From: Alex Samad
Date: Mon, 10 Sep 2007 09:05:11 +0000
Subject: Re: [LARTC] OpenVPN routing
To: lartc@vger.kernel.org

On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
> Hi!
>
> I'm trying to create a routed VPN using OpenVPN - and having trouble with the routing concepts involved. Let me see if I can properly describe my current topology:
>
> Server -
> LAN, with both local workstations and remote bridged workstations on the 192.168.0.0/24 network (this works without reservation).
> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and a few others.
> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1.
> Server can talk to clients, and clients can talk to server.
>
> My 1st goal is to allow selected server-side LAN workstations to reach the routed VPN workstations. The LAN should be invisible to the routed VPN.
>
> My 2nd goal is to allow selected server-side LAN workstations to reach networks served by routed VPN workstations as gateways [this involves OpenVPN more, I believe]. The LAN should still be invisible to the routed VPN.
>
> My server routing table is:
> 172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1
> 192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1
> 10.4.1.0/24 via 172.27.0.2 dev tun0
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71
> 192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72
> 192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1
> 172.27.0.0/16 via 172.27.0.2 dev tun0
> default via 192.168.0.1 dev eth0

I think you need to use a tap device (I currently have a similar setup, but I do not hide the LAN - in fact I use openvpn to do site to site WAN).

By hide the LAN you mean you don't want the openvpn clients to see the 192.168 addresses? If that is the case this is more an iptables question: you will need to NAT the LAN network going out, and if you want inbound traffic you will need to set up NATting on the way back in as well - static though.

Why do you want to hide the network?

Unless your server is the default gateway for the network you will have to do 1 of 2 things: either set up routing on each client or update the default gateway with how to route the packet (ie via the server).

Why do the clients (openvpn clients) not respond to pings? I would guess again the usual routing problem. Can you run tcpdump on these machines?

> IP forwarding is enabled on all interfaces, and iptables (by way of firehol) has rules to allow all forwarding between all interfaces.
>
> If I create a 172.27.0.0/16 route on a LAN workstation, I can ping the server at 172.27.0.1. But I cannot reach any VPN workstation. At one time, by playing with some NAT rules, I was able to - but it didn't seem right.
>
> What am I missing?
>
> Daniel
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
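The asymmetric-routing problem behind the "cannot reach any VPN workstation" symptom (the VPN client has no route back to 192.168.0.0/24, so its echo reply leaves through its own default gateway) can be checked offline with a longest-prefix-match simulation over the server table posted above. This is an added example, not code from the thread; the client routing table, the LAN workstation address 192.168.0.50 and the client's gateway 203.0.113.1 are constructed assumptions.

```python
import ipaddress

# Server routing table exactly as posted in the thread: (prefix, gateway or None, device).
SERVER_ROUTES = [
    ("172.27.0.2/32", None, "tun0"),
    ("192.168.20.0/24", None, "vmnet8"),
    ("10.4.1.0/24", "172.27.0.2", "tun0"),
    ("192.168.0.0/24", None, "eth0"),
    ("192.168.0.0/24", None, "br1"),
    ("192.168.30.0/24", None, "vmnet1"),
    ("172.27.0.0/16", "172.27.0.2", "tun0"),
    ("0.0.0.0/0", "192.168.0.1", "eth0"),
]

# Constructed table of a VPN client that was never told about 192.168.0.0/24 (assumption):
# it knows only the tunnel peer and its own internet gateway (203.0.113.1, a documentation address).
CLIENT_ROUTES = [
    ("172.27.0.1/32", None, "tun0"),
    ("0.0.0.0/0", "203.0.113.1", "eth0"),
]

# Same client after it has been given a route for the LAN via the server (assumption).
CLIENT_ROUTES_WITH_LAN = CLIENT_ROUTES + [("192.168.0.0/24", "172.27.0.1", "tun0")]

def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies. Returns (gateway, device) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def ping_round_trip(lan_ws, vpn_client, client_routes, snat_to=None):
    """Does an echo request from a LAN workstation to a VPN client get its reply back?
    Assumes the workstation already has Daniel's 172.27.0.0/16 route via the server.
    snat_to, if set, is the address the server rewrites the source to on the way out."""
    out = lookup(SERVER_ROUTES, vpn_client)         # server forwards the request
    if out is None or out[1] != "tun0":
        return False
    reply_dst = snat_to or lan_ws                   # source address the client sees
    back = lookup(client_routes, reply_dst)         # client routes the echo reply
    return back is not None and back[1] == "tun0"   # only the tunnel leads back home

if __name__ == "__main__":
    print("no LAN route on client:", ping_round_trip("192.168.0.50", "172.27.0.2", CLIENT_ROUTES))
    print("SNAT on server        :", ping_round_trip("192.168.0.50", "172.27.0.2", CLIENT_ROUTES, snat_to="172.27.0.1"))
    print("LAN route on client   :", ping_round_trip("192.168.0.50", "172.27.0.2", CLIENT_ROUTES_WITH_LAN))
```

Running a real tcpdump on tun0 of the client, as suggested in the reply, would show the same thing: the request arrives, and the reply (if any) goes out the wrong interface.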