We have found that if a machine on the VPN server LAN pings the client, then gets the ICMP redirect, the client can then access that machine. Not before. How can I fix this?

On 10/9/06, J. Patrick Campbell <patrick@xxxxxxxxxxxxxxxxxx> wrote:
> The remote client can't ping behind the server, but clients behind the
> server can ping the remote client.
>
> My LAN setup:
> 10.74.78.0/24
>
> 10.74.78.160 vpn server
> 10.74.78.1 ipcop firewall/router with a static route pointing vpn
> subnet to vpn server
> 10.74.0.0/24 vpn subnet
>
>
> Win XP client is behind a Linksys router, subnet 192.168.1.1/24
> He dials in to the VPN and gets IP of 10.74.0.6
>
> When I ask him to tracert to any machine behind the OpenVPN server, he
> gets this:
>
> Tracing route to 10.74.78.111 over a maximum of 30 hops
>
>   1    27 ms    23 ms    21 ms  10.74.0.1
>   2     *        *        *     Request timed out.
>   3     *        *        *     Request timed out.
>
> I think the problem lies there, in that he should be seeing 10.74.0.5
> as his first hop, not 10.74.0.1, but I cannot figure out where this IP
> is coming from.
>
> Here is his routing table:
>
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x2 ...00 ff d5 f0 48 cc ...... TAP-Win32 Adapter V8
> 0x10004 ...00 07 e9 09 c7 2c ...... Intel(R) PRO/1000 MT Desktop Adapter
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.245      10
>         10.74.0.1  255.255.255.255        10.74.0.5       10.74.0.6       1
>         10.74.0.4  255.255.255.252        10.74.0.6       10.74.0.6      30
>         10.74.0.6  255.255.255.255        127.0.0.1       127.0.0.1      30
>        10.74.78.0    255.255.255.0        10.74.0.5       10.74.0.6       1
>    10.255.255.255  255.255.255.255        10.74.0.6       10.74.0.6      30
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>       192.168.1.0    255.255.255.0    192.168.1.245   192.168.1.245      10
>     192.168.1.245  255.255.255.255        127.0.0.1       127.0.0.1      10
>     192.168.1.255  255.255.255.255    192.168.1.245   192.168.1.245      10
>         224.0.0.0        240.0.0.0        10.74.0.6       10.74.0.6      30
>         224.0.0.0        240.0.0.0    192.168.1.245   192.168.1.245      10
>   255.255.255.255  255.255.255.255        10.74.0.6       10.74.0.6       1
>   255.255.255.255  255.255.255.255    192.168.1.245   192.168.1.245       1
> Default Gateway:       192.168.1.1
> ===========================================================================
> Persistent Routes:
>   None
>
> Here's my server config:
>
> vpn openvpn # cat lowmips.conf
> # Which local IP address should OpenVPN
> # listen on? (optional)
> ;local a.b.c.d
>
> # Which TCP/UDP port should OpenVPN listen on?
> # If you want to run multiple OpenVPN instances
> # on the same machine, use a different port
> # number for each one. You will need to
> # open up this port on your firewall.
> port 53500
>
> # TCP or UDP server?
> ;proto tcp
> proto udp
>
> # "dev tun" will create a routed IP tunnel,
> # "dev tap" will create an ethernet tunnel.
> # Use "dev tap0" if you are ethernet bridging
> # and have precreated a tap0 virtual interface
> # and bridged it with your ethernet interface.
> # If you want to control access policies
> # over the VPN, you must create firewall
> # rules for the TUN/TAP interface.
> # On non-Windows systems, you can give
> # an explicit unit number, such as tun0.
> # On Windows, use "dev-node" for this.
> # On most systems, the VPN will not function
> # unless you partially or fully disable
> # the firewall for the TUN/TAP interface.
> ;dev tap
> dev tun
>
> # Windows needs the TAP-Win32 adapter name
> # from the Network Connections panel if you
> # have more than one. On XP SP2 or higher,
> # you may need to selectively disable the
> # Windows firewall for the TAP adapter.
> # Non-Windows systems usually don't need this.
> ;dev-node MyTap
>
> # SSL/TLS root certificate (ca), certificate
> # (cert), and private key (key). Each client
> # and the server must have their own cert and
> # key file. The server and all clients will
> # use the same ca file.
> #
> # See the "easy-rsa" directory for a series
> # of scripts for generating RSA certificates
> # and private keys. Remember to use
> # a unique Common Name for the server
> # and each of the client certificates.
> #
> # Any X509 key management system can be used.
> # OpenVPN can also use a PKCS #12 formatted key file
> # (see "pkcs12" directive in man page).
> ca /etc/openvpn/easy-rsa/keys/ca.crt
> cert /etc/openvpn/easy-rsa/keys/server.crt
> key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
>
> # Diffie hellman parameters.
> # Generate your own with:
> # openssl dhparam -out dh1024.pem 1024
> # Substitute 2048 for 1024 if you are using
> # 2048 bit keys.
> dh /etc/openvpn/easy-rsa/keys/dh1024.pem
>
> # Configure server mode and supply a VPN subnet
> # for OpenVPN to draw client addresses from.
> # The server will take 10.8.0.1 for itself,
> # the rest will be made available to clients.
> # Each client will be able to reach the server
> # on 10.8.0.1. Comment this line out if you are
> # ethernet bridging. See the man page for more info.
> server 10.74.0.0 255.255.255.0
>
> # Maintain a record of client <-> virtual IP address
> # associations in this file. If OpenVPN goes down or
> # is restarted, reconnecting clients can be assigned
> # the same virtual IP address from the pool that was
> # previously assigned.
> ifconfig-pool-persist ipp.txt
>
> # Configure server mode for ethernet bridging.
> # You must first use your OS's bridging capability
> # to bridge the TAP interface with the ethernet
> # NIC interface. Then you must manually set the
> # IP/netmask on the bridge interface, here we
> # assume 10.8.0.4/255.255.255.0. Finally we
> # must set aside an IP range in this subnet
> # (start=10.8.0.50 end=10.8.0.100) to allocate
> # to connecting clients. Leave this line commented
> # out unless you are ethernet bridging.
> ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
>
> # Push routes to the client to allow it
> # to reach other private subnets behind
> # the server. Remember that these
> # private subnets will also need
> # to know to route the OpenVPN client
> # address pool (10.74.0.0/255.255.255.0)
> # back to the OpenVPN server.
> push "route 10.74.78.0 255.255.255.0"
> ;push "route 192.168.20.0 255.255.255.0"
>
> # To assign specific IP addresses to specific
> # clients or if a connecting client has a private
> # subnet behind it that should also have VPN access,
> # use the subdirectory "ccd" for client-specific
> # configuration files (see man page for more info).
>
> # EXAMPLE: Suppose the client
> # having the certificate common name "Thelonious"
> # also has a small subnet behind his connecting
> # machine, such as 192.168.40.128/255.255.255.248.
> # First, uncomment out these lines:
> ;client-config-dir ccd
> ;route 192.168.40.128 255.255.255.248
> # Then create a file ccd/Thelonious with this line:
> # iroute 192.168.40.128 255.255.255.248
> # This will allow Thelonious' private subnet to
> # access the VPN. This example will only work
> # if you are routing, not bridging, i.e. you are
> # using "dev tun" and "server" directives.
>
> # EXAMPLE: Suppose you want to give
> # Thelonious a fixed VPN IP address of 10.9.0.1.
> # First uncomment out these lines:
> ;client-config-dir ccd
> ;route 10.9.0.0 255.255.255.252
> # Then add this line to ccd/Thelonious:
> # ifconfig-push 10.9.0.1 10.9.0.2
>
> # Suppose that you want to enable different
> # firewall access policies for different groups
> # of clients. There are two methods:
> # (1) Run multiple OpenVPN daemons, one for each
> # group, and firewall the TUN/TAP interface
> # for each group/daemon appropriately.
> # (2) (Advanced) Create a script to dynamically
> # modify the firewall in response to access
> # from different clients. See man
> # page for more info on learn-address script.
> ;learn-address ./script
>
> # If enabled, this directive will configure
> # all clients to redirect their default
> # network gateway through the VPN, causing
> # all IP traffic such as web browsing and
> # DNS lookups to go through the VPN
> # (The OpenVPN server machine may need to NAT
> # the TUN/TAP interface to the internet in
> # order for this to work properly).
> # CAVEAT: May break client's network config if
> # client's local DHCP server packets get routed
> # through the tunnel. Solution: make sure
> # client's local DHCP server is reachable via
> # a more specific route than the default route
> # of 0.0.0.0/0.0.0.0.
> ;push "redirect-gateway"
>
> # Certain Windows-specific network settings
> # can be pushed to clients, such as DNS
> # or WINS server addresses. CAVEAT:
> # http://openvpn.net/faq.html#dhcpcaveats
> ;push "dhcp-option DNS 10.8.0.1"
> ;push "dhcp-option WINS 10.8.0.1"
>
> # Uncomment this directive to allow different
> # clients to be able to "see" each other.
> # By default, clients will only see the server.
> # To force clients to only see the server, you
> # will also need to appropriately firewall the
> # server's TUN/TAP interface.
> ;client-to-client
>
> # Uncomment this directive if multiple clients
> # might connect with the same certificate/key
> # files or common names. This is recommended
> # only for testing purposes. For production use,
> # each client should have its own certificate/key
> # pair.
> #
> # IF YOU HAVE NOT GENERATED INDIVIDUAL
> # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
> # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
> # UNCOMMENT THIS LINE OUT.
> ;duplicate-cn
>
> # The keepalive directive causes ping-like
> # messages to be sent back and forth over
> # the link so that each side knows when
> # the other side has gone down.
> # Ping every 10 seconds, assume that remote
> # peer is down if no ping received during
> # a 120 second time period.
> keepalive 10 120
>
> # For extra security beyond that provided
> # by SSL/TLS, create an "HMAC firewall"
> # to help block DoS attacks and UDP port flooding.
> #
> # Generate with:
> # openvpn --genkey --secret ta.key
> #
> # The server and each client must have
> # a copy of this key.
> # The second parameter should be '0'
> # on the server and '1' on the clients.
> ;tls-auth ta.key 0 # This file is secret
>
> # Select a cryptographic cipher.
> # This config item must be copied to
> # the client config file as well.
> ;cipher BF-CBC # Blowfish (default)
> ;cipher AES-128-CBC # AES
> ;cipher DES-EDE3-CBC # Triple-DES
>
> # Enable compression on the VPN link.
> # If you enable it here, you must also
> # enable it in the client config file.
> comp-lzo
>
> # The maximum number of concurrently connected
> # clients we want to allow.
> ;max-clients 100
>
> # It's a good idea to reduce the OpenVPN
> # daemon's privileges after initialization.
> #
> # You can uncomment this out on
> # non-Windows systems.
> user nobody
> group nobody
>
> # The persist options will try to avoid
> # accessing certain resources on restart
> # that may no longer be accessible because
> # of the privilege downgrade.
> persist-key
> persist-tun
>
> # Output a short status file showing
> # current connections, truncated
> # and rewritten every minute.
> status openvpn-status.log
>
> # By default, log messages will go to the syslog (or
> # on Windows, if running as a service, they will go to
> # the "\Program Files\OpenVPN\log" directory).
> # Use log or log-append to override this default.
> # "log" will truncate the log file on OpenVPN startup,
> # while "log-append" will append to it. Use one
> # or the other (but not both).
> log openvpn.log
> ;log-append openvpn.log
>
> # Set the appropriate level of log
> # file verbosity.
> #
> # 0 is silent, except for fatal errors
> # 4 is reasonable for general usage
> # 5 and 6 can help to debug connection problems
> # 9 is extremely verbose
> verb 3
>
> # Silence repeating messages. At most 20
> # sequential messages of the same message
> # category will be output to the log.
> ;mute 20
> -------------------------------------------------------------------------------------------------------------------
>
> Please let me know if you need any more information.
>
> Thanks,
>
> Patrick
>
> --
> http://patrickcampbell.us/
> Visit for my Blog, Photos and More!

--
http://patrickcampbell.us/
Visit for my Blog, Photos and More!

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
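The two routing situations in this thread, as an added worked example (Python; this is not code from the post or from OpenVPN). It runs a longest-prefix-match lookup over the XP client's Active Routes table quoted above, and then models the follow-up's observation that a LAN host can only reach the client after an ICMP redirect, by comparing the host's table before and after the redirect installs a host route. The LAN host's table is constructed for the example, and the redirect step is modelled (the host-route behaviour of an ICMP Redirect, type 5), not captured from the network.

```python
"""Route-lookup model built from the routing data in the thread.

Added example, not code from the post or from OpenVPN. It shows:
  1. Longest-prefix-match over the XP client's "Active Routes" table, to see
     which gateway the client uses for 10.74.0.1 and for the 10.74.78.0/24 LAN.
  2. What an ICMP redirect does to a host on the server LAN: the host starts
     with only its subnet and the IPCop default gateway (10.74.78.1), and the
     redirect adds a host route for the client's VPN address pointing at the
     OpenVPN server (10.74.78.160). The LAN host's table is constructed here.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: IPv4Network
    gateway: IPv4Address
    interface: IPv4Address
    metric: int


def parse_route_table(text: str) -> List[Route]:
    """Parse 'destination netmask gateway interface metric' lines (the layout
    of Windows 'route print'); anything else is ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gw, iface, metric = parts
        routes.append(Route(IPv4Network(f"{dest}/{mask}", strict=False),
                            IPv4Address(gw), IPv4Address(iface), int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lowest metric wins."""
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Gateway address the host would hand the packet to, or None."""
    route = lookup(routes, dst)
    return None if route is None else str(route.gateway)


def apply_icmp_redirect(routes: List[Route], dst: str,
                        new_gateway: str, interface: str) -> List[Route]:
    """Model of a host that honours an ICMP Redirect: it installs a host
    route for dst via the advertised gateway on the same interface."""
    return routes + [Route(IPv4Network(f"{dst}/32"), IPv4Address(new_gateway),
                           IPv4Address(interface), 1)]


# The XP client's "Active Routes" section as quoted in the message.
CLIENT_ROUTE_PRINT = """
0.0.0.0          0.0.0.0          192.168.1.1   192.168.1.245  10
10.74.0.1        255.255.255.255  10.74.0.5     10.74.0.6      1
10.74.0.4        255.255.255.252  10.74.0.6     10.74.0.6      30
10.74.0.6        255.255.255.255  127.0.0.1     127.0.0.1      30
10.74.78.0       255.255.255.0    10.74.0.5     10.74.0.6      1
10.255.255.255   255.255.255.255  10.74.0.6     10.74.0.6      30
127.0.0.0        255.0.0.0        127.0.0.1     127.0.0.1      1
192.168.1.0      255.255.255.0    192.168.1.245 192.168.1.245  10
192.168.1.245    255.255.255.255  127.0.0.1     127.0.0.1      10
192.168.1.255    255.255.255.255  192.168.1.245 192.168.1.245  10
224.0.0.0        240.0.0.0        10.74.0.6     10.74.0.6      30
224.0.0.0        240.0.0.0        192.168.1.245 192.168.1.245  10
255.255.255.255  255.255.255.255  10.74.0.6     10.74.0.6      1
255.255.255.255  255.255.255.255  192.168.1.245 192.168.1.245  1
"""
CLIENT_ROUTES = parse_route_table(CLIENT_ROUTE_PRINT)

# Constructed table for a host on the server LAN (10.74.78.111, the tracert
# target) that knows only its own subnet and the IPCop default gateway.
LAN_HOST_ROUTES = parse_route_table("""
0.0.0.0      0.0.0.0        10.74.78.1    10.74.78.111  1
10.74.78.0   255.255.255.0  10.74.78.111  10.74.78.111  1
""")
# The same host after honouring a redirect from 10.74.78.1 that says
# "10.74.0.6 is reachable via 10.74.78.160".
LAN_HOST_AFTER_REDIRECT = apply_icmp_redirect(
    LAN_HOST_ROUTES, "10.74.0.6", "10.74.78.160", "10.74.78.111")


if __name__ == "__main__":
    for dst in ("10.74.0.1", "10.74.78.111", "8.8.8.8"):
        print(f"client -> {dst:14} via {next_hop(CLIENT_ROUTES, dst)}")
    print("LAN host -> 10.74.0.6 before redirect:",
          next_hop(LAN_HOST_ROUTES, "10.74.0.6"))
    print("LAN host -> 10.74.0.6 after redirect: ",
          next_hop(LAN_HOST_AFTER_REDIRECT, "10.74.0.6"))
```

The client-side lookups show that both 10.74.0.1 and the 10.74.78.0/24 LAN are sent to the point-to-point peer address 10.74.0.5 on the TAP interface (10.74.0.6); 10.74.0.1 is the address the server's tun interface takes under `server 10.74.0.0 255.255.255.0` (the config's own comment describes the same thing for 10.8.0.1), so it is the OpenVPN server itself answering as hop 1. The LAN-host lookups are why the follow-up's symptom depends on the order of events: before the redirect the host sends everything for 10.74.0.6 to the IPCop gateway, after it directly to 10.74.78.160. Two checks a practitioner would make from there: that `net.ipv4.ip_forward` is 1 on the OpenVPN server, since `server` and `push "route ..."` do not enable forwarding by themselves, and whether the LAN hosts honour redirects at all, because hardened hosts commonly run with `net.ipv4.conf.all.accept_redirects=0` and would never learn that host route; a static route for 10.74.0.0/24 via 10.74.78.160 on those hosts, or a gateway that forwards the return path instead of only redirecting, removes the dependency.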