Thursday, February 3, 2011

Client can only access the server hosting OpenVPN, not the server's subnet

I have a peculiar problem with an OpenVPN tunnel on my Linux server (RoadWarrior config). I can log in perfectly with Tunnelblick 3.0 on my Mac and I can access all services on the server hosting the OpenVPN daemon; however, I am unable to access any other machine on the server's subnet.

I am pushing the route to the client and netstat -rn shows that the route exists.

My client config is as follows:

port 500
dev tun
remote {secret} 

tls-client
ca ca.crt
cert client.crt
key client.key

comp-lzo

pull

verb 4

and the server's configuration is as follows:

port 500
dev tun

local 10.81.0.2

tls-server 
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

mode server

ifconfig 10.84.0.1 10.84.0.2
ifconfig-pool 10.84.0.4 10.84.0.255

route 10.84.0.0 255.255.255.0

push "route 10.84.0.1 255.255.255.255"
push "route 10.81.0.0 255.255.255.0"

comp-lzo

keepalive 10 60
inactive 600

user vpndaemon
group vpndaemon

persist-tun
persist-key

verb 4

I can't find any obvious mistake and I also verified that there are no IP clashes on the client-side.

Any hints or ideas are greatly appreciated!

  • You probably need to set up your firewall to do MASQ for your VPN IP addresses.

    -A POSTROUTING -s 10.84.0.0/255.255.255.0 -o eth0 -j MASQUERADE
    

    in your iptables config should do the trick.

    sicn : My server is behind an existing firewall that also performs NAT and as such, IPTABLES is turned off on the server. Is this a requirement?
    GruffTech : If you plan on routing packets through your VPN server to other servers on the network, you'll need a method to do that. IPTables is not the only, but perhaps the simplest, method of accomplishing this. Also -- just because your server is protected from the world doesn't necessarily mean it's a great idea to turn off iptables. Just my 2c.
    From GruffTech
  • And you need to enable kernel IP packet forwarding (routing between tun interfaces and eth):

    uncomment or insert the following line in your /etc/sysctl.conf:

    net.ipv4.ip_forward=1
    

    and run:

    sudo sysctl -p
    
    From patate
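The two answers above name the two server-side conditions that have to hold before a road-warrior client can reach anything past the OpenVPN host: the kernel must forward between tun and eth, and the VPN pool needs a NAT rule on the egress interface (or the LAN hosts need a return route, which the thread does not cover). The script below is an added example and is not code from the thread or from the OpenVPN project. It audits those conditions, plus the server's route for the pool, by parsing captured command output passed in as text, so it runs against the constructed samples embedded here as well as against live output. The pool 10.84.0.0/24 is taken from the server config in the question; the interface names eth0 and tun0 are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: audit the server-side conditions
# the answers name (kernel forwarding, a NAT rule for the VPN pool, a route for
# the pool into the tunnel). Every check takes captured command output as text.
set -u

# Input: the line printed by `sysctl net.ipv4.ip_forward` ("net.ipv4.ip_forward = 1")
# or the bare value read from /proc/sys/net/ipv4/ip_forward.
# Returns 0 when forwarding is enabled.
ip_forward_enabled() {
    val="${1##*=}"                                 # drop everything up to and including "="
    val=$(printf '%s' "$val" | tr -d '[:space:]')  # drop surrounding whitespace
    [ "$val" = "1" ]
}

# Input: output of `iptables -t nat -S POSTROUTING`, the VPN pool in CIDR form
# (iptables -S prints masks as CIDR), and the egress interface.
# Returns 0 when a MASQUERADE or SNAT rule for exactly that pool and interface exists.
has_vpn_nat_rule() {
    rules="$1"; pool="$2"; iface="$3"
    printf '%s\n' "$rules" \
        | grep -F -- "-A POSTROUTING" \
        | grep -F -- "-s ${pool} " \
        | grep -F -- "-o ${iface} " \
        | grep -Eq -- "-j (MASQUERADE|SNAT)"
}

# Input: output of `ip route`, the VPN pool, and the tun device.
# Returns 0 when the pool is routed into the tunnel (the `route 10.84.0.0 255.255.255.0`
# line in the server config is what should create that entry).
has_tun_route() {
    routes="$1"; pool="$2"; tun="$3"
    printf '%s\n' "$routes" | awk -v pool="$pool" -v tun="$tun" '
        $1 == pool { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == tun) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Runs all three checks, prints one verdict line each, and returns the number of
# failed checks (0 means the server side matches the answers' advice).
audit_vpn_server() {
    sysctl_line="$1"; nat_rules="$2"; routes="$3"
    pool="$4"; egress="$5"; tun="$6"; failures=0
    if ip_forward_enabled "$sysctl_line"; then
        echo "ok    net.ipv4.ip_forward is 1"
    else
        echo "FAIL  net.ipv4.ip_forward is not 1 (set it in /etc/sysctl.conf, then sysctl -p)"
        failures=$((failures + 1))
    fi
    if has_vpn_nat_rule "$nat_rules" "$pool" "$egress"; then
        echo "ok    POSTROUTING NATs $pool out of $egress"
    else
        echo "FAIL  no MASQUERADE/SNAT rule for $pool on $egress"
        failures=$((failures + 1))
    fi
    if has_tun_route "$routes" "$pool" "$tun"; then
        echo "ok    $pool is routed via $tun"
    else
        echo "FAIL  no route for $pool via $tun"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample output standing in for the live commands on the server from the
# question. Forwarding is deliberately left off here so one check fails.
SAMPLE_SYSCTL="net.ipv4.ip_forward = 0"
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.84.0.0/24 -o eth0 -j MASQUERADE"
SAMPLE_ROUTES="default via 10.81.0.1 dev eth0
10.81.0.0/24 dev eth0 proto kernel scope link src 10.81.0.2
10.84.0.0/24 via 10.84.0.2 dev tun0
10.84.0.2 dev tun0 proto kernel scope link src 10.84.0.1"

if audit_vpn_server "$SAMPLE_SYSCTL" "$SAMPLE_NAT" "$SAMPLE_ROUTES" 10.84.0.0/24 eth0 tun0; then
    echo "server side looks consistent"
else
    echo "failed checks: $?"
fi
```

On a live server the three inputs would be `$(sysctl net.ipv4.ip_forward)`, `$(iptables -t nat -S POSTROUTING)` and `$(ip route)`; the checks only read state, so they are safe to run as a routine post-change verification. The NAT check looks for the exact pool and interface rather than any MASQUERADE rule, because a rule scoped to the wrong source range is the most common way this setup stays half-working.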
