Openvpn clients can not connect to advertised networks

[azop]

I'm using Openvpn on Hardy beta.  I have the following setup in ebox's configuration:

VPN network address: 10.10.2.0
VPN network subnet: 10.10.0.0
Protocol: TCP
Client authorization by common name: no
Allow client-to-client connections:   Unchecked
Allow eBox-to-eBox tunnels:    Unchecked
eBox-to-eBox tunnel password:    set (but I don't think this is a issue)
Listen on: eth0

I have the following "Advertised Networks":

10.10.5.0      255.255.255.0      
10.10.10.0    255.255.255.0    

I can connect to openvpn and authenticate:

Sat Apr 12 17:24:33 2008 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{B8CD89A3-8922-4161-9DB3-9A14923CF7FE}.tap
Sat Apr 12 17:24:33 2008 TAP-Win32 Driver Version 8.1
Sat Apr 12 17:24:33 2008 TAP-Win32 MTU=1500
Sat Apr 12 17:24:33 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.2.2/255.255.255.0 on interface {B8CD89A3-8922-4161-9DB3-9A14923CF7FE} [DHCP-serv: 10.10.2.0, lease-time: 31536000]
Sat Apr 12 17:24:33 2008 Successful ARP Flush on interface [327686] {B8CD89A3-8922-4161-9DB3-9A14923CF7FE}
Sat Apr 12 17:24:33 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:33 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:34 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:34 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:36 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:36 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:37 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:37 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:38 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Apr 12 17:24:38 2008 route ADD 10.10.5.0 MASK 255.255.255.0 10.10.2.1
Sat Apr 12 17:24:38 2008 Route addition via IPAPI succeeded
Sat Apr 12 17:24:38 2008 route ADD 10.10.10.0 MASK 255.255.255.0 10.10.2.1
Sat Apr 12 17:24:38 2008 Route addition via IPAPI succeeded
Sat Apr 12 17:24:38 2008 Initialization Sequence Completed

However I can not ping or access any host in 10.10.5.0/24 or 10.10.10.0/24 (specifically 10.10.10.250)

I _can_ ping 10.10.10.251 (eth1 internal IP).  I thought it was a firewall issue...but I don't see anything in the ebox configuration that would be dening this...everything is set to allow all.

Any ideas would be great..

[javi]

Your VPN network subnet (netmask) is wrong, it shoud be 255.255.255.0

If you still have issues we'd need more info, tell us your network configuration, external and internal interfaces, gateways...

[azop]

It was setup correctly...I just miss typed it.  But here's the current configuration:

VPN network address: 10.10.2.0
VPN network subnet: 255.255.255.0
Protocol: TCP
Client authorization by common name: no
Allow client-to-client connections:   Unchecked
Allow eBox-to-eBox tunnels:    Unchecked
eBox-to-eBox tunnel password:   
Listen on: eth0

I have the following "Advertised Networks":

10.10.5.0      255.255.255.0     
10.10.10.0    255.255.255.0   

-----------

eth0 is a public ip address set to 'external' in the network configuration with a 255.255.255.252

eth1      Link encap:Ethernet  HWaddr 00:1e:c9:3b:00:0b
          inet addr:10.10.10.251  Bcast:10.10.10.255  Mask:255.255.255.0

tap0      Link encap:Ethernet  HWaddr 00:ff:cd:f6:e5:ad
          inet addr:10.10.2.1  Bcast:10.10.2.255  Mask:255.255.255.0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
71.86.31.152    0.0.0.0         255.255.255.252 U     0      0        0 eth0
10.10.2.0       0.0.0.0         255.255.255.0   U     0      0        0 tap0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0

running tcpdump -n -i tap0 I see:

09:38:56.951966 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 11, length 40
09:38:58.950841 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 267, length 40
09:39:02.451496 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 523, length 40
09:39:04.452512 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 779, length 40

on eth1 I see:

09:40:54.122521 IP 10.10.10.250 > 10.10.10.251: ICMP echo request, id 55329, seq 49232, length 64
09:40:54.122541 IP 10.10.10.251 > 10.10.10.250: ICMP echo reply, id 55329, seq 49232, length 64
09:40:55.122551 IP 10.10.10.250 > 10.10.10.251: ICMP echo request, id 55329, seq 49233, length 64
09:40:55.122569 IP 10.10.10.251 > 10.10.10.250: ICMP echo reply, id 55329, seq 49233, length 64


I think it's a route issue now...but I'm not sure the correct route command to throw at it. 

Thanks

Your VPN network subnet (netmask) is wrong, it shoud be 255.255.255.0

If you still have issues we'd need more info, tell us your network configuration, external and internal interfaces, gateways...

[javi]

Does the internal machine (the one you are pinging from the vpn) have set eBox as its gateway?

