There is a network in the office. There is a router powered by FreeBSD inside the network and a server powered by CentOS outside.
Task: provide access from anywhere to the network in the office.
Data: the network is 192.168.0.0 behind FreeBSD with bge0 (192.168.0.111) and re0 (192.168.1.2, in the modem's subnet). The outside server is xx.xx.xx.xx. The FreeBSD router's address in the OpenVPN net is 192.168.255.6; the CentOS server's address is 192.168.255.1.
Trouble: there's no access to the inside network from the outside server (I can access the FreeBSD router), but I can access the outside server from my network. I need to access the inside network from the outside server.
Outside CentOS server's OpenVPN config:
dev tun
port 1194
proto udp
mode server
tls-server
server 192.168.255.0 255.255.255.0
push "route 192.168.255.0 255.255.255.0"
route 192.168.0.0 255.255.255.0 192.168.255.2
push "dhcp-option DNS 192.168.255.1"
client-config-dir /etc/openvpn/ccd
client-to-client
ifconfig-pool-persist addr_list
comp-lzo
tun-mtu 1500
keepalive 10 60
persist-key
persist-tun
cipher DES-EDE3-CBC
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
tls-auth /etc/openvpn/ta.key 0
status openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
The FreeBSD client's config:
client
proto udp
dev tun
remote xx.xx.xx.xx 1194
comp-lzo
resolv-retry infinite
persist-tun
persist-key
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/freebsd-client.crt
key /usr/local/etc/openvpn/freebsd-client.key
dh /usr/local/etc/openvpn/dh1024.pem
tls-auth /usr/local/etc/openvpn/ta.key 1
tls-client
cipher DES-EDE3-CBC # Triple-DES
verb 4
route-method exe
route-delay 2
ping 100
ping-restart 200
/etc/openvpn/ccd/freebsd-client contents:
push "route 192.168.255.0 255.255.255.0"
iroute 192.168.0.0 255.255.255.0
On FreeBSD:
# ps aux | grep natd
/sbin/natd -n re0
/sbin/natd -n tun0 -p 8669
# ipfw show
00039 12203 876046 fwd 192.168.0.111,80 tcp from 192.168.0.0/24 to 192.168.0.111 dst-port 80
00040 322269 40046856 fwd 192.168.0.111,3128 tcp from 192.168.0.0/24 to any dst-port 80,433,8080
00050 2885463 1611968772 divert 8668 ip4 from any to any via re0
00060 5675 1094008 divert 8669 ip from any to any via tun0
00100 28440 2126360 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 4241769 2426143908 allow ip from any to any
65535 1 78 deny ip from any to any
# netstat -nr -finet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGS 22 3312575 re0
127.0.0.1 link#4 UH 0 56564 lo0
192.168.0.0/24 link#1 U 3 166750211 bge0
192.168.0.111 link#1 UHS 0 12 lo0
192.168.1.0/24 link#2 U 1 235840 re0
192.168.1.2 link#2 UHS 0 36 lo0
192.168.255.0/24 192.168.255.5 UGS 0 20 tun0
192.168.255.5 link#5 UH 0 0 tun0
192.168.255.6 link#5 UHS 0 0 lo0
On CentOS:
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.255.2 * 255.255.255.255 UH 0 0 0 tun0
xx.xx.xx.0 * 255.255.255.0 U 0 0 0 eth0
xx.xx.yy.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 192.168.255.2 255.255.255.0 UG 0 0 0 tun0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
192.168.255.0 192.168.255.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default xx.xx.xx.1 0.0.0.0 UG 0 0 0 eth0
$ ip route get 192.168.0.111
192.168.0.111 via 192.168.255.2 dev tun0 src 192.168.255.1
cache mtu 1500 advmss 1460 hoplimit 64
I ping 192.168.0.111 from CentOS and get this:
On CentOS:
$ tcpdump -i tun0
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:34:48.963629 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 1, length 64
11:34:49.973944 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 2, length 64
11:34:50.974007 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 3, length 64
11:34:51.974075 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 4, length 64
And silence on FreeBSD:
# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
Can anybody help me?
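A consistency check for the `route`/`iroute` pairing shown above, as an added example that is not part of the question or of any answer: the server sees the kernel `route` for 192.168.0.0/24 and puts the packets on tun0, but OpenVPN only forwards them to a client that has claimed the subnet with `iroute` in a ccd file whose name equals that client's certificate CN. The config text is a constructed copy of the posted directives; the list of connected CNs is an assumption.

```python
import ipaddress

# Constructed copies of the posted server config and ccd file, trimmed to
# the directives that matter for client-subnet routing.
SERVER_CONF = """
server 192.168.255.0 255.255.255.0
route 192.168.0.0 255.255.255.0 192.168.255.2
client-config-dir /etc/openvpn/ccd
"""
CCD = {  # filename -> contents; OpenVPN looks the file up by certificate CN
    "freebsd-client": 'push "route 192.168.255.0 255.255.255.0"\n'
                      "iroute 192.168.0.0 255.255.255.0\n",
}

def _nets(text, directive):
    """Collect the subnets named by one directive (e.g. 'route' or 'iroute')."""
    nets = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()          # drop trailing comments
        if len(parts) >= 3 and parts[0] == directive:  # skip push "route ..." lines
            nets.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def check_client_subnets(server_conf, ccd):
    """Pair kernel 'route' directives with per-client 'iroute' directives.

    A 'route' with no matching 'iroute' is the classic cause of packets reaching
    the server's tun0 and never arriving at the client; an 'iroute' with no
    'route' means the server kernel never hands the packets to OpenVPN at all.
    """
    routed = _nets(server_conf, "route")
    owner = {}
    for name, text in ccd.items():
        for net in _nets(text, "iroute"):
            owner[net] = name
    return {
        "route_without_iroute": sorted(str(n) for n in routed - set(owner)),
        "iroute_without_route": sorted(str(n) for n in set(owner) - routed),
        "owner": {str(n): c for n, c in owner.items() if n in routed},
    }

def missing_ccd_files(ccd, connected_cns):
    """CNs of connected clients that have no ccd file, so their iroute never applies."""
    return sorted(cn for cn in connected_cns if cn not in ccd)
```

The ccd lookup is by exact CN, so a capitalisation or spelling difference between the certificate's CN and the ccd filename silently disables the `iroute`.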