  1. #1
    Just Joined!
    Join Date
    Mar 2010
    Posts
    11

    openVPN on debian Lenny


    Hi. I'm setting up a VPN with OpenVPN on a Debian Lenny server. I successfully installed it on the server, then created the certificates and both client (WinXP) and server config files. For the client I use OpenVPN GUI. I tested the tunnel and everything went just fine. I can even ping the OpenVPN server from the XP client.
    But that's all. I can't ping any machine behind the OpenVPN server.
    Some facts that you may find useful to help me with this issue are:

    - The OpenVPN server is not the default gateway of the LAN. The default gateway is a pfSense server.
    - I don't have iptables enabled (the policy of all chains is ACCEPT).
    - I have configured IP forwarding (echo "1" >/proc/sys/net/ipv4/ip_forward)
    - In my server.conf I have the line: push route "192.168.1.0 255.255.255.0"
    - My OpenVPN server has two NICs. One connected to the LAN, and the other to the WAN.
    I have checked and all seems to be OK. I think that the problem is connected with routing the traffic from the VPN to my LAN but I don't know how to do that (besides the push route line in the server.conf).

    I hope you can help me!
    Thanks!

  2. #2
    Linux Newbie JosePF's Avatar
    Join Date
    Jun 2010
    Posts
    225
    Hi,
    The problem is that your 192.168.1.0 machines don't reach the foreign machine. You have to give them the route to the foreign machine.
    Openvpn HowTo:
    "# Push routes to the client to allow it
    # to reach other private subnets behind
    # the server. Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (10.8.0.0/255.255.255.0)
    # back to the OpenVPN server.
    ;push "route 192.168.10.0 255.255.255.0"
    ;push "route 192.168.20.0 255.255.255.0""

    "You must set up a route on the server-side LAN gateway to route the VPN client subnet (10.x.x.x/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."

    I guess that you could do this with:
    route add -net "VPN net" netmask 255.255.255.0 gw "VPN server" in your gateway.

    I have attached a little diagram because I'm not good at English.

    Regards!
    Last edited by JosePF; 09-10-2010 at 05:58 PM.

  3. #3
    Just Joined!
    Join Date
    Mar 2010
    Posts
    11
    Hi JosePF. Thank you very much for the explanation. Let me say that your diagram is even clearer than your English.
    I followed your instructions. I ran
    route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1 in the pfSense default gateway but I got a "route: netmask: bad address netmask" error. Of course, I'm logged in as root. I'm not sure why this is happening.
    Thanks again for your help.
    Regards

  5. #4
    Linux Newbie JosePF's Avatar
    Join Date
    Jun 2010
    Posts
    225
    Hi,
    Sorry, maybe I was wrong. Try:
    route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.1 (your IP VPN server).

    Anyway, the error output is very "rare" because it says that the problem is the netmask, but nonetheless it should say that the error is in the IP address.

    Regards
    There are people trying to avoid mistakes and another that tries to target.

  6. #5
    Just Joined!
    Join Date
    Mar 2010
    Posts
    11
    Quote Originally Posted by JosePF
    Hi,
    Sorry, maybe I was wrong. Try:
    route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.1 (your IP VPN server).

    Anyway, the error output is very "rare" because it says that the problem is the netmask, but nonetheless it should say that the error is in the IP address.

    Regards
    Thanks for the correction. I have modified the route in pfSense but I'm still in the same situation. I'm not sure why the mask is incorrect (10.8.0.0 is "C" class, and the netmask for that is 255.255.255.0, isn't it?)

  7. #6
    Linux Newbie JosePF's Avatar
    Join Date
    Jun 2010
    Posts
    225
    Hi,
    route add -net 10.8.0.0/24 gw 192.168.0.1(your IP VPN server).

    because it does not let us put the netmask, we delete it...
    hopefully get lucky!

  8. #7
    Just Joined!
    Join Date
    Mar 2010
    Posts
    11
    Man, I have come to a solution with this

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

    echo "1" > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source ipVPNinLAN

    Now I can ping my LAN's devices. The last thing I would like to know is how to configure or set permissions for the users in order to let them connect, for example, to a file server shared directory.
    Thanks a lot for the time you are spending in helping me!!!!
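
An added example, not part of the original posts: the two NAT rules in post #7 differ in scope, since the first is limited to the VPN pool with `-s 10.8.0.0/24` while the second has no source match and rewrites everything leaving `venet0`. The script below labels each POSTROUTING NAT rule in `iptables-save` output accordingly; the sample ruleset is constructed, and `192.0.2.10` is a placeholder for the `ipVPNinLAN` value the post leaves unspecified.

```shell
#!/bin/sh
# Added example: audit POSTROUTING NAT rules for an OpenVPN client pool.
# VPN_NET is the pool named in the thread. SAMPLE_RULES is constructed from
# the rules in post #7; 192.0.2.10 is a placeholder address (assumption).
VPN_NET="10.8.0.0/24"

SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o venet0 -j SNAT --to-source 192.0.2.10
COMMIT'

# Read iptables-save output on stdin; $1 is the VPN pool in CIDR form.
# Each POSTROUTING MASQUERADE/SNAT rule is printed with a label:
#   SCOPED   - source match equals the VPN pool
#   UNSCOPED - no source match, so every packet on that interface is rewritten
#   OTHER    - source match names a different network
audit_nat_rules() {
    awk -v net="$1" '
        $1 == "-A" && $2 == "POSTROUTING" && /-j (MASQUERADE|SNAT)/ {
            src = ""
            for (i = 3; i < NF; i++) if ($i == "-s") src = $(i + 1)
            if (src == "") verdict = "UNSCOPED"
            else if (src == net) verdict = "SCOPED"
            else verdict = "OTHER"
            print verdict ": " $0
        }'
}

# Print how many NAT rules have no source restriction at all.
count_unscoped() {
    audit_nat_rules "$1" | awk '/^UNSCOPED/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_nat_rules "$VPN_NET"
echo "unscoped rules: $(printf '%s\n' "$SAMPLE_RULES" | count_unscoped "$VPN_NET")"
```

On a live server, pipe `iptables-save -t nat` into `audit_nat_rules` instead of the sample. With either NAT rule in place, LAN hosts log the VPN server's address rather than the individual client's 10.8.0.x address.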

  9. #8
    Linux Newbie JosePF's Avatar
    Join Date
    Jun 2010
    Posts
    225
    Hi,
    It is a pleasure to help you (well, I did nothing).
    By the way, nice solution!

    What system will you use to connect?
    Do you mean the permissions on the server, or shared through Samba, for example?

    Regards

  10. #9
    Just Joined!
    Join Date
    Mar 2010
    Posts
    11
    The remote clients (laptops) that I'm planning to use to connect through the VPN are mostly Windows XP/Vista machines (except for mine, which has Ubuntu, and a manager's Apple MacBook). As you know, my OpenVPN server is a Debian Lenny. And the file servers in the LAN are Windows 2000/2003 machines.
    I don't know how to use Samba here because I have Windows machines at both ends of the connection. The only Linux machine is the OpenVPN server (which is in the middle).
