: tun_arx: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.0.13.14 peer 10.0.13.13/32 scope global tun_arx

root@Thesaurus:~# ip route
10.0.13.13 dev tun_arx proto kernel scope link src 10.0.13.14
10.0.13.1 via 10.0.13.13 dev tun_arx
192.168.13.0/24 via 10.0.13.13 dev tun_arx
192.168.9.0/24 dev eth0 proto kernel scope link src 192.168.9.11
default via 192.168.9.1 dev eth0

From the client, ping 192.168.13.1 works as expected. I want to be able to ping 192.168.9.20 from the server.

So on the server I did:
ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
and I got
RTNETLINK answers: Network is unreachable

Then I tried both
ip route add 192.168.9.0/24 via 10.0.13.1 dev tun0
ip route add 192.168.9.0/24 via 10.0.13.2 dev tun0
which seem to work, but the ICMP packets vanish in the tunnel. I checked all my firewall settings and the ip_forward settings on both systems. I looked at the tunnel with tcpdump - packets go in and never come out.

Any suggestions?

Thanks
Peter
As described here:

> 10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
> 10.0.13.0/24 via 10.0.13.2 dev tun0

You are not in the entire 10.0.13.0/24 network; I presume you are 10.0.13.1 in the 10.0.13.0/30 network, and 10.0.13.2 is the next hop.

> ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
> and I got
> RTNETLINK answers: Network is unreachable

Yes, because you can only use gateways that are on the same net as you, and you are not on the 10.0.13.0/24.

On Thursday 15 March 2007 06:50, Peter Rabbitson wrote:
> Arx:~# ip addr
> ...
> 3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:04:e2:09:6c:ea brd ff:ff:ff:ff:ff:ff
>     inet 192.168.13.1/24 brd 192.168.13.255 scope global eth1
> ...
> 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
>     link/[65534]
>     inet 10.0.13.1 peer 10.0.13.2/32 scope global tun0
>
> Arx:~# ip route
> A.A.A.B dev ppp0 proto kernel scope link src A.A.A.A
> 10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
> 10.0.13.0/24 via 10.0.13.2 dev tun0
> 192.168.13.0/24 dev eth1 proto kernel scope link src 192.168.13.1
> default dev ppp0 scope link
>
>
>
> CLIENT (192.168.9.11, machine behind a router)
>
> root@Thesaurus:~# ip addr
> ...
> 2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.9.11/24 brd 192.168.9.255 scope global eth0
> ...
> 5: tun_arx: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
>     link/[65534]
>     inet 10.0.13.14 peer 10.0.13.13/32 scope global tun_arx
>
> root@Thesaurus:~# ip route
> 10.0.13.13 dev tun_arx proto kernel scope link src 10.0.13.14
> 10.0.13.1 via 10.0.13.13 dev tun_arx
> 192.168.13.0/24 via 10.0.13.13 dev tun_arx
> 192.168.9.0/24 dev eth0 proto kernel scope link src 192.168.9.11
> default via 192.168.9.1 dev eth0
>
>
> From the client ping 192.168.13.1 works as expected. I want to be able
> to ping 192.168.9.20 from the server. So on the server I did:
> ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
> and I got
> RTNETLINK answers: Network is unreachable
>
> Then I tried both
> ip route add 192.168.9.0/24 via 10.0.13.1 dev tun0
> ip route add 192.168.9.0/24 via 10.0.13.2 dev tun0
> which seem to work, but the icmp packets vanish in the tunnel. I checked
> all my firewall settings and the ip_forward settings on both systems. I
> looked at the tunnel with tcpdump - packets go in and never come out.
>
> Any suggestions?
>
> Thanks
> Peter
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
André Guimarães
Databras Informática
Matriz RJ - 55 (21) 2518-2363
Filial ES - 55 (27) 3233-0098
http://www.databras.com.br
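The rule André states ("you can only use gateways that are on the same net as you") is what the kernel's next-hop check enforces when a route with "via" is added: the gateway is looked up using only routes of scope link or narrower (directly connected, no gateway of their own), restricted to the named device when "dev" is given, and if nothing matches ip(8) prints "Network is unreachable". The following Python model is an added example, not code from either message or from OpenVPN or iproute2: it parses the server's routing table exactly as Peter posted it (the ppp0 line with the symbolic A.A.A.A addresses is left out, and the local table is modelled from the two addresses shown by "ip addr"; the function and constant names are this example's own) and reproduces all three outcomes he saw.

```python
"""Model of the next-hop check the kernel applies to `ip route add ... via GW dev DEV`."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Route scopes from include/uapi/linux/rtnetlink.h; a larger value is a narrower scope.
# `ip route` prints "scope ..." only when it is not global, so global is the parse default.
SCOPES = {"global": 0, "site": 200, "link": 253, "host": 254, "nowhere": 255}


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    gw: Optional[ipaddress.IPv4Address] = None
    scope: str = "global"
    local: bool = False  # modelled entry of the local table (an address of this host)


def parse_ip_route(listing: str) -> List[Route]:
    """Parse IPv4 lines of `ip route` (main table) into Route records."""
    routes: List[Route] = []
    for line in listing.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        if "/" not in dst:
            dst += "/32"  # a bare address is a host route
        route = Route(dst=ipaddress.ip_network(dst, strict=False), dev="")
        i = 1
        while i < len(toks):
            key = toks[i]
            if key == "via":
                route.gw = ipaddress.ip_address(toks[i + 1])
                i += 2
            elif key == "dev":
                route.dev = toks[i + 1]
                i += 2
            elif key == "scope":
                route.scope = toks[i + 1]
                i += 2
            elif key in ("proto", "src", "metric", "mtu", "table"):
                i += 2  # keyword/value pairs the check does not need
            else:
                i += 1  # bare flags such as "onlink"
        routes.append(route)
    return routes


def local_routes(addrs: Dict[str, str]) -> List[Route]:
    """Model the kernel's local table: a scope-host entry for each own address."""
    return [Route(dst=ipaddress.ip_network(a + "/32"), dev=d, scope="host", local=True)
            for a, d in addrs.items()]


def check_nexthop(table: List[Route], gw: str, dev: Optional[str] = None):
    """Reproduce what the kernel's fib_check_nh() does with a "via" gateway: look GW
    up using only routes of scope link or narrower (directly reachable, no gateway
    of their own) and, when "dev" was given, only routes on that device.
    Returns (ok, message); the failure message is the one ip(8) prints."""
    gw_addr = ipaddress.ip_address(gw)
    best: Optional[Route] = None
    for r in table:
        if gw_addr not in r.dst:
            continue
        if SCOPES[r.scope] < SCOPES["link"]:
            continue  # a gatewayed (scope global) route cannot resolve a next hop
        if dev is not None and r.dev != dev:
            continue
        if best is None or r.dst.prefixlen > best.dst.prefixlen:
            best = r  # longest prefix wins
    if best is None:
        return False, "RTNETLINK answers: Network is unreachable"
    kind = "our own address" if best.local else f"on-link via {best.dst}"
    return True, f"next hop {gw_addr} is {kind} on {best.dev} (scope {best.scope})"


# Constructed from the server's `ip route` and `ip addr` as posted; the ppp0 line
# with the symbolic A.A.A.A/A.A.A.B addresses is left out, the rest is verbatim.
SERVER_ROUTES = """\
10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
10.0.13.0/24 via 10.0.13.2 dev tun0
192.168.13.0/24 dev eth1 proto kernel scope link src 192.168.13.1
default dev ppp0 scope link
"""
SERVER_ADDRS = {"10.0.13.1": "tun0", "192.168.13.1": "eth1"}


def server_table() -> List[Route]:
    """Local table first (the kernel consults it first), then the main table."""
    return local_routes(SERVER_ADDRS) + parse_ip_route(SERVER_ROUTES)


if __name__ == "__main__":
    table = server_table()
    for candidate in ("10.0.13.14", "10.0.13.1", "10.0.13.2"):
        ok, why = check_nexthop(table, candidate, dev="tun0")
        print(f"ip route add 192.168.9.0/24 via {candidate} dev tun0 -> "
              f"{'accepted' if ok else 'refused'}: {why}")
```

Run as is, it refuses "via 10.0.13.14 dev tun0" (the only route covering 10.0.13.14 on tun0 is 10.0.13.0/24, which has its own gateway and so is scope global), accepts "via 10.0.13.2 dev tun0" through the scope-link host route, and accepts "via 10.0.13.1 dev tun0" only because 10.0.13.1 is the server's own tun0 address in the local table, which is why that variant "seems to work" without making any sense as a next hop. Two practical points follow from the model: always pin "dev" on a box with an on-link default route (here "default dev ppp0 scope link"), because without it the kernel would happily resolve 10.0.13.14 through ppp0; and passing this check only gets packets into tun0. What happens after that is decided by the OpenVPN process, not the kernel: in server mode it forwards to a client only subnets it knows belong to that client (the iroute directive in the client's ccd file), and hosts on 192.168.9.0/24 also need a route back to 192.168.13.0/24 via 192.168.9.11, neither of which the posted tables show.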