hey friends,
I have installed OpenVPN 2.0.7 (i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006) on Centos4.0 through rpm (diag repository). The network scenario of my office is below:
Remote Client ----> Internet <-------> Cisco Pix Firewall (Gateway) <----> VPN Server
& LAN Clients
(192.168.5.0/24)
Cisco Pix Firewall: has a static public IP address and a LAN address of 192.168.5.5, and it is also acting as gateway for the LAN.
VPN Server: 192.168.5.20; this is also a server on the LAN running a few more services for the clients in the LAN.
LAN Clients: 192.168.5.0/24
The VPN Server port, that is 1194, is open on the Firewall. This is a test scenario and I was able to connect to the VPN Server from my home machine, but I was not able to browse the clients or servers in the network range 192.168.5.0/24.
Routing table on the client machine. The client machine has a static IP address of 172.19.112.154 (DSL connection):
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.1.1.5        0.0.0.0         255.255.255.255 UH    0      0   0   tun0
192.168.5.0     10.1.1.5        255.255.255.0   UG    0      0   0   tun0
10.1.1.0        10.1.1.5        255.255.255.0   UG    0      0   0   tun0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0   0   eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         172.19.0.1      0.0.0.0         UG    0      0   0   eth0
Log on client:
Tue Aug 1 23:10:55 2006 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug 1 23:10:55 2006 Restart pause, 2 second(s)
Tue Aug 1 23:10:57 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Aug 1 23:10:57 2006 Re-using SSL/TLS context
Tue Aug 1 23:10:57 2006 LZO compression initialized
Tue Aug 1 23:10:57 2006 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Aug 1 23:10:57 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Aug 1 23:10:57 2006 Local Options hash (VER=V4): '504e774e'
Tue Aug 1 23:10:57 2006 Expected Remote Options hash (VER=V4): '14168603'
Tue Aug 1 23:10:57 2006 UDPv4 link local: [undef]
Tue Aug 1 23:10:57 2006 UDPv4 link remote: xx.xx.xx.xx:1194   --->> public ip address on pix firewall
Tue Aug 1 23:11:21 2006 TLS: Initial packet from xx.xx.xx.xx:1194, sid=7c6f6585 62ec6b5f   ---->> public ip address on pix firewall
Tue Aug 1 23:11:21 2006 VERIFY OK: depth=1, /C=IN/ST=DE/L=ND/O=OpenVPN-TEST/OU=VPN_Server/CN=server1.test.net/emailAddress=postmater@localhost.localdomain
Tue Aug 1 23:11:21 2006 VERIFY OK: nsCertType=SERVER
Tue Aug 1 23:11:21 2006 VERIFY OK: depth=0, /C=IN/ST=DE/O=OpenVPN-TEST/OU=VPN_Server/CN=server1.test.net/emailAddress=postmater@localhost.localdomain
Tue Aug 1 23:11:23 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 1 23:11:23 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 1 23:11:23 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 1 23:11:23 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 1 23:11:23 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 1 23:11:23 2006 [server1.test.net] Peer Connection Initiated with xx.xx.xx.xx:1194
Tue Aug 1 23:11:25 2006 SENT CONTROL [server1.test.net]: 'PUSH_REQUEST' (status=1)
Tue Aug 1 23:11:25 2006 PUSH: Received control message: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.10,route 10.1.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5'
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: route options modified
Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Aug 1 23:11:25 2006 TUN/TAP device tun0 opened
Tue Aug 1 23:11:25 2006 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 1 23:11:25 2006 /sbin/ip addr add dev tun0 local 10.1.1.6 peer 10.1.1.5
Tue Aug 1 23:11:25 2006 /sbin/ip route add 192.168.5.0/24 via 10.1.1.5
Tue Aug 1 23:11:25 2006 /sbin/ip route add 10.1.1.0/24 via 10.1.1.5
Tue Aug 1 23:11:25 2006 Initialization Sequence Completed
ifconfig on server:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:145 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14052 (13.7 KiB)  TX bytes:12192 (11.9 KiB)
ifconfig on client:
tun0      Link encap:Point-to-Point Protocol
          inet addr:10.1.1.6  P-t-P:10.1.1.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:143 errors:0 dropped:0 overruns:0 frame:0
          TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:12024 (11.7 Kb)  TX bytes:14112 (13.7 Kb)
Log on server:
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 1 23:01:10 2006 202.149.50.30:1030 [clien1.test.net] Peer Connection Initiated with 202.149.50.30:1030
Tue Aug 1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI: Learn: 10.1.1.6 -> clien1.test.net/202.149.50.30:1030
Tue Aug 1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI: primary virtual IP for clien1.test.net/202.149.50.30:1030: 10.1.1.6
Tue Aug 1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 PUSH: Received control message: 'PUSH_REQUEST'
Tue Aug 1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 SENT CONTROL [clien1.test.net]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.10,route 10.1.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5' (status=1)
Tue Aug 1 23:34:41 2006 clien1.test.net/202.149.50.30:1030 [clien1.test.net] Inactivity timeout (--ping-restart), restarting
Tue Aug 1 23:34:41 2006 clien1.test.net/202.149.50.30:1030 SIGUSR1[soft,ping-restart] received, client-instance restarting
iptables -L on VPN Server:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.1.0/24          192.168.5.0/24
One setting is missing in client.conf, that is "route 192.168.5.0 255.255.255.0".
These entries are also added to iptables on the VPN Server:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
IP forwarding is enabled on the VPN Server.
But still I am not able to access the machines/clients in subnet 192.168.5.0/24. I am attaching the server.conf (openvpnserver.conf) file with this email.
What more iptables entries need to be added? Please let me know if you need any further inputs.
Thanks & Regards
Ankush Grover
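An added example for the routed (tun) setup in the post above; this is not the poster's script or OpenVPN's own code. It adds the return-path FORWARD rule the posted rules lack (they accept forwarding into the server from tun+ only, so with a FORWARD policy of DROP every reply from the LAN is discarded) and masquerades VPN traffic behind the server's LAN address, because the LAN hosts use the PIX at 192.168.5.5 as gateway and cannot answer a 10.1.1.x source unless the PIX or the hosts have a route for 10.1.1.0/24 via 192.168.5.20. Assumptions: the server's LAN interface is eth0 (the post does not name it), and the script prints the commands by default (DRY_RUN=1) rather than executing them.

```shell
#!/bin/sh
# Added example, not from the thread: server-side iptables rules for the
# tun setup posted above. Assumption: the server's LAN interface is eth0.
VPN_NET="10.1.1.0/24"      # subnet pushed to clients in the PUSH_REPLY
LAN_NET="192.168.5.0/24"   # office LAN behind the PIX
LAN_IF="${LAN_IF:-eth0}"   # assumption: LAN-facing interface of the VPN server
DRY_RUN="${DRY_RUN:-1}"    # 1 = print commands, 0 = execute them (needs root)

# run: print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vpn_rules: enable forwarding and install the three rules the routed
# setup needs. In dry-run mode the rule text is written to stdout.
vpn_rules() {
    # Without forwarding nothing that arrives on tun0 is passed to the LAN.
    run sysctl -w net.ipv4.ip_forward=1
    # VPN -> LAN, narrowed to the two subnets (the posted "-i tun+" rule
    # accepts any destination).
    run iptables -A FORWARD -i tun+ -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    # LAN -> VPN return path: only replies to connections the VPN side
    # opened, so LAN hosts cannot initiate traffic towards the clients.
    run iptables -A FORWARD -i "$LAN_IF" -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts route via the PIX and have no route back to 10.1.1.0/24;
    # masquerading makes VPN clients appear as the server's LAN address.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

vpn_rules
```

Run with DRY_RUN=0 as root to apply; the masquerade rule can be dropped if a static route for 10.1.1.0/24 via 192.168.5.20 is added on the PIX instead.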
Hi Ankush!
On 02.08.2006 13:57, ankush grover wrote:
hey friends,
I have installed OpenVPN 2.0.7 (i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006) on Centos4.0 through rpm (diag repository). The network scenario of my office is below
[snip]
IP forwarding is enabled on the VPN Server.
But still I am not able to access the machines/clients in subnet 192.168.5.0/24. I am attaching the server.conf (openvpnserver.conf) file with this email.
What more iptables entries need to be added? Please let me know if you need any further inputs.
Thanks & Regards
Ankush Grover
My OpenVPN configuration works with tap interfaces. I think this is easier to set up, and as I have a Windows network behind it, it works with no problems because tap interfaces allow broadcasting.
HTH
Greets René
On 8/2/06, René Standfest centos@standfest.net wrote:
hey,
Thanks for the reply. What iptables configuration have you done on the VPN server, or does VPN with tap interfaces not require iptables configuration?
Hi Ankush!
On 03.08.2006 07:06, ankush grover wrote:
My OpenVPN configuration works with tap interfaces. I think this is easier to set up, and as I have a Windows network behind it, it works with no problems because tap interfaces allow broadcasting.
Thanks for the reply. What iptables configuration have you done on the VPN server, or does VPN with tap interfaces not require iptables configuration?
I bridged my eth0 and tap0, so they are on the same subnet and no iptables is needed.
Greets René
On 8/3/06, René Standfest centos@standfest.net wrote:
Hey,
Thanks for the reply. I have also configured the same. I want to know what IP address you gave to the bridge.
My network is in the range 192.168.5.0/24, and I have given 192.168.5.220/24 to the bridge and 192.168.5.230-192.168.5.245 for the client IP addresses.
I am using the bridge-start and bridge-stop scripts given on the OpenVPN site. I have changed the settings in those scripts as per the LAN settings.
Thanks & Regards
Ankush Grover