[TriLUG] SOLVED Re: routing question in openvpn
Joseph Mack NA3T
jmack at wm7d.net
Wed May 16 09:50:10 EDT 2012
On Wed, 9 May 2012, Joseph Mack NA3T wrote:
> Problem: my openvpn client can connect to the internal IP
> of the openvpn server, but not to other boxes on the same
> internal network.
>
> Here's the setup
>
> ----------------
> |    client    |
> | tun0=10.8.0.6|
> ----------------
>        | eth0=55.50.x.x
>        |
>        | eth2=55.50.y.y
> ----------------                       --------------
> | tun0=10.8.0.1|     192.168.2.253=eth1|            |
> |  vpn server  |-----------------------|random box  |
> |              |eth1=192.168.2.252     |            |
> ----------------                       --------------
>                   route to 10.8.0.0/24
>                   via 192.168.2.252
The solution was to add
iptables -A FORWARD -i tun0 -j ACCEPT
on the vpn server.
I had this correct:
o On the vpn server I was nat'ing out the connections to the
internet (through eth2) from the boxes at home (server
network). I was also allowing connections between the vpn
client and the vpn server through tun0.
I had this wrong
o For the other boxes on the home network to connect to the
vpn client through the vpn server, there has to be a
FORWARD rule going out tun0 on the vpn server. I didn't have
this rule.
I had thought that there was a problem with configuring
openvpn (there wasn't). I didn't test connecting to the
other machines on the server network till I had the firewall
in place. When I did, I assumed the firewall was right (it
wasn't). I realised that the firewall was the problem by
turning it off and finding I could connect to the other
machines on the server network from the client.
Something else I found out: Only the first ping is NEW. All
other pings are RELATED (presumably hence the sequence
numbers on the ping replies). I tried debugging the problem
by pinging from the client and didn't see any DROP'ed
packets in the logs at the vpn server. It turns out that
only the first ping packet is ACCEPT'ed. All other ping
packets were being ACCEPT'ed by the RELATED rule and weren't
LOGed. It turns out I wasn't logging the DROP'ed NEW ping
packet, due to my ignorance of iptables.
Thanks to Alan for discussions about this problem. Alan has
his clients talking to all machines on the vpn server
network, working without doing anything special. This was
the hint that the problem wasn't with openvpn.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
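The firewall fragment below is an added example, not something from Joe's post or from the openvpn project, showing the FORWARD chain as the post describes it: the existing NAT out eth2 for the home network, the tun0 rule that was missing, and a LOG rule placed where it would have caught the dropped first ping. Interface names and addresses come from the diagram above; the IPT dry-run variable, the log prefix and the tightening of the tun0 rule to the home network (the post's own rule is the broader `iptables -A FORWARD -i tun0 -j ACCEPT`) are my additions.

```shell
#!/bin/sh
# Added example (not from the original post): FORWARD rules for the
# vpn server in the diagram. Interfaces/addresses follow the post;
# IPT, the LOG prefix and the narrowed tun0 rule are assumptions.
#
# IPT defaults to "echo iptables" so the script prints the rules it
# would apply; set IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

VPN_IF=tun0              # openvpn tunnel on the server, 10.8.0.1
LAN_IF=eth1              # home (server) network side, 192.168.2.252
WAN_IF=eth2              # internet side, 55.50.y.y
VPN_NET=10.8.0.0/24      # openvpn client addresses
LAN_NET=192.168.2.0/24   # home network

openvpn_forward_rules() {
    # Default to dropping anything the rules below do not accept.
    $IPT -P FORWARD DROP

    # Continuations of already-accepted flows are matched here, so only
    # the first packet of a new connection (the first ping) ever reaches
    # the NEW-packet rules further down. That is why later pings never
    # showed up in the log.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Already in place in the post: home network out to the internet,
    # NAT'd on the eth2 address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # The rule the post was missing: new connections from the vpn client
    # arriving on tun0 may be forwarded to boxes on the home network.
    # (The post accepts everything from tun0; this limits it to LAN_NET.)
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT

    # Log NEW packets that are about to hit the DROP policy. With this
    # rule present the dropped first ping would have appeared in the log.
    $IPT -A FORWARD -m conntrack --ctstate NEW -m limit --limit 5/min \
         -j LOG --log-prefix "FWD-DROP-NEW: "
}

openvpn_forward_rules
```

Run it as-is to review the rule set, then diff the output against `iptables -S FORWARD` on the server before applying it with `IPT=iptables`.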