Re: [Openvpn-users] Site2Site - routing-problem (linux)

[Martin Müller - Rudolf Hausstein OHG <m.mueller@xxxxxxxxxxxx>]

Phil Burrow schrieb:
> Martin Müller - Rudolf Hausstein OHG wrote:
>
> > Client: route -n
> > Kernel IP Routentabelle
> > Ziel           Router         Genmask         Flags Metric Ref Use 
> Iface
> > 192.168.123.5  0.0.0.0        255.255.255.255 UH    0      0     0 tun0
> > 192.168.100.0  192.168.123.5  255.255.255.0   UG    0      0     0 tun0
> > 192.168.123.0  192.168.123.5  255.255.255.0   UG    0      0     0 tun0
> > 10.0.0.0       0.0.0.0        255.0.0.0       U     0      0     0 eth0
>
> Hi Martin,
>
> From this routing table, your local subnet is 10.0.0.0/255.0.0.0 
> instead of 10.8.0.0/255.255.255.0 like you put in your OpenVPN 
> configs. That's the reason push "route 10.8.0.0 255.255.255.0" breaks 
> your client LAN, because OpenVPN would create a route that directs 
> traffic for 10.8.0.0/255.255.255.0 to your OpenVPN server since there 
> is no route for that subnet on your client.
>
> EITHER change this line:
>
> > 10.0.0.0       0.0.0.0        255.0.0.0       U     0      0     0 eth0
>
> to
>
> > 10.8.0.0       0.0.0.0        255.255.255.0       U     0      0 0 eth0
>
> OR

I have tried to change this, but with no success. Cant figure out the 
right syntax.

> Try changing your client LAN subnet to 10.0.0.0/255.0.0.0 in your 
> OpenVPN config files (server.conf and ccd/test). i.e:
>
> server.conf:
>
>   route 10.0.0.0 255.0.0.0
>   push "route 192.168.100.0 255.255.255.0"
>   push "route 10.0.0.0 255.0.0.0"
>
> ccd/test:
>
>   iroute 10.0.0.0 255.0.0.0 

So I changed my second LAN to your suggestion. But it wasnt working 
(like 10.8.0.0). Cant reach the Server-LAN from the Client-Lan.

So what I think is, that the problem belongs to the networkmask.
I changed my Client-LAN to 192.168.200.0

#/etc/openvpn/server.conf
route 192.168.200.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0" 

Here again, I put away the line
   'push "route 192.168.200.0 255.255.255.0" '
because when I use this, the Clients of 192.168.200.0/24 cant reach 
192.168.200.99.

#/etc/openvpn/ccd/test
iroute 192.168.200.0 255.255.255.0


route on the client with tun0 down:
Ziel            Router          Genmask         Flags Metric Ref    Use 
Iface
83.64.124.96    0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         83.64.124.97    0.0.0.0         UG    0      0        0 eth1


route in the client with tun0 up:
Ziel            Router          Genmask         Flags Metric Ref    Use 
Iface
192.168.123.5   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
83.64.124.96    0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.100.0   192.168.123.5   255.255.255.0   UG    0      0        0 tun0
192.168.200.0   192.168.123.5   255.255.255.0   UG    0      0        0 tun0
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.123.0   192.168.123.5   255.255.255.0   UG    0      0        0 tun0
0.0.0.0         83.64.124.97    0.0.0.0         UG    0      0        0 eth1


> Apart from that it looks fine., all traffic for 192.168.100.0 and for 
> 192.168.123.0 goes via gateway 192.168.123.5 (tun0) which is what you 
> want.
>
> Can you ping 192.168.123.1 from your client?

Yes.


Thank you for your support.




Best regards,

Martin


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users