Hi Rida,

I just reread the entire thread and am still confused... can you please
tell me/us
- on which server (incl. IP address) the openvpn server is running
- what the subnet for the openvpn is (10.1.0.0/24, right?)
- what the subnet for vmnet8 is (10.8.0.0/24, right?)
and/or could you post the output of netstat -rn after the openvpn server
has started.

cheers,

JJK

Rida wrote:
> Hi,
>
> Yep, routing is enabled on the server (echo 1 > /proc/sys/net/ipv4/ip_forward).
> I understand what you meant by the route subnet pointing to itself. I
> removed the routes from the server configuration (those pushed to the
> client) and... it still doesn't work.
>
> Regards,
> Rida.
>
> On Jan 12, 2008 3:09 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> > Hi Rida,
> >
> > I am not surprised that that route statement did not work: it's a route
> > to a subnet pointing to itself!
> > If the host running the openvpn software is 10.8.0.1 itself then no
> > extra route statement should be required.
> > However, how vmware routes traffic between the different VMs is a
> > different matter; is routing enabled on the server?
> >
> > HTH,
> >
> > JJK
> >
> > Rida wrote:
> > > Hi,
> > >
> > > Thanks for the quick answer. Actually, I tried to "fix" this (because
> > > I've seen the tip in the openvpn FAQ), but it is impossible to add the
> > > route on the virtual machines, i.e. "route add -net 10.1.0.0 netmask
> > > 255.255.255.0 gw 10.1.0.1" tells me "Network unreachable" (but I can
> > > ping it from there). And yes, there is a default gateway (10.8.0.1).
> > >
> > > Regards,
> > > Rida.
> > >
> > > On Jan 11, 2008 2:30 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> > > > Hi Rida,
> > > >
> > > > this does not sound like a VMware issue but more like a routing issue.
> > > > How would clients in the vmnet8 domain (10.8.0.128) know where to send
> > > > stuff back to? Do they know that all packets intended for 10.1.0.6
> > > > should be fed back to the openvpn server? In most cases the clients on
> > > > your LAN (vmnet LAN in this case) will not know any route for the
> > > > 10.1.0 net and will return packets thru the default gateway. Again, in
> > > > most cases that is not what you want ;-)
> > > >
> > > > HTH,
> > > >
> > > > JJK
> > > >
> > > > PS I use an openvpn-on-vmware setup all the time without problems (tun
> > > > setup).
> > > >
> > > > Rida wrote:
> > > > > Hello everybody,
> > > > >
> > > > > I want, first, to say thank you to all openvpn developers for this
> > > > > very useful piece of software! Happy new year too.
> > > > >
> > > > > So, I got a very strange problem that is getting on my nerves
> > > > > because I can't resolve the issue. I got vmware server running on a
> > > > > basic server; there is 1 virtual network (in NAT mode). Here are the
> > > > > routes on the server (after vmware and openvpn are started):
> > > > >
> > > > > 10.1.0.2 dev tun0 proto kernel scope link src 10.1.0.1
> > > > > 10.8.0.0/24 dev vmnet8 proto kernel scope link src 10.8.0.1
> > > > > <public-ip> dev eth0 proto kernel scope link src <public-ip>
> > > > > 10.1.0.0/24 via 10.1.0.2 dev tun0
> > > > > default via 91.121.95.254 dev eth0
> > > > >
> > > > > Nothing special then (the only thing to keep in mind is that vmware
> > > > > uses source routing). I set up an openvpn server on the server (the
> > > > > one with the public IP), and it is working fine, because I can
> > > > > connect to it and I get an IP address on windows clients. Here's the
> > > > > server's configuration file:
> > > > >
> > > > > local <public-ip>
> > > > > port 1194
> > > > > proto tcp
> > > > > dev tun
> > > > > ca keys/ca.crt
> > > > > cert keys/server.crt
> > > > > key keys/server.key
> > > > > dh keys/dh1024.pem
> > > > > server 10.1.0.0 255.255.255.0
> > > > > ifconfig-pool-persist ipp.txt
> > > > > push "route 10.2.0.0 255.255.255.0"
> > > > > push "route 10.8.0.0 255.255.255.0"
> > > > > push "route-delay 2 600"
> > > > > client-to-client
> > > > > keepalive 10 120
> > > > > tls-auth keys/ta.key 0
> > > > > cipher AES-128-CBC # AES
> > > > > comp-lzo
> > > > > max-clients 250
> > > > > user nobody
> > > > > group nobody
> > > > > persist-key
> > > > > persist-tun
> > > > > status /var/log/openvpn-status.log
> > > > > log-append /var/log/openvpn.log
> > > > > verb 6
> > > > > mute 20
> > > > >
> > > > > Now the client's one:
> > > > >
> > > > > client
> > > > > dev tun0
> > > > > proto tcp
> > > > > remote 91.121.95.16 1194
> > > > > resolv-retry infinite
> > > > > nobind
> > > > > persist-key
> > > > > persist-tun
> > > > > ca ca.crt
> > > > > cert client.crt
> > > > > key client.key
> > > > > ns-cert-type server
> > > > > tls-auth ta.key 1
> > > > > cipher AES-128-CBC # AES
> > > > > comp-lzo
> > > > > verb 3
> > > > >
> > > > > Still nothing special, these are basic configuration files. Before
> > > > > I'll "draw" a network topology so you'll have a better idea of how
> > > > > vmware implement their NAT (hope there is no error):
> > > > >
> > > > > [Windows client](10.1.0.6/30 tap) <-> (10.1.0.5/30 tap gw) <->
> > > > > (10.1.0.2/24 vpn real gw) <-> (10.1.0.1/24 tun) [server] (10.8.0.1/24
> > > > > vmnet8) <-> [virtual machine](10.8.0.128/24 gw 10.8.0.1/24)
> > > > >
> > > > > The virtual machine route is just a default gw to 10.8.0.1/24.
> > > > > Routes on the client:
> > > > >
> > > > > Active Routes:
> > > > > Network Destination        Netmask          Gateway       Interface  Metric
> > > > >           0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.117      25
> > > > >          10.1.0.0    255.255.255.0         10.1.0.5       10.1.0.6       1
> > > > >          10.1.0.4  255.255.255.252         10.1.0.6       10.1.0.6      30
> > > > >          10.1.0.6  255.255.255.255        127.0.0.1      127.0.0.1      30
> > > > >          10.8.0.0    255.255.255.0         10.1.0.5       10.1.0.6       1
> > > > > ...
> > > > >
> > > > > Client's output:
> > > > >
> > > > > Thu Jan 10 00:25:21 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
> > > > > Thu Jan 10 00:25:21 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
> > > > > Thu Jan 10 00:25:21 2008 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
> > > > > Thu Jan 10 00:25:21 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > > > Thu Jan 10 00:25:21 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > > > Thu Jan 10 00:25:21 2008 LZO compression initialized
> > > > > Thu Jan 10 00:25:21 2008 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
> > > > > Thu Jan 10 00:25:21 2008 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
> > > > > Thu Jan 10 00:25:21 2008 Local Options hash (VER=V4): '<hash>'
> > > > > Thu Jan 10 00:25:21 2008 Expected Remote Options hash (VER=V4): '<hash>'
> > > > > Thu Jan 10 00:25:21 2008 Attempting to establish TCP connection with 91.121.95.16:1194
> > > > > Thu Jan 10 00:25:21 2008 TCP connection established with <public-ip>:1194
> > > > > Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link local: [undef]
> > > > > Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link remote: <public-ip>:1194
> > > > > Thu Jan 10 00:25:21 2008 TLS: Initial packet from <public-ip>:1194, sid=<hash>
> > > > > Thu Jan 10 00:25:22 2008 VERIFY OK: depth=1, <certificate fqn>
> > > > > Thu Jan 10 00:25:22 2008 VERIFY OK: nsCertType=SERVER
> > > > > Thu Jan 10 00:25:22 2008 VERIFY OK: depth=0, <certificate fqn>
> > > > > Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
> > > > > Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > > > Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
> > > > > Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> > > > > Thu Jan 10 00:25:25 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> > > > > Thu Jan 10 00:25:25 2008 [client] Peer Connection Initiated with <public-ip>:1194
> > > > > Thu Jan 10 00:25:27 2008 SENT CONTROL [client]: 'PUSH_REQUEST' (status=1)
> > > > > Thu Jan 10 00:25:27 2008 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route-delay 2 600,route 10.1.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.0.6 10.1.0.5'
> > > > > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: timers and/or timeouts modified
> > > > > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: --ifconfig/up options modified
> > > > > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: route options modified
> > > > > Thu Jan 10 00:25:27 2008 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{F71B3A07-5805-4B69-97C9-73926191180F}.tap
> > > > > Thu Jan 10 00:25:27 2008 TAP-Win32 Driver Version 8.4
> > > > > Thu Jan 10 00:25:27 2008 TAP-Win32 MTU=1500
> > > > > Thu Jan 10 00:25:27 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.6/255.255.255.252 on interface {F71B3A07-5805-4B69-97C9-73926191180F} [DHCP-serv: 10.1.0.5, lease-time: 31536000]
> > > > > Thu Jan 10 00:25:27 2008 Successful ARP Flush on interface [7] {F71B3A07-5805-4B69-97C9-73926191180F}
> > > > > Thu Jan 10 00:25:29 2008 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
> > > > > Thu Jan 10 00:25:29 2008 Route: Waiting for TUN/TAP interface to come up...
> > > > > Thu Jan 10 00:25:31 2008 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
> > > > > Thu Jan 10 00:25:31 2008 route ADD 10.8.0.0 MASK 255.255.255.0 10.1.0.5
> > > > > Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
> > > > > Thu Jan 10 00:25:31 2008 route ADD 10.1.0.0 MASK 255.255.255.0 10.1.0.5
> > > > > Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
> > > > > Thu Jan 10 00:25:31 2008 Initialization Sequence Completed
> > > > >
> > > > > Now the issue... From the client, I can ping 10.1.0.5 (tap gw),
> > > > > 10.1.0.1 (vpn gw), 10.8.0.1 (vmnet8, but on server's side) but not
> > > > > in vmnet8's network (10.8.0.128 for example).
> > > > >
> > > > > I've tried everything.... Here are some:
> > > > > * Set up a virtual interface (on eth0:0) with IP 10.1.0.1,
> > > > > * Put the openvpn network in vmware's network subnet (I think
> > > > > openvpn won't understand, well it didn't work anyway),
> > > > > * pushed gw for routes to the client (the client is slow to connect
> > > > > and tells me that the gw doesn't exist)
> > > > >
> > > > > I'm lost. Please help.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
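As an added illustration (not part of the thread), the hop-by-hop check JJK is asking for, run over the route tables quoted above: longest-prefix lookup on each host, the ip_forward gate on the server, the on-link gateway rule behind Rida's "Network unreachable", and JJK's "route to a subnet pointing to itself" case. The host names, the OWNER map and the guest's connected route are assumptions of the example, not facts from the thread.

```python
import ipaddress

# Route tables transcribed from the thread, as (prefix, next hop or None when
# directly connected, interface); constructed for this example, not live output.
# The guest's connected 10.8.0.0/24 entry is assumed from its /24 address.
ROUTES = {
    "server": [("10.1.0.2/32", None, "tun0"), ("10.8.0.0/24", None, "vmnet8"),
               ("10.1.0.0/24", "10.1.0.2", "tun0"),
               ("0.0.0.0/0", "91.121.95.254", "eth0")],
    "client": [("10.1.0.0/24", "10.1.0.5", "tap"), ("10.1.0.4/30", None, "tap"),
               ("10.8.0.0/24", "10.1.0.5", "tap"), ("0.0.0.0/0", "192.168.0.1", "lan")],
    "vm": [("10.8.0.0/24", None, "eth0"), ("0.0.0.0/0", "10.8.0.1", "eth0")],
}
# Who answers for each address (assumed). Simplification: the tun0 peer 10.1.0.2
# stands for OpenVPN's own delivery of 10.1.0.0/24 traffic to the connected client.
OWNER = {"10.1.0.1": "server", "10.1.0.5": "server", "10.8.0.1": "server",
         "10.1.0.2": "client", "10.1.0.6": "client", "10.8.0.128": "vm"}

def lookup(table, dst):
    """Longest-prefix match, as the kernel does; returns (network, via, dev)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def trace(src, dst, ip_forward, tables=ROUTES, max_hops=6):
    """Follow a packet from host `src` to address `dst`; `ip_forward` maps a host
    to whether it forwards transit traffic. Returns the hops visited, ending in
    'delivered' or the reason the packet was dropped."""
    path, host = [src], src
    for _ in range(max_hops):
        if OWNER.get(dst) == host:
            return path + ["delivered"]
        if host != src and not ip_forward.get(host, False):
            return path + [f"dropped: {host} has ip_forward=0"]
        route = lookup(tables[host], dst)
        if route is None:
            return path + [f"dropped: no route on {host}"]
        net, via, _ = route
        # A gateway must lie on a directly connected network ("Network unreachable")
        if via and not any(ipaddress.ip_address(via) in ipaddress.ip_network(p)
                           for p, v, _ in tables[host] if v is None):
            return path + [f"dropped: gateway {via} not on-link for {host}"]
        nxt = OWNER.get(via or dst)
        if nxt is None:
            return path + [f"dropped: nobody answers for {via or dst}"]
        if nxt == host:  # the "route to a subnet pointing to itself" case
            return path + [f"dropped: {host} routes {net} to itself"]
        path.append(nxt)
        host = nxt
    return path + ["dropped: hop limit"]
```

The model covers kernel route tables only; whatever VMware's NAT service does between vmnet8 and the guest is outside it, so a clean trace in both directions narrows the search rather than closing it.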