[LARTC] Openvpn routing problem

[LARTC] Openvpn routing problem

[Peter Rabbitson]

Hi,

I posted this question yesterday on the Openvpn mailing list, with no 
response, figured I will ask here too. I have been using openvpn for 
quite a while, no major problems encountered. Now I need to allow the 
server to access the lan of the  client, and I can not figure out the 
routing. This is what I have after the tunnel is brought up:


SERVER (A.A.A.A)

Arx:~# ip addr
...
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:04:e2:09:6c:ea brd ff:ff:ff:ff:ff:ff
      inet 192.168.13.1/24 brd 192.168.13.255 scope global eth1
...
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc
pfifo_fast qlen 100
      link/[65534]
      inet 10.0.13.1 peer 10.0.13.2/32 scope global tun0

Arx:~# ip route
A.A.A.B dev ppp0  proto kernel  scope link  src A.A.A.A
10.0.13.2 dev tun0  proto kernel  scope link  src 10.0.13.1
10.0.13.0/24 via 10.0.13.2 dev tun0
192.168.13.0/24 dev eth1  proto kernel  scope link  src 192.168.13.1
default dev ppp0  scope link



CLIENT (192.168.9.11, machine behind a router)

root@Thesaurus:~# ip addr
...
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
      inet 192.168.9.11/24 brd 192.168.9.255 scope global eth0
...
5: tun_arx: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc
pfifo_fast qlen 100
      link/[65534]
      inet 10.0.13.14 peer 10.0.13.13/32 scope global tun_arx

root@Thesaurus:~# ip route
10.0.13.13 dev tun_arx  proto kernel  scope link  src 10.0.13.14
10.0.13.1 via 10.0.13.13 dev tun_arx
192.168.13.0/24 via 10.0.13.13 dev tun_arx
192.168.9.0/24 dev eth0  proto kernel  scope link  src 192.168.9.11
default via 192.168.9.1 dev eth0


  From the client ping 192.168.13.1 works as expected. I want to be able
to ping 192.168.9.20 from the server. So on the server I did:
	ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
and I got
	RTNETLINK answers: Network is unreachable

Then I tried both
	ip route add 192.168.9.0/24 via 10.0.13.1 dev tun0
	ip route add 192.168.9.0/24 via 10.0.13.2 dev tun0
which seem to work, but the icmp packets vanish in the tunnel. I checked
all my firewall settings and the ip_forward settings on both systems. I 
looked at the tunnel with tcpdump - packets go in and never come out.

Any suggestions?

Thanks
Peter


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Openvpn routing problem

[Andre Guimarães]

As described here:
> 10.0.13.2 dev tun0  proto kernel  scope link  src 10.0.13.1
> 10.0.13.0/24 via 10.0.13.2 dev tun0

You are not in the 10.0.13.0/24 entire network, I presume you are 10.0.13.1 
in the 10.0.13.0/30 network, and 10.0.13.2 is the next hop.

> 	ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
> and I got
> 	RTNETLINK answers: Network is unreachable
Yes, because you can only use gateways that are on the same net as you, and 
you are not on the  10.0.13.0/24.



On Thursday 15 March 2007 06:50, Peter Rabbitson wrote:

> Arx:~# ip addr
> ...
> 3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>       link/ether 00:04:e2:09:6c:ea brd ff:ff:ff:ff:ff:ff
>       inet 192.168.13.1/24 brd 192.168.13.255 scope global eth1
> ...
> 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc
> pfifo_fast qlen 100
>       link/[65534]
>       inet 10.0.13.1 peer 10.0.13.2/32 scope global tun0
>
> Arx:~# ip route
> A.A.A.B dev ppp0  proto kernel  scope link  src A.A.A.A
> 10.0.13.2 dev tun0  proto kernel  scope link  src 10.0.13.1
> 10.0.13.0/24 via 10.0.13.2 dev tun0
> 192.168.13.0/24 dev eth1  proto kernel  scope link  src 192.168.13.1
> default dev ppp0  scope link
>
>
>
> CLIENT (192.168.9.11, machine behind a router)
>
> root@Thesaurus:~# ip addr
> ...
> 2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>       link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
>       inet 192.168.9.11/24 brd 192.168.9.255 scope global eth0
> ...
> 5: tun_arx: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc
> pfifo_fast qlen 100
>       link/[65534]
>       inet 10.0.13.14 peer 10.0.13.13/32 scope global tun_arx
>
> root@Thesaurus:~# ip route
> 10.0.13.13 dev tun_arx  proto kernel  scope link  src 10.0.13.14
> 10.0.13.1 via 10.0.13.13 dev tun_arx
> 192.168.13.0/24 via 10.0.13.13 dev tun_arx
> 192.168.9.0/24 dev eth0  proto kernel  scope link  src 192.168.9.11
> default via 192.168.9.1 dev eth0
>
>
>   From the client ping 192.168.13.1 works as expected. I want to be able
> to ping 192.168.9.20 from the server. So on the server I did:
> 	ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
> and I got
> 	RTNETLINK answers: Network is unreachable
>
> Then I tried both
> 	ip route add 192.168.9.0/24 via 10.0.13.1 dev tun0
> 	ip route add 192.168.9.0/24 via 10.0.13.2 dev tun0
> which seem to work, but the icmp packets vanish in the tunnel. I checked
> all my firewall settings and the ip_forward settings on both systems. I
> looked at the tunnel with tcpdump - packets go in and never come out.
>
> Any suggestions?
>
> Thanks
> Peter
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
André Guimarães
Databras Informática
Matriz RJ - 55 (21) 2518-2363
Filial ES - 55 (27) 3233-0098
http://www.databras.com.br
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc