Title: AW: [Openvpn-users] Problem with multiple push "route..."
Hi Erich,
sorry for revealing the real network addresses. That's a global policy here but after talking to my boss...
Please forget about all network addresses I talked about. Let's get to the real world.
I omitted the NAT box because I thought it doesn't matter (like in openvpn 1.6) and because some clients might not be in NATed networks.
Here is the real diagram:
Client --- 192.168.1.0/24 --- NAT box ==== Internet === Router --- 145.253.90.32/27 --- server
                              85.216.23.103                   |
                              (but can be dynamic)            |
                                                        192.168.11.0/24
The server has to push routes to 192.168.11.0/24 (via gateway "Router") and to 145.253.90.32/27 as well. There are other application servers which have to be reached.
Here the server config again:
mode server
tls-server
proto tcp-server
dev tun
lport 443
ca certs/ca.pem
cert certs/server.crt
key certs/server.key
dh certs/dh2048.pem
tls-auth certs/ta.key 0
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool 10.8.0.10 10.8.0.254
route 10.8.0.0 255.255.0.0
push "route 10.8.0.1"
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0"
push "route 145.253.90.32 255.255.255.224"
client-config-dir /etc/openvpn/ccd
keepalive 3 20
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 5
client-connect "/etc/openvpn/scripts/client-up.sh"
client-disconnect "/etc/openvpn/scripts/client-down.sh"
Extract of my server log file after initialisation:
Thu Sep 14 22:13:05 2006 us=123623 85.216.23.103:2586 [client] Peer Connection Initiated with 85.216.23.103:2586
Thu Sep 14 22:13:05 2006 us=137737 client/85.216.23.103:2586 MULTI: Learn: 10.8.0.10 -> client/85.216.23.103:2586
Thu Sep 14 22:13:05 2006 us=137855 client/85.216.23.103:2586 MULTI: primary virtual IP for client/85.216.23.103:2586: 10.8.0.10
RThu Sep 14 22:13:06 2006 us=214178 client/85.216.23.103:2586 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 22:13:06 2006 us=214321 client/85.216.23.103:2586 SENT CONTROL [client]: 'PUSH_REPLY,route 10.8.0.1,route 192.168.11.0 255.255.255.0,route 145.253.90.32 255.255.255.224,ping 3,ping-restart 20,ifconfig 10.8.0.10 10.8.0.9' (status=1)
WWWWWWWWWWWWWWWWWWWWWWWWWW
(I cut the connection because no ping went through)
As you can see, the server sends packets but does not receive any.
Extract from client log:
Thu Sep 14 22:21:26 2006 us=344614 [server] Peer Connection Initiated with 145.253.90.49:443
Thu Sep 14 22:21:27 2006 us=400212 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
WRRRRThu Sep 14 22:21:27 2006 us=492880 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,route 192.168.11.0 255.255.255.0,route 145.253.90.32 255.255.255.224,ping 3,ping-restart 20,ifconfig 10.8.0.10 10.8.0.9'
Thu Sep 14 22:21:27 2006 us=493023 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 14 22:21:27 2006 us=493048 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 14 22:21:27 2006 us=493069 OPTIONS IMPORT: route options modified
Thu Sep 14 22:21:27 2006 us=494656 TUN/TAP device tun0 opened
Thu Sep 14 22:21:27 2006 us=494764 TUN/TAP TX queue length set to 100
Thu Sep 14 22:21:27 2006 us=494825 /sbin/ifconfig tun0 10.8.0.10 pointopoint 10.8.0.9 mtu 1500
Thu Sep 14 22:21:27 2006 us=509825 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.9
Thu Sep 14 22:21:27 2006 us=520439 /sbin/route add -net 192.168.11.0 netmask 255.255.255.0 gw 10.8.0.9
Thu Sep 14 22:21:27 2006 us=530775 /sbin/route add -net 145.253.90.32 netmask 255.255.255.224 gw 10.8.0.9
Thu Sep 14 22:21:27 2006 us=543085 Initialization Sequence Completed
WWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrThu Sep 14 22:21:47 2006 us=893680 [server] Inactivity timeout (--ping-restart), restarting
The WWrWr.... indicate that the client sends packets which never arrive. Remember, there is no firewall active!
Hope this helps now.
Regards,
Thomas
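As an added example (not code from the thread), a small Python helper for reading verb 5 logs like the ones above: it strips the per-packet R/W markers that OpenVPN fuses onto the front of a line, lists the routes carried in the PUSH_REPLY against the "route add" commands the client actually ran, and counts link versus tun packets per direction, so a one-way run like WWrWr... shows up as link writes with zero link reads. The sample log is constructed from the lines quoted above, with the third "route add" deliberately left out.

```python
import re

# Constructed sample modelled on the verb 5 client log quoted in the thread. The leading
# R/W (link read/write) and r/w (tun read/write) characters are OpenVPN's per-packet
# markers. It assumes every message starts with the date, as the quoted lines do.
CLIENT_LOG = """\
WRRRRThu Sep 14 22:21:27 2006 us=492880 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,route 192.168.11.0 255.255.255.0,route 145.253.90.32 255.255.255.224,ping 3,ping-restart 20,ifconfig 10.8.0.10 10.8.0.9'
Thu Sep 14 22:21:27 2006 us=509825 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.9
Thu Sep 14 22:21:27 2006 us=520439 /sbin/route add -net 192.168.11.0 netmask 255.255.255.0 gw 10.8.0.9
WWrWrWrWrWrThu Sep 14 22:21:47 2006 us=893680 [server] Inactivity timeout (--ping-restart), restarting
"""
MARKER_RE = re.compile(r"^([RWrw]*)(.*)$")
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
ROUTE_ADD_RE = re.compile(r"/sbin/route add -net (\S+) netmask (\S+)")


def split_markers(line):
    """Separate the packet markers fused to the front of a log line from its text."""
    m = MARKER_RE.match(line)
    return m.group(1), m.group(2)


def pushed_routes(log):
    """(network, netmask) pairs in the PUSH_REPLY; a bare 'route X' is a host route."""
    routes = []
    for line in log.splitlines():
        m = PUSH_RE.search(split_markers(line)[1])
        for opt in m.group(1).split(",") if m else []:
            parts = opt.split()
            if parts and parts[0] == "route":
                routes.append((parts[1], parts[2] if len(parts) > 2 else "255.255.255.255"))
    return routes


def missing_routes(log):
    """Pushed routes that never show up as a 'route add' in the same client log."""
    applied = set()
    for line in log.splitlines():
        m = ROUTE_ADD_RE.search(split_markers(line)[1])
        if m:
            applied.add(m.groups())
    return [r for r in pushed_routes(log) if r not in applied]


def traffic_balance(log):
    """Count packets per direction; link writes with no link reads means one-way traffic."""
    counts = {"link_write": 0, "link_read": 0, "tun_write": 0, "tun_read": 0}
    names = {"W": "link_write", "R": "link_read", "w": "tun_write", "r": "tun_read"}
    for line in log.splitlines():
        for ch in split_markers(line)[0]:
            counts[names[ch]] += 1
    return counts
```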
-----Original Message-----
From: Erich Titl [mailto:erich.titl@xxxxxxxx]
Sent: Thu 14.09.2006 20:24
To: Thomas Heidemann; openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Problem with multiple push "route..."
Thomas Heidemann wrote:
> Hi!
> After the connection is initialised I can see outgoing packets on the ethernet interface from the client and from the server but no responses (not from the client and not from the server). So each party want to reach the other - with no success.
>
> In /proc/sys/net/ipv4/conf/tun0/rp_filter (of the server) I do have the value 0 (before connection and during the connection).
>
> I think that I do not have to iroute the 192.168.1.0/24 network. This will be NATed and it's not a network behind my client.
So you omitted the NAT box in your diagram?
Is your diagram about this right?
Client 192.168.1.100
|
192.168.1.1
NAT BOX
xx.xx.xx.xx
|
yy.yy.yy.yy
OpenVPN Server
192.168.a.1
|
192.168.a.x
gateway
10.1.b.1
|
----- remote subnet
> It's the network the client is in! So the source address (from the
> view of the server) is the NAT box which protects my private network at
> home.
> But what I get are these messages:
> MULTI: bad source address from client [192.168.1.100], packet dropped
This packet does not appear to be NATed then, why?
> Which makes sense (somehow) because the initial connection came from my nat box (from the view of the server).
You should _never_ see a packet with a 192.168.1.x address arrive at the
OpenVPN server if they are NATed.
It might make a lot of sense if you revealed your real network topology
and some dumps. Hide and seek is no fun in this environment.
>
> Do I have to set the iroute statement to 192.168.1.0/24? I think I don't have to because the client (roadwarrior) can be in every subnet or network which NAT boxes. The very strange thing about that is, that when I use a http proxy within the connection, everything is working like a charm. No problem with connection loss, no problem with multiple route statements!?
You don't.
Erich