Topic: OpenVPN Server-Bridge

[elysium]

Hello!

I have a big problem ... still existing after reading hours over hours in this and other forums.

I installed the OpenVPN contrib and it is working fine when it comes to connection.
...but the problem is, when I´m connected I can only ping the server I´m connected to.
All the other clients connected on the server-side cannot be reached.

My connection looks like this (nothing unusual)

vpn-client ---> WAN ---> vpn-server ---> lan

|-----------------------------------||------|
            working                                   X

192.168.1.0---> XXX.XXX.XXX.XXX ---> 192.168.2.0 / 10.5.108.0 ---> 10.5.108.0


Hope somebody can help me ...

Cheers!

[Daniel B.]

Hi.
I don't understand your schem

what's your SME internal IP and network? Does it work in server only or server and gateway?

It should just work as it's bridge mode (which means your client gets an ip of the internal network, and all the âckets, even arp ones will be sent over the tunnel)

[elysium]

The internal is 10.5.108.230
DHCP works! My VPN-Client get an IP-Address!

In the network environement I can also see the workgroups.
SMB works too - but only for the SME-Server

It looks as if the network "behind" the SME is not existing.
If I connect via SSH I can ping all the clients but not via VPN.

SME is working in server and gateway mode.

So everythings working fine but the network (the clients and workstations) are not reachable!

         home-pc                          internet                               SME                       Clients
192.168.1.0/10.5.108.71---> XXX.XXX.XXX.XXX ---> 192.168.2.0 / 10.5.108.0 ---> 10.5.108.0
    eth              tab1                    wan                       ext.net        int.net              int.net

is this scheme better???

so a ping leaves my pc over the tunnel - passes ext.net of SME and enters int.net. / everything afterwards seems cuttet!

[elysium]

no idea???

[Franco]

You're trying to set up two distinctives networks, connected by VPN using the same IP range? That's why it does not work.
You need to use different ranges.

[elysium]

don´t think so ... my normal home net is the 192.168.1.0.
tab1 gets it ip via dhcp to get a connection to the internal lan at work (I think this is the right behaviour)

Did I get it right???

As I said I can ping the internal LAN but only the SME

[brick]

Did I get it right???

elysium,
Listen to what stuntshell is trying to tell you!
Your setup won't work, your network will look for the internal hosts and not the VPN.

Good luck.

[elysium]

...hmmm... I think I´m not getting it ... do you have a little example?
The home net can be changed to a range that fits ... but what fits?

By now I´m totally lost and scatterbrained ...

Just a little hint please!!!

[Franco]

what do you mean by tab1? Is this the IP that the VPN server is giving you?
192.XXX and 10.XXX are both private ranges. Are your networks 192.168.1.X and 192.168.2.X or 10.5.108.X?

[elysium]

homenet = 192.168.1.0
tap1 =  virtual vpn adapter with dhcp enabled - gets IP from OpenVPN-Server
eth1 net of SME (ext.LAN) = 192.168.2.0
eth0 net of SME (int.LAN) = 10.5.108.0

The SME has two nic´s - one for the so-called external LAN one for the internal.

The internet connection is established through a router on both sides (home & work)

What I need is a connection to the internal LAN of the SME.
It works - my virtual adapter get an IP - but I cannot reach the rest of the internal network.

The connection simply gets routed through the external nic and connects to the internal.

[elysium]

Correction:

I always wrote tab but meant tap

Sorry

[Franco]

OK, if I understand you correct, then all you have to do is configure the VPN correctly: Make sure the advanced configuration has the 'Redirect Gateway' enabled and 'Client to Client' enabled. After that you should be able to pass traffic and see everyone else on the other side.

[elysium]

...just tried it ... guess! It doesn´t work!
Still the same behaviour as before. 

[Daniel B.]

Hi.
Sorry for not responding before, but your problem is currious, I don't have a clear idea where it comes from. Have you checked the firewall on your client? It can blocks the connexion sometimes, try to disable it for thre tap interface

[elysium]

...already did that! Firewalls are BAAAADDDDD...
but that didn´t solver the prob.

Meanwhile I found a point to start at: the routes

I think the clients were not able to answer because they didn´t know the way to the tunnel.
So I added a route to one of the clients pointing directly at the vpn-client and it worked.

Do I have to enter 10 routes to each client connected when there are 10 vpn-connections???
Or is it possible to add one route for an ip range?

I think the routes will solve the problem

[Daniel B.]

Well, quite strange, routing cannot solve the problem since it's bridging mode, which means, when you're connected to the VPN, you're (virtually) connected to your internal network, and you don't need any routes to contact others host on the same subnet, you just need to send an arp request to get it's mac address. I'm just currious, which route did you added? Your client is on the same subnet as the host in your internal network.

[elysium]

my client gets an ip for tap1 so it is in the same subnet.
The route I addes was like
route add 10.5.109.70 mask 255.255.255.255 gw 10.5.108.230

...but this seems to be the only way to get it to work ...
Or do you have a better idea?

[Daniel B.]

Well, it depends on your netmask. Usually, with the class 10.x.x.x (A class) we use the natural mask 255.0.0.0 (/8), so 10.5.109.70 and 10.5.108.230 are on 2 differents network. In this case, the route isn't necessary. The same if you have a mask of 255.255.0.0 (/16), they are both on the same network, and the route still makes non sense. And if you use a netmask 255.255.255.0 (/24), you've a problem because your client is out of SME's internal network. Anyway, I don't really understand your situation and your network topology (on both side)

[elysium]

The netmask is 255.255.252.0 so I have the range 10.5.108.1-10.5.111.255

Tell me ehat u don´t understand???
SME has 2 nics - one connected to the internal network and one connected to a router which lies in a different network (192.168.2.0). So the SME has 10.5.108.0 on one side and 192.168.2.1 on the other.
Does this help u?