# VPN routing / packet forwarding

## The Mad Crapper

I set up a VPN tunnel between our office and our colo, and I can ping the end points of the tunnel from one another, but I can't get either end point to forward traffic to either network. I am using OpenVPN.

HostA is on the 192.168.5.0/24 network with address 192.168.5.22 (eth0) and has a VPN adapter address of 192.168.15.2 (tun0).

HostB is on the 192.168.1.0/24 network with address 192.168.1.22 (eth0) and has a VPN adapter address of 192.168.15.1 (tun0).

The routing table on HostA (office):

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.15.1    *               255.255.255.255 UH    0      0        0 tun0
192.168.5.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.15.1    255.255.255.0   UG    0      0        0 tun0
default         192.168.5.253   0.0.0.0         UG    0      0        0 eth0
```

The routing table on HostB (colo):

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.15.2    *               255.255.255.255 UH    0      0        0 tun0
192.168.5.0     192.168.15.2    255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
```

And iptables (same on both hosts):

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

I have checked more than a few times that ip_forward is turned on:

```
cat /proc/sys/net/ipv4/ip_forward
1
```

What am I missing?!?! Why can't I get any data to pass through either host? If I ping something on the 192.168.5.0/24 network from HostB or the 192.168.1.0/24 network from HostA, I get nothing..

Thanks guys..

----------

## hilbert_space

Without any additional config, you should be able to ping from each computer the two ends of the VPN tunnel, in your case 192.168.15.x. If this is not the case:

Do the openvpn daemons find each other? Look into the system log; if they are connecting to each other, you will see something like this:

```
Aug 30 14:55:56 neo openvpn[8111]: [psi] Peer Connection Initiated with 85.214.19.126:1194
```

If this is not the case, any errors?

What's your openvpn config on both sides? Are the settings with the IPs correct? Did you bind the right device?

Is there anything in the networking which could block the port (default 1194 udp)?

-Thomas

----------

## The Mad Crapper

The VPN is connecting. I can ping either end point from the other. From HostA I can ping 192.168.15.1 and from HostB I can ping 192.168.15.2.

Yes, the logs do show them connecting. Before I started it up with the init script, I started the end points with the openvpn command so I could see everything.

I will have to post the configs tomorrow when I get into the office.

----------

## xtlosx

Let me know if you get it to work, I had the exact same situation as you... the endpoints can ping each other, but the machines behind them can't..

----------

## The Mad Crapper

Here is the office (HostA) config:

```
dev tun0
ifconfig 192.168.15.2 192.168.15.1
#verb 9
secret vpn.key
ping 5
```

and at the colo (HostB):

```
remote 69.15.62.58
dev tun0
ifconfig 192.168.15.1 192.168.15.2
#verb 9
secret vpn.key
ping 5
```

----------

## The Mad Crapper

On my desktop, I added a route to the 192.168.1.0 network via this end point as the gateway, and when I try to ping something at the other end...

```
ping 192.168.1.53
PING 192.168.1.53 (192.168.1.53) 56(84) bytes of data.
From 192.168.5.22: icmp_seq=1 Redirect Host(New nexthop: 192.168.5.253)
64 bytes from 192.168.1.53: icmp_seq=1 ttl=60 time=17.3 ms
64 bytes from 192.168.1.53: icmp_seq=2 ttl=60 time=5.15 ms
64 bytes from 192.168.1.53: icmp_seq=3 ttl=60 time=5.76 ms
64 bytes from 192.168.1.53: icmp_seq=4 ttl=60 time=5.78 ms
64 bytes from 192.168.1.53: icmp_seq=5 ttl=60 time=5.86 ms
```

This end point (HostA) is redirecting me out the default gateway.. It won't forward the packet..

This doesn't seem like it should be this difficult to make Linux do packet forwarding...

----------

## Ast0r

Are you sure that you have IPv4 packet forwarding enabled in the kernels (enabled "full NAT support")?

If not, compile the support into your kernel and check /etc/sysctl.conf for this line:

```
net.ipv4.ip_forward = 1
```

I had the same problem with not being able to get the endpoints to forward packets (do routing) until I fixed that in /etc/sysctl.conf. Good luck.

----------

## The Mad Crapper

cat /proc/sys/net/ipv4/ip_forward returns '1' on both hosts.

----------

## hilbert_space

Packet forwarding should not be necessary to ping the two ends of the tunnel; a good route config will do it. I communicate via VPN with my server (productive web/mail/xy-server).

My VPN config (all the certificate stuff should not be necessary at this time):

server:

```
proto udp
dev tun
local 85.214.19.126
ca /etc/openvpn/ca.crt
cert /etc/openvpn/psi.crt
key /etc/openvpn/psi.key
dh /etc/openvpn/dh1024.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
#cipher AES-256-CBC
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
resolv-retry infinite
status /etc/openvpn/openvpn-status.log
chroot /etc/openvpn/chroot
push "route 85.214.19.0 255.0.0.0"
```

client:

```
remote 85.214.19.126
local 192.168.178.150
client
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/neo.crt
key /etc/openvpn/neo.key
tls-auth /etc/openvpn/ta.key 1  # "0" on the VPN server, "1" on VPN clients
keepalive 10 120
#cipher BF-CBC  (=default; very fast)
#cipher AES-128-CBC (more secure)
#cipher AES-256-CBC (most secure)
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
resolv-retry infinite
status /etc/openvpn/openvpn-status.log
chroot /etc/openvpn/chroot
verb 3
ns-cert-type server
tls-remote psi
```

An important line is the push-route line in the server config; this can perhaps be the reason for your problems.

A lot of information about the config stuff is available here:

http://openvpn.net/howto.html

-Thomas

----------

## The Mad Crapper

*hilbert_space wrote:*

> Packet forwarding should not be necessary to ping the two ends of the tunnel, a good route config will do it. ...

I can ping either end of the tunnel.. but nothing behind the end points.. they are not forwarding the traffic.

----------

## The Mad Crapper

OK, on the machine here I put

```
push "route 192.168.5.0 255.255.255.0"
```

and at the machine at the colo I put

```
push "route 192.168.1.0 255.255.255.0"
```

in the configs. I also changed iptables:

```
iptables -A INPUT -i tun+ -j ACCEPT
```

and I still am getting no love! If I do a traceroute, I can see the traffic go to the VPN end point and no further..

----------

## hilbert_space

Let's check the result of your route config; here are my routing tables on both machines:

server:

```
thgersdorf ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
85.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         85.214.18.1     0.0.0.0         UG    0      0        0 eth0
```

client:

```
neo # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.178.1   0.0.0.0         UG    0      0        0 eth0
```

VPN wasn't complex to configure in my setup; there must be a little problem that we are overlooking.

----------

## The Mad Crapper

OK.. I THINK I might have it working.. I think I may have just needed to make sure to have the return route configured as well.

I would ping a machine at the other end and it wouldn't come back.. until I got on the host I was trying to ping and changed its routing table to make it use the VPN to send back replies.

In the end, I think it was the iptables magic. I think I needed to change the forward and accept policy (I am not an iptables expert). Once I have the chance to try and bring the tunnel back up again I will know more.

Thank you all for your time, I will be sure to update this thread with anything I find.

----------
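The two symptoms in the thread, the ICMP redirect the office desktop received from HostA and the replies that only came back once the target host's routing table pointed at the VPN, can both be checked against the posted `route -n` tables with a small longest-prefix-match simulation. This is an added example, not code from anyone in the thread; the `would_redirect` and `return_path_ok` helpers are mine, and the colo LAN host's table is constructed (a plain default-gateway table, as a host that was never told about the office prefix would have).

```python
import ipaddress

# Routing tables transcribed from the thread's `route -n` output; gateway None
# means directly connected ("*"). "colo-lan-host" is constructed: a LAN host
# behind HostB that only knows its own subnet and the 192.168.1.1 default gateway.
TABLES = {
    "HostA": [("192.168.15.1/32", None, "tun0"), ("192.168.5.0/24", None, "eth0"),
              ("192.168.1.0/24", "192.168.15.1", "tun0"), ("0.0.0.0/0", "192.168.5.253", "eth0")],
    "HostB": [("192.168.15.2/32", None, "tun0"), ("192.168.5.0/24", "192.168.15.2", "tun0"),
              ("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")],
    "colo-lan-host": [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")],
}

def lookup(table, dst):
    """Longest-prefix match over (prefix, gateway, iface) rows, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def would_redirect(table, ingress_iface, dst):
    """Linux sends an ICMP Redirect when a forwarded packet would leave via a
    gateway on the same interface it arrived on. That is what the desktop saw."""
    gw, egress = lookup(table, dst)
    return gw is not None and egress == ingress_iface

def return_path_ok(lan_host_table, office_src, tunnel_endpoint):
    """A LAN host's reply to the office must go to its local VPN endpoint, not to
    a default gateway that has never heard of the office prefix."""
    gw, _ = lookup(lan_host_table, office_src)
    return gw == tunnel_endpoint

if __name__ == "__main__":
    print(lookup(TABLES["HostA"], "192.168.1.53"))        # ('192.168.15.1', 'tun0')
    # If the tun0 route is absent (tunnel down), HostA falls back to its eth0 default
    # gateway and redirects the desktop there instead of forwarding into the tunnel.
    no_tun = [r for r in TABLES["HostA"] if r[2] != "tun0"]
    print(would_redirect(no_tun, "eth0", "192.168.1.53"))  # True
    # Return path: the colo LAN host sends replies to 192.168.1.1 until it gets a
    # route for 192.168.5.0/24 via HostB's LAN address 192.168.1.22.
    print(return_path_ok(TABLES["colo-lan-host"], "192.168.5.22", "192.168.1.22"))  # False
    fixed = [("192.168.5.0/24", "192.168.1.22", "eth0")] + TABLES["colo-lan-host"]
    print(return_path_ok(fixed, "192.168.5.22", "192.168.1.22"))  # True
```

The redirect in the ping output therefore says HostA resolved 192.168.1.53 to its eth0 default gateway at that moment, so the tun0 route was not in effect; the second check is the return-route fix the thread ends on.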

## cswbww

Hi, did you find the solution yet?

----------

