[CentOS] Openvpn problem not able to access the other machines on remote subnet

Wed Aug 2 11:57:15 UTC 2006
ankush grover <ankushcentos at gmail.com>

hey friends,

I have installed OpenVPN 2.0.7 (i386-redhat-linux-gnu [SSL] [LZO]
[EPOLL] built on Apr 29 2006) on CentOS 4.0 through rpm (dag
repository). The network scenario of my office is below:


Remote Client ----> Internet <----> Cisco Pix Firewall (Gateway) <----> VPN Server
                                                                      & LAN Clients
                                                                        (192.168.5.0/24)

Cisco Pix Firewall: has a static public IP address and a LAN
address of 192.168.5.5, and it also acts as the gateway for the LAN.

VPN Server: 192.168.5.20; this is also a server on the LAN
running a few more services for the clients in the LAN.

LAN Clients: 192.168.5.0/24

The VPN server port, 1194, is open on the firewall. This is a test
scenario: I was able to connect to the VPN server from my home
machine, but I was not able to browse the clients or servers in the
network range 192.168.5.0/24.

Routing table on the client machine. The client machine has a
static IP address of 172.19.112.154 (DSL connection):

10.1.1.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.5.0     10.1.1.5        255.255.255.0   UG    0      0        0 tun0
10.1.1.0        10.1.1.5        255.255.255.0   UG    0      0        0 tun0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.19.0.1      0.0.0.0         UG    0      0        0 eth0


Tue Aug  1 23:10:55 2006 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug  1 23:10:55 2006 Restart pause, 2 second(s)
Tue Aug  1 23:10:57 2006 IMPORTANT: OpenVPN's default port number is now 1194,
based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and
earlier used 5000 as the default port.
Tue Aug  1 23:10:57 2006 Re-using SSL/TLS context
Tue Aug  1 23:10:57 2006 LZO compression initialized
Tue Aug  1 23:10:57 2006 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0
ET:0 EL:0 ]
Tue Aug  1 23:10:57 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135
ET:0 EL:0 AF:3/1 ]
Tue Aug  1 23:10:57 2006 Local Options hash (VER=V4): '504e774e'
Tue Aug  1 23:10:57 2006 Expected Remote Options hash (VER=V4): '14168603'
Tue Aug  1 23:10:57 2006 UDPv4 link local: [undef]
Tue Aug  1 23:10:57 2006 UDPv4 link remote: xx.xx.xx.xx:1194   --->>
public ip address on pix firewall
Tue Aug  1 23:11:21 2006 TLS: Initial packet from xx.xx.xx.xx:1194,
---->> public ip address on pix firewall
sid=7c6f6585 62ec6b5f
Tue Aug  1 23:11:21 2006 VERIFY OK: depth=1,
/C=IN/ST=DE/L=ND/O=OpenVPN-TEST/OU=VPN_Server/CN=
server1.test.net/emailAddress=postmater at localhost.localdomain
Tue Aug  1 23:11:21 2006 VERIFY OK: nsCertType=SERVER
Tue Aug  1 23:11:21 2006 VERIFY OK: depth=0,
/C=IN/ST=DE/O=OpenVPN-TEST/OU=VPN_Server/CN=server1.test.net/emailAddress=postmater at localhost.localdomain
Tue Aug  1 23:11:23 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Tue Aug  1 23:11:23 2006 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Tue Aug  1 23:11:23 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Tue Aug  1 23:11:23 2006 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Tue Aug  1 23:11:23 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug  1 23:11:23 2006 [server1.test.net] Peer Connection Initiated
with xx.xx.xx.xx:1194
Tue Aug  1 23:11:25 2006 SENT CONTROL [server1.test.net ]:
'PUSH_REQUEST' (status=1)
Tue Aug  1 23:11:25 2006 PUSH: Received control message: 'PUSH_REPLY,route
192.168.5.0 255.255.255.0,dhcp-option DNS  192.168.5.10,route 10.1.1.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6  10.1.1.5'
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: route options modified
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
Tue Aug  1 23:11:25 2006 TUN/TAP device tun0 opened
Tue Aug  1 23:11:25 2006 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug  1 23:11:25 2006 /sbin/ip addr add dev tun0 local 10.1.1.6 peer
10.1.1.5
Tue Aug  1 23:11:25 2006 /sbin/ip route add  192.168.5.0/24 via 10.1.1.5
Tue Aug  1 23:11:25 2006 /sbin/ip route add 10.1.1.0/24 via 10.1.1.5
Tue Aug  1 23:11:25 2006 Initialization Sequence Completed

ifconfig on server:
tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:145 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14052 (13.7 KiB)  TX bytes:12192 ( 11.9 KiB)


ifconfig on client:
tun0      Link encap:Point-to-Point Protocol
          inet addr:10.1.1.6  P-t-P:10.1.1.5  Mask: 255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:143 errors:0 dropped:0 overruns:0 frame:0
          TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:12024 (11.7 Kb)  TX bytes:14112 (13.7 Kb)


Tue Aug  1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug  1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug  1 23:01:10 2006  202.149.50.30:1030 Control Channel: TLSv1,
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug  1 23:01:10 2006 202.149.50.30:1030 [clien1.test.net ] Peer
Connection Initiated with 202.149.50.30:1030
Tue Aug  1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI:
Learn:  10.1.1.6 -> clien1.test.net/202.149.50.30:1030
Tue Aug  1 23:01:10 2006 clien1.test.net/202.149.50.30:1030  MULTI:
primary virtual IP for clien1.test.net/202.149.50.30:1030: 10.1.1.6
Tue Aug  1 23:01:11 2006  clien1.test.net/202.149.50.30:1030 PUSH:
Received control message: 'PUSH_REQUEST'
Tue Aug  1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 SENT
CONTROL [ clien1.test.net]: 'PUSH_REPLY,route 192.168.5.0
255.255.255.0,dhcp-option DNS 192.168.5.10,route  10.1.1.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5'
(status=1)
Tue Aug  1 23:34:41 2006  clien1.test.net/202.149.50.30:1030
[clien1.test.net] Inactivity timeout (--ping-restart), restarting
Tue Aug  1 23:34:41 2006  clien1.test.net/202.149.50.30:1030
SIGUSR1[soft,ping-restart] received, client-instance restarting


iptables -L on VPN Server:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.1.0/24           192.168.5.0/24

One setting is missing in client.conf, namely "route 192.168.5.0 255.255.255.0".

These entries are also added to iptables on the VPN Server:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT


# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT


IP forwarding is enabled on the VPN Server.

But I am still not able to access the machines/clients in the subnet
192.168.5.0/24. I am attaching the server.conf (openvpnserver.conf)
file with this email.

What more iptables entries need to be added? Please let me know if
you need any further inputs.

Thanks & Regards

Ankush Grover
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openvpnserver.conf
Type: application/octet-stream
Size: 10264 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20060802/329c1b47/attachment-0004.obj>
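The client log above shows the route to 192.168.5.0/24 being installed, so the forward path is in place; what a LAN host does with its reply is the other half of the picture. As an added example (not from the original post or from OpenVPN), this script does a longest-prefix lookup over `route -n` style output, using a copy of the poster's client table and a constructed LAN-host table whose only gateway is the PIX; the server's LAN address 192.168.5.20 is taken from the post.

```python
import ipaddress

# Constructed copy of the `route -n` table the poster shows on the client
# (link-local and loopback rows trimmed).
CLIENT_ROUTES = """\
10.1.1.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.5.0     10.1.1.5        255.255.255.0   UG    0      0        0 tun0
10.1.1.0        10.1.1.5        255.255.255.0   UG    0      0        0 tun0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         172.19.0.1      0.0.0.0         UG    0      0        0 eth0
"""

# Constructed (assumed) table for a LAN host that only knows the PIX
# (192.168.5.5) as its default gateway; the post does not show this table.
LAN_HOST_ROUTES = """\
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.5.5     0.0.0.0         UG    0      0        0 eth0
"""

def parse_routes(text):
    """Turn `route -n` rows into (network, gateway, device) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # skip header or blank lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: return (gateway, device) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def return_path_ok(lan_routes, client_ip, vpn_server_lan_ip):
    """True only if a LAN host's reply to the VPN client is handed to the
    VPN server itself rather than to some other gateway (here the PIX)."""
    hop = lookup(lan_routes, client_ip)
    return hop is not None and hop[0] == vpn_server_lan_ip
```

If the reply hop is not the VPN server, the usual remedies are a route for 10.1.1.0/24 via 192.168.5.20 on the PIX (or on each LAN host), or a SNAT/MASQUERADE rule on the server's LAN side so that replies are addressed to 192.168.5.20 in the first place.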