

All times are UTC




 Post subject: LAN behind the openVPN server on Windows os
PostPosted: 07.09.2009 09:02 
DES

Joined: 07.09.2009 08:02
Posts: 7
Hello, everyone

I have a problem configuring my OpenVPN tunnel. I managed to connect the server with the client, but I can't access the LAN network behind the OpenVPN server. The situation looks like this:

I have a small network behind a router (Linksys BEFSX41, IP address 10.0.0.1). Computers in this network obtain an IP address automatically from the range 10.0.0.100 to 10.0.0.124. One computer is a physical server that runs Windows Server 2003 and has a static IP, 10.0.0.254; on it I installed an OpenVPN server. I set up port range forwarding on the router. The client will run on Windows XP SP 2. As I said before, I have connected the client to the server and I can ping the server on IP 10.0.0.254, but I can't reach the server resources via Start > Run > \\10.0.0.254 and can't ping other stations in the LAN network. I don't know where the source of my problem is; I would be thankful for any help.

This is the server config:
Code:
local 10.0.0.254
port 1194
proto udp
dev tun
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
ca  "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 217.96.23.225"
push "dhcp-option DNS 217.96.23.251"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
status openvpn-status.log
status "C:\\Program Files\\OpenVPN\\log\\status.log"


and this is a client cfg:
Code:
client
dev tun
proto udp
remote 82.x.x.x 1194 #my router static ip
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\ao1.crt"
key "C:\\Program Files\\OpenVPN\\config\\ao1.key"
comp-lzo
verb 4
;remote-cert-tls server
;ns-cert-type server
 


Best Regards
kaszewczyk

PS
I am sorry for my broken English; it's not my national language :)
PS2
I attach the log files of the server and client


Attachments:
client.log [21.01 KiB]
server.log [22.59 KiB]

 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 07.09.2009 09:35
Profi

Joined: 23.10.2007 12:10
Posts: 2191
Hmmm, let's try first... FAQ!!!
Are you sure that routes back to the clients exist?
(example: client (192.192.192.192) sends a ping to 10.0.0.99
192.192.192.192 -> 10.0.1.6 -> 10.0.1.1 (-> 10.0.0.254) -> 10.0.0.99 is the way forward.)
Are you sure that all machines (you want) know the way back?

Alternatively: is 10.0.0.254 your standard gateway?

and - second:
Code:
push "dhcp-option DNS 217.96.23.225"
push "dhcp-option DNS 217.96.23.251"

Do you not have any local name resolution? Typically the pushed DNS is a local DNS that knows all local machines (needed).

F.


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 14.09.2009 08:09
DES

Joined: 07.09.2009 08:02
Posts: 7
Hello,
thanks for response,

I had to jump to other work, so I left the OpenVPN issue behind, but now it is on top again.

I went through the FAQ, and I managed to get access to resources on the machine where the OpenVPN server is installed (switched off the OpenVPN interface in the firewall settings). I can see shared folders and upload files, but I can't download from them.
My gateway is the router with local IP address 10.0.0.1 and public 82.x.x.x; 10.0.0.254 is the physical server where I run the OpenVPN server.

I'm not sure how to do those routes back. For example, if I want to ping, from the client (192.192.192.192), a machine in the LAN network behind the OpenVPN server with address 10.0.0.107, in my case it should be something like this:
client (192.192.192) ->
router (with public IP 82.x.x.x, where I enabled port forwarding [port 1194 to 10.0.0.254]) ->
server (10.0.0.254, where the OpenVPN server is installed, so now the push "route 10.0.0.0 255.255.255.0" command should give the client (192.192.192.192) a local address, for example 10.0.0.112) ->
client (with new IP 10.0.0.112) ->
local machine (10.0.0.107)

right?

So to set up routes back, I have to add a route in my default gateway (router?) for the VPN network IP subnet pointing to the OpenVPN machine.

I thought to go to router setup > advanced routing > static routing and fill in the fields:
[destination ip address] 10.1.0.1 openvpn server address
[subnet mask] 255.255.255.0
[gateway] 10.0.0.1 router lan address
[hop count] 1 no idea what it is
[interface] LAN
but I don't know if it's right.

Code:
push "dhcp-option DNS 217.96.23.225"
push "dhcp-option DNS 217.96.23.251"


I copied the DNS from my router settings (internet connection type).

I would be really grateful for any help.

Best Regards
lost kaszewczy


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 14.09.2009 09:11
Profi

Joined: 23.10.2007 12:10
Posts: 2191
Did you use traceroute (instead of ping) to see the ping packets...?


at all,
Quote:
My gateway is the router with local IP address 10.0.0.1 and public 82.x.x.x; 10.0.0.254 is the physical server where I run the OpenVPN server.
is not a simple solution....
well - you may
1.) add to all machines (you need) in 10.0.0 a routing entry for the 10.1.0.0 net
2.) you can set 10.0.0.254 as standard gateway on all machines (via DHCP)
3.) you can set on the standard gateway a routing entry to the real OpenVPN server address with device
like: route add -net 10.1.0.0/24 gw 10.0.0.254 eth2 ..or so

push route only tells the client where to route to...
Anyway, the wanted targets must know which way to send (answer) packets back.
All unknown nets will be handled by the standard gateway... that's why standard...

You should sometimes better use a DNS in the 10.0.0 net (a simple DNS, perhaps only with etc/hosts resolving), or you can only connect by IP numbers...

F.
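
The three return-route options listed in the reply above, traced hop by hop as an added example that is not part of the original post. The addresses come from the thread; the routing tables, the `ISP` node and the fix names are constructed, and the OpenVPN server is assumed to forward packets between its LAN and tunnel interfaces.

```python
import ipaddress

HOST, ROUTER, VPN_SERVER, VPN_CLIENT = "10.0.0.107", "10.0.0.1", "10.0.0.254", "10.1.0.6"

def next_hop(table, dst):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def tables(fix=None):
    """Constructed routing tables for the thread's topology, with an optional fix."""
    t = {
        HOST: [("10.0.0.0/24", "direct"), ("0.0.0.0/0", ROUTER)],
        ROUTER: [("10.0.0.0/24", "direct"), ("0.0.0.0/0", "ISP")],
        # Assumption: the server forwards between its LAN and tun interfaces.
        VPN_SERVER: [("10.0.0.0/24", "direct"), ("10.1.0.0/24", "direct"),
                     ("0.0.0.0/0", ROUTER)],
        "ISP": [],  # private destinations are not routed on the internet
    }
    if fix == "host-route":      # option 1: route add on every LAN machine
        t[HOST].append(("10.1.0.0/24", VPN_SERVER))
    elif fix == "dhcp-gateway":  # option 2: 10.0.0.254 as default gateway
        t[HOST][1] = ("0.0.0.0/0", VPN_SERVER)
    elif fix == "router-route":  # option 3: static route on 10.0.0.1
        t[ROUTER].append(("10.1.0.0/24", VPN_SERVER))
    return t

def reply_path(fix=None, src=HOST, dst=VPN_CLIENT, max_hops=8):
    """Trace the reply from a LAN host back to the VPN client, hop by hop."""
    t, path, node = tables(fix), [src], src
    for _ in range(max_hops):
        hop = next_hop(t[node], dst)
        if hop is None:
            return path + ["DROPPED"]
        if hop == "direct":
            return path + [dst]
        path.append(hop)
        node = hop
    return path + ["LOOP"]

if __name__ == "__main__":
    for fix in (None, "host-route", "dhcp-gateway", "router-route"):
        print(f"{fix or 'no fix':13} {' -> '.join(reply_path(fix))}")
```

Without any fix the reply follows the default route to 10.0.0.1 and is lost upstream; each of the three options brings it back to 10.0.0.254.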


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 15.09.2009 10:15
DES

Joined: 07.09.2009 08:02
Posts: 7
Hello,
I have added to the machines in the local network a routing entry with gateway 10.0.0.254, which is the machine where the OpenVPN server runs.
Code:
route add 10.1.0.0 mask 255.255.255.0 10.0.0.254


But after that I'm getting a status message with an error on the server:
Code:
Tue Sep 15 10:23:13 2009 us=218000 ao1/89.174.27.233:1215 MULTI: bad source address from client [x.x.x.x], packet dropped

when I try to access resources.


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 15.09.2009 10:39
Profi

Joined: 23.10.2007 12:10
Posts: 2191
There x.x.x.x (??) will be wrongly forwarded...

It is a typical warning on tunnel start, until a Windows delayed route set works.
You have 2..3..4 wrongly routed packets until the correct route is set on the client.
Especially on WinXP-SP3, it is necessary to delay route settings.

Otherwise, something is (really) wrong, if it is a permanent message.

F.


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 15.09.2009 11:58
DES

Joined: 07.09.2009 08:02
Posts: 7
I'm getting it only a few times, so it's OK, but...

After I added a route entry
Code:
route add 10.1.0.0 mask 255.255.255.0 10.0.0.254

on local machines in the 10.0.0.0 network, I still can't ping them :(

The tracert 10.0.0.254 (local network address of the machine where the OpenVPN server runs) says:
Code:
1     28ms  31ms  31ms    10.0.0.254

The tracert 10.1.0.1 (OpenVPN server address) says:
Code:
1     43ms  31ms  30ms    10.1.0.1


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 15.09.2009 12:59
Profi

Joined: 23.10.2007 12:10
Posts: 2191
And does the error occur permanently?
Or only (?) 2..3..4..5 times on tunnel start?

F.


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 16.09.2009 07:46
DES

Joined: 07.09.2009 08:02
Posts: 7
What I noticed about this error is:

It only shows up when I want to access resources or ping the machine where the OpenVPN server runs, but the pings come back and I can see the shared folders while this error occurs.


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 16.09.2009 10:03
Profi

Joined: 23.10.2007 12:10
Posts: 2191
Interesting
- what route table the client has
- where the packet is coming from
You may increase the log level to see more info.

First idea was: wrongly routed packets...
Typically the OpenVPN server gets "private" packets... they will not be routable via the standard gateway (the internet does not route packets from all private nets) and there is no routing entry existing...
So I'm interested in what your x.x.x.x address is?! Is it an internet address or a private address? (I think a private net)...
F.


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 17.09.2009 07:48
DES

Joined: 07.09.2009 08:02
Posts: 7
Hello, again
route print
Code:
Active routes:
Target place       network mask      gate      Interface      Metric

          0.0.0.0          0.0.0.0     89.174.25.98    89.174.25.98       1
          0.0.0.0          0.0.0.0     192.168.16.1  192.168.16.219       21
         10.0.0.0    255.255.255.0         10.1.0.5        10.1.0.6       1
         10.1.0.1  255.255.255.255         10.1.0.5        10.1.0.6       1
         10.1.0.4  255.255.255.252         10.1.0.6        10.1.0.6       30
         10.1.0.6  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255         10.1.0.6        10.1.0.6       30
     89.174.25.98  255.255.255.255        127.0.0.1       127.0.0.1       50
     89.174.184.1  255.255.255.255     89.174.25.98    89.174.25.98       1
   89.255.255.255  255.255.255.255     89.174.25.98    89.174.25.98       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.16.0    255.255.255.0   192.168.16.219  192.168.16.219       20
   192.168.16.219  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.16.255  255.255.255.255   192.168.16.219  192.168.16.219       20
        224.0.0.0        240.0.0.0         10.1.0.6        10.1.0.6       30
        224.0.0.0        240.0.0.0   192.168.16.219  192.168.16.219       20
        224.0.0.0        240.0.0.0     89.174.25.98    89.174.25.98       1
  255.255.255.255  255.255.255.255         10.1.0.6        10.1.0.6       1
  255.255.255.255  255.255.255.255     89.174.25.98    89.174.25.98       1
  255.255.255.255  255.255.255.255   192.168.16.219  192.168.16.219       1
Default gateway:     89.174.25.98.
===========================================================================
Static routes:
  Lack


I ran tracert to the public IP of the router from the client computer:
Code:
 1    13 ms    15 ms    15 ms  89.174.184.1
  2    15 ms    15 ms    15 ms  85.219.193.21
  3    15 ms    15 ms    15 ms  157.25.248.81
  4    15 ms    15 ms    15 ms  taro-dbp1-so-0-0-0-0.net.ipartners.pl [157.25.4.237]
  5    15 ms    15 ms    15 ms  157.25.248.62
  6    15 ms    15 ms    15 ms  tktelekom-lim.wix.net.pl [195.85.195.25]
  7    15 ms    15 ms    15 ms  88-199-220-134.tktelekom.pl [88.199.220.134]
  8    15 ms    15 ms    15 ms  88-199-220-134.tktelekom.pl [88.199.220.134]
  9    31 ms    31 ms    31 ms  80.50.134.114
 10    31 ms    31 ms    31 ms  mediator.stella.net.pl [80.48.136.253]
 11     *        *        *     Limit of time of demand has expired.
 12     *        *        *     Limit of time of demand has expired.
 13     *        *        *     Limit of time of demand has expired.
 14     *        *        *     Limit of time of demand has expired.
 15     *        *        *     Limit of time of demand has expired.
 16     *        *        *     Limit of time of demand has expired.
 17     *        *        *     Limit of time of demand has expired.
 18     *        *        *     Limit of time of demand has expired.
 19     *        *        *     Limit of time of demand has expired.
 20     *        *        *     Limit of time of demand has expired.
 21     *        *        *     Limit of time of demand has expired.
 22     *        *        *     Limit of time of demand has expired.
 23     *        *        *     Limit of time of demand has expired.
 24     *        *        *     Limit of time of demand has expired.
 25     *        *        *     Limit of time of demand has expired.
 26     *        *        *     Limit of time of demand has expired.
 27     *        *        *     Limit of time of demand has expired.
 28     *        *        *     Limit of time of demand has expired.
 29     *        *        *     Limit of time of demand has expired.
 30     *        *        *     Limit of time of demand has expired.


and x.x.x.x is the private address of the client computer given by the ISP.

Regards
kaszewczyk


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 17.09.2009 12:20
Profi

Joined: 23.10.2007 12:10
Posts: 2191
Wrong idea... the traceroute only shows public traffic...

well: you decided:
a tunnel
and all other traffic will be sent to internet...

Code:
Tue Sep 15 10:23:13 2009 us=218000 ao1/89.174.27.233:1215 MULTI: bad source address from client [x.x.x.x], packet dropped


shows you a "wrong" packet... maybe misrouted from 89.174.27.233 to 89.174.25.98.
Why will it be transmitted the wrong way or on the wrong route?
Often it helps to see a few lines before in the log too...

One solution might be to change ping times (keepalive)...
I suggest setting the log level to 4 and reading the logs in the near future... very often it explains itself.

F.
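
One way to answer the "permanent, or only at tunnel start?" and "internet or private address?" questions raised in the replies above, as an added example that is not part of the original posts: it groups `MULTI: bad source address` drops per client from server log lines. The sample lines are constructed, and the 30-second `window` that separates transient from persistent drops is an assumed threshold.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DROP = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})(?: us=\d+)? "
    r"(?P<client>[^/\s]+)/(?P<peer>\S+):\d+ "
    r"MULTI: bad source address from client \[(?P<src>[^\]]+)\], packet dropped")

# Constructed sample lines in the format of the server log quoted in the thread.
SAMPLE = """\
Tue Sep 15 10:23:13 2009 us=218000 ao1/192.0.2.10:1215 MULTI: bad source address from client [192.168.50.7], packet dropped
Tue Sep 15 10:23:16 2009 us=330000 ao1/192.0.2.10:1215 MULTI: bad source address from client [192.168.50.7], packet dropped
Tue Sep 15 10:23:20 2009 us=500000 ao1/192.0.2.10:1215 PUSH: Received control message: 'PUSH_REQUEST'
Tue Sep 15 10:30:02 2009 us=120000 ao2/198.51.100.7:4021 MULTI: bad source address from client [203.0.113.5], packet dropped
Tue Sep 15 10:41:55 2009 us=640000 ao2/198.51.100.7:4021 MULTI: bad source address from client [203.0.113.5], packet dropped
""".splitlines()

def is_rfc1918(addr):
    """True/False for a parsable address, None for an elided one like x.x.x.x."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in RFC1918)

def triage(lines, window=30):
    """Group drops per client; 'transient' if they all fall within `window` seconds."""
    seen = {}
    for line in lines:
        m = DROP.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            seen.setdefault(m["client"], []).append((ts, m["src"]))
    report = {}
    for client, drops in seen.items():
        times = [t for t, _ in drops]
        span = (max(times) - min(times)).total_seconds()
        srcs = sorted({s for _, s in drops})
        report[client] = {
            "count": len(drops),
            "sources": srcs,
            "rfc1918": [is_rfc1918(s) for s in srcs],
            "verdict": "transient" if span <= window else "persistent",
        }
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```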


 Post subject: Re: LAN behind the openVPN server on Windows os
PostPosted: 23.09.2009 11:28
DES

Joined: 07.09.2009 08:02
Posts: 7
Hello, I have not solved this problem yet; I'm fed up with it right now :(
The picture below shows the topology of my network:
Image
So I think the packets should go from the client through the Internet to my router, where they will be forwarded to the OpenVPN server (machine IP: 10.0.0.254), next pushed back to the router to receive a local address (push "route 10.0.0.0 255.255.255.0") so that they can access computers in the LAN. Am I right?
I think the problem is somewhere between 10.0.0.254 -> 10.0.0.1, but I'm not sure if I'm right or how to solve it :(

best regards
kaszewczyk

