

All times are UTC




 Post subject: Can not reach my lan hosts from my remote clients
PostPosted: 11.03.2011 09:41 
DES

Joined: 11.03.2011 09:02
Posts: 4
Hello,

I recently started using OpenVPN and the configuration went flawlessly: I can easily connect to my VPN server from anywhere. I'm using the TUN mode (not ethernet bridge). My problem is I can only reach my VPN server and not the other hosts in its LAN.

Here is my configuration :

Image

LAN Network :
192.168.10.0 /24
VPN Server IP : 192.168.10.35 (eth0) - A Netgear ReadyNas Duo (Debian Sarge)
Default Gateway : 192.168.10.1


OpenVPN tunnel :
192.168.64.0/24
VPN Server IP : 192.168.64.1 (tun0)


What I did:
on my server.conf: I push only one route: 192.168.10.0/24
on my LAN default gateway: I added a static route to 192.168.64.0

From my remote client (Win7 Pro):
I can ping the VPN server on both IPs (LAN + VPN) but I can not ping other hosts.

On my VPN client a "route print" shows this:
Code:
    192.168.10.0    255.255.255.0     192.168.64.5     192.168.64.6     31
    192.168.64.1  255.255.255.255     192.168.64.5     192.168.64.6     31
    192.168.64.4  255.255.255.252         On-link      192.168.64.6    286
    192.168.64.6  255.255.255.255         On-link      192.168.64.6    286
    192.168.64.7  255.255.255.255         On-link      192.168.64.6    286


On my VPN Server :
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.64.2    *               255.255.255.255 UH    0      0        0 tun0
192.168.64.0    192.168.64.2    255.255.255.0   UG    0      0        0 tun0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0



Do you have any idea for me? I don't know what I'm missing here and it drives me nuts :/

PS: sorry for my mistakes, English is not my mother tongue but I'll do my best


Last edited by zakapatul on 11.03.2011 10:57, edited 1 time in total.

 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 11.03.2011 10:02 
Profi

Joined: 23.10.2007 12:10
Posts: 2185
zakapatul wrote:
...

Do you have any idea for me? I don't know what I'm missing here and it drives me nuts :/

PS: sorry for my mistakes, English is not my mother tongue but I'll do my best

1. hmm .. it is called: technical English :)

2. I am not sure, but.. it is one of the oldest FAQs.

I would say (no, I am not friendly today ..):
a badly planned (chaos design?) network design.
maybe (simpler) only a forgotten routing (problem).
I look on your network (design) = network topology would help.

Describe the packets' ways (don't forget answer packets) and look on each interface for known rules - where to deliver...
Do it all for the realtime used IPs

F.
ps: too much? too complicated? use easier questions :)


 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 11.03.2011 11:03 
DES

Joined: 11.03.2011 09:02
Posts: 4
First, thank you for your help! I already checked the FAQ before, if I had found my answer I wouldn't bother you with my problem...

dl5ym wrote:
2. I am not sure, but.. it is one of the oldest FAQs.

I would say (no, I am not friendly today ..):
a badly planned (chaos design?) network design.
maybe (simpler) only a forgotten routing (problem).
I look on your network (design) = network topology would help.


I added an image link to a quick schema of my configuration if that helps.

dl5ym wrote:
Describe the packets' ways (don't forget answer packets) and look on each interface for known rules - where to deliver...
Do it all for the realtime used IPs

F.
ps: too much? too complicated? use easier questions :)


I'm not a network guru, so I'm looking for an efficient way to troubleshoot my configuration. Ping is a basic tool, maybe you know another tool/command for *nix or Windows which shows the way followed by my packets?


 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 11.03.2011 12:46 
openvpn.eu Admin

Joined: 23.01.2006 08:05
Posts: 3321
Location: near Vienna
Hello,

According to your tests, the problem may be:
1. Wrong route on your default gateway.
2. Gateway doesn't forward packets for foreign networks (firewall configuration)
3. Server doesn't forward packets for VPN (firewall configuration)
4. Target blocks ICMP/Ping (firewall configuration)

If you have easy access to a machine in the server network, you may try to add the same route you already added to the default gateway. If that works, the problem is related to your default gateway.

_________________
regards,
note
Please take a look at our rules. Visit our wiki!


 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 11.03.2011 12:53 
Profi

Joined: 23.10.2007 12:10
Posts: 2185
zakapatul wrote:
First, thank you for your help! I already checked the FAQ before, if I had found my answer I wouldn't bother you with my problem...


I added an image link to a quick schema of my configuration if that helps.

I'm not a network guru, so I'm looking for an efficient way to troubleshoot my configuration. Ping is a basic tool, maybe you know another tool/command for *nix or Windows which shows the way followed by my packets?


not seen the link.. would be helpful

I am not a guru either, but... doing that job for a couple of years :)
So I have some basics in my mind ([correct] plan before install), which makes it easier and quicker [sometimes quick & dirty :( ]
F.

simple ASCII graphics is enough; or to describe the packet ways...each case


 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 11.03.2011 13:04 
DES

Joined: 11.03.2011 09:02
Posts: 4
Here is the link I told you about: http://www.hostingpics.net/viewer.php?id=928760homenetwork.jpg

Really, with the hardware I own, I tried to make the most efficient configuration :) But of course, I can fail :/

I'm suspecting my LAN default gateway of blocking my packets, which is one provided by my ISP provider (not known for the quality of its material :D).

I'm gonna try the test given by note (thank you by the way!).

I'll be back as soon as I find something to add :)


 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 11.03.2011 14:13 
Profi

Joined: 23.10.2007 12:10
Posts: 2185
hello,
o.k.
we take the picture...we take the machine 192.168.10.5
and look for its routing table.
That machine must know the way to 192.168.64.6 [better: 192.168.64. ] - if not - an answer will never come! (time out) and by the way even 192.168.64.6 must know the way to 192.168.10. [typically by setting a route in server.conf]

All routes you gave us .. concern only VPN client and VPN server. [a working connection]. btw. portforward on server is active.
Do not forget... the VPN client is only using its OpenVPN IP ...
One way: all machines to be connected get a routing entry - to be able to answer :)
second way: change the net design (OpenVPN server machine is always the default gateway)

I hope you can follow my intentions and manage it yourself now ....
If not -> next question :)

F.


 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 14.03.2011 09:03 
DES

Joined: 11.03.2011 09:02
Posts: 4
After running some tests this weekend I managed to get it working!

1) Pinging my remote clients from my LAN hosts showed me the route was correct (with a hop by my VPN server) but I wasn't able to reach my target!

2) After some research, I suspected a problem on my VPN server... The packets were not forwarded between my tunnel (tun0) and my ethernet interface (eth0). Since I enabled IP forwarding, everything is working fine!

If someone is facing the same problem, you can check the state of IP forwarding with the following command on *nix:
Code:
cat /proc/sys/net/ipv4/ip_forward

The result should be 1.

If not, you can enter this command to temporarily enable it:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

And to make it persistent after reboot, edit the /etc/sysctl.conf file and add this line:
Code:
net.ipv4.ip_forward = 1


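The packet walk that dl5ym asks for and the forwarding fix zakapatul reports, as an added example that is not part of any post in this thread: a small Python model of the four machines that traces a ping request and its reply hop by hop. `Host`, `trace`, `ping` and `topology` are hypothetical names, and as a simplifying assumption the OpenVPN net30 peer addresses (192.168.64.5, 192.168.64.2) are collapsed onto the server's tun0 address 192.168.64.1.

```python
from ipaddress import ip_address, ip_network

class Host:
    def __init__(self, name, addrs, routes, forward=False):
        self.name, self.forward = name, forward
        self.addrs = {ip_address(a) for a in addrs}
        # (destination network, next hop); next hop None means on-link
        self.routes = sorted(((ip_network(n), g and ip_address(g)) for n, g in routes),
                             key=lambda r: -r[0].prefixlen)  # most specific first

    def next_hop(self, dst):
        """Longest-prefix match; returns dst itself when the route is on-link."""
        return next((g or dst for n, g in self.routes if dst in n), None)

def trace(hosts, src, dst):
    """Walk one packet; return (delivered, hop names, reason)."""
    owner = {a: h for h in hosts for a in h.addrs}
    dst, cur = ip_address(dst), owner[ip_address(src)]
    path = [cur.name]
    for _ in range(16):  # hop limit, guards against routing loops
        if dst in cur.addrs:
            return True, path, "delivered"
        if len(path) > 1 and not cur.forward:  # transit host that will not route
            return False, path, f"{cur.name}: ip_forward is 0"
        hop = cur.next_hop(dst)
        if hop not in owner:  # no route, or next hop outside the model
            return False, path, f"{cur.name}: no usable route to {dst}"
        cur = owner[hop]
        path.append(cur.name)
    return False, path, "hop limit exceeded"

def ping(hosts, src, dst):
    """Succeeds only if the request AND the reply are both delivered."""
    req = trace(hosts, src, dst)
    return req, (trace(hosts, dst, src) if req[0] else None)

def topology(server_forward, gw_route=True):
    """Constructed model of the thread's network; the gateway's ISP uplink is omitted."""
    lan, vpn, dflt = "192.168.10.0/24", "192.168.64.0/24", "0.0.0.0/0"
    gw = [(lan, None)] + ([(vpn, "192.168.10.35")] if gw_route else [])
    return [
        Host("client", ["192.168.64.6"], [(vpn, None), (lan, "192.168.64.1")]),
        Host("vpn-server", ["192.168.10.35", "192.168.64.1"],
             [(vpn, None), (lan, None), (dflt, "192.168.10.1")], server_forward),
        Host("gateway", ["192.168.10.1"], gw, forward=True),
        Host("lan-host", ["192.168.10.5"], [(lan, None), (dflt, "192.168.10.1")]),
    ]

if __name__ == "__main__":  # before and after the fix from the thread
    print([ping(topology(f), "192.168.64.6", "192.168.10.5") for f in (False, True)])
```

With `topology(True, gw_route=False)` the request arrives but the reply dies at the gateway, which is the missing return route raised in the earlier replies. On the real server, enabling forwarding makes it a router for all of its interfaces, so firewall rules should limit forwarded traffic to what tun0 and eth0 need to exchange.
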
 Post subject: Re: Can not reach my lan hosts from my remote clients
PostPosted: 14.03.2011 11:32 
Profi

Joined: 23.10.2007 12:10
Posts: 2185
Again:
we take the picture...we take the machine 192.168.10.5
and look for its routing table.
That machine must know the way to 192.168.64.6 [better: 192.168.64. ] - if not - an answer will never come! (time out) and by the way even 192.168.64.6 must know the way to 192.168.10. [typically by setting a route in server.conf]

same text above...
your last message here told only about internals of the OpenVPN server.
The "can not reach" [if the tunnel exists] is mostly a routing problem, and what to do depends on your network design/layout.
There is no one-click solution for all possible cases.
F.
ps: same as note said in number 1

