john@xxxxxxxxx wrote:
> I recently set up openvpn between two lans and wanted clients on both sides
> to have full access to either side. I used the tun setup, server - client
> with persistent key and tun settings and topology subnet. Both the client
> and server are linux boxes; each has windows XP boxes behind it, as well
> as two internal servers on the server side. I had to add routes to the
> openvpn server on the two internal servers and add a couple of iptables
> directives to get it all to work smoothly, including the samba servers on
> either side.
>
> Additionally I also added proxy_arp directives
> (/proc/sys/net/conf/tun0/proxy_arp and /proc/sys/net/conf/eth1/proxy_arp
> were changed to ones - the eth1 interface is the internal eth that openvpn
> listens on). The proxy_arp directive cleared some issues both with samba and
> asterisk voip on both networks. Now internal clients on both sides can
> successfully arping clients on the other side.
>
> The server side also needed an additional route - the client side internal
> is 192.168.xxx.0/24 and the route added on the server is -net
> 192.168.xxx.0/24 gw client side tun0 address. The client side needed no
> additional routing to the 4 internal lans on the server side since they were
> pushed from the server.
>
> For iptables on both sides I opened the outside eth to port 1194, both
> inputs and outputs, to the outside address of the other end, and also I
> added input, output, and forward for tun+.
>
> It took a few days to figure this all out, but it all seems to work as
> smooth as pie now. The first critical steps for me were switching to subnet
> topology and adding the route from the server to the client side tunnel.
> After that things just sorta fell into place.
>
> I hope the above isn't too confusing :-)
>
> Thanks for the reply.
My openvpn server config follows - I think it's fairly straightforward:

    server 172.27.0.0 255.255.0.0
    tls-server
    local 192.168.0.222
    port 1195
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    keepalive 10 120
    persist-key
    ifconfig-pool-persist /etc/openvpn/customers-ip.txt
    client-config-dir /etc/openvpn/ccd
    status customers.log
    log-append /var/log/openvpn-customers.log
    verb 3
    replay-window 72 30
    comp-lzo
    # route to a remote lan on a client
    route 10.4.1.0 255.255.255.0

Then the server's routing table:

    172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1
    192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1
    10.4.1.0/24 via 172.27.0.2 dev tun0
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71
    192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72
    192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1
    172.27.0.0/16 via 172.27.0.2 dev tun0
    default via 192.168.0.1 dev eth0

VPN clients and the VPN server communicate without any problem. I can see the
routes for the tun interface on the server - everything looks right to me.

On a server-side LAN client, I add a route to the VPN. For a Windows client, I
would execute:

    route add 172.27.0.0 mask 255.255.0.0 192.168.0.71

And then test the connection. I can ping the VPN server at 172.27.0.1 without
problem. But I can't ping the VPN clients. Is an iptables rule required for
this step?

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
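A ping from a server-side LAN host to a VPN client needs a working route in both directions: the server must send the request into tun0, and the client must send its reply back into tun0 rather than out its own default gateway. Before reaching for iptables, it is worth confirming both halves against the actual routing tables. The Python script below is an added example, not code from anyone in this thread: it parses `ip route` output with a longest-prefix-match lookup and checks the request and reply paths. The server table is a copy of the one quoted in the message above; the client table is an assumption about what a client sees when the server config pushes no routes (the quoted config contains no `push "route ..."` line), and the `push_route_line` helper only prints the directive that would supply such a route. Forwarding (`net.ipv4.ip_forward`) and FORWARD-chain rules are separate checks this script does not model.

```python
import ipaddress

# Copy of the server routing table quoted in the message above.
SERVER_ROUTES = """\
172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1
192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1
10.4.1.0/24 via 172.27.0.2 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71
192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72
192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1
172.27.0.0/16 via 172.27.0.2 dev tun0
default via 192.168.0.1 dev eth0
"""

# Assumption, not taken from the thread: the table of the VPN client at
# 172.27.0.2 when the server pushes nothing beyond the VPN subnet itself.
CLIENT_ROUTES = """\
172.27.0.1 dev tun0 proto kernel scope link src 172.27.0.2
172.27.0.0/16 via 172.27.0.1 dev tun0
10.4.1.0/24 dev eth0 proto kernel scope link src 10.4.1.1
default via 10.4.1.254 dev eth0
"""


def parse_routes(text):
    """Turn `ip route` lines into (prefix, via, dev) tuples; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dst, strict=False)  # a bare host address becomes /32
        via = dev = None
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "via":
                via = fields[i + 1]
            elif tok == "dev":
                dev = fields[i + 1]
        routes.append((prefix, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. Equal-length prefixes keep the first one listed;
    metrics are not modelled."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, dev)
    return best


def reply_path_ok(server_routes, client_routes, lan_host, vpn_client, tunnel="tun0"):
    """The ping succeeds only if the request (server table) and the reply
    (client table) both leave through the tunnel interface."""
    fwd = lookup(server_routes, vpn_client)
    rev = lookup(client_routes, lan_host)
    return {
        "forward_dev": fwd[2] if fwd else None,
        "reverse_dev": rev[2] if rev else None,
        "ok": bool(fwd and rev and fwd[2] == tunnel and rev[2] == tunnel),
    }


def push_route_line(lan_cidr):
    """OpenVPN server directive that hands clients a route to the given LAN."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    return f'push "route {net.network_address} {net.netmask}"'


if __name__ == "__main__":
    srv = parse_routes(SERVER_ROUTES)
    cli = parse_routes(CLIENT_ROUTES)
    print(reply_path_ok(srv, cli, "192.168.0.71", "172.27.0.2"))
    print(push_route_line("192.168.0.0/24"))
```

Run against the tables above, the request from 192.168.0.71 to 172.27.0.2 correctly leaves the server through tun0, but the assumed client table sends the reply to its own default gateway on eth0, so the script reports the path as not ok. Adding a 192.168.0.0/24 route via tun0 to the client table (which is what the printed `push` line would do once the client reconnects) flips the result to ok; if the real client table already has that route, the next things to check are `ip_forward` and the FORWARD chain on the server.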