OpenVPN Routing Help

Hi,

I'm having some problems getting an openvpn server/client to route/work correctly.

The network looks like this:

Network 1 (VPN Server on 192.168.1.45):
Many hosts (192.168.1.x) -> ADSL Router -> Interwebs

Network 2 (VPN Client on 192.168.1.30):
Many Hosts: (192.168.1.x) -> ADSL Router -> Interwebs

So everything connects and authenticates fine, and both networks have a virtual Ethernet tap device created at 192.168.1.80 (defined in my server.conf). There are no obvious errors in the logs and kernel IP forwarding is enabled at both ends.

So I'm all connected with a working (?) tap device; from here I assumed I would be able to ping hosts between networks, i.e. 192.168.1.10 on network 2 should be able to ping 192.168.1.47 on network 1.


My routing table looks like this on the client:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 tap0
default         dsldevice.lan   0.0.0.0         UG    0      0        0 eth0

The client's tap0:

Code:
tap0      Link encap:Ethernet  HWaddr EA:7B:63:5C:82:23
          inet addr:192.168.1.80  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e87b:63ff:fe5c:8223/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:77652 (75.8 Kb)  TX bytes:468 (468.0 b)

So, any 192.168.1.x packets first go out on the local LAN; if that fails they should get routed to the tap0 interface and get VPN'd, right? And failing that we go to the gateway.

However none of the hosts can speak between networks. Am I doing something obviously stupid here? Or is there more complexity required in the routing tables?

EDIT: The server is using a bridged interface, but also has tap0 defined. Not too sure if this is correct or not. I think br0 is bridged with the server's eth0 (LAN network).

Code:
Routing table (server):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
default         bebox.config    0.0.0.0         UG    0      0        0 br0
 
Routing failover doesn't work like that. But you shouldn't be using failover routes for VPN anyway.

Your setup won't work because you have the same network address range at either end. They have to be different.

If you changed the client to 192.168.2.0 then the route would be

Code:
192.168.1.0     *               255.255.255.0   U     0      0        0 tap0

The server route would be

Code:
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
 
Ok thanks a lot, I feared that might be the problem and it's gonna be a pain to readdress everything as they are statically assigned :(

Hopefully it will work after that change though.
 
Yup. It's also not the routes that decide what goes over the VPN. You need to define interesting traffic for it in the config, i.e. which packets, based on source and destination addresses etc., are to be tunnelled and which not.

So in there you'd want to configure it for packets with source 192.168.1.0 and dest 192.168.2.0 on the client and vice versa on the server.
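The two replies above make two points: the kernel picks one route per packet rather than "trying" eth0 and then falling back to tap0, and the two LANs must not share an address range. The following is an added example written for this page, not code from anyone in the thread. It models the kernel's route selection on the client's posted routing table, then plans a renumbered site-to-site layout and emits the OpenVPN lines that actually steer traffic into the tunnel (in OpenVPN that job is done by `route`, `iroute` and `push "route ..."`, not by a separate traffic selector). It assumes routed `dev tun` mode rather than the poster's bridged tap, and the tunnel subnet 10.8.0.0/24 and client name `site2` are hypothetical.

```python
"""Added example, not from the thread: model kernel route selection on the
posted client table, and plan a renumbered OpenVPN site-to-site link.
Assumptions: routed dev tun mode, hypothetical tunnel 10.8.0.0/24 and a
client whose certificate CN is 'site2'."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# One kernel route: destination prefix, outgoing interface, metric.
Route = Tuple[ipaddress.IPv4Network, str, int]

# The client's routing table exactly as posted in the thread.
POSTED_CLIENT_TABLE: List[Route] = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0", 0),
    (ipaddress.ip_network("192.168.1.0/24"), "tap0", 0),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", 0),
]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Choose the outgoing interface the way the kernel does: longest prefix,
    then lowest metric, then the first matching entry. Exactly one route is
    selected per packet; a failed ARP on eth0 never 'falls over' to tap0."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface, metric in table:
        if addr not in net:
            continue
        # Larger prefix length wins; on a tie the lower metric wins; on a
        # full tie the earlier entry is kept.
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
            best = (net, iface, metric)
    return best[1] if best else None


def plan_site_to_site(server_lan: str, client_lan: str, tunnel: str) -> Dict[str, List[str]]:
    """Check that the server LAN, client LAN and tunnel prefixes are disjoint
    and return the OpenVPN lines each side needs. Raises ValueError on any
    overlap, which is the poster's situation (192.168.1.0/24 at both ends)."""
    nets = {
        "server LAN": ipaddress.ip_network(server_lan),
        "client LAN": ipaddress.ip_network(client_lan),
        "tunnel": ipaddress.ip_network(tunnel),
    }
    for (an, a), (bn, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            raise ValueError(f"{an} {a} overlaps {bn} {b}; renumber one side")
    s, c, t = nets["server LAN"], nets["client LAN"], nets["tunnel"]
    return {
        # server.conf: hand out tunnel addresses, add a kernel route for the
        # client LAN via the tun device, and push the server LAN to the client.
        "server.conf": [
            "dev tun",
            f"server {t.network_address} {t.netmask}",
            f"route {c.network_address} {c.netmask}",
            "client-config-dir ccd",
            f'push "route {s.network_address} {s.netmask}"',
        ],
        # ccd/site2: iroute tells OpenVPN itself which client owns that LAN
        # (the kernel route alone only gets packets as far as the tun device).
        "ccd/site2": [f"iroute {c.network_address} {c.netmask}"],
    }


def renumbered_client_table(client_lan: str, server_lan: str) -> List[Route]:
    """The client's table after renumbering: the remote LAN is reachable only
    through the tunnel interface, so there is no ambiguity left to resolve."""
    return [
        (ipaddress.ip_network(client_lan), "eth0", 0),
        (ipaddress.ip_network(server_lan), "tun0", 0),
        (ipaddress.ip_network("0.0.0.0/0"), "eth0", 0),
    ]


if __name__ == "__main__":
    print("posted table, 192.168.1.47 ->", lookup(POSTED_CLIENT_TABLE, "192.168.1.47"))
    try:
        plan_site_to_site("192.168.1.0/24", "192.168.1.0/24", "10.8.0.0/24")
    except ValueError as err:
        print("rejected:", err)
    plan = plan_site_to_site("192.168.1.0/24", "192.168.2.0/24", "10.8.0.0/24")
    for name, lines in plan.items():
        print(f"# {name}")
        print("\n".join(lines))
    table = renumbered_client_table("192.168.2.0/24", "192.168.1.0/24")
    print("renumbered table, 192.168.1.47 ->", lookup(table, "192.168.1.47"))
```

Running it shows 192.168.1.47 always resolving to eth0 on the posted table and to tun0 after renumbering. One further caveat for the other hosts on each LAN: their default gateway is the ADSL router, not the VPN box, so each host (or the router) also needs a static route for the remote LAN pointing at the OpenVPN machine, otherwise the replies go out to the Internet instead of back through the tunnel.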
 