Re: Passing remote routes (msg#00469, network.openvpn.user)
Jeff,

Comments inline...

Jeff Borders <jeff@xxxxxxxxxxxxxxx> said:

> Hello,
>
> I'm using OpenVPN 2.0_beta5 and trying to set up a server mode VPN using
> tap. From a remote laptop, I can ping the VPN endpoints and the
> internal nic on the Fedora box. I can even ping other vpn clients.
>
> But I can't ping my remote nets.
>
> laptop endpoint 10.8.0.4
> laptop pub ip 4.3.2.1
> ---internet---
> server pub ip 1.2.3.4
> server endpoint 10.8.0.1 *can ping.
> server priv nic 192.168.10.6 *can ping.
>
> internal cisco switch 192.168.10.1 *can't ping
> whole slew of nets 192.168.20-80.0 *can't ping
>
> What am I missing? iroute?

iroute would only work if you are using a tun-based virtual network, i.e. --dev tun rather than --dev tap. In --dev tap mode, OpenVPN implements an internal ethernet bridge that currently does not handle IPv4 routing.

You would only need iroute if the OpenVPN clients also have subnets behind them which need to join the VPN. If the clients are individual machines (such as laptops connecting over the internet) and all the private subnets which need explicit routing are behind the server, you don't need iroute.

> I need to use remote control software on the remote nets. Am I pushing
> the correct gw address to the client? I've also tried connecting with
> another linux box and get the same behavior.
>
> And yes, I plan to generate real certs after I get everything working.
>
> Thank you.
> jeff <at> jeffborders dot com
>
> ########################################
> # Server openvpn.conf file
> ########################################
> port 5000
> dev tap
> tls-server
> ca sample-keys/tmp-ca.crt
> cert sample-keys/server.crt
> key sample-keys/server.key
> dh sample-keys/dh1024.pem
> mode server
> ifconfig 10.8.0.1 255.255.255.0
> ifconfig-pool 10.8.0.4 10.8.0.255
> push "route 192.168.10.0 255.255.255.0 10.8.0.1"
> push "route 192.168.20.0 255.255.255.0 10.8.0.1"
> push "route 192.168.30.0 255.255.255.0 10.8.0.1"
> push "route 192.168.40.0 255.255.255.0 10.8.0.1"
> push "route 192.168.50.0 255.255.255.0 10.8.0.1"
> push "route 192.168.60.0 255.255.255.0 10.8.0.1"
> push "route 192.168.70.0 255.255.255.0 10.8.0.1"
> push "route 192.168.80.0 255.255.255.0 10.8.0.1"
> client-to-client
> duplicate-cn
> ping 10
> ping-restart 120
> push "ping 10"
> push "ping-restart 60"
> user nobody
> group nobody
> verb 4
>
> #########################################
> # Client openvpn.ovpn file
> #########################################
> port 5000
> dev tap
> remote 1.2.3.4
> tls-client
> ca sample-keys/tmp-ca.crt
> cert sample-keys/client.crt
> key sample-keys/client.key
> pull
> verb 3
>
> ########################################
> # acme.sh in /etc/openvpn on server
> ########################################
> iptables -A INPUT -i tap+ -j ACCEPT

You probably also want:

iptables -A FORWARD -i tap+ -j ACCEPT

James
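An added example, not part of James's reply or of OpenVPN itself: instead of the blanket `-i tap+ -j ACCEPT` FORWARD rule, this script derives one FORWARD rule per subnet that the server config actually pushes, so VPN clients can reach only the nets behind the server that the config advertises. It assumes the tap+ interface pattern from the thread, a constructed config that mirrors Jeff's, and prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example: build least-privilege FORWARD rules from "push route" lines.
# Assumptions: VPN clients arrive on tap+; the config below is constructed to
# mirror the server config in the thread (only two of its routes are kept).

# Dotted netmask -> prefix length (255.255.255.0 -> 24). Runs in a subshell so
# the IFS change stays local; assumes a contiguous mask; exits 1 on junk.
mask_to_prefix() (
    prefix=0
    IFS=.
    for octet in $1; do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;  254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;  248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;  224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;  128) prefix=$((prefix + 1)) ;;
            0) ;;
            *) exit 1 ;;
        esac
    done
    echo "$prefix"
)

# Reads an OpenVPN server config on stdin, prints iptables commands on stdout:
# reply traffic first, then one ACCEPT per pushed subnet, then a DROP for any
# other forwarded traffic coming from VPN clients ($1 = client interface).
forward_rules_from_config() {
    vpn_in="$1"
    # Routing through the Linux server also needs IP forwarding switched on.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    sed -nE 's/^[[:space:]]*push[[:space:]]+"route[[:space:]]+([0-9.]+)[[:space:]]+([0-9.]+).*/\1 \2/p' |
    while read -r net mask; do
        prefix=$(mask_to_prefix "$mask") || { echo "skipping bad netmask $mask" >&2; continue; }
        printf 'iptables -A FORWARD -i %s -d %s/%s -j ACCEPT\n' "$vpn_in" "$net" "$prefix"
    done
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$vpn_in"
}

# Constructed sample config (subset of the thread's server openvpn.conf).
SAMPLE_CONF='dev tap
mode server
ifconfig 10.8.0.1 255.255.255.0
push "route 192.168.10.0 255.255.255.0 10.8.0.1"
push "route 192.168.20.0 255.255.255.0 10.8.0.1"
push "ping 10"
client-to-client'

# Note: the internal nets still need a route back to 10.8.0.0/24 via the
# server's private nic (192.168.10.6), or the server must NAT the VPN traffic.
demo() { printf '%s\n' "$SAMPLE_CONF" | forward_rules_from_config tap+; }
```

Run `demo` to see the generated rules; pipe its output to `sh` only after reviewing it on the server.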