hey friends, I have installed OpenVPN 2.0.7 (i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006) on Centos4.0 through rpm (diag repository). The network scenario of my office is below Remote Client ----> Internet <-------> Cisco Pix Firewall (Gateway) <----> VPN Server & LAN Clients (192.168.5.0/24) Cisco Pix Firewall: Having a static public ip address and a LAN Address of 192.168.5.5 and it is also acting as gateway for the LAN VPN Server: 192.168.5.20 and this is also a server on LAN running few more services for the clients in LAN. LAN Clients: 192.168.5.0/24 VPN Server port that is 1194 is open on Firewall. This is a test scenario and I was able to connect to the VPN Server from my home machine but I was not able to browse the clients or servers in the network range of 192.168.5.0/24. Routing table on the client machine. The client machine is having static ipaddress of 172.19.112.154( dsl connection) 10.1.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 192.168.5.0 10.1.1.5 255.255.255.0 UG 0 0 0 tun0 10.1.1.0 10.1.1.5 255.255.255.0 UG 0 0 0 tun0 172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 172.19.0.1 0.0.0.0 UG 0 0 0 eth0 Tue Aug 1 23:10:55 2006 SIGUSR1[soft,tls-error] received, process restarting Tue Aug 1 23:10:55 2006 Restart pause, 2 second(s) Tue Aug 1 23:10:57 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Tue Aug 1 23:10:57 2006 Re-using SSL/TLS context Tue Aug 1 23:10:57 2006 LZO compression initialized Tue Aug 1 23:10:57 2006 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ] Tue Aug 1 23:10:57 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Tue Aug 1 23:10:57 2006 Local Options hash (VER=V4): '504e774e' Tue Aug 1 23:10:57 2006 Expected Remote Options hash (VER=V4): '14168603' Tue Aug 1 23:10:57 2006 UDPv4 link local: [undef] Tue Aug 1 23:10:57 2006 UDPv4 link remote: xx.xx.xx.xx:1194 --->> public ip address on pix firewall Tue Aug 1 23:11:21 2006 TLS: Initial packet from xx.xx.xx.xx:1194, ---->> public ip address on pix firewall sid=7c6f6585 62ec6b5f Tue Aug 1 23:11:21 2006 VERIFY OK: depth=1, /C=IN/ST=DE/L=ND/O=OpenVPN-TEST/OU=VPN_Server/CN= server1.test.net/emailAddress=postmater@xxxxxxxxxxxxxxxxxxxxx Tue Aug 1 23:11:21 2006 VERIFY OK: nsCertType=SERVER Tue Aug 1 23:11:21 2006 VERIFY OK: depth=0, /C=IN/ST=DE/O=OpenVPN-TEST/OU=VPN_Server/CN=server1.test.net/emailAddress=postmater@xxxxxxxxxxxxxxxxxxxxx Tue Aug 1 23:11:23 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Tue Aug 1 23:11:23 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Tue Aug 1 23:11:23 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Tue Aug 1 23:11:23 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Tue Aug 1 23:11:23 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA Tue Aug 1 23:11:23 2006 [server1.test.net] Peer Connection Initiated with xx.xx.xx.xx:1194 Tue Aug 1 23:11:25 2006 SENT CONTROL [server1.test.net ]: 'PUSH_REQUEST' (status=1) Tue Aug 1 23:11:25 2006 PUSH: Received control message: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.10,route 10.1.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5' Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: timers and/or timeouts modified Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: --ifconfig/up options modified Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: route options modified Tue Aug 1 23:11:25 2006 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Tue Aug 1 23:11:25 2006 TUN/TAP device tun0 opened Tue Aug 1 23:11:25 2006 /sbin/ip link set dev tun0 up mtu 1500 Tue Aug 1 23:11:25 2006 /sbin/ip addr add dev tun0 local 10.1.1.6 peer 10.1.1.5 Tue Aug 1 23:11:25 2006 /sbin/ip route add 192.168.5.0/24 via 10.1.1.5 Tue Aug 1 23:11:25 2006 /sbin/ip route add 10.1.1.0/24 via 10.1.1.5 Tue Aug 1 23:11:25 2006 Initialization Sequence Completed ifconfig on server tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.1.1.1 P-t-P:10.1.1.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:173 errors:0 dropped:0 overruns:0 frame:0 TX packets:145 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:14052 (13.7 KiB) TX bytes:12192 ( 11.9 KiB) ifconfig on client tun0 Link encap:Point-to-Point Protocol inet addr:10.1.1.6 P-t-P:10.1.1.5 Mask: 255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:143 errors:0 dropped:0 overruns:0 frame:0 TX packets:174 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:12024 (11.7 Kb) TX bytes:14112 (13.7 Kb) Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Tue Aug 1 23:01:10 2006 202.149.50.30:1030 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA Tue Aug 1 23:01:10 2006 202.149.50.30:1030 [clien1.test.net ] Peer Connection Initiated with 202.149.50.30:1030 Tue Aug 1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI: Learn: 10.1.1.6 -> clien1.test.net/202.149.50.30:1030 Tue Aug 1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI: primary virtual IP for clien1.test.net/202.149.50.30:1030: 10.1.1.6 Tue Aug 1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 PUSH: Received control message: 'PUSH_REQUEST' Tue Aug 1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 SENT CONTROL [ clien1.test.net]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.10,route 10.1.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5' (status=1) Tue Aug 1 23:34:41 2006 clien1.test.net/202.149.50.30:1030 [clien1.test.net] Inactivity timeout (--ping-restart), restarting Tue Aug 1 23:34:41 2006 clien1.test.net/202.149.50.30:1030 SIGUSR1[soft,ping-restart] received, client-instance restarting iptables -L on VPN Server Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 10.1.1.0/24 192.168.5.0/24 One setting is missing in client.conf that is "route 192.168.5.0 255.255.255.0" These entries are also added to iptables on VPN Server # Allow TUN interface connections to OpenVPN server iptables -A INPUT -i tun+ -j ACCEPT # Allow TUN interface connections to be forwarded through other interfaces iptables -A FORWARD -i tun+ -j ACCEPT # Allow TAP interface connections to OpenVPN server iptables -A INPUT -i tap+ -j ACCEPT # Allow TAP interface connections to be forwarded through other interfaces iptables -A FORWARD -i tap+ -j ACCEPT IP Forwarding is enable on the VPN Server. But still I am not able to access the machines/clients in subnet 192.168.5.0/24. I am attaching the server.conf(openvpnserver.conf) file with this emai. What more iptables entries needs to be added ? Please let me know if you need any further inputs. Thanks & Regards Ankush Grover
Attachment:
openvpnserver.conf
Description: Binary data
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos