Title: AW: [Openvpn-users] Problem with multiple push "route..."
Hi Erich,
of course "a" is not "1" :)
Sorry for the obfuscated network addresses, but I have to...
Now I double checked the firewall settings, the routing tables and the configs.
The ping from client to the vpn server or to one host in the mentioned networks is leaving through the tun0 interface, which is perfect. But it never arrives at the server! (checked with tcpdump) I don't know why!?
In debugging mode I can see that the client is sending a lot of TCPv4_CLIENT WRITE but never receives any TCPv4_CLIENT READ statements.
The server itself is sending a lot of TCPv4_SERVER WRITE but does not receive the packets from the client. So the connection is closed after some seconds (keepalive setting).
If I only push one route to the client (or the default route replacement) everything is fine. The tunnel comes up, stays up and traffic is working like a charm. I already tested with UDP and had no luck either. Same problem!
Here are the configs:
client:
client
dev tun
proto tcp-client
remote server-ip 443
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
pkcs12 client.domain.p12
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC
comp-lzo
verb 6
keepalive 3 30
server:
local server-ip
lport 443
proto tcp-server
dev tun
ca /etc/openvpn/ca.pem
cert /etc/openvpn/openvpnserver.crt
key /etc/openvpn/openvpnserver.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS 192.168.a.1"
push "dhcp-option WINS 192.168.a.1"
push "route 192.168.a.0 255.255.255.0"
push "route 10.1.b.0 255.255.255.0"
client-to-client
keepalive 10 30
tls-auth ta.key 0 # This file is secret
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
tun-mtu 1500
crl-verify /etc/openvpn/crl.pem
client-connect "/etc/openvpn/scripts/client-up.sh"
client-disconnect "/etc/openvpn/scripts/client-down.sh"
If you or someone else has some comments about that....
I'm happy about any statement.
Regards,
Thomas
-----Original Message-----
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Erich Titl
Sent: Mon 11.09.2006 20:03
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Problem with multiple push "route..."
Hi Thomas
Thomas Heidemann wrote:
> Hi Erich, hi list.
>
> Here is the routing table after a successful connect with 2 routes pushed.
>
> Kernel IP Routentabelle
> Ziel Router Genmask Flags Metric Ref Use Iface
> 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 10.1.b.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.a.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
> 10.8.0.0 10.8.0.5 255.255.0.0 UG 0 0 0 tun0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 192.168.1.10 0.0.0.0 UG 0 0 0 eth1
>
> As mentioned before, the routes to 192.168.a.0 and 10.1.b.0 are pushed.
> The other ones are routes of my client itself.
>
> Does it become clearer now?
Yes, and you can see the routes installed on your client. I hope a is
_not_ 1 :-)
As you can see, both routes point to the same address, 10.8.0.5, which is
probably the other tunnel end point. What exactly does not work in this
context? Did you check the traffic using a tool like tcpdump? What
happens on the tun0 interface when you send a ping to an existing
address in 10.1.b.0/24 or 192.168.a.0/24? Check the traffic on both ends
of the tunnel. I am wondering about the details.
And whatever a or b is, obfuscating does not help here :-). After all it
is tunnelled traffic.
cheers
Erich
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
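
A check that complements the tcpdump step suggested in the thread, as an added example that is not part of the original messages: it parses a `route -n` table like the one quoted above and resolves by longest-prefix match which interface each destination leaves on, including the VPN server's own address, whose encrypted transport must stay off tun0. It goes slightly beyond the thread by handling any destination; the octets a=20 and b=30, the server address 203.0.113.10 and all function names are assumptions.

```python
import ipaddress

# Constructed sample: the table quoted in the thread, with the obfuscated
# octets filled in as a=20 and b=30 (assumed values, not from the thread).
SAMPLE_TABLE = """\
Kernel IP Routentabelle
Ziel         Router       Genmask         Flags Metric Ref Use Iface
10.8.0.5     0.0.0.0      255.255.255.255 UH    0      0   0   tun0
10.1.30.0    10.8.0.5     255.255.255.0   UG    0      0   0   tun0
192.168.1.0  0.0.0.0      255.255.255.0   U     0      0   0   eth1
192.168.20.0 10.8.0.5     255.255.255.0   UG    0      0   0   tun0
10.8.0.0     10.8.0.5     255.255.0.0     UG    0      0   0   tun0
169.254.0.0  0.0.0.0      255.255.0.0     U     0      0   0   eth1
127.0.0.0    0.0.0.0      255.0.0.0       U     0      0   0   lo
0.0.0.0      192.168.1.10 0.0.0.0         UG    0      0   0   eth1
"""

def parse_routes(text):
    """Return (network, gateway, iface) for each data row of a route -n table."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8:
            continue  # title line or blank line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
            gw = ipaddress.ip_address(cols[1])
        except ValueError:
            continue  # column header row (any locale)
        routes.append((net, gw, cols[7]))
    return routes

def egress(routes, dest):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def server_stays_off_tunnel(routes, server_ip, tun="tun0"):
    """True when the encrypted transport to server_ip does not enter the tunnel."""
    hit = egress(routes, server_ip)
    return hit is not None and hit[2] != tun

if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    for dest in ("192.168.20.7", "10.1.30.9", "203.0.113.10"):  # constructed
        net, gw, iface = egress(table, dest)
        print(f"{dest:15} -> {iface:5} via {gw} ({net})")
```

Run it against the table captured after both routes are pushed, with the real server address in place of the constructed one.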