  1. #1

    OpenVPN Issue


    I have a Redhat linux box set up as an OpenVPN server. It has 2 NICs and the tunnel interface. One NIC is for the internal subnet and the second for the public internet. I have an Ubuntu client that connects via OpenVPN. The connection comes up but the client cannot connect to any IP addresses on the server or on the internal subnet. I fired up wireshark. The OpenVPN server is seeing the packets from the client but it's sending ARP whois packets for the client's IP address. Only problem being that it's sending them on the internal subnet NIC rather than the tunnel interface so it's not getting any replies. The server's default route goes to a separate firewall router on the internal subnet that also accesses the public internet. Not sure if that's part of the problem but I don't see how it would be.

    The ultimate goal is for the client to have complete access to the server internal subnet. Currently I have the firewall pretty much shut off on both the internal and tunnel interfaces. Below is all the configuration info I think is pertinent.

    The big question is why the ARP packets are being broadcast on the internal subnet NIC when there is a route going over the tunnel interface for the IP address of the client.

    Not sure what the hell I've got screwed up. Any hints would be greatly appreciated.

    ************************************************** ********************
    OpenVPN server
    --------------
    Internal subnet:
    eth0 Link encap:Ethernet HWaddr 00:22:15:7F:76:95
    inet addr:10.91.91.10 Bcast:10.91.91.255 Mask:255.255.255.0
    inet6 addr: fe80::222:15ff:fe7f:7695/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4565330 errors:0 dropped:0 overruns:0 frame:0
    TX packets:3888446 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:521713805 (497.5 MiB) TX bytes:7145436968 (6.6 GiB)
    ------------------------------------------------------------------------

    Public subnet (Public IP redacted):
    eth1 Link encap:Ethernet HWaddr 00:22:15:7F:76:C9
    inet addr:1.2.3.4 Bcast:1.2.3.255 Mask:255.255.255.0
    inet6 addr: 1::2:3:4:5/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:187173 errors:0 dropped:0 overruns:0 frame:0
    TX packets:19175 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:12531332 (11.9 MiB) TX bytes:2582328 (2.4 MiB)
    ------------------------------------------------------------------------
    Interrupt:248 Base address:0xc000

    Tunnel interface:
    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.91.92.1 P-t-P:10.91.92.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:6679 errors:0 dropped:0 overruns:0 frame:0
    TX packets:3597 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:750902 (733.3 KiB) TX bytes:1602243 (1.5 MiB)
    ------------------------------------------------------------------------

    netstat -r (Public IP redacted):
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    10.91.92.2 * 255.255.255.255 UH 0 0 0 tun0
    1.2.3.0 * 255.255.255.0 U 0 0 0 eth1
    10.91.91.0 * 255.255.255.0 U 0 0 0 eth0
    10.91.92.0 elephant.nowher 255.255.255.0 UG 0 0 0 eth0
    10.91.92.0 10.91.92.2 255.255.255.0 UG 0 0 0 tun0
    192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
    169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
    default 10.91.91.1 0.0.0.0 UG 0 0 0 eth0
    ------------------------------------------------------------------------

    IP Forwarding:
    sysctl -a|egrep 'ipv4.*forward'
    net.ipv4.conf.eth1.mc_forwarding = 0
    net.ipv4.conf.eth1.forwarding = 1
    net.ipv4.conf.eth0.mc_forwarding = 0
    net.ipv4.conf.eth0.forwarding = 1
    net.ipv4.conf.tun0.mc_forwarding = 0
    net.ipv4.conf.tun0.forwarding = 1
    net.ipv4.conf.virbr0.mc_forwarding = 0
    net.ipv4.conf.virbr0.forwarding = 1
    net.ipv4.conf.lo.mc_forwarding = 0
    net.ipv4.conf.lo.forwarding = 1
    net.ipv4.conf.default.mc_forwarding = 0
    net.ipv4.conf.default.forwarding = 1
    net.ipv4.conf.all.mc_forwarding = 0
    net.ipv4.conf.all.forwarding = 1
    net.ipv4.ip_forward = 1


    ************************************************** ********************
    Client System
    -------------
    Internal subnet:
    eth1 Link encap:Ethernet HWaddr 00:1d:7d:95:b5:a9
    inet addr:192.168.91.201 Bcast:192.168.91.255 Mask:255.255.255.0
    inet6 addr: fe80::21d:7dff:fe95:b5a9/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:45639 errors:0 dropped:0 overruns:0 frame:0
    TX packets:39144 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:33860135 (33.8 MB) TX bytes:15047149 (15.0 MB)
    Interrupt:24 Base address:0xe000
    ------------------------------------------------------------------------

    Tunnel interface:
    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.91.92.10 P-t-P:10.91.92.9 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:5976 (5.9 KB)
    ------------------------------------------------------------------------

    netstat -r:
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    10.91.92.9 * 255.255.255.255 UH 0 0 0 tun0
    10.91.91.0 10.91.92.9 255.255.255.0 UG 0 0 0 tun0
    10.91.92.0 10.91.92.9 255.255.255.0 UG 0 0 0 tun0
    192.168.91.0 * 255.255.255.0 U 0 0 0 eth1
    link-local * 255.255.0.0 U 0 0 0 eth1
    default usr8200a.anywhe 0.0.0.0 UG 0 0 0 eth1
    ------------------------------------------------------------------------

    ************************************************** ********************
    OpenVPN conf
    ------------
    Server:
    cat server.conf|egrep -v '^#'

    ;local a.b.c.d

    port 11194

    ;proto tcp
    proto udp

    ;dev tap
    dev tun

    ;dev-node MyTap

    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/elephant.crt
    key /etc/openvpn/keys/elephant.key # This file should be kept secret

    dh /etc/openvpn/keys/dh2048.pem

    server 10.91.92.0 255.255.255.0

    ifconfig-pool-persist ipp.txt

    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

    push "route 10.91.91.0 255.255.255.0"
    ;push "route 192.168.20.0 255.255.255.0"


    ;client-config-dir ccd
    ;route 192.168.40.128 255.255.255.248

    ;client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252

    ;learn-address ./script


    push "dhcp-option WINS 10.91.91.10"

    client-to-client

    ;duplicate-cn

    keepalive 10 120

    ;tls-auth ta.key 0 # This file is secret

    ;cipher BF-CBC # Blowfish (default)
    ;cipher AES-128-CBC # AES
    ;cipher DES-EDE3-CBC # Triple-DES

    comp-lzo

    max-clients 10

    user nobody
    group nobody

    persist-key
    persist-tun

    status openvpn-status.log

    ;log openvpn.log
    log-append /var/log/openvpn.log

    verb 4

    ;mute 20

    ------------------------------------------------------------------------
    Client (server domain redacted):
    cat client.conf|egrep -v '^#'

    client

    ;dev tap
    dev tun

    ;dev-node MyTap

    ;proto tcp
    proto udp

    remote openvpn.nowhere.com 11194
    ;remote my-server-2 1194

    ;remote-random

    resolv-retry infinite

    nobind

    user nobody
    group nogroup

    persist-key
    persist-tun

    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    ;mute-replay-warnings

    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/snowman.crt
    key /etc/openvpn/keys/snowman.key

    ns-cert-type server

    ;tls-auth ta.key 1

    ;cipher x

    comp-lzo

    log-append /var/log/openvpn.log

    verb 6

    ;mute 20

  2. #2
    Quote Originally Posted by greenbird
    10.91.92.0 elephant.nowher 255.255.255.0 UG 0 0 0 eth0
    10.91.92.0 10.91.92.2 255.255.255.0 UG 0 0 0 tun0
    It was these duplicate routes for the 10.91.92.0 subnet.
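To show why the server's ARP requests went out eth0 instead of tun0, here is an added example (not code from the thread) that parses the server's `netstat -r` table exactly as posted, flags any prefix that appears more than once, and does a longest-prefix lookup for the client's tunnel address 10.91.92.10. The tie-break rule it uses (at equal prefix length and metric, the entry listed first wins) is assumed here to mirror the kernel's behaviour; the poster's truncated hostname `elephant.nowher` is kept as printed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the server's "netstat -r" output from the thread above
# (public IP already redacted by the original poster).
NETSTAT_R = """\
10.91.92.2 * 255.255.255.255 UH 0 0 0 tun0
1.2.3.0 * 255.255.255.0 U 0 0 0 eth1
10.91.91.0 * 255.255.255.0 U 0 0 0 eth0
10.91.92.0 elephant.nowher 255.255.255.0 UG 0 0 0 eth0
10.91.92.0 10.91.92.2 255.255.255.0 UG 0 0 0 tun0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 10.91.91.1 0.0.0.0 UG 0 0 0 eth0
"""

def parse_routes(text):
    """Return a list of (network, gateway, iface) tuples in table order."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:          # skip headers / blank lines
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes

def duplicate_prefixes(routes):
    """Map each prefix listed more than once to its (gateway, iface) entries."""
    seen = defaultdict(list)
    for net, gw, iface in routes:
        seen[net].append((gw, iface))
    return {str(net): entries for net, entries in seen.items() if len(entries) > 1}

def lookup(routes, addr):
    """Longest-prefix match; among equal prefixes the first table entry wins
    (assumed tie-break, matching what the poster observed on eth0)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None

def without_route(routes, prefix, iface):
    """Drop the stale entry, as removing the eth0 route for 10.91.92.0/24 would."""
    return [r for r in routes if not (str(r[0]) == prefix and r[2] == iface)]
```

With the table as posted, 10.91.92.10 resolves to eth0 (hence the ARP on the internal NIC); once the eth0 entry for 10.91.92.0/24 is gone, the same lookup lands on tun0.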