If not, you can try this to see if works:

sudo iptables -t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE

[azop]

Great...that worked.  I did change one of the servers to the correct gateway and went ahead and added the iptables rule so I could access another server.

Is there a way I can add that rule into the firewall template so when ebox's firewall restarts I won't have to manually redo the rule?

Also...I don't believe I'm seeing SMB broadcasts...and I can't access \\domainname..however I can if I do \\ipaddress.

Any suggestions or should I just add that domain to the client's hosts file?

Does the internal machine (the one you are pinging from the vpn) have set eBox as its gateway?

If not, you can try this to see if works:

sudo iptables -t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE

[javi]

You can edit the file /usr/share/perl5/EBox/Iptables.pm

Add the line pf '-t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE';
within sub start() function after the call to setStructure, it should look like this:

Code: [Select]

sub start
{
        my $self = shift;

        $self->_loadIptModules();

        $self->setStructure();

        pf '-t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE';

        my @dns = @{$self->{net}->nameservers()};
        foreach (@dns) {
                $self->setDNS($_);
        }

Save the file and run the following command to check there isn't any syntax error:

Code: [Select]

perl -c /usr/share/perl5/EBox/Iptables.pm
If everything looks ok, restart the firewall by executing:

Code: [Select]

/etc/init.d/ebox firewall restart

Regarding the SMB thing, you are saying that you are actually seeing SMB broadcast packets and stuff on your VPN client interface, right?

[azop]

I can connect to a samba share with the ip address so everything _should_ working.

Thanks

You can edit the file /usr/share/perl5/EBox/Iptables.pm

Add the line pf '-t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE';
within sub start() function after the call to setStructure, it should look like this:

Code: [Select]

sub start
{
        my $self = shift;

        $self->_loadIptModules();

        $self->setStructure();

        pf '-t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE';

        my @dns = @{$self->{net}->nameservers()};
        foreach (@dns) {
                $self->setDNS($_);
        }

Save the file and run the following command to check there isn't any syntax error:

Code: [Select]

perl -c /usr/share/perl5/EBox/Iptables.pm
If everything looks ok, restart the firewall by executing:

Code: [Select]

/etc/init.d/ebox firewall restart

Regarding the SMB thing, you are saying that you are actually seeing SMB broadcast packets and stuff on your VPN client interface, right?

[javi]

by the way, is your samba server running in eBox or on another machine within your LAN?

[azop]

Currently running with ebox...however I may remove the module and edit the configuration file myself I'm not sure yet

by the way, is your samba server running in eBox or on another machine within your LAN?

[Saturn2888]

Doesn't setting up static routes in eBox modify these IP table rules or should I just go ahead and do sudo iptables -t nat -I POSTROUTING -s IP_ADDRESS/SUB -o eth0 -j MASQUERADE? If I get an update to the firewall module, doesn't that mean it'll overwrite this change in Iptables.pm?

azop said he could doing \\10.10.2.6 for instance and s/he could access Samba shares, but doing \\hostname would not work. I'm experimenting with different settings to get this to work, but do you have any suggestions?

[sulazhy]

Javi, I need help in my OpenVPN. My OpenVPN connection is working, but I can ping or connect to clients in my internal network. I added the iptables line u posted in your above reply, but still doesnt work.
When I ping, it tells me.... Destination host unreachable.
Any help will be appreciated.
Thanks

[Saturn2888]

sulazhy, what's your issue? A lot of us on the forums seemed to have solved our OpenVPN issues by editing the script file eBox loads to create the OpenVPN.conf file. While the changes don't stay if you upgrade OpenVPN or to a new eBox version that has a new OpenVPN, but you can copy and paste it back in regardless.

[Javier Amor Garcia]

shulazy, I think that you mean you can _not_ ping or connect to clients in oyur internal network.

Do you have your internal network advertides?. If not or do you not know you can see in the server list, 'Advertised networks' cell

[sulazhy]

Hi Javi and Saturn,

thanks for the concern. Here is my situation..

OpenVPN Network = 10.0.2.0/24
OpenVPN Client = 10.0.2.2
eBox (Gateway) = 195.148.173.50 (Ext Interface) AND 10.0.1.0 (Internal Interface with DHCP)
Tap0 = 10.0.2.1/24

The situation now is:

OpenVPN Client: Can ping Tap0 and eBox External Interface, but can not ping any client in the internal network with eBox as gateway.

eBox (Gateway): Can ping OpenVPN Client and Tap0.

Internal Network Computers: Can not ping OpenVPN Client.

I ran  sudo iptables -t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE on command line, but still doesnt solve my problem.
But I will like to know if am to include the line in some configuration file.

Your help will be appraciated.

[Javier Amor Garcia]

The internalnetwork is advertised? Which netmask  it uses?
What is the routing table of your client?