openVPN + routing problems

Lou Kamenov lou.kamenov at aeye.net
Fri Dec 13 11:28:49 GMT 2002


In some email I received from "William Cooper"
<williamcooper at data-storm.net> on Fri, 13 Dec 2002 11:10:30 -0000 :



> Morning folks, hope we are all well and such.
> 
> Right, this morning a friend of mine and I decided to set up a VPN
> between our networks over the internet. We went for OpenVPN, and after
> scratching our heads for a while and shouting we got a link working
> between our networks.
> 
> Anyway, here's a pretty diagram to show our setup:
> 
> ME                                      friend
> 
> gateway       -------internet--------   gateway
> 192.168.0.4                             10.0.0.254
>    |                                       |
>    |                                       |
>  [switch]                               [switch]
>    | \                                     | \
>    |  \VPN client                          |  \VPN server
>    |   192.168.0.10                        |   10.0.0.99
>    |                                       |
> clients                                 clients
> 192.168.0.*                             10.0.0.*
> 
> Right, so when I'm on the VPN client (FreeBSD 4.6-STABLE), I can ping
> 10.0.0.99, get into its services, etc.
> 
> And on the VPN server (FreeBSD 4.7-RELEASE), my friend can ping
> 192.168.0.10 and get into its services.
> 
> Our problem is we want clients on both networks to be able to contact
> each other, so that 192.168.0.1 can ping/contact 10.0.0.1 with no problem.
> 
> 
> What we have done so far is this: the gateway on my side routes
> traffic to other networks (the internet), and we wanted the gateway to
> send traffic for 10.0.0.* to the VPN client, so we added these two
> lines to rc.conf on the GATEWAY:
> 
> static_routes="friend"
> route_friend="10.0.0.0/24 192.168.0.10"
> 
> (Please note we aren't networking geniuses)
> 
> So in theory traffic for 10.0.0.* goes to 192.168.0.10. Next I added
> this line to rc.conf on the VPN client:

Try NATting and then adding the gw? Also, consider using IPSec;
it's much more secure.
This paper might give you some hints why it doesn't work:
http://rr.sans.org/firewall/IPSec_VPN.php

And yes, read it - I'm sure you won't be disappointed.
 
> gateway_enable="YES"
> 
> Thinking it would route the traffic down the VPN and reach its
> destination. Well, no, that didn't happen: when trying to ping 10.0.0.99
> from 192.168.0.1 (Windows 2000 Professional) I get:
> 
> Pinging 10.0.0.99 with 32 bytes of data:
> 
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.

No wonder the router doesn't know what to do with the packet.
 
> Please point me into the right direction.


HTH,

cheers,
-lou


----

Lou Kamenov	lou at freebsd-bg.org		lou.k at hq.aeye.net
FreeBSD BGUG	http://www.freebsd-bg.org	http://www.aeye.net
Key Fingerprint - 936F F64A AD50 2D27 07E7  6629 F493 95AE A297 084A
One advantage of talking to yourself is that you know at least
somebody's listening. - Franklin P. Jones 
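An added example, not part of the message above: a small Python model of the two sites in the diagram that walks an echo request and its reply through each host's routing table, which is the check to make whenever a ping across a VPN times out. The LAN and gateway addresses are the ones from the diagram; the tunnel endpoints 10.8.0.1 and 10.8.0.2, the per-host routing tables and the "fixed" configuration are assumptions made for illustration, not the posters' actual setup. In the "as posted" tables the two VPN boxes hold only host routes to each other, so the reply from 10.0.0.99 to 192.168.0.1 falls through to the friend's default route and is lost, and a ping to any other 10.0.0.x address bounces between the gateway's static route and the VPN client's default route until the TTL runs out. Giving each VPN host a route for the remote /24 into the tunnel, forwarding on both, and a return route for 192.168.0.0/24 via 10.0.0.99 on the friend's gateway makes both directions pass.

```python
# Added example (not from the message above): walk a packet through the
# routing tables of the two sites in the diagram.  LAN and gateway
# addresses are from the diagram; tunnel endpoints 10.8.0.1/10.8.0.2 and
# all routing tables are assumptions chosen to illustrate the checks.
import ipaddress as ipa

INTERNET = "internet"  # sink: RFC 1918 destinations sent here are lost
ON_LINK = "on-link"    # deliver directly to a host on a connected network


class Host:
    def __init__(self, name, addrs, routes, forwards=False):
        self.name = name
        self.addrs = [ipa.ip_interface(a) for a in addrs]
        # Connected networks first, then explicit routes; a next hop is a
        # host name, INTERNET or ON_LINK.
        self.routes = [(a.network, ON_LINK) for a in self.addrs]
        self.routes += [(ipa.ip_network(p), nh) for p, nh in routes]
        self.forwards = forwards  # gateway_enable="YES" in rc.conf

    def owns(self, ip):
        return any(ip == a.ip for a in self.addrs)

    def next_hop(self, dst):
        """Longest-prefix match; None when nothing in the table matches."""
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(hosts, src_name, dst, ttl=16):
    """Follow one packet hop by hop.  Returns (status, [hosts visited])."""
    dst = ipa.ip_address(dst)
    cur, path = hosts[src_name], [src_name]
    for _ in range(ttl):
        if cur.owns(dst):
            return "delivered", path
        if cur.name != src_name and not cur.forwards:
            return "dropped: forwarding disabled on " + cur.name, path
        nh = cur.next_hop(dst)
        if nh is None:
            return "dropped: no route on " + cur.name, path
        if nh == INTERNET:
            return "dropped: private address sent to the internet by " + cur.name, path
        if nh == ON_LINK:
            nh = next((h.name for h in hosts.values() if h.owns(dst)), None)
            if nh is None:
                return "dropped: no such host on link from " + cur.name, path
        cur = hosts[nh]
        path.append(nh)
    return "dropped: TTL exceeded, routing loop", path


def ping(hosts, src_name, dst):
    """A ping succeeds only if the echo request *and* the reply are routed."""
    st, fwd = trace(hosts, src_name, dst)
    if st != "delivered":
        return False, st, fwd
    st, rev = trace(hosts, fwd[-1], str(hosts[src_name].addrs[0].ip))
    return st == "delivered", st, fwd + rev[1:]


def build(vpn_a, vpn_b, gw_b, vpn_b_forwards):
    """The two LANs of the diagram; extra routes are supplied per scenario."""
    hs = [
        Host("pc_a", ["192.168.0.1/24"], [("0.0.0.0/0", "gw_a")]),
        Host("gw_a", ["192.168.0.4/24"],                 # static_routes="friend"
             [("10.0.0.0/24", "vpn_a"), ("0.0.0.0/0", INTERNET)], True),
        Host("vpn_a", ["192.168.0.10/24", "10.8.0.1/30"],
             vpn_a + [("0.0.0.0/0", "gw_a")], True),    # gateway_enable="YES"
        Host("vpn_b", ["10.0.0.99/24", "10.8.0.2/30"],
             vpn_b + [("0.0.0.0/0", "gw_b")], vpn_b_forwards),
        Host("gw_b", ["10.0.0.254/24"], gw_b + [("0.0.0.0/0", INTERNET)], True),
        Host("pc_b", ["10.0.0.1/24"], [("0.0.0.0/0", "gw_b")]),
    ]
    return {h.name: h for h in hs}


# As posted: the two VPN boxes only know how to reach each other.
AS_POSTED = build(vpn_a=[("10.0.0.99/32", "vpn_b")],
                  vpn_b=[("192.168.0.10/32", "vpn_a")],
                  gw_b=[], vpn_b_forwards=False)

# Fixed: each VPN box routes the remote /24 into the tunnel and forwards,
# and the remote gateway has a return route for the other LAN.
FIXED = build(vpn_a=[("10.0.0.0/24", "vpn_b")],
              vpn_b=[("192.168.0.0/24", "vpn_a")],
              gw_b=[("192.168.0.0/24", "vpn_b")], vpn_b_forwards=True)

if __name__ == "__main__":
    for label, net in (("as posted", AS_POSTED), ("fixed", FIXED)):
        for dst in ("10.0.0.99", "10.0.0.1"):
            print(label, "ping", dst, "->", ping(net, "pc_a", dst))
```

Running it prints the outcome of each scenario for a ping from 192.168.0.1 to the VPN server and to an ordinary client. On FreeBSD the return route on the friend's gateway is the same kind of static_routes/route_ entry as the one already on the 192.168.0.4 gateway, and the routes for the remote /24 are added on each VPN host once the tun interface is up (for example from OpenVPN's --up script). NATting the LAN behind the VPN host's own address, as suggested in the reply, avoids the need for that return route on the remote gateway, because replies are then addressed to the VPN host itself.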




More information about the Ukfreebsd mailing list