# Howto OpenVPN?

## antares2001

Hello!

I have already read through the Howto on gentoo-wiki, but I did not manage to connect to the network behind my OpenVPN server.

Here at first my configuration:

Server:

```
dev tun
# IP of the local tun device and its peer (OpenVPN comments start with #,
# a trailing // would be passed to ifconfig as extra arguments)
ifconfig 172.16.1.1 172.16.1.2
# static-key mode: the same key file on both ends
secret /etc/openvpn/lan/key.txt
comp-lzo
keepalive 10 60
ping-timer-rem
# keep the tun device and key across restarts so that dropping privileges works
persist-tun
persist-key
user nobody
group nobody
```

And here the Client config:

```
remote myserver.dyndns.org
dev tun
# IP of the local tun device and its peer (mirror image of the server side)
ifconfig 172.16.1.2 172.16.1.1
secret /etc/openvpn/lan/key.txt
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
# send the server's LAN through the tunnel; the gateway defaults to the peer 172.16.1.1
route 192.168.1.0 255.255.255.0
```

So far so good... my infrastructure is the following:

Server: two ethernet cards; eth0 with IP 192.168.0.99 connected to an ADSL modem establishing the internet connection and eth1 with IP 192.168.1.1 connected to the LAN with 192.168.1.x/255.255.255.0

Client: one ethernet card, connected to LAN 192.168.10.x and DSL router 192.168.10.250 (so no IP conflict)

With the above configuration files, I am able to establish a connection to the server and get access over the IP 192.168.1.1 for example on the samba shares on it. Unfortunately I cannot connect to a computer in the server's LAN with the IP 192.168.1.120. I am sure it is just another small hop, but I do not get it.

The routes on the server are:

 *Quote:*   

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> bos01.ip.t-com.     *               255.255.255.255 UH    0      0        0 ppp0
> ...


Client:

 *Quote:*   

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.16.1.1      *               255.255.255.255 UH    0      0        0 tun0
> ...


Could somebody help me on this last step? I do not use bridge interfaces.

Thanks a lot in advance.

----------

## JRV

Check two things:

1) Do you have ip_forward enabled on your server?

```
# as root; this setting is not persistent across reboots
echo 1 > /proc/sys/net/ipv4/ip_forward
```

2) Do the hosts on your server's LAN have a route back to your client (for example if your server is the default gw of those hosts, they would already have the necessary route back)?

JRV
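The two checks above can be walked through on paper before sniffing anything. The following is an added example, not code from this thread: it parses `route -n` style tables and follows one packet from the VPN client to a LAN host and the reply back, using longest-prefix matching as the kernel does. The tables are constructed from the addresses in the thread (server eth1 192.168.1.1, ppp0 uplink, tun0 172.16.1.1/172.16.1.2; client 192.168.10.x behind 192.168.10.250 with the `route 192.168.1.0 255.255.255.0` directive, which OpenVPN installs via the tun peer). The LAN host's table, its alternative gateway 192.168.1.254 and the ppp0 peer 203.0.113.1 are assumptions, not quoted on the page.

```python
"""Walk a packet round-trip through the routing tables of this thread's setup.

Added example, not code from the original posts; tables are constructed from
the addresses in the thread, the LAN host table and 203.0.113.1 are assumed.
"""
import ipaddress


def parse_routes(text):
    """Parse `route -n` style output into (network, gateway, iface) tuples.

    Header lines are skipped; a gateway of `*` or 0.0.0.0 means "directly
    connected" and is stored as None.
    """
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # header or other non-route line
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def ip_forward_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """True/False from the sysctl file, or None if it cannot be read here."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def round_trip(client, server, lan_host, src="172.16.1.2",
               dst="192.168.1.120", ip_forward=True):
    """Follow one packet client -> LAN host and the reply back.

    Returns (hops, status): hops is a list of (node, out-iface, next-hop)
    decisions, status is "ok" or the reason the round trip breaks.
    """
    hops = []
    net, gw, iface = lookup(client, dst) or (None, None, None)
    hops.append(("client", iface, gw))
    if iface != "tun0":
        return hops, "client does not send the packet into the tunnel"
    if not ip_forward:
        return hops, "server has ip_forward=0 and drops the forwarded packet"
    net, gw, iface = lookup(server, dst) or (None, None, None)
    hops.append(("server", iface, gw))
    if iface is None:
        return hops, "server has no route to the LAN host"
    net, gw, iface = lookup(lan_host, src) or (None, None, None)
    hops.append(("lan-host", iface, gw))
    if gw != ipaddress.ip_address("192.168.1.1"):
        return hops, f"LAN host sends the reply to {gw}, not to the VPN server"
    net, gw, iface = lookup(server, src) or (None, None, None)
    hops.append(("server", iface, gw))
    if iface != "tun0":
        return hops, "server does not route the reply back into the tunnel"
    return hops, "ok"


# Constructed `route -n` output for each node (addresses from the thread).
CLIENT = parse_routes("""
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     172.16.1.1      255.255.255.0   UG    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.10.250  0.0.0.0         UG    0      0        0 eth0
""")
SERVER = parse_routes("""
172.16.1.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 ppp0
""")
# LAN host as DHCP configures it in the thread: default gateway is the server.
LAN_HOST = parse_routes("""
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
""")
# Hypothetical variant: a host whose default gateway is some other router.
LAN_HOST_OTHER_GW = parse_routes("""
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
""")
```

With the thread's tables `round_trip(CLIENT, SERVER, LAN_HOST)` returns `"ok"` with the interfaces tun0, eth1, eth0, tun0; switching the LAN host's gateway to the hypothetical 192.168.1.254, or passing `ip_forward=False`, shows where the reply would be lost. `ip_forward_enabled()` reads the real sysctl on the machine it runs on.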

----------

## antares2001

Hello! Thank you for your answer.

Yes, I forgot that the server is the internet gateway for the clients. They are connected to the 192.168.1.1 interface, which forwards to 192.168.0.99 and thus to the internet...

The client computers are windows clients I need to administrate via VNC.

This is done on the server:

```
# NAT everything leaving through the DSL uplink; the tun0 side is not affected
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# allow the kernel to forward between eth1, tun0 and ppp0
echo 1 > /proc/sys/net/ipv4/ip_forward
```

What do you exactly mean by "Do the hosts on your server's LAN have a route back to your client?" I mean they enter the internet via the server. The dhcpcd.conf is this:

```
option domain-name "internal";
option domain-name-servers 192.168.1.251;
# the LAN hosts get the VPN server as their default gateway
option routers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.148;
}

ddns-update-style none;
```

So any (other) idea?

----------

## JRV

 *antares2001 wrote:*   

> So any (other) idea?

 

Hm, not really  :Sad: 

The obvious thing to do now would be to see how far your packets get on their round trip to see where they are dropped. Do they arrive at the hosts behind the VPN server (sniff it with ethereal)? Do the hosts send out return packets?

----------

## pteppic

Do you have rules in the servers firewall to allow/block forwarding of tun0 traffic?

You obviously don't have any blocking it on input/output, but.....

----------

## antares2001

Hi!

No I tried with no firewall. Just the rules I described above. Perhaps some config files can help you!? Just tell me which you would need.

Again: eth0: 192.168.0.99 -> ppp0 -> connected to internet

eth1: 192.168.1.1 -> connected to local lan

forward rules just as above.

----------

## pteppic

I may be barking up the wrong tree, but all your routing tables look correct, and if there are no DROP or MASQUERADE rules affecting the tun0 interface....

I digress, with ipsec tunnels you have to turn off masquerading on the public output interface for the destination network at the other end of the tunnel, or obviously iptables changes the source address and the replies get sent out into the internet looking for your public ip instead of being routed through the tunnel, and dropped at your firewall as they are effectively unsolicited.

Now I originally thought this was a special case for ipsec as no one made any mention of it with pptp tunnels etc, but the symptoms you are describing do lead me to think this is what is happening. Try being more explicit with the MASQUERADE rules on the server's end

```
# -R replaces rule 1 of POSTROUTING; -o names the public output interface
# (ppp0 in this thread). "! -d" is the current negation syntax, older iptables
# accepted "-d ! ..."; without the /24 only the single host 172.16.1.0 would match.
iptables -t nat -R POSTROUTING 1 -o eth0 ! -d 172.16.1.0/24 -j MASQUERADE
```

or if you can afford the downtime flush the POSTROUTING rules altogether, then re-establish the tunnel and try again.

After that fails it's down to tcpdump and watching the packets fly about, trying to work out when they are being altered or not...
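Whether a MASQUERADE rule can touch the tunnel's return traffic at all depends only on its match options, so this can be checked before editing a live nat table. The block below is an added example, not code from this thread: a small matcher for `iptables` rule lines that supports `-A`/`-R`, `-i`, `-o`, `-s`, `-d` and both negation spellings (`! -d` and the older `-d !`), and reports the target a given packet would hit in POSTROUTING. The rule sets and packets are constructed for this thread's setup (uplink ppp0, tunnel 172.16.1.0/24 on tun0, LAN host 192.168.1.120); the internet address 198.51.100.7 and the packet field names are assumptions.

```python
"""Check which POSTROUTING rule a packet hits before touching iptables.

Added example, not code from the original posts. Rule sets and packets are
constructed for the thread's setup; 198.51.100.7 is an arbitrary remote host.
"""
import ipaddress
import shlex


def parse_rule(line):
    """Parse one `iptables ... -A CHAIN ...` rule line into a dict.

    Supports -A CHAIN, -R CHAIN N, -j, -i, -o, -s, -d and negation written
    either as `! -d net` (current iptables) or `-d ! net` (older releases).
    """
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "matches": []}
    negate = False
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "iptables":          # tolerate a pasted command line
            i += 1
            continue
        if tok == "-t":                # table name, irrelevant for matching
            i += 2
            continue
        if tok == "!":                 # current negation: "! -d net"
            negate = True
            i += 1
            continue
        arg = toks[i + 1]
        if arg == "!":                 # old negation: "-d ! net"
            negate = True
            arg = toks[i + 2]
            i += 1
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-R":              # -R CHAIN N: skip the rule number too
            rule["chain"] = arg
            i += 1
        elif tok == "-j":
            rule["target"] = arg
        elif tok in ("-i", "-o"):
            rule["matches"].append((tok, arg, negate))
        elif tok in ("-s", "-d"):
            rule["matches"].append((tok, ipaddress.ip_network(arg, strict=False), negate))
        else:
            raise ValueError(f"unsupported option {tok!r}")
        negate = False
        i += 2
    return rule


def matches(rule, pkt):
    """True if every match option of the rule holds for pkt (honouring '!')."""
    for opt, value, negate in rule["matches"]:
        if opt == "-o":
            hit = pkt["out"] == value
        elif opt == "-i":
            hit = pkt["in"] == value
        elif opt == "-s":
            hit = ipaddress.ip_address(pkt["src"]) in value
        else:
            hit = ipaddress.ip_address(pkt["dst"]) in value
        if hit == negate:              # a plain miss, or a negated hit
            return False
    return True


def nat_target(rules, pkt, chain="POSTROUTING"):
    """Target of the first matching rule in chain, or None (packet untouched)."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return None


# What the thread's server runs: scoped to the ppp0 uplink.
RULES_PPP0 = [parse_rule("-A POSTROUTING -o ppp0 -j MASQUERADE")]
# No interface match: rewrites everything leaving the box, tunnel included.
RULES_UNSCOPED = [parse_rule("-A POSTROUTING -j MASQUERADE")]
# pteppic's explicit form, with the thread's public interface and a /24.
RULES_EXPLICIT = [parse_rule(
    "iptables -t nat -A POSTROUTING -o ppp0 ! -d 172.16.1.0/24 -j MASQUERADE")]

# Constructed forwarded packets: a LAN host's reply into the tunnel, and one
# bound for the internet.
REPLY_TO_VPN = {"in": "eth1", "out": "tun0", "src": "192.168.1.120", "dst": "172.16.1.2"}
TO_INTERNET = {"in": "eth1", "out": "ppp0", "src": "192.168.1.120", "dst": "198.51.100.7"}
```

With the rule actually posted in this thread (`-o ppp0`) the reply into tun0 is left alone and only the internet-bound packet is masqueraded; an unscoped `-j MASQUERADE` would rewrite the reply as well, and pteppic's explicit rule behaves like the scoped one. The matcher is deliberately limited to the options in the thread; it says nothing about the filter table's FORWARD chain, which has to be checked separately.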

----------

