
I have two Debian boxes sitting on two separate networks. I am trying to set up an OpenVPN link across the internet between the two and I've hit a little roadblock. I would like to set this up so that all of my home IPs are accessible from work, and vice-versa. No internet traffic needs to go over this VPN link, only the local network traffic.

I have successfully connected the two boxes as such

172.16.130.2 internal addy (10.9.8.1 vpn addy) - server vpn address (work)
172.16.120.2 internal addy (10.9.8.2 vpn addy) - client vpn address (home)

I am able to ping the client and server's VPN from the terminal on both boxes, no problems there - the VPN works well. So I can ping 10.9.8.1 from my home server.

I set up a static route on my home server for 172.16.130.0/24 with gateway 10.9.8.1, and vice versa on the work server and I am now able to ping my work server's internal ip of 10.16.130.2. That works too.

So now I try to ping my work server's router at 172.16.130.1, or any of the client IPs on my work network 172.16.130.x, and no dice. What would be the next step to get my work network visible to my home server? I'm thinking I don't need to do anything on my routers yet, but I might be wrong.

womble
muncherelli

2 Answers

In order for machines on different networks to successfully talk to each other, both ends need to know how to route traffic to the other end. Normally, this is easily done on a simple end-user LAN because there are usually only two destinations: "the local network" and "everywhere else". Traffic to the local network is just sent directly to the destination, while traffic to everywhere else is sent to the default gateway ("router") and it handles it (by passing it to your upstream ISP, which has far more knowledge about where to send traffic to the many destinations that make up the Internet).

By placing a VPN into the mix, you're complicating things somewhat. By making the VPN endpoints machines within a LAN, rather than making the default gateways the endpoints, you're complicating things greatly.

What you need to do is add routes to allow traffic to go to the right places. You can either do this on every machine in both LANs, or just add it to the default gateway. The latter is far easier, but slightly less efficient (traffic will have an extra "hop", going via the gateway, which shouldn't be a major inconvenience in most cases).

Without knowing what your gateways actually are, I can't tell you how to configure them, but the routes basically need to be:

  • On gateway for 172.16.130.0/24:
    • Route all traffic destined for 172.16.120.0/24 via 172.16.130.2
  • On gateway for 172.16.120.0/24:
    • Route all traffic destined for 172.16.130.0/24 via 172.16.120.2

There's also all sorts of firewalling stuff you might have to do, both on the gateways and the VPN endpoints, and you might have to turn on IP forwarding on the endpoints, but it's all fairly straightforward network configuration stuff.

And next time: just put the VPN endpoints on the default gateway. It's so much easier.

womble
  • Thanks for the background info. I actually did add the static routes on both of my routers, and I'm only able to ping the actual internal address of the other endpoint, not anything else on either network. Do I need to install iptables to NAT the request out to the router first? Something is not routing my packets to the router, but I can't really figure out what it is. – muncherelli Aug 28 '11 at 09:12
  • (and I'd love to put the endpoints on the gateways, but my routers are not powerful enough to run the OpenVPN clients on themselves as they are just normal routers running DD-WRT) – muncherelli Aug 28 '11 at 09:15
  • There's no such thing as a "normal router", there are a large variety of devices available with widely disparate feature sets and hardware; as far as not having enough power, I used to run OpenVPN on a WRT54 and it worked fine. You shouldn't have to NAT, because you're not routing outside your own administrative domain and don't have to deal with any of the situations that NAT is supposed to be used for. – womble Aug 28 '11 at 09:20

One of the gotchas we ran into is that you need IP forwarding turned on, on both machines. This link helpfully explains how to enable it.

/proc/sys/net/ipv4/ip_forward should be "1" when forwarding is on.

Ben Beige
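An added example, not from the question or either answer, that puts both answers' steps together for the addresses on this page: a POSIX shell script that turns on forwarding on an endpoint, adds its route to the far LAN, prints the one route that LAN's default gateway still needs, and prints the `route`/`iroute` lines the work end additionally needs only if it runs OpenVPN with the `server` directive rather than a point-to-point `ifconfig` link. The interface name tun0, the ccd directory and the client certificate name "home" are assumptions; DRY_RUN=1 (the default) prints commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the question or answers). Site-to-site plumbing for
# the layout on this page; tun0, the ccd directory and the client CN "home"
# are assumptions. DRY_RUN=1 (the default) prints commands instead of running them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() {                       # execute, or just echo when dry-running
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# ip_forward_enabled FILE: succeeds when the kernel forwards IPv4
# (FILE is normally /proc/sys/net/ipv4/ip_forward).
ip_forward_enabled() {
    [ "$(cat "$1")" = 1 ]
}

# endpoint_setup work|home: the three things each endpoint needs.
endpoint_setup() {
    case "$1" in
        work) lan=172.16.130.0/24 ep=172.16.130.2
              far_lan=172.16.120.0/24 far_vpn=10.9.8.2 ;;
        home) lan=172.16.120.0/24 ep=172.16.120.2
              far_lan=172.16.130.0/24 far_vpn=10.9.8.1 ;;
        *)    echo "usage: endpoint_setup work|home" >&2; return 2 ;;
    esac
    # 1. forward between tun0 and the LAN (the step the second answer flags)
    run sysctl -w net.ipv4.ip_forward=1
    # 2. reach the far LAN through the far end's VPN address
    run ip route replace "$far_lan" via "$far_vpn" dev tun0
    # 3. the LAN's default gateway must hand far-LAN traffic to this endpoint
    echo "# on the $lan gateway: ip route add $far_lan via $ep"
}

# server_mode_lines: only when the work end runs OpenVPN with the 'server'
# directive. The server process then also has to learn which client sits in
# front of 172.16.120.0/24; without the iroute it has no client to deliver
# those packets to and drops them.
server_mode_lines() {
    echo "# /etc/openvpn/server.conf"
    echo "route 172.16.120.0 255.255.255.0"
    echo "client-config-dir /etc/openvpn/ccd"
    echo "# /etc/openvpn/ccd/home   (file named after the client's certificate CN)"
    echo "iroute 172.16.120.0 255.255.255.0"
}

endpoint_setup "${1:-home}"
server_mode_lines
```

Run it with DRY_RUN=0 as root on each endpoint (`sh site2site.sh work` or `sh site2site.sh home`) once the printed commands look right; the gateway route and the server-mode lines are printed for you to apply on the router and in the OpenVPN config by hand.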