Oleg Tarakanov, 2014-06-04 11:38:07
Debian

OpenVPN: joining two networks?

Hello!
A well-worn question, but for a week now I have not been able to understand what I'm doing wrong.
There is a server (Debian 7):


[email protected]:/# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:a7:e7:ab
inet addr:63.XXX.XXX.135 Bcast:63.XXX.XXX.159 Mask:255.255.255.224
inet6 addr: fe80::20c:29ff:fea7:e7ab/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4463 errors:0 dropped:0 overruns:0 frame:0
TX packets:4245 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:491129 (479.6 KiB) TX bytes:764121 (746.2 KiB)
eth0:0 Link encap:Ethernet HWaddr 00:0c:29:a7:e7:ab
inet addr:63.XXX.XXX.136 Bcast:63.XXX.XXX.159 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:0c:29:a7:e7:b5
inet addr:10.11.4.1 Bcast:10.11.4.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea7:e7b5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:534 (534.0 B) TX bytes:10762 (10.5 KiB)

There is a client (Ubuntu 13.10):

[email protected]:~# service openvpn stop
* Stopping virtual private network daemon(s)... * Stopping VPN 'client' [ OK ]
[email protected]:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:8b:1e:d8
inet addr:10.11.1.153 Bcast:10.11.3.255 Mask:255.255.252.0
inet6 addr: fe80::250:56ff:fe8b:1ed8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12749 errors:0 dropped:0 overruns:0 frame:0
TX packets:4405 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1096581 (1.0 MB) TX bytes:572015 (572.0 KB)
[email protected]:~#

It is necessary to organize access in both directions for networks 10.11.4.0/24 and 10.11.0.0/22.
OpenVPN configs are as follows:
1. Server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.11.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.11.4.0 255.255.255.0"
client-config-dir ccd
route 10.11.0.0 255.255.252.0
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status status_server.log
verb 3

2. /ccd/Corp:

iroute 10.11.0.0 255.255.252.0

3. Client config:

client
dev tun
proto udp
remote 63.XXX.XXX.135 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert Corp.crt
key Corp.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
log-append openvpn_client.log
status status_client.log

After enabling OpenVPN, we have the following tables:
1. Server:

[email protected]:/# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         63.XXX.XXX.129  0.0.0.0         UG    0      0        0 eth0
10.11.0.0       10.11.100.2     255.255.252.0   UG    0      0        0 tun0
10.11.4.0       *               255.255.255.0   U     0      0        0 eth1
10.11.100.0     10.11.100.2     255.255.255.0   UG    0      0        0 tun0
10.11.100.2     *               255.255.255.255 UH    0      0        0 tun0
63.XXX.XXX.128  *               255.255.255.224 U     0      0        0 eth0

2. Client:

[email protected]:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         irn-usvc-01.cor 0.0.0.0         UG    0      0        0 eth0
10.11.0.0       *               255.255.252.0   U     0      0        0 eth0
10.11.4.0       10.11.100.5     255.255.255.0   UG    0      0        0 tun0

Trace:
1. Server:

[email protected]:/# traceroute 10.11.1.153
traceroute to 10.11.1.153 (10.11.1.153), 30 hops max, 60 byte packets
1 10.11.1.153 (10.11.1.153) 1.901 ms 2.381 ms 2.376 ms


[email protected]:/# traceroute 10.11.1.1
traceroute to 10.11.1.1 (10.11.1.1), 30 hops max, 60 byte packets
1 10.11.100.6 (10.11.100.6) 2.006 ms 2.449 ms 2.449 ms
2 * * *
3 * * *
4 * * *
5 * * *
...
29 * * *
30 * * *

2. Client:

[email protected]:~# traceroute -n 10.11.1.1
traceroute to 10.11.1.1 (10.11.1.1), 30 hops max, 60 byte packets
1 10.11.1.1 0.262 ms 0.251 ms 0.239 ms


traceroute to 10.11.4.1 (10.11.4.1), 30 hops max, 60 byte packets
1 10.11.4.1 1.570 ms 1.961 ms 1.978 ms

Iptables:
Server:

[email protected]:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[email protected]:/#

Client:

[email protected]:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[email protected]:~#

---
I set net.ipv4.ip_forward=1 and ran sysctl -p on both machines.
What I'm doing wrong, I can't figure out. :-(
Please help.
---
Advice:
on the server
iptables -A FORWARD -i tun0 -s 10.11.1.0/22 -d 10.11.4.0/24 -j ACCEPT
on the client
iptables -A FORWARD -i tun0 -s 10.11.4.0/24 -d 10.11.1.0/22 -j ACCEPT
something like this

Unfortunately, it did not help ...
---
Interface configs after bringing up OpenVPN:
on the server
[email protected]:/# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:a7:e7:ab
inet addr:63.XXX.XXX.135 Bcast:63.XXX.XXX.159 Mask:255.255.255.224
inet6 addr: fe80::20c:29ff:fea7:e7ab/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:114009 errors:0 dropped:0 overruns:0 frame:0
TX packets:176770 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17090491 (16.2 MiB) TX bytes:30009996 (28.6 MiB)
eth0:0 Link encap:Ethernet HWaddr 00:0c:29:a7:e7:ab
inet addr:63.XXX.XXX.136 Bcast:63.XXX.XXX.159 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:0c:29:a7:e7:b5
inet addr:10.11.4.1 Bcast:10.11.4.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea7:e7b5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:133 errors:0 dropped:0 overruns:0 frame:0
TX packets:1112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12274 (11.9 KiB) TX bytes:87976 (85.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4548 errors:0 dropped:0 overruns:0 frame:0
TX packets:4548 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes: 465807 (454.8 KiB) TX bytes:465807 (454.8 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.11.100.1 PtP:10.11.100.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:93 errors:0 dropped:0 overruns:0 frame:0
TX packets:55850 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:5652 (5.5 KiB) TX bytes:4691412 (4.4 MiB)
[email protected]:/#

on the client

[email protected]:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:8b:1e:d8
inet addr:10.11.1.153 Bcast:10.11.3.255 Mask:255.255.252.0
inet6 addr: fe80::250:56ff:fe8b:1ed8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:420600 errors:0 dropped:0 overruns:0 frame:0
TX packets:95041 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:42045225 (42.0 MB) TX bytes:9428701 (9.4 MB)
lo Link encap:Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes: 1344 (1.3 KB) TX bytes:1344 (1.3 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.11.100.6 PtP:10.11.100.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:55437 errors:0 dropped:0 overruns:0 frame:0
TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4656720 (4.6 MB) TX bytes:5652 (5.6 KB)
[email protected]:~#
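Before touching NAT, one check worth running on any tun-mode site-to-site setup like the one above, as an added example that is not part of the original post: every LAN reachable through a client needs both a `route` line in server.conf (so the kernel sends packets into tun0) and an `iroute` line in that client's ccd file (so OpenVPN knows which client owns the LAN), and the two must agree on network and mask. The script below writes its own copies of the poster's server.conf and ccd/Corp to a temporary directory (the file contents, the second "broken" variant and the function names are constructed for the example), reports any mismatch, and needs no root. In the poster's configuration the pair is consistent, which is why the example also carries a deliberately broken variant.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check for an
# OpenVPN site-to-site setup in tun mode. Each LAN behind a client needs
# BOTH a kernel route ("route NET MASK" in server.conf, so the server
# sends the packets into tun0) and an OpenVPN-internal route ("iroute
# NET MASK" in that client's ccd file, so OpenVPN knows which client owns
# the LAN). A missing or mismatched half silently drops the traffic.
# Works on files written to a temporary directory only; no root needed.
set -u

# extract_nets DIRECTIVE FILE... : print "network netmask" for every line
# beginning with DIRECTIVE, comments stripped, duplicates removed.
extract_nets() {
    directive=$1; shift
    awk -v d="$directive" '
        { sub(/#.*/, "") }                    # drop trailing comments
        $1 == d && NF >= 3 { print $2, $3 }   # network netmask
    ' "$@" 2>/dev/null | sort -u
}

# check_iroutes SERVER_CONF CCD_DIR : report every "route" lacking an
# "iroute" and vice versa; return 0 when the sets match, 1 otherwise.
check_iroutes() {
    conf=$1; ccd=$2; status=0
    routes=$(extract_nets route "$conf")
    iroutes=$(extract_nets iroute "$ccd"/*)

    while read -r net mask; do
        [ -n "$net" ] || continue
        printf '%s\n' "$iroutes" | grep -Fxq "$net $mask" ||
            { echo "route $net $mask in $conf has no iroute in $ccd/"; status=1; }
    done <<EOF
$routes
EOF

    while read -r net mask; do
        [ -n "$net" ] || continue
        printf '%s\n' "$routes" | grep -Fxq "$net $mask" ||
            { echo "iroute $net $mask in $ccd/ has no route in $conf (kernel never sends it to tun0)"; status=1; }
    done <<EOF
$iroutes
EOF
    return "$status"
}

# make_fixture DIR ok|broken : constructed copies of the poster's
# server.conf and ccd/Corp; "broken" uses the classic /24-vs-/22 mismatch.
make_fixture() {
    mkdir -p "$1/ccd"
    cat >"$1/server.conf" <<'EOF'
server 10.11.100.0 255.255.255.0
push "route 10.11.4.0 255.255.255.0"
client-config-dir ccd
route 10.11.0.0 255.255.252.0   # remote office LAN behind the Corp client
EOF
    if [ "$2" = ok ]; then
        echo 'iroute 10.11.0.0 255.255.252.0' >"$1/ccd/Corp"
    else
        echo 'iroute 10.11.0.0 255.255.255.0' >"$1/ccd/Corp"
    fi
}

# run_demo ok|broken : build a fixture, check it, return the check's status.
run_demo() {
    d=$(mktemp -d)
    make_fixture "$d" "$1"
    check_iroutes "$d/server.conf" "$d/ccd" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Stand-alone run: RUN_DEMO=1 sh iroute-check.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    run_demo ok && echo "ok fixture: consistent"
    run_demo broken || echo "broken fixture: inconsistent (as expected)"
fi
```

On a real server point `check_iroutes` at /etc/openvpn/server.conf and /etc/openvpn/ccd; a `route` without its `iroute` shows up in the OpenVPN log as packets for that subnet being dropped, while an `iroute` without its `route` never produces a log line at all, because the kernel sends the packets out eth0 to the default gateway instead of into tun0.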

2 answers
Oleg Tarakanov, 2014-06-05
@druoleg

At least tell me: are the settings correct? Should I reboot the machines?
---
The "problem" was solved by enabling masquerading on internal interfaces.
Thanks everyone for the help!
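The fix reported above, masquerading on the internal interfaces, as an added example that is not part of the original post. The interface names and subnets are the ones from the question; `IPTABLES`, `DRY_RUN` and the function names are this script's own assumptions. The traceroute output in the question shows why it works: from the server, 10.11.1.1 is reached as far as the client's tunnel address 10.11.100.6 and then nothing, the signature of an asymmetric path. The client forwards the packet into 10.11.0.0/22, but the answering host sends its reply to its own default gateway, which has no route back to 10.11.100.0/24 or 10.11.4.0/24. Rewriting the source to the forwarding host's LAN address makes the reply come back to that host without any route on the gateway.

```shell
#!/bin/sh
# Added example, not from the original post: the fix the asker reports
# (masquerading on the internal interfaces), written as an idempotent
# script with the rules limited to the two office LANs. Interface names
# and subnets are the ones from the question; IPTABLES, DRY_RUN and the
# function names are assumptions of this script.
set -u
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}          # DRY_RUN=1 prints commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# add_once TABLE CHAIN RULE... : append RULE only if it is not already present
# (iptables -C returns 0 when an identical rule exists).
add_once() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ] || ! "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run "$IPTABLES" -t "$table" -A "$chain" "$@"
    fi
}

# masquerade_site LOCAL_LAN LAN_IF REMOTE_LAN
# Allow forwarding between the tunnel and LAN_IF for exactly these two
# LANs, and rewrite the source of packets leaving LAN_IF for LOCAL_LAN
# to LAN_IF's own address, so hosts on LOCAL_LAN reply to this box
# instead of to a default gateway that has no route to REMOTE_LAN.
masquerade_site() {
    local_lan=$1; lan_if=$2; remote_lan=$3
    run sysctl -w net.ipv4.ip_forward=1
    add_once filter FORWARD -i tun0 -o "$lan_if" -s "$remote_lan" -d "$local_lan" -j ACCEPT
    add_once filter FORWARD -i "$lan_if" -o tun0 -s "$local_lan" -d "$remote_lan" -j ACCEPT
    add_once nat POSTROUTING -o "$lan_if" -s "$remote_lan" -d "$local_lan" -j MASQUERADE
}

# Debian server: LAN 10.11.4.0/24 on eth1, remote office 10.11.0.0/22
server_rules() { masquerade_site 10.11.4.0/24 eth1 10.11.0.0/22; }
# Ubuntu client: LAN 10.11.0.0/22 on eth0, central office 10.11.4.0/24
client_rules() { masquerade_site 10.11.0.0/22 eth0 10.11.4.0/24; }

case "${1:-}" in
    server) server_rules ;;
    client) client_rules ;;
    *)      echo "usage: $0 server|client   (DRY_RUN=1 to print only)" >&2 ;;
esac
```

Run it as `sh fix-nat.sh server` on the Debian box and `sh fix-nat.sh client` on the Ubuntu box; `DRY_RUN=1` prints the commands instead of applying them. Three caveats a practitioner should keep in mind. Masquerading hides the real source address, so hosts on the far LAN see only the VPN box's LAN address in their logs and per-host firewall rules; the alternative that keeps end-to-end addresses is a static route for the remote LAN and for 10.11.100.0/24 on each office's default gateway pointing at the VPN host, after which the POSTROUTING rule can be dropped. The FORWARD rules are no-ops while both boxes keep the FORWARD policy at ACCEPT, as in the question; they become the only thing allowing the traffic once that policy is set to DROP, which is why they are written narrowly by interface and subnet rather than as a blanket `-i tun0 -j ACCEPT`. And neither the rules nor `sysctl -w` survive a reboot; persist them with iptables-save and /etc/sysctl.conf.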

Heizenberg, 2014-06-05
@Heizenberg

The settings for the client in the ccd/Corp file are incorrect.
You need to assign an IP for the tun interface
and push routing through the tun interface:
# assign an IP address
ifconfig-push 10.11.100.6 255.255.255.0
# route to the central office network
push "route 10.11.4.0 255.255.255.0 10.11.100.1"
It seems so, but I may be mistaken.
In the server config:
client-config-dir ccd
push "route 10.11.100.0 255.255.255.0 10.11.100.1"
keepalive 10 120
client-to-client
