
I am currently trying to configure OpenVPN to access our company network remotely.

I was able to establish a connection and ping the server at the configured address (10.8.0.1), but I was not able to access the network at the server side from clients.

The server is configured to push routes to the server with:

push "route 155.0.0.0 255.255.0.0 10.8.0.1 1"

where 155.0.0.0/16 is the server side network.

That did not work so I added

push "route 155.0.0.68 255.255.255.255 net_gateway 1"

because I read somewhere that it can be problematic if all packets including the ones to the server (155.0.0.68) are routed through the tunnel, but that still doesn't work. I am not able to ping any address on the server's network. Not even the server itself on 155.0.0.68.

What am I doing wrong?

Additional info: Client and server run Windows, and OpenVPN runs in tun mode with the UDP protocol. Firewalls are turned off on the client and the server.

I already asked this question on Network Engineering, but I was told ServerFault would be a better place for a problem like that.

Karsten
  • If you try to ping a PC on the VPN server side, how does that PC know how to reach the VPN client? That is why I say you need a route on the other PCs too. – c4f4t0r Nov 21 '14 at 12:05

3 Answers


Routes on both sides of the VPN tunnel are required.

Also, IP routing must be enabled on the server. For example, on Windows 7:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"IPEnableRouter"=dword:00000001

Let's assume the following IPs and subnets:

  • Client side subnet 192.168.0.0/24
  • Client IP 192.168.0.2
  • Client VPN IP 10.8.0.2
  • Server side subnet 155.0.0.0/16
  • Server IP 155.0.0.68
  • Server VPN IP 10.8.0.1

Keys

Create a set of keys for the server and clients. Check the README in the OpenVPN installation dir ..\OpenVPN\easy-rsa\README.txt for instructions on how to generate those.

Server side configuration

Add the following lines to the server config file:

port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir C:\\OpenVPN\\config\\ccd
route 192.168.0.0 255.255.255.0 10.8.0.2
ca C:\\OpenVPN\\config\\ca.crt
cert C:\\OpenVPN\\config\\server.crt
key C:\\OpenVPN\\config\\server.key
dh C:\\OpenVPN\\config\\dh1024.pem
keepalive 10 60
comp-lzo
persist-key
persist-tun
status C:\\OpenVPN\\config\\openvpn-status-tun.log 20
log C:\\OpenVPN\\config\\openvpn-tun.log
verb 3

Replace the paths with the respective installation directory.

Add a custom client config file on the server:

Create a directory ccd in the same directory as the server config file and in there a config file named after the CN (Common Name) of the client's certificate.

Check the client certificate and look for this line (CN=<client_name>):

Subject: C=CH, ST=State, L=City, O=org, OU=unit, CN=client1/name=EasyRSA/emailAddress=root@localhost

In this example the file will be named client1 (without an extension). Add the following lines to the file:

ifconfig-push 10.8.0.2 255.255.255.0
push "route 155.0.0.0 255.255.0.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0
  • ifconfig-push will give a static IP to this client
  • push "route ..." pushes the route to reach the server side subnet to the client
  • iroute generates an internal route in OpenVPN to the client's subnet

Client side configuration

Add the following lines to the client config file:

client
dev tun
proto udp
remote 155.0.0.68 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
# ca must point to the CA certificate, not to the client's own certificate
ca C:\\OpenVPN\\config\\ca.crt
cert C:\\OpenVPN\\config\\client1.crt
key C:\\OpenVPN\\config\\client1.key
remote-cert-tls server

Replace the paths with your installation directory.

Additional Routes

This setup works if the server running OpenVPN is also a router and is set as the default gateway on all the hosts on the server-side subnet.

If a dedicated router exists instead, add the following static routes to it (or add them on all of the hosts) so that they can reach the VPN subnet and the subnet of client1.

Static server-side subnet routes:

Destination        Gateway             Genmask
192.168.0.0        155.0.0.68          255.255.255.0
10.8.0.0           155.0.0.68          255.255.255.0

For additional hints on this topic, see this answer.

rda
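As an added consistency check (example code written here, not part of rda's answer or of OpenVPN itself): the script below parses constructed copies of the server config, the ccd file, the certificate subject and the router's static routes from the answer above, and flags the mistakes that answer guards against: a ccd file not named after the certificate CN, a route without its iroute (or the reverse), an ifconfig-push address outside the VPN subnet, and a server-side router missing the routes from the table.

```python
import ipaddress
import re

# Constructed sample input mirroring the answer's addresses (not real files).
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
route 192.168.0.0 255.255.255.0 10.8.0.2
"""
CCD = {"client1": """
ifconfig-push 10.8.0.2 255.255.255.0
push "route 155.0.0.0 255.255.0.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0
"""}
CERT_SUBJECT = "Subject: C=CH, ST=State, O=org, CN=client1/name=EasyRSA"
SERVER_LAN_IP = "155.0.0.68"
# Static routes on the server-side router: destination -> gateway.
LAN_ROUTES = {"192.168.0.0/24": SERVER_LAN_IP, "10.8.0.0/24": SERVER_LAN_IP}

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def nets(text, directive):
    """Networks declared by lines such as 'route A M [gw]' or 'iroute A M'."""
    pat = re.compile(rf"^\s*{directive}\s+(\S+)\s+(\S+)", re.M)
    return {net(a, m) for a, m in pat.findall(text)}

def check(server_conf, ccd, cert_subject, lan_routes, server_lan_ip):
    """Return a list of configuration problems (empty when consistent)."""
    problems = []
    # The ccd file must carry exactly the CN of the client certificate.
    cn = re.search(r"CN=([^/,\s]+)", cert_subject).group(1)
    if cn not in ccd:
        problems.append(f"no ccd file named after the certificate CN '{cn}'")
    vpn_net = next(iter(nets(server_conf, "server")))
    routed = nets(server_conf, "route")        # kernel routes on the server
    irouted = set().union(*(nets(c, "iroute") for c in ccd.values()))
    for n in routed - irouted:
        problems.append(f"route {n} has no matching iroute in any ccd file")
    for n in irouted - routed:
        problems.append(f"iroute {n} has no kernel route in the server config")
    for name, text in ccd.items():
        m = re.search(r"^\s*ifconfig-push\s+(\S+)", text, re.M)
        if m and ipaddress.ip_address(m.group(1)) not in vpn_net:
            problems.append(f"ccd/{name}: {m.group(1)} is outside {vpn_net}")
    # The LAN router must send the VPN and client subnets to the VPN server.
    for n in sorted(routed | {vpn_net}):
        if lan_routes.get(str(n)) != server_lan_ip:
            problems.append(f"LAN router has no route to {n} via {server_lan_ip}")
    return problems
```

Run check() against your own files (read with open()) after editing them; an empty list means the three places that must agree (server config, ccd file, LAN router) do.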

Because your client doesn't know how to reach the other side, you need something like this:

vpn client:

route add -net 192.168.0.0/24 gw 10.8.0.1   # in this way, the client knows how to reach the other side

remote lan(server side), if i want to reach a pc in the side of my vpn server:

route add -net 10.0.0.0/16 gw 192.168.0.100   # 192.168.0.100 is the local LAN IP of my VPN server; in this way, the other PC knows where to route the traffic for the VPN network

Sorry for the commands, but I don't use Windows.

c4f4t0r
  • I don't really understand what you mean by that. Isn't that what push "route..." is for? The routes that I pushed end up in the client's routing table, but they don't seem to work properly. When I ping some address at the server it is not routed through the tunnel. – Karsten Nov 21 '14 at 07:58

If your client is running Windows 7, then you have to run the OpenVPN client with admin rights; otherwise the routing tables will not get populated and you may not be able to ping the hosts on the server network.