
Re: Routing between multiple Tunnels: msg#00538

network.openvpn.user

Subject: Re: Routing between multiple Tunnels

On Wed, 30 Jun 2004, Murray Thomson wrote:

I am using 1.6.0. I have listed routes to all servers from all servers. I also have routes listed to each server on server A. If I do a traceroute from B to C (up to the central server and back out again) all that I get back is the address of the other side of the first tunnel. Then it stalls.

On server A there are routes to all other servers. I can forward traffic to them fine. The remote servers can ping the servers and any on their subnets. The only place where it goes wrong is when I need to go to server A then back out to one of the remote ones.

Okay, well OpenVPN does not care about what subnets are on what side of the VPN, like IPsec does, so if the routing is set up correctly it should work.

And routing is enabled, and there are no firewalls running on the machines that could be blocking the traffic?

Use a packet sniffer to see how far your packets get.

/Mathias

Mathias Sundman wrote:

On Wed, 30 Jun 2004, Murray Thomson wrote:

I want to set up a spider topology with OpenVPN. OpenVPN server A has an OpenVPN tunnel to each of Servers B, C and D each with their own subnet.

The problem is that from Server B, C or D I cannot communicate with any server other than A. From A however I can reach B, C and D and any station on their respective subnets. Also from a station on subnet A I can also get to B, C and D and also on their respective subnets.

For some reason I cannot get from one of the arms straight through the main server and back out again.

Does anyone know if this is not a workable topology, or is there something else I need to do to make this fly?


Yes, that should be no problem. What version of OpenVPN are you using?

If you are using 2.0 in server mode you need to use the option --client-to-client to allow internal routing between the clients. You probably also need to use --iroute in each client config file.

If you're not using v2.0 you probably just don't have the routing set up correctly in your systems.

Are the OpenVPN machines the default gateway on each network? If not, you need to make sure that EVERY machine on each network knows that it should reach ALL the other networks through the OpenVPN machine.

In B, do you have a route to the network behind C and D through your TUN/TAP interface? Same thing applies for C and D of course, they need routes to the other "client networks" through the VPN.

If you still can't get the routing working, please post your configs, and we can probably see what routes you're missing.

--
_____________________________________________________________
Mathias Sundman           (^)   ASCII Ribbon Campaign
NILINGS AB                 X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28   / \   NO Word docs in e-mail
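
An added example, not from the thread or the OpenVPN project: a small POSIX shell script that generates the OpenVPN 2.0 server-mode configuration Mathias describes above for a hub (A) with three spokes (B, C, D), i.e. --client-to-client plus a kernel route on the hub for every spoke subnet, and a per-client ccd file with that client's --iroute and pushed routes to the other spokes. Client names and subnets are constructed sample values, and `cidr_to_mask`, `hub_config` and `ccd_config` are hypothetical helper names.

```shell
#!/bin/sh
# Hub-and-spoke routing for an OpenVPN 2.0 server (hub A, spokes B, C, D).
# Spoke table with constructed sample values: "<client-cn> <subnet/prefix>".
SPOKES='spokeB 10.1.0.0/24
spokeC 10.2.0.0/24
spokeD 10.3.0.0/24'

# Turn "10.1.0.0/24" into "10.1.0.0 255.255.255.0", the form OpenVPN's
# route/iroute directives expect.
cidr_to_mask() {
    net=${1%/*}; bits=${1#*/}; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="$mask${mask:+.}$octet"
    done
    printf '%s %s' "$net" "$mask"
}

# server.conf fragment for hub A: --client-to-client lets the daemon forward
# packets between spokes internally, and a kernel "route" for every spoke
# subnet makes hub A's own stack send that traffic into the tun interface.
hub_config() {
    printf 'dev tun\nserver 10.8.0.0 255.255.255.0\nclient-to-client\n'
    echo "$SPOKES" | while read -r cn subnet; do
        printf 'route %s\n' "$(cidr_to_mask "$subnet")"
    done
}

# ccd/<cn> for one spoke: "iroute" tells the daemon which client owns that
# subnet (the kernel route only gets the packet as far as tun), and the pushed
# routes give the spoke a route to every OTHER spoke subnet through the VPN,
# which is what B was missing for C and D in the thread above.
ccd_config() {
    me=$1
    echo "$SPOKES" | while read -r cn subnet; do
        if [ "$cn" = "$me" ]; then
            printf 'iroute %s\n' "$(cidr_to_mask "$subnet")"
        else
            printf 'push "route %s"\n' "$(cidr_to_mask "$subnet")"
        fi
    done
}

# Usage: hub_config > server.conf; per spoke: ccd_config spokeB > ccd/spokeB
# Hosts on each subnet still need the OpenVPN box as their route to the others.
```

The pushed routes only reach the spoke's OpenVPN box itself; as the thread notes, other hosts on each subnet must also route the remote networks via that box (or use it as their default gateway).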



