 Post subject: [SOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 15.09.2009 15:42 
DES

Joined: 27.08.2009 19:05
Posts: 8
*9/16/09 EDIT: Having issues again - Please see post below.
*9/17/09 EDIT: Solved and OpenVPN is now working FLAWLESSLY, but don't understand what I did right/wrong.

First and foremost, my genuine thanks to everyone who takes the time to read and perhaps offer help - I very truly appreciate any information anyone can offer!

I have been struggling with setting up ZERINA OpenVPN with IPcop for over a month, even after thoroughly reading & following directions from a number of online tutorials and posts on this forum.

I am using the OpenVPN GUI for Windows ( http://openvpn.se/ ), can connect to the VPN server, and it assigns me an IP, but I cannot ping nor access any host on the GREEN network.

Currently I have IPcop 1.4.20 with ZERINA 0.9.7a14.

This is my network setup:

RED: Dynamic from ISP
GREEN: 10.10.16.0/255.255.254.0
GREEN GATEWAY: 10.10.16.61
OPENVPN: 10.10.17.0/255.255.255.0

This is the routing table IPcop shows:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
blng-dsl-gw04-1 *               255.255.255.255 UH    0      0        0 ppp0
10.10.17.2      *               255.255.255.255 UH    0      0        0 tun0
10.10.17.0      10.10.17.2      255.255.255.0   UG    0      0        0 tun0
1.1.1.0         *               255.255.255.0   U     0      0        0 eth1
10.10.16.0      *               255.255.254.0   U     0      0        0 eth0
default         blng-dsl-gw04-1 0.0.0.0         UG    0      0        0 ppp0


These are the actions I have done:
  • Fresh install IPcop 1.4.20
  • Transfer ZERINA 0.9.7a14 package to IPcop with WinSCP
  • Edit install script to check for 1.4.20
  • Successfully install ZERINA
  • Access 'OpenVPN' tab in IPcop web-based interface
  • Generated root & host certificates
  • Input settings on 'OpenVPN' tab:
    • OpenVPN on Red: Checked
    • Local VPN Hostname: vpn.mydomainname.com ( RED Hostname )
    • OpenVPN Device: TUN
    • Protocol: UDP
    • MTU Size: 1400
    • LZO Compression: Checked
    • OpenVPN Subnet: 10.10.17.0/255.255.255.0
    • Destination Port: 1194
    • Encryption: AES-128-CBC
    • ADVANCED SERVER OPTIONS:
      • Additional Push Route 1: 10.10.17.0/255.255.255.0 to 10.10.16.0/255.255.254.0
      • Additional Push Route 2: 10.10.16.0/255.255.254.0 to 10.10.17.0/255.255.255.0
    • Generated RoadWarrior Client certificates
    • Unzipped OpenVPN Roadwarrior client package into Program Files\OpenVPN\config folder

Again, I can successfully connect to OpenVPN and get a 10.10.17.X IP address,
but cannot ping or access any host on the GREEN LAN ( 10.10.16.X ).

I am unsure of how to proceed from here - Again, any help that can be offered is very truly appreciated - Thank you to all who respond! :D


Last edited by mworks on 17.09.2009 17:19, edited 3 times in total.

 Post subject: Re: Please Help - OpenVPN TUN unable to access GREEN LAN
PostPosted: 15.09.2009 18:00 
Profi

Joined: 23.10.2007 12:10
Posts: 2183
mworks wrote:
First and foremost, my genuine thanks to everyone who takes the time to read and perhaps offer help - I very truly appreciate any information anyone can offer!

I have been struggling with setting up ZERINA OpenVPN with IPcop for over a month, even after thoroughly reading & following directions from a number of online tutorials and posts on this forum.

I am using the OpenVPN GUI for Windows ( http://openvpn.se/ ), can connect to the VPN server, and it assigns me an IP, but I cannot ping nor access any host on the GREEN network.

Currently I have IPcop 1.4.20 with ZERINA 0.9.7a14.

This is my network setup:

RED: Dynamic from ISP
GREEN: 10.10.16.0/255.255.254.0
GREEN GATEWAY: 10.10.16.61
OPENVPN: 10.10.17.0/255.255.255.0

This is the routing table IPcop shows:

o.k.
Quote:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
blng-dsl-gw04-1 *               255.255.255.255 UH    0      0        0 ppp0
10.10.17.2      *               255.255.255.255 UH    0      0        0 tun0
10.10.17.0      10.10.17.2      255.255.255.0   UG    0      0        0 tun0
1.1.1.0         *               255.255.255.0   U     0      0        0 eth1
10.10.16.0      *               255.255.254.0   U     0      0        0 eth0
default         blng-dsl-gw04-1 0.0.0.0         UG    0      0        0 ppp0


These are the actions I have done:
  • Fresh install IPcop 1.4.20 o.k.
  • Transfer ZERINA 0.9.7a14 package to IPcop with WinSCP o.k.
  • Edit install script to check for 1.4.20 o.k.
  • Successfully install ZERINA o.k.
  • Access 'OpenVPN' tab in IPcop web-based interface o.k.
  • Generated root & host certificates o.k.
  • Input settings on 'OpenVPN' tab:
    • OpenVPN on Red: Checked o.k.
    • Local VPN Hostname: vpn.mydomainname.com ( RED Hostname ) o.k.
    • OpenVPN Device: TUN o.k.
    • Protocol: UDP o.k.
    • MTU Size: 1400 o.k.
    • LZO Compression: Checked o.k.
    • OpenVPN Subnet: 10.10.17.0/255.255.255.0 o.k.
    • Destination Port: 1194 o.k.
    • Encryption: AES-128-CBC o.k.
    • ADVANCED SERVER OPTIONS: o.k. but first time not needed
      • Additional Push Route 1: 10.10.17.0/255.255.255.0 to 10.10.16.0/255.255.254.0 why ?
      • Additional Push Route 2: 10.10.16.0/255.255.254.0 to 10.10.17.0/255.255.255.0 why ?
    • Generated RoadWarrior Client certificates o.k.
    • Unzipped OpenVPN Roadwarrior client package into Program Files\OpenVPN\config folder o.k.

Again, I can successfully connect to OpenVPN and get a 10.10.17.X IP address,
but cannot ping or access any host on the GREEN LAN ( 10.10.16.X ).

I am unsure of how to proceed from here - Again, any help that can be offered is very truly appreciated - Thank you to all who respond! :D

Additional routes not needed. Here I never did!

The simplest way:
- set your IPCop as standard gateway for all green-net machines
- if not: set a route like route add -net 10.10.17.0/24 gw GREEN_INTERFACE
- you should set a push route 10.10.16.0/255.255.255.0 in server.conf
(clients will know the "green net")
and, if you prefer a redirect... set a push redirect..... if all client traffic should be tunneled..

and client.conf has a client or pull entry

traceroute should show:
10.10.17.6 -> 10.10.17.1-> (10.10.16.61 ) -> 10.10.16.92
and a ping from 10.10.16.92 to 10.10.17.6 should run backwards..
please push only the green net
you may push a redirect
you may push a DNS-Option (address = green-net-name-resolver)

my client.conf
Code:
#OpenVPN Client conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote 88.88.88.88 1194
pkcs12 myself.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server


server.conf

Code:
#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare ZERINA for listening on blue and orange
;local 192.168.168.168
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
ca /var/ipcop/ovpn/ca/cacert.pem
cert /var/ipcop/ovpn/certs/servercert.pem
key /var/ipcop/ovpn/certs/serverkey.pem
dh /var/ipcop/ovpn/ca/dh1024.pem
server 10.10.10.0 255.255.255.0
push "route 192.168.168.0 255.255.255.0"
client-to-client                          # ??
keepalive 10 60
status-version 1                          # ??
status /var/log/ovpnserver.log 30
cipher BF-CBC
comp-lzo
push "redirect-gateway def1"              # ??
push "dhcp-option DOMAIN mydoamin.tld"    # ??
push "dhcp-option DNS 192.168.168.80"     # ??
max-clients 100                           # ??
client-config-dir /var/ipcop/ovpn/ccd     # ??
ccd-exclusive                             # ??
mtu-disc yes
tls-verify /var/ipcop/ovpn/verify
crl-verify /var/ipcop/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3


All lines with two question marks you do not need ...
I hope it shows most. The OpenVPN server's local IP is given here as 192.168.168.168,
my (local) nameserver as 192.168.168.80.

F.


 Post subject: Re: Please Help - OpenVPN TUN unable to access GREEN LAN
PostPosted: 15.09.2009 18:14 
DES

Joined: 27.08.2009 19:05
Posts: 8
Going to give this a shot - Will post back and let you know what happens.

Thank you for your help! :-)


 Post subject: Re: Please Help - OpenVPN TUN unable to access GREEN LAN
PostPosted: 15.09.2009 20:57 
DES

Joined: 27.08.2009 19:05
Posts: 8
@dl5ym

First of all, THANK YOU for your help & information - Thanks to you, I was able to verify all of my settings were correct (except the "Additional Push Route" part) & resolve the issue. :klatsch

The settings in my server.conf ( /var/ipcop/ovpn/server.conf ) and client.conf ( which on Windows is actually C:\Program Files\OpenVPN\config\whatever.ovpn ) were mostly okay.

As it turns out, the problem was actually the OpenVPN client I was using - The OpenVPN GUI provided at http://openvpn.se/ wasn't working on Windows XP, Vista, or Windows 7, so I uninstalled it, and got the OpenVPN 2.1 RC19 one from Openvpn.net:

http://openvpn.net/release/openvpn-2.1_rc19-install.exe

On Windows XP, no special settings are needed to install this. However, on Windows Vista and Windows 7, the installer needs to be set to 'Windows Vista' compatibility mode and 'Run As Administrator' before running it.

Once installed, I had to do one additional thing: Open my client.conf file ( or C:\Program Files\OpenVPN\config\whatever.ovpn ) and add this line to the end of it:

Code:
 redirect-gateway def1


One last note: On Windows Vista & Windows 7, the OpenVPN GUI must be run as Administrator, or it will fail at establishing routes.

Voila! :dance: As soon as I did all of that, I could hit everything on the GREEN network just fine.

I just wanted to express my appreciation for your help, dl5ym, and describe the process that made the OpenVPN ZERINA addon work for me - Thanks again! :D


 Post subject: Re: [UNSOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 16.09.2009 17:29 
DES

Joined: 27.08.2009 19:05
Posts: 8
Well, suddenly I've realized I cannot ping or access a lot of hosts on the 10.10.16.0/255.255.254.0 network. :-( I'm able to connect with certain ones (i.e. 10.10.16.204) but others don't reply at all (i.e. 10.10.16.208).

I can connect to the VPN server just fine, can access IPcop's web-based interface, and can even open my web browser and surf the web through their Internet connection, but many hosts on the GREEN network are simply "Destination Unreachable".

I am noticing a number of WARNINGS in the OpenVPN client connection log, notably ones that state possible conflicts between local & remote subnets.

Below is the log from the OpenVPN client:
(Note: For security purposes, the OpenVPN hostname / RED WAN interface is VPN.MYNETWORKDOMAIN.COM with 999.999.999.999 IP )

Code:
[vpn.MYNETWORKDOMAIN.com] Peer Connection Initiated with 999.999.999.999:1194
SENT CONTROL [vpn.MYNETWORKDOMAIN.com]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 10.10.16.0 255.255.254.0 10.10.16.61,redirect-gateway def1,route 10.10.17.1,ping 10,ping-restart 60,ifconfig 10.10.17.6 10.10.17.5'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
WARNING: potential TUN/TAP adapter subnet conflict between local LAN [10.0.0.0/255.0.0.0] and remote VPN [10.10.17.6/255.255.255.255]
ROUTE default_gateway=10.10.12.1
TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{354B1408-834D-48CC-BA5F-43F9D1D58009}.tap
TAP-Win32 Driver Version 9.6
TAP-Win32 MTU=1500
Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.17.6/255.255.255.252 on interface {354B1408-834D-48CC-BA5F-43F9D1D58009} [DHCP-serv: 10.10.17.5, lease-time: 31536000]
Successful ARP Flush on interface [27] {354B1408-834D-48CC-BA5F-43F9D1D58009}
TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
C:\WINDOWS\system32\route.exe ADD 999.999.999.999 MASK 255.255.255.255 10.10.12.1
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.17.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.17.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.0.0.0] and remote VPN [10.10.16.0/255.255.254.0]
C:\WINDOWS\system32\route.exe ADD 10.10.16.0 MASK 255.255.254.0 10.10.16.61
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.0.0.0] and remote VPN [10.10.17.1/255.255.255.255]
C:\WINDOWS\system32\route.exe ADD 10.10.17.1 MASK 255.255.255.255 10.10.17.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
Initialization Sequence Completed

For those who don't want to read my previous post, I have GREEN network 10.10.16.0/255.255.254.0 and OpenVPN (TUN) network 10.10.17.0/255.255.255.0 - After connecting, I can reach the GREEN gateway (10.10.16.61) and certain GREEN network hosts (i.e. 10.10.16.204) but many others (i.e. 10.10.16.180 - 10.10.16.199) will not respond.

This is my current routing table:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
blng-dsl-gw04-1 *               255.255.255.255 UH    0      0        0 ppp0
10.10.17.2      *               255.255.255.255 UH    0      0        0 tun0
10.10.17.0      10.10.17.2      255.255.255.0   UG    0      0        0 tun0
1.1.1.0         *               255.255.255.0   U     0      0        0 eth1
10.10.16.0      *               255.255.254.0   U     0      0        0 eth0
default         blng-dsl-gw04-1 0.0.0.0         UG    0      0        0 ppp0


Again, any help or insights anyone can offer are very, VERY much appreciated - Thanks again to all who take the time to consider my issue and reply!


 Post subject: Re: [UNSOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 16.09.2009 18:04 
Profi

Joined: 23.10.2007 12:10
Posts: 2183
mworks wrote:
Well, suddenly I've realized I cannot ping or access a lot of hosts on the 10.10.16.0/255.255.254.0 network. :-( I'm able to connect with certain ones (i.e. 10.10.16.204) but others don't reply at all (i.e. 10.10.16.208).

I can connect to the VPN server just fine, can access IPcop's web-based interface, and can even open my web browser and surf the web through their Internet connection, but many hosts on the GREEN network are simply "Destination Unreachable".

[..........]
Quote:
For those who don't want to read my previous post, I have GREEN network 10.10.16.0/255.255.254.0 and OpenVPN (TUN) network 10.10.17.0/255.255.255.0 - After connecting, I can reach the GREEN gateway (10.10.16.61) and certain GREEN network hosts (i.e. 10.10.16.204) but many others (i.e. 10.10.16.180 - 10.10.16.199) will not respond.



...and you have realized
1) all default gateways (of unreachables) are pointing to VPN server ?
or
2) they have instead of a (own permanent) routing entry
like ... " route add -net 10.10.17.0/24 gw $GREEN_IP "


...but this routing question was not discussed in the messages before ;-)
(it is never a problem, if ZERINA is running on IPCop and IPCop is standard gateway for the whole net )
my machines have some additional routing entries - one for each VPN-net.

F.


 Post subject: Re: [UNSOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 17.09.2009 15:03 
DES

Joined: 27.08.2009 19:05
Posts: 8
dl5ym, thank you again for trying to help me. I apologize, but I may not be understanding what you are trying to tell me.

Quote:
1) all default gateways (of unreachables) are pointing to VPN server ?

Yes, all hosts/devices on the GREEN network have their gateway set as 10.10.16.61 (Green network default gateway) - Should this be different?

Quote:
2) they have instead of a (own permanent) routing entry
like ... " route add -net 10.10.17.0/24 gw $GREEN_IP "

I tried adding this route you have suggested (route add -net 10.10.17.0/24 gw 10.10.16.61) and then I could not communicate with any GREEN network host.

Currently, when I run a TRACEROUTE from my OpenVPN connection to the GREEN gateway, it indicates 1 hop to 10.10.16.61. When I run a TRACEROUTE to one of the GREEN network hosts (i.e. 10.10.16.204) it indicates two hops: 10.10.17.1 -> 10.10.16.204.

I am sorry that I do not understand what I am doing wrong, or why I can ping a 10.10.16.204 host (an HP printer) but not a 10.10.16.208 host (a Windows XP computer) :-(

I would like to learn - If you have time, could you walk me through exactly what I should be doing to correct this issue?

Thank you again for any help you can offer.


 Post subject: Re: [SOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 17.09.2009 17:30 
DES

Joined: 27.08.2009 19:05
Posts: 8
Well, I still don't understand why my initial setup did not work, but I now have everything working without issue.

Here's my final working setup:

RED: Dynamically assigned from ISP
GREEN: 10.10.16.0 / 255.255.254.0
GREEN GATEWAY: 10.10.16.61
OpenVPN: 10.10.18.0 / 255.255.254.0

Using OpenVPN for Windows v2.1 RC19 ( http://openvpn.net/release/openvpn-2.1_rc19-install.exe ) on Windows XP, Windows Vista and Windows 7

Also, I removed the following line from both /var/ipcop/ovpn/server.conf and C:\Program Files\OpenVPN\config\myusername.ovpn , and also unchecked it on the OpenVPN 'Advanced Server Options' page:

Code:
redirect-gateway def1


All hosts (computers, printers, etc.) on GREEN can now be pinged and accessed, and I can surf the Internet as well through the GREEN gateway.

Still, I don't understand why my initial setup didn't work, and I really feel like an idiot. :?

I thought that by creating the GREEN network as 10.10.16.0 / 255.255.254.0 (510 hosts, Range 10.10.16.0 - 10.10.17.253 ) and the OpenVPN network as 10.10.17.0 / 255.255.255.0, the GREEN network & OpenVPN network would be able to communicate because they were in the same IP range. Obviously I was wrong, and I don't understand why.

In any case, I again want to express my thanks to dl5ym and everyone else who took the time to read through my posts and try to offer advice - I'm just not feeling confident that I could do this again, or that I have a good understanding of how networks/subnets/routing really work. :-( Guess it's time for me to start reading up on more of this stuff.
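
The subnet arithmetic behind the initial and final setups in this thread, as an added example that is not part of any post: it runs Python's `ipaddress` module over the addresses quoted above and the PUSH_REPLY line from the client log. The function names are this example's own.

```python
import ipaddress

# Addresses copied from the thread. CLIENT_LAN is the local LAN that the
# OpenVPN client reported in its WARNING lines.
GREEN = ipaddress.ip_network("10.10.16.0/255.255.254.0")
VPN_INITIAL = ipaddress.ip_network("10.10.17.0/255.255.255.0")
VPN_FINAL = ipaddress.ip_network("10.10.18.0/255.255.254.0")
CLIENT_LAN = ipaddress.ip_network("10.0.0.0/255.0.0.0")

# PUSH_REPLY control message as it appears in the posted client log.
PUSH_REPLY = ("PUSH_REPLY,route 10.10.16.0 255.255.254.0 10.10.16.61,"
              "redirect-gateway def1,route 10.10.17.1,ping 10,"
              "ping-restart 60,ifconfig 10.10.17.6 10.10.17.5")


def pushed_routes(push_reply):
    """Return the networks named by 'route' options in a PUSH_REPLY string."""
    routes = []
    for option in push_reply.split(","):
        fields = option.split()
        if not fields or fields[0] != "route":
            continue
        # OpenVPN treats a route without a netmask as a single host.
        mask = fields[2] if len(fields) > 2 else "255.255.255.255"
        routes.append(ipaddress.ip_network(f"{fields[1]}/{mask}"))
    return routes


def on_link(address, lan):
    """True if a host configured with `lan` considers `address` local.

    Such a host ARPs for the address on its own segment instead of
    handing the packet to its default gateway.
    """
    return ipaddress.ip_address(address) in lan


def audit(green, vpn, client_lan, push_reply):
    """Collect addressing overlaps for one VPN design."""
    findings = []
    if vpn.overlaps(green):
        findings.append(
            f"VPN {vpn} overlaps GREEN {green} ({green[0]} - {green[-1]}): "
            "GREEN hosts treat the shared addresses as on-link")
    for net in pushed_routes(push_reply):
        if net.overlaps(client_lan):
            findings.append(
                f"pushed route {net} overlaps client LAN {client_lan}")
    return findings


if __name__ == "__main__":
    for label, vpn in (("initial", VPN_INITIAL), ("final", VPN_FINAL)):
        print(f"--- {label} VPN subnet {vpn}")
        for finding in audit(GREEN, vpn, CLIENT_LAN, PUSH_REPLY):
            print("  " + finding)
    # 10.10.17.6 is the tunnel address the client was given in the log.
    print("GREEN host sees 10.10.17.6 as local:", on_link("10.10.17.6", GREEN))
```

The two pushed-route findings correspond to the two "potential route subnet conflict" warnings in the posted log; they depend on the client's own LAN, not on the server's choice of VPN subnet.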


 Post subject: Re: [SOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 17.09.2009 17:44 
Profi

Joined: 23.10.2007 12:10
Posts: 2183
may be one explanation:
Code:
#  ADVANCED SERVER OPTIONS:

    * Additional Push Route 1: 10.10.17.0/255.255.255.0 to 10.10.16.0/255.255.254.0
    * Additional Push Route 2: 10.10.16.0/255.255.254.0 to 10.10.17.0/255.255.255.0



tells the System: 10.10.17 should be routed to 10.10.16 and 10.10.16 again to 10.10.17 and 10.10.17 again to 10.10.16 and........

if you imagine the route as a tube, packets will be sent through...
or imagine squareroot( minus 1 ) ;-))

F.


 Post subject: Re: [SOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 17.09.2009 18:36 
DES

Joined: 27.08.2009 19:05
Posts: 8
dl5ym wrote:
may be one explanation:
Code:
#  ADVANCED SERVER OPTIONS:

    * Additional Push Route 1: 10.10.17.0/255.255.255.0 to 10.10.16.0/255.255.254.0
    * Additional Push Route 2: 10.10.16.0/255.255.254.0 to 10.10.17.0/255.255.255.0



tells the System: 10.10.17 should be routed to 10.10.16 and 10.10.16 again to 10.10.17 and 10.10.17 again to 10.10.16 and........


I removed those a few posts ago ( when I still had OpenVPN network set as 10.10.17.0/255.255.255.0 ) because you noted "why?" by them - I can see what you mean, though. :-) Having those routes would send traffic in an "infinite loop," yes?


 Post subject: Re: [SOLVED] OpenVPN TUN unable to access GREEN LAN
PostPosted: 03.11.2011 13:21 
DES

Joined: 03.11.2011 13:20
Posts: 1
I have exactly the same problem with Windows7 64bit not working but copied exact config from WinXP which worked.

On XP I could see network machines and drives, on Windows7 I can't. Logs on connect and route table looks fine under Windows7 - but somehow network machine information is not passing through the TUN device despite routes.

I tried manually adding exact routes but still no luck. It seems Microsoft has changed how networking name resolution works.

