Routing problem to a remote location

Hello

I'm stuck at connecting to a remote location. I have an OpenVPN setup to connect different locations to my server at home. Now I have a new server which is connected to the OpenVPN on tun0 with IP 10.66.77.254. Behind this server there is another server on a private LAN IP (IP 192.168.201.201).

So I set up a route on my home server, which runs the OpenVPN server, as follows
$ route add -net 192.168.201.0/24 10.66.77.254 which should imho route the traffic to the remote gateway via OpenVPN. Now if I try to ping from my home LAN to the IP 192.168.201.201, I can see packets going out in the direction of the remote side with tcpdump
Code:
17:46:58.034693 IP 10.66.77.1 > 192.168.201.201: ICMP echo request, id 12647, seq 211, length 72
17:47:01.639323 IP 10.66.77.1 > 192.168.201.201: ICMP echo request, id 12647, seq 212, length 72
17:47:05.639702 IP 10.66.77.1 > 192.168.201.201: ICMP echo request, id 12647, seq 213, length 72
10.66.77.1 is my home server's OpenVPN IP address. The routing table shows that the route is being used properly
Code:
192.168.201.0/24   10.66.77.254       UGS         0      122   tun0
But I cannot see one packet arriving at the remote location. If I perform a $ tcpdump -i tun0 -n icmp on the remote gateway I cannot see one packet going through. So they must be dropped somewhere but I have no idea where. I set enable_gateway="YES" on all the servers involved via their /etc/rc.conf
 
Not sure in your particular case, but if you added a static route at one end of the link, make sure there is an appropriate reverse direction route on the other end of the link as well.

So many times I have been bitten by this when using static routes - it is easy to forget and you won't necessarily see it if you're sitting on one end of the link looking at the routing table wondering why it looks correct and doesn't work.

Also: I'm not familiar with OpenVPN, but if it is anything like IPSEC tunnels (which I use regularly) then if the network doesn't match the list of traffic OpenVPN is configured to encrypt, it may not go through the tunnel, and will be dropped.

Check whether your OpenVPN will route this traffic, or drop it because it doesn't match the definition of what traffic it is configured to encrypt.

e.g., if IPsec is configured to encrypt between say, 1.1.1.0/24 and 2.2.2.0/24, then if you add a third network behind 1.1.1.0/24 of say 3.3.3.0/24, traffic from 2.2.2.0/24 to 3.3.3.0/24 will be dropped by the tunnel, unless you update the crypto map on both ends of the link to include the 3.3.3.0/24 network. OpenVPN may be doing the same thing.
 
SOLVED: missing routes in OVPN configuration

Thanks for your tips. The problem was (again) 30cm in front of the display :-)

I had to add a route statement on the OpenVPN-client side. I'm using ccd files for the network config of the OpenVPN-clients and in the file of the remote gateway (10.66.77.254) I had to add
Code:
iroute 192.168.201.0 255.255.255.0
and in the server conf (/usr/local/etc/openvpn/openvpn.conf) I had to add
Code:
route 192.168.201.0 255.255.255.0
After a $ /usr/local/etc/rc.d/openvpn restart everything worked like a charm :-)

Thanks again for tips and hints

tobi
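
As an added example (not from the thread or from the OpenVPN project), this Python check verifies that server `route` lines and ccd `iroute` lines come in pairs, which is the fix described in the post above. The client name `remote-gw`, the `ccd` directory name and the sample config text are constructed assumptions; only the 192.168.201.0 network comes from the thread.

```python
import ipaddress

# Constructed sample input mirroring the fixed setup from the thread.
SERVER_CONF = """\
dev tun
client-config-dir ccd
route 192.168.201.0 255.255.255.0
"""
CCD = {"remote-gw": "iroute 192.168.201.0 255.255.255.0\n"}  # hypothetical client name

def parse_nets(text, keyword):
    """Return the set of networks named by `keyword NET [MASK]` lines."""
    nets = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == keyword:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.add(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets

def check_routes(server_conf, ccd_files):
    """Compare server `route` lines with per-client `iroute` lines.

    ccd_files maps a client common name to the text of its ccd file.
    Returns a list of findings; an empty list means the two sides agree.
    """
    findings = []
    directives = {l.split()[0] for l in server_conf.splitlines() if l.split()}
    if ccd_files and "client-config-dir" not in directives:
        findings.append("server conf has no client-config-dir; ccd files are ignored")
    routes = parse_nets(server_conf, "route")
    owners = {}
    for client, text in ccd_files.items():
        for net in parse_nets(text, "iroute"):
            owners.setdefault(net, []).append(client)
    # Kernel route into tun exists, but OpenVPN does not know which client owns it.
    for net in sorted(routes - set(owners)):
        findings.append(f"route {net} has no iroute: OpenVPN drops the traffic")
    # OpenVPN knows the owner, but the kernel never hands the packets to tun.
    for net in sorted(set(owners) - routes):
        findings.append(f"iroute {net} ({owners[net][0]}) has no server route")
    for net, clients in owners.items():
        if len(clients) > 1:
            findings.append(f"iroute {net} claimed by several clients: {sorted(clients)}")
    return findings

if __name__ == "__main__":
    print(check_routes(SERVER_CONF, CCD) or "route/iroute pairs are consistent")
```

The same `iroute` entry also bounds which source networks the server accepts from that client, so keeping it as narrow as the LAN actually behind the gateway limits what a compromised client can inject into the VPN.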
 