[CentOS] Openvpn problem not able to access the other machines on remote subnet

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



hey friends,

I have installed OpenVPN 2.0.7 (i386-redhat-linux-gnu [SSL] [LZO]
[EPOLL] built on Apr 29 2006) on Centos4.0 through rpm (diag
repository). The network scenario of my office is below


Remote Client ---->   Internet   <------->  Cisco Pix Firewall
(Gateway) <---->  VPN Server

                                    & LAN Clients

                                    (192.168.5.0/24)

Cisco Pix Firewall:  Having a static public ip address and a LAN
Address of 192.168.5.5 and it is also acting as gateway for the LAN

VPN Server: 192.168.5.20 and this is also a server on LAN
                   running few more services for the clients in LAN.

LAN Clients:  192.168.5.0/24

VPN Server port that is 1194 is open on Firewall. This is a test
scenario and I was able to connect to the VPN Server from my home
machine but I was not able to browse the clients or servers in the
network range of 192.168.5.0/24.

Routing table on the client machine. The client machine is having
static ipaddress of 172.19.112.154( dsl connection)

10.1.1.5         0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.5.0     10.1.1.5         255.255.255.0   UG    0      0        0 tun0
10.1.1.0        10.1.1.5        255.255.255.0    UG    0      0        0 tun0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0          255.0.0.0       U     0      0        0 lo
0.0.0.0         172.19.0.1      0.0.0.0         UG    0      0        0 eth0


Tue Aug  1 23:10:55 2006 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug  1 23:10:55 2006 Restart pause, 2 second(s)
Tue Aug  1 23:10:57 2006 IMPORTANT: OpenVPN's default port number is now 1194,
based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and
earlier used 5000 as the default port.
Tue Aug  1 23:10:57 2006 Re-using SSL/TLS context
Tue Aug  1 23:10:57 2006 LZO compression initialized
Tue Aug  1 23:10:57 2006 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0
ET:0 EL:0 ]
Tue Aug  1 23:10:57 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135
ET:0 EL:0 AF:3/1 ]
Tue Aug  1 23:10:57 2006 Local Options hash (VER=V4): '504e774e'
Tue Aug  1 23:10:57 2006 Expected Remote Options hash (VER=V4): '14168603'
Tue Aug  1 23:10:57 2006 UDPv4 link local: [undef]
Tue Aug  1 23:10:57 2006 UDPv4 link remote: xx.xx.xx.xx:1194   --->>
public ip address on pix firewall
Tue Aug  1 23:11:21 2006 TLS: Initial packet from xx.xx.xx.xx:1194,
---->> public ip address on pix firewall
sid=7c6f6585 62ec6b5f
Tue Aug  1 23:11:21 2006 VERIFY OK: depth=1,
/C=IN/ST=DE/L=ND/O=OpenVPN-TEST/OU=VPN_Server/CN=
server1.test.net/emailAddress=postmater@xxxxxxxxxxxxxxxxxxxxx
Tue Aug  1 23:11:21 2006 VERIFY OK: nsCertType=SERVER
Tue Aug  1 23:11:21 2006 VERIFY OK: depth=0,
/C=IN/ST=DE/O=OpenVPN-TEST/OU=VPN_Server/CN=server1.test.net/emailAddress=postmater@xxxxxxxxxxxxxxxxxxxxx
Tue Aug  1 23:11:23 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Tue Aug  1 23:11:23 2006 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Tue Aug  1 23:11:23 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Tue Aug  1 23:11:23 2006 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Tue Aug  1 23:11:23 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug  1 23:11:23 2006 [server1.test.net] Peer Connection Initiated
with xx.xx.xx.xx:1194
Tue Aug  1 23:11:25 2006 SENT CONTROL [server1.test.net ]:
'PUSH_REQUEST' (status=1)
Tue Aug  1 23:11:25 2006 PUSH: Received control message: 'PUSH_REPLY,route
192.168.5.0 255.255.255.0,dhcp-option DNS  192.168.5.10,route 10.1.1.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6  10.1.1.5'
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: route options modified
Tue Aug  1 23:11:25 2006 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
Tue Aug  1 23:11:25 2006 TUN/TAP device tun0 opened
Tue Aug  1 23:11:25 2006 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug  1 23:11:25 2006 /sbin/ip addr add dev tun0 local 10.1.1.6 peer
10.1.1.5
Tue Aug  1 23:11:25 2006 /sbin/ip route add  192.168.5.0/24 via 10.1.1.5
Tue Aug  1 23:11:25 2006 /sbin/ip route add 10.1.1.0/24 via 10.1.1.5
Tue Aug  1 23:11:25 2006 Initialization Sequence Completed

ifconfig on server
tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:173 errors:0 dropped:0 overruns:0 frame:0
         TX packets:145 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:14052 (13.7 KiB)  TX bytes:12192 ( 11.9 KiB)


ifconfig on client
tun0      Link encap:Point-to-Point Protocol
         inet addr:10.1.1.6  P-t-P:10.1.1.5  Mask: 255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:143 errors:0 dropped:0 overruns:0 frame:0
         TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:12024 (11.7 Kb)  TX bytes:14112 (13.7 Kb)


Tue Aug  1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug  1 23:01:10 2006 202.149.50.30:1030 Data Channel Decrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug  1 23:01:10 2006  202.149.50.30:1030 Control Channel: TLSv1,
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug  1 23:01:10 2006 202.149.50.30:1030 [clien1.test.net ] Peer
Connection Initiated with 202.149.50.30:1030
Tue Aug  1 23:01:10 2006 clien1.test.net/202.149.50.30:1030 MULTI:
Learn:  10.1.1.6 -> clien1.test.net/202.149.50.30:1030
Tue Aug  1 23:01:10 2006 clien1.test.net/202.149.50.30:1030  MULTI:
primary virtual IP for clien1.test.net/202.149.50.30:1030: 10.1.1.6
Tue Aug  1 23:01:11 2006  clien1.test.net/202.149.50.30:1030 PUSH:
Received control message: 'PUSH_REQUEST'
Tue Aug  1 23:01:11 2006 clien1.test.net/202.149.50.30:1030 SENT
CONTROL [ clien1.test.net]: 'PUSH_REPLY,route 192.168.5.0
255.255.255.0,dhcp-option DNS 192.168.5.10,route  10.1.1.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5'
(status=1)
Tue Aug  1 23:34:41 2006  clien1.test.net/202.149.50.30:1030
[clien1.test.net] Inactivity timeout (--ping-restart), restarting
Tue Aug  1 23:34:41 2006  clien1.test.net/202.149.50.30:1030
SIGUSR1[soft,ping-restart] received, client-instance restarting


iptables -L on VPN Server
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.1.0/24           192.168.5.0/24

One setting is missing in client.conf that is  "route 192.168.5.0 255.255.255.0"

These entries are also added to iptables on VPN Server
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT


# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT


IP Forwarding is enable on the VPN Server.

But still I am not able to access the machines/clients in subnet
192.168.5.0/24. I am attaching the server.conf(openvpnserver.conf)
file with this emai.

What more iptables entries needs to be added ? Please let me know if
you need any further inputs.

Thanks & Regards

Ankush Grover

Attachment: openvpnserver.conf
Description: Binary data

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux