# openvpn routing question

## saski4711

hi all,

i'm fairly new to VPN and have a simple question:

i've managed to get an openvpn connection from work to my home network, but i can't reach any machine at the other end of the tunnel. i guess i have to forward IP packets, since my host at work has an IP like this: 140.xxx.xx.24 netmask: 255.255.254.0

and @ home: 192.168.1.1 mask: 255.255.255.0

on the client side tun0 says:

```
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
```

can anyone give me a hint what to do in this particular case?

thx in advance

saski

----------

## sschlueter

More information is needed. An ASCII art diagram of the network would be nice.

Or at least the output of ifconfig and route -n from both vpn endpoints. And the openvpn config files from both endpoints.

And, of course, a description of what you've tried to do and what didn't work as expected.

----------

## magic919

Watch out that your OpenVPN addresses are 10.8.0.6 and .5, and the addresses you mention are less important.  You need to give a route to the client machine to tell it to traverse the VPN to reach 192.168.1.x

http://openvpn.net/howto.html#scope

----------

## saski4711

hi,

thanks for the reply. actually i have no idea how to do that. do i need to reduce the MTU somehow?

FYI here is my complete configuration:

server:

------------------------------------------------------------------------

ifconfig says:

(connects my server to my LAN)

```
eth0      Link encap:Ethernet  HWaddr 00:04:75:8A:6F:9F
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24091 errors:0 dropped:0 overruns:0 frame:0
          TX packets:302243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4139018 (3.9 Mb)  TX bytes:433052531 (412.9 Mb)
          Interrupt:16 Base address:0xc000
```

(connected to my DSL modem)

```
eth1      Link encap:Ethernet  HWaddr 00:40:F4:C1:22:66
          inet addr:10.64.64.64  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12674 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12056 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5030833 (4.7 Mb)  TX bytes:1415383 (1.3 Mb)
          Interrupt:17 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:67 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7796 (7.6 Kb)  TX bytes:7796 (7.6 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:212.xxx.xxx.xxx  P-t-P:194.xxx.xxx.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:8772 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8150 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:4603657 (4.3 Mb)  TX bytes:1001653 (978.1 Kb)
```

(i've set tun0 to match my subnet. correct? or is the IP here irrelevant?)

```
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.24  P-t-P:192.168.1.25  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

route -n says:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.25    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
194.231.190.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         194.xxx.xxx.1   0.0.0.0         UG    0      0        0 ppp0
```

my server config file:

```
port 443
proto tcp-server
dev tun
ca   boomer/ca.crt
cert boomer/server.crt
key  boomer/server.key  # This file should be kept secret
dh boomer/dh1024.pem
mode server
tls-server
client-to-client
ifconfig 192.168.1.24 192.168.1.25
ifconfig-pool 192.168.1.25 192.168.1.254
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
max-clients 2
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 6
```

now my client:

------------------------------------------------------------------------

ifconfig says:

```
eth0      Link encap:Ethernet  HWaddr 00:13:CE:E5:AB:8E
          inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1946 errors:0 dropped:12 overruns:0 frame:0
          TX packets:2119 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:771741 (753.6 Kb)  TX bytes:254077 (248.1 Kb)
          Interrupt:11 Base address:0x6000 Memory:cdcff000-cdcfffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4028 (3.9 Kb)  TX bytes:4028 (3.9 Kb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.26  P-t-P:192.168.1.25  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

route -n says:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.25    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
```

and finally my client.conf:

```
client
dev tun
proto tcp
remote 212.xxx.xxx.xxx 443
keepalive 20 40
nobind
persist-key
persist-tun
http-proxy 138.xxx.xxx.xxx 80
http-proxy-timeout 15
http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
http-proxy-option VERSION 1.1
ca    /etc/openvpn/boomer/ca.crt
cert /etc/openvpn/boomer/client1.crt
key  /etc/openvpn/boomer/client1.key
comp-lzo
verb 6
```

hope this is enough info? 

saski

----------

## magic919

That's a load of info, but you really just need to visit the link I posted to find out how.  I'd leave the IP addresses for the VPN as they were.

----------

## sschlueter

And I guess you want to be able to reach the LAN connected to the remote endpoint of the VPN tunnel (and not just the endpoint itself)?

If that's what you want, you have to set up different subnets for both LANs. Both LANs are using 192.168.1.0/24. That doesn't work, you have to separate the subnets, e.g. 192.168.0.0/24 and 192.168.1.0/24.

----------

## saski4711

ok, suppose i want to keep the 192.168.1.0/24 subnet on my remote LAN side. how do i configure my client to use 191.168.0.0/24 subnet?

i want to be able to connect to any machine in my LAN behind(!) the remote VPN endpoint, e.g. ping 192.168.1.5 in my home LAN.

sorry, i don't have a clue what to do

----------

## sschlueter

I really want to help but I'm afraid it's really unclear to me what you want to do.

Can you draw an ascii art diagram of the network? Is there a LAN connected to the OpenVPN server machine? Is there a LAN connected to the OpenVPN client machine?

Make sure that the OpenVPN-client's eth0 uses a different subnet than the OpenVPN-server's eth0.

Make sure that both tun interfaces use ip addresses that are not part of the other subnets, e.g. 10.8.0.1 and 10.8.0.2

If the OpenVPN tunnel is established correctly, you must be able to ping the ip address of the OpenVPN-server's tun interface from the OpenVPN-client machine and vice versa. Check if this works.

If the OpenVPN "push route..." command works, then you should have a routing table entry on the OpenVPN client machine for that subnet. Check if this is true. You must then be able to ping the ip address of the OpenVPN-server's eth0 interface. Check if you can do this.

If "push route.." doesn't work for some reason, you can manually set the routing table entry using the system's route command.

If there's a LAN connected to the OpenVPN-server's eth0 (let's call it ServerLAN) and you want to be able to reach machines on ServerLAN from your OpenVPN-client machine, then the OpenVPN-server machine must have ip-forwarding enabled. Check if this is true. And the traffic must not be blocked by any iptables rules. Check if this is true.

If there's a LAN connected to the OpenVPN-client's eth0 (let's call it ClientLAN) and you want to be able to connect to the OpenVPN-server from a machine on ClientLAN, then the OpenVPN-client machine must have ip-forwarding enabled.

If you want to be able to reach machines from one LAN to the other and vice versa, both VPN endpoint machines must have ip-forwarding enabled and each must have a routing table entry for the remote subnet.

----------

## saski4711

hi sschlueter,

thanks very much for your reply. ok, i'll try to draw an ASCII diagram. hopefully it will help:

```
my client @ work (eth0: 140.8x.xxx.xxx netmask 255.255.254.0)
    |
    |
    corporate proxy/firewall (open on port 80)
        |
        |
        the internet
           |
           |
           my gentoo box @ home (212..168.xxx.xxx, listening on port 443)
           DSL modem connected to eth1 and my lan is connected @ eth0
               |
               |
               my home network (192.168.1.0/24 255.255.255.0)
```

now what i want to do is to reach any machine in my home network (192.168.1.0) directly from my client (140.xxx.xxx.xxx). the server uses IP forwarding.

I've reconfigured my server config and it looks like this now:

```
port 443
proto tcp-server
dev tun
tls-server
mode server
ca   boomer/ca.crt
cert boomer/server.crt
key  boomer/server.key
dh boomer/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
auth SHA1
cipher BF-CBC
user  nobody
group nobody
persist-key
persist-tun
log-append  /var/log/openvpn.log
verb 6
```

to forward any packet coming from tun0 into my LAN i did this:

```
iptables -I FORWARD -i tun0 -d 192.168.1.0/255.255.255.0 -j DROP
iptables -A FORWARD -i tun0 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

the Kernel IP routing table says:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
194.231.190.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         194.231.190.1   0.0.0.0         UG    0      0        0 ppp0
```

and ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:04:75:8A:6F:9F
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:126814 errors:0 dropped:0 overruns:0 frame:0
          TX packets:951926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21189285 (20.2 Mb)  TX bytes:1329764980 (1268.1 Mb)
          Interrupt:16 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:40:F4:C1:22:66
          inet addr:10.64.64.64  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:74560 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72133 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:56732985 (54.1 Mb)  TX bytes:10804248 (10.3 Mb)
          Interrupt:17 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:98 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13492 (13.1 Kb)  TX bytes:13492 (13.1 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:212.xxx.xxx.xxx  P-t-P:194.231.190.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:65965 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63534 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:54765983 (52.2 Mb)  TX bytes:8890490 (8.4 Mb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

on my client side my config now looks like this:

```
tls-client
dev tun
proto tcp-client
remote 212.168.183.241 443
keepalive 20 40
user nobody
group nobody
persist-key
persist-tun
http-proxy 138.3.236.164 80
tls-client
ca    /etc/openvpn/boomer/ca.crt
cert /etc/openvpn/boomer/client1.crt
key  /etc/openvpn/boomer/client1.key
auth SHA1
cipher BF-CBC
verb 6
pull
```

route -n says:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
140.86.212.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         140.xxx.xxx.xx    0.0.0.0         UG    0      0        0 eth0
```

iptables are configured this way:

```
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.1.0/24
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.1.0/24
```

ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:0E:7B:44:28:9A
          inet addr:140.xxx.xxx.xx  Bcast:140.xx.xxx.xxx  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71166 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:99950663 (95.3 Mb)  TX bytes:3452830 (3.2 Mb)
          Interrupt:10

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:336 (336.0 b)
```

after connecting to my vpn server the client log output shows:

```
Thu Apr 13 08:30:02 2006 us=121786 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 13 08:30:02 2006 us=121799 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 13 08:30:02 2006 us=121811 OPTIONS IMPORT: route options modified
Thu Apr 13 08:30:02 2006 us=122236 TUN/TAP device tun0 opened
Thu Apr 13 08:30:02 2006 us=122260 TUN/TAP TX queue length set to 100
Thu Apr 13 08:30:02 2006 us=122287 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Thu Apr 13 08:30:02 2006 us=174617 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.5
Thu Apr 13 08:30:02 2006 us=181221 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Thu Apr 13 08:30:02 2006 us=182921 GID set to nobody
Thu Apr 13 08:30:02 2006 us=183040 UID set to nobody
Thu Apr 13 08:30:02 2006 us=183127 Initialization Sequence Completed
```

so far i'm NOT able to ping the endpoint (10.8.0.1 or 10.8.0.2) nor any other IP in my home LAN. i also cannot ping my client's tun0 inet address, but i can ping the P-t-P address! strange

hopefully i could shed some light on my problem?

saski

----------

## sschlueter

Due to time constraints, I can just write a quick answer at the moment.

If the log does not say "peer connection initiated with...", then it's not working at all!

You can safely allow tun interfaces in iptables. So I suggest that you remove all tun-related rules and insert these instead:

```
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
```

And for all other rules: If you use DROP or REJECT somewhere, make sure that you log those packets.

----------

## saski4711

sorry, forgot to include this line in my post. client says:

```
Thu Apr 13 11:09:06 2006 us=564918 [server] Peer Connection Initiated with 138.xxx.xxx.xxx:80
```

(that's the company proxy)

on my client side i do not drop or reject any packets. but at least i should be able to ping the VPN server's IP, right? (10.8.0.1) with your new iptables rules i can now ping my client's tun0 interface. but everything on the server side is not reachable.

----------

## sschlueter

So, pinging the other side's tun0 ip address works, but pinging the other side's eth0 ip address doesn't work?

Then I guess the required routing table entry is not there.

You can check this if you open three shells:

```
First shell:  # ping <ip>
Second shell: # tcpdump -p -i eth0 -n icmp
Third shell:  # tcpdump -p -i tun0 -n icmp
```

If tun0 is used, the routing table entry is correct. If eth0 is used, the routing table entry is probably missing.

----------

## saski4711

no, i cannot ping any point on the other end of the tunnel, although the tunnel seems to be in place.

for example: my remote tunnel end is 10.8.0.1

and my local tunnel start is 10.8.0.6

a tcpdump -i tun0 on my client side produces the following:

```
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:18:17.529499 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 33329, seq 8, length 64
14:18:18.529570 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 33329, seq 9, length 64
```

a request is being sent but no ICMP reply. the same thing happens if i try to ping a machine behind the remote vpn access point:

a "ping 192.168.1.5" results in:

```
14:21:10.390545 IP 10.8.0.6 > boomer: ICMP echo request, id 38193, seq 1, length 64
14:21:11.400581 IP 10.8.0.6 > boomer: ICMP echo request, id 38193, seq 2, length 64
```

i'm starting to go crazy about this

----------

## sschlueter

Is it possible for you to log into both machines at once? This way you could check with tcpdump if these packets reach their destination.

----------

## saski4711

since i'm @ work right now and have no access to my remote server, i'll do that in a few hours @home.

thanks so far for all your help!

----------

## saski4711

well, here i am again with the same problem.

this time i've bypassed the corporate proxy/firewall and even the internet by building the vpn tunnel in my own LAN.

the structure now looks like this:

```
my client (eth0: 192.168.1.6 tun0: 10.8.0.5)
 |
 |
 my gentoo box @ home (eth0: 192.168.1.5, tun0: 10.8.0.1, listening on port 443)
```

i've tweaked the server and client config:

```
port 443
proto tcp-server
dev tun
tls-server
mode server
ca   boomer/ca.crt
cert boomer/server.crt
key  boomer/server.key
dh boomer/dh1024.pem
server 10.8.0.0 255.255.255.0
#push "route 192.168.1.0 255.255.255.0"
#client-to-client
keepalive 10 120
auth SHA1
cipher BF-CBC
user  nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 9
```

my server route:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
```

ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:04:75:8A:6F:9F
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:148565 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1301261 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:25099242 (23.9 Mb)  TX bytes:1835687384 (1750.6 Mb)
          Interrupt:16 Base address:0xc000

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1764 (1.7 Kb)  TX bytes:252 (252.0 b)
```

on the client side the conf looks like this:

```
dev tun
proto tcp-client
remote 192.168.1.5 443
keepalive 20 40
user nobody
group nobody
persist-key
persist-tun
tls-client
ns-cert-type server
ca    /etc/openvpn/boomer/ca.crt
cert /etc/openvpn/boomer/client1.crt
key  /etc/openvpn/boomer/client1.key
auth SHA1
cipher BF-CBC
log-append  /var/log/openvpn.log
verb 9
pull
```

client route:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         boomer          0.0.0.0         UG    0      0        0 eth1
```

client ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:13:CE:E5:AB:8E
          inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2033 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1726 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:658043 (642.6 Kb)  TX bytes:179390 (175.1 Kb)
          Interrupt:11 Base address:0x6000 Memory:cdcff000-cdcfffff

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:168 (168.0 b)  TX bytes:1764 (1.7 Kb)
```

now if i try to ping the tunnel endpoint with ping 10.8.0.1 the endpoint receives packets but the client gets no ICMP reply.

client:

```
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
16:44:03.636568 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 43036, seq 1, length 64
16:44:04.636109 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 43036, seq 2, length 64
```

server:

```
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
16:43:13.822204 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 41756, seq 1, length 64
16:43:14.831835 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 41756, seq 2, length 64
```

why can't i ping at least the tunnel endpoint?

please help!

----------

## sschlueter

I would suggest that you try to ping again and this time sniff both tun0 and eth0 interfaces. Can you see the icmp echo replies? Are they leaving the wrong interface?

Does the machine respond to icmp echo requests anyway? Maybe /proc/sys/net/ipv4/icmp_echo_ignore_all is set to 1. Maybe they are blocked by iptables. Have you set up LOG rules for every REJECT and DENY rules? Have you checked the iptables logs?

Have you checked the OpenVPN log files? Are there any error messages?

If nothing works, then I can only suggest that you try a really simple OpenVPN config.

server:

```
dev tun
ifconfig 10.8.0.1 10.8.0.2
verb 5
```

client:

```
remote <ip>
dev tun
ifconfig 10.8.0.2 10.8.0.1
verb 5
```

----------

## magic919

I'm watching this with interest.  VPNs seem to be a common thing to struggle with.

I'd strongly suggest you go the Gentoo way and have Gentoo create the TUN or TAP interfaces.  You can then use OpenVPN to config the interface.  It's all covered in /etc/conf.d/net.example .  Make sure you note the package needed to support the TUN/TAP.  Refer to the interface as tap0 in the OpenVPN config rather than just tap.

Consider bridging the VPN and the LAN interface.  Use a TAP rather than TUN and bridge it to eth0.  Then give the bridge the IP address that eth0 was using.  This way your VPN client will get an IP address for the 'home' LAN and be able to work as if on the LAN.

Starting with the minimal config is the best starting point.

----------

## saski4711

hey folks,

thanks for all your help and advice!!!! strange as it sounds, but compiling tun/tap as a kernel module and not compiling it into the kernel did the job. maybe some issue with 2.6.16 - i don't know.

now comes my next question before i try something stupid:

what do i have to do to reach not only the vpn endpoint but also the lan behind the endpoint? i guess there is some forwarding necessary between tun0 and eth0 on the server and client side? the scenario is described as a diagram in my previous post, tunneling from work through a proxy to my lan @ home.

and here another question:

unfortunately i cannot connect from my corporate network the next days (easter holidays), so i want to check reaching my private lan through the tunnel from within the same lan @ home (both vpn endpoints are in the same local subnet, 192.168.1.0/24). is there some way/trick to accomplish that? the tunnel now works and i can ping both endpoints. but because both endpoints use the same subnet (192.168.1.0/24) there is a conflict, right?

happy easter and thanks very much again for all your help!!!

saski

----------

## sschlueter

*saski4711 wrote:*

> what do i have to do to reach not only the vpn endpoint but also the lan behind the endpoint?

IP forwarding and routing table entries. See my previous posts.

*saski4711 wrote:*

> unfortunately i cannot connect from my corporate network the next days (easter holidays), so i want to check reaching my private lan through the tunnel from within the same lan @ home (both vpn endpoints are in the same local subnet, 192.168.1.0/24). is there some way/trick to accomplish that? the tunnel now works and i can ping both endpoints. but because both endpoints use the same subnet (192.168.1.0/24) there is a conflict, right?


Yes, this is not possible.
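The routing-table check sschlueter describes earlier in the thread (does a ping to the remote LAN leave via tun0 or via eth0?) and the same-subnet conflict he points out here can both be read straight off the `route` output without sniffing. The following is an added example, not code from the thread: a longest-prefix-match lookup over the two client tables saski posted; the masked default gateway (140.xxx.xxx.xx) is replaced by the constructed value 140.86.212.1 and the hostname boomer by its address 192.168.1.5.

```python
"""Longest-prefix-match lookup over `route [-n]` output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str          # "0.0.0.0" means directly connected
    iface: str
    metric: int


# Client at work, after the server pushed "route 192.168.1.0 255.255.255.0".
# Default gateway 140.86.212.1 is a constructed stand-in for the masked value.
WORK_CLIENT_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
140.86.212.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         140.86.212.1    0.0.0.0         UG    0      0        0 eth0
"""

# Client tested inside the home LAN (`route` without -n prints symbolic names);
# hostname boomer replaced by 192.168.1.5.
HOME_LAN_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.5     0.0.0.0         UG    0      0        0 eth1
"""

SYMBOLIC = {"default": "0.0.0.0", "*": "0.0.0.0", "loopback": "127.0.0.0"}


def parse_route_table(text: str) -> List[Route]:
    """Parse net-tools `route` output. Rows whose destination is an
    unresolved hostname (anything not in SYMBOLIC) are skipped, not guessed."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        try:
            network = ipaddress.IPv4Network((SYMBOLIC.get(dest, dest), mask))
        except ValueError:
            continue
        routes.append(Route(network, SYMBOLIC.get(gw, gw), iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest matching prefix wins; ties go to the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(routes: List[Route], dst: str) -> str:
    """Interface a packet to dst leaves through, or 'unroutable'."""
    route = lookup(routes, dst)
    return route.iface if route else "unroutable"


def local_overlap(routes: List[Route], pushed: str) -> List[Route]:
    """Directly connected, non-default routes overlapping a prefix the server
    would push. A hit is the same-subnet problem: the LAN behind the tunnel
    is already a local network, so a pushed route for it collides with the
    connected route instead of taking precedence."""
    net = ipaddress.IPv4Network(pushed)
    return [r for r in routes
            if r.gateway == "0.0.0.0" and r.network.prefixlen > 0
            and r.network.overlaps(net)]


WORK = parse_route_table(WORK_CLIENT_TABLE)
HOME = parse_route_table(HOME_LAN_TABLE)

if __name__ == "__main__":
    for table, name in ((WORK, "work"), (HOME, "home LAN")):
        for dst in ("10.8.0.1", "192.168.1.5", "8.8.8.8"):
            print(f"{name:8} {dst:12} -> {egress(table, dst)}")
    print("overlap at home:", [r.iface for r in local_overlap(HOME, "192.168.1.0/24")])
```

From work the ping to 192.168.1.5 is routed into tun0 via 10.8.0.5, which is the "tun0 is used" outcome of the tcpdump test; from inside the home LAN the same destination stays on eth1, and the pushed /24 would overlap a directly connected one.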

----------

## saski4711

hi folks,

thanks again for all your help. i finally got it to work, except one quirk.

saski

----------

