openVPN on debian Lenny

[astalavista2000]

Hi. I'm setting up a VPN with openVPN on a debian lenny server. I successfully installed it in the server, then created the certificates and both client (winXP) and server config files. For the client I use openVPN gui. I tested the tunnel and everything went just fine. I even can ping the openVPN server from the XP client.
But that´s all. I can't ping any machine behind the openvpn server.
Some facts that you may find useful to help me with this issue are:

- The openVPN server is not the default gateway of the LAN. The dg is a pfsense server
- I don´t have iptables enabled (policy of all chains are ACCEPT).
- I have configured ip forwarding (echo "1" >/proc/sys/net/ipv4/ip_forward)
- I my server.conf I have the line: push route "192.168.1.0 255.255.255.0")
- My openVPN server has two NIC's. One connected to the LAN, and the other to the WAN.
I have checked and all seems to be OK. I think that the problem is connected with routing the traffic from the vpn to my LAN but I don't know how to do that (besides the push route line in the server.conf).

I Hope you can help me!
Thanks!

[JosePF]

Hi,
The problem is that your 192.168.1.0 machines doest reach foreigh machine. You have to give him the route to foreigh machine.
Openvpn HowTo:
"# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0""

"You must set up a route on the server-side LAN gateway to route the VPN client subnet (10.x.x.x/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."

I guess that you could do this with:
route add -net "VPN net" netmask 255.255.255.0 gw "VPN server" in your gateway.

I have attached a litle diagram because i'm not good in english.

Regards!

[astalavista2000]

Hi JosePF. Thank you very much for the explanation. Let me say that your diagram is even clear than your english.
I followed your instructions. I run
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1 in the pfsense default gateway bu I got a "route: netmask: bad address netmask" error. Of course, I´m logged in as root. I´m not sure why is happening this.
Thanks again for your help.
Regards

[JosePF]

Hi,
sorry, maybe i was wrong. Try:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.1(your IP VPN server).

Anyway, output error is very "rare" because say that problem is netmask but nonetheless it should say that error is a the ip address.

Regards

[astalavista2000]

Hi,
sorry, maybe i was wrong. Try:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.1(your IP VPN server).

Anyway, output error is very "rare" because say that problem is netmask but nonetheless it should say that error is a the ip address.

Regards

Thanks for the correction. I have modified the route in pfsense but I'm still in the same situation. I'm not sure why is the mask incorrect (10.8.0.0 is "C" class, and dnetmask for that is 255.255.255.0, isn't it?)

[JosePF]

Hi,
route add -net 10.8.0.0/24 gw 192.168.0.1(your IP VPN server).

because it does not let us put the netmask, we delete it...
hopefully get lucky!

[astalavista2000]

Man, I have come to a solution with this

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source ipVPNinLAN

Now I can ping my LAN's devices. The last thing I would like to know is how to configure or set permissions to the users in order to let them connect, for example, to a file server shared diredctory.
Thanks a lot for the time you are spending in helping me!!!!

[JosePF]

Hi,
It is a pleasure to help you (well, i did nothing)
by the way, nice solution!

What system will use to connect?
Do you mean the permissions on the server or shared through samba?, for example.

Regards

[astalavista2000]

The remote clients (laptops) that I'm planning to use to connect through the VPN are mostly windows Xp/Vista machines (except from mine which has ubuntu & a manager's apple macbook) . As you know, my openvpn server is a debian lenny. And the file servers in the LAN are windows 2000/2003 machines.
I don´t know how to use SAMBA here because I have both windows machines in the end of the connection. The only linux machine is the openVPN server (which is in the middle).