# OpenVPN tap connects / ips assigned / but can't ping other

## RayDude

I'm trying to set up openvpn tap so that my machine can connect to home from anywhere and look like it's on my intranet.

Here's the openvpn.conf file for the server:

```
port 1194
proto tcp-server
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-server
mode server
ifconfig 10.1.10.200 255.255.255.0
ifconfig-pool 10.1.10.201 10.1.10.209 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route-gateway 10.1.10.1"
keepalive 10 120
comp-lzo
# user nobody
# group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```

Here's the client side:

```
client
dev tap1
proto tcp
# change this to your servers ip or hostname
remote myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert brian.crt
key brian.key
comp-lzo
verb 3
```

Both sides get tap devices and IP addresses assigned. Each can ping its own tap device, but they cannot ping each other and the client cannot ping the intranet of the server.

Any help would be greatly appreciated.

Brian

----------

## bbgermany

Do you have ipforward enabled? Does the intranet know how to reach your openvpn network?

bb

----------

## RayDude

*bbgermany wrote:*

> Do you have ipforward enabled? Does the intranet know how to reach your openvpn network?
> 
> bb

I did enable ipforward on the server, but that didn't make any difference.

Since the network IP addys that are being assigned are on the same subnet, do I need ipforward?

I think I'm only missing one piece of the puzzle. Still haven't figured it out though.

Thanks for the quick reply.

Brian

PS Just to make sure, I enable ipforward this way:

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

----------

## Simba7

Easy.. I've already done this on 3 remote routers.

Here's my config on the server:

```
port 11194
proto tcp
dev tun
ca myvpn/ca.crt
cert myvpn/server.crt
key myvpn/server.key
dh myvpn/dh2048.pem
server 192.168.0.192 255.255.255.224
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
push "route 192.168.0.0 255.255.255.128"
client-config-dir ccd
#route 192.168.0.0 255.255.255.128
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
```

..you also have to put in entries to iptables so your firewall doesn't block you.

This works quite well, since I can access any computer on the other networks (monitoring through my local Cacti server).

----------

## RayDude

*Simba7 wrote:*

> Easy.. I've already done this on 3 remote routers.
> 
> Here's my config on the server:
> 
> ```
> ...
> ```

Thanks, but I'm using tap, not tun, the config is a bit different.

I have realized that I don't have routing in my kernel and am adding it, in my copious spare time...

I'll let you guys know if iptables fixes this for me.

Brian

----------

## bbgermany

Hi,

If you are on the same subnet, you should do bridging, and yes, you need ipforwarding enabled, coz your system acts as gateway in this case. If you need help setting up a bridged configuration, just let me know; I have this running at home for several years now and I can provide a working config.

bb

----------
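The bridged tap setup suggested in the last reply, as an added example that is not part of any post in this thread: a dry-run script that decides between bridging and routing from the addresses involved, then prints the bridge commands and the matching `server-bridge` directive. The interface names `eth0`, `br0` and `tap0` and the server LAN address 10.1.10.2 are assumptions; the gateway and pool are taken from RayDude's config.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): LAN NIC eth0, bridge br0,
# tap device tap0, and 10.1.10.2 as the server's existing LAN address.

# Dotted quad -> integer. Subshell body keeps IFS and positionals local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds when both addresses are in the same network under the netmask.
same_subnet() (
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & $m )) -eq $(( $(ip2int "$2") & $m )) ]
)

# Clients addressed inside the LAN subnet need a bridge; otherwise route (tun).
vpn_mode() {  # args: lan_ip pool_start netmask
    if same_subnet "$1" "$2" "$3"; then echo bridge; else echo route; fi
}

# Commands, to be run as root, that put the tap and the LAN NIC in one bridge.
# The LAN address moves to the bridge; the tap itself gets no address.
bridge_plan() {  # args: bridge nic tap lan_ip prefix_len gateway
    cat <<EOF
openvpn --mktun --dev $3
ip link add name $1 type bridge
ip link set $3 master $1
ip link set $2 master $1
ip addr flush dev $2
ip addr add $4/$5 dev $1
ip link set $3 up
ip link set $2 up
ip link set $1 up
ip route add default via $6
EOF
}

# One directive for mode server, tls-server, ifconfig-pool and route-gateway.
server_bridge_line() {  # args: gateway netmask pool_start pool_end
    echo "server-bridge $1 $2 $3 $4"
}

# Dry run with the thread's gateway and pool: print the plan, execute nothing.
if [ "$(vpn_mode 10.1.10.2 10.1.10.201 255.255.255.0)" = bridge ]; then
    bridge_plan br0 eth0 tap0 10.1.10.2 24 10.1.10.1
    server_bridge_line 10.1.10.1 255.255.255.0 10.1.10.201 10.1.10.209
fi
```

Flushing the NIC's address interrupts LAN connectivity until the bridge has it, so the printed commands are best run from a local console. With the bridge in place, the server config uses `dev tap0` and the printed `server-bridge` line in place of the `ifconfig`, `ifconfig-pool` and `push "route-gateway ..."` lines.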

