0

I tried this solution but it didn't work. Basically, I can connect to my remote network via OpenVPN, but only to one IP on the network. For server-based connections, I employed port forwarding via ssh. This worked and I gained access to some resources but I still cannot connect to some network shares to which I need access.

Any ideas/hints/work-arounds?

EDIT - Here are the configs:

client

dev tun
proto udp
remote remote.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key key.key
comp-lzo
verb 3

server

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0. 255.255.255.0
ifconfig-pool-persist
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-kiey
persist-tun
status openvpn-status.log
verb 3

I should note that this configuration has worked for many months. It still works (sort of) in that I can access through the VPN tunnel the server where the VPN is running. I just cannot access the other IPs on the network without work-arounds (this is the new behavior).

The only thing I can think of that has changed is that I reconfigured a Drobo on the same network with samba.

EDIT 2 - Here is some more info on the network setup for this situation:

Where I sit is a local network: 192.168.5.0/24

Where I work is another local network: 192.168.1.0/24

VPN network: 10.8.0.0/24

On the 192.168.1.0 network, there are a couple servers (one of which is the OpenVPN server) and a couple network shares to which I need access. Using ssh port forwarding I can connect to the WRT router (192.168.1.1 - which has a port forward for the VPN, through port 1194) and another CRM server I need: 192.168.1.20. The machine running VPN (192.168.1.10) is the only accessible IP when I use my existing VPN configuration (see above) that, previously, worked well (this means, I had access to all networks shares, all servers, all local shared machines on the 192.168.1.0 network).

One of the network shares sits on 192.168.1.15. The Drobo I discussed earlier sits on the CRM server (192.168.1.20). The Drobo used to be a DroboShare, with its own IP (192.168.1.16). This was recently changed. I can mount the network shares discussed here on to 192.168.1.10 (since I can access this machine vis ssh), so technically I have access to everything I need. The problem is, it's is cumbersome to do it this way, especially since I was used to a VPN working as it should.

Hopefully this edit makes things more clear.

Community
  • 1
nicorellius
  • 6,715
  • Do you administer the VPN? We'll need some more configuration specifics to solve this. Namely, is a routed VPN, what routes are pushed, and is the client-to-client directive included? At a minimum these are required to be able to talk between VPN clients. – imoatama Sep 16 '10 at 00:30
  • Yes. Configs to follow... – nicorellius Sep 16 '10 at 17:03
  • Are the machines you're trying to reach on the 10.8.0.0 VPN subnet? If so you'll need to include the client-to-client server directive.

    I they're not on the VPN subnet but are instead connected to the server via a physical LAN with eg subnet 192.168.10.0 you'll need to add a push "route 192.168.10.0" directive to the server config.

     – imoatama Sep 17 '10 at 01:51
  • When you say the configuration worked for several months, was that with or without tunnelling through the server? You seem to imply that not even tunnneling works for you now for some services. – imoatama Sep 17 '10 at 01:53
  • The EDIT 2 above should clear up the network(s) configuration. @ imoatama - I don't think I need a client-to-client directive. But perhaps a push "route". – nicorellius Sep 17 '10 at 16:30

2 Answers2

1

Depending on the VPN design, you'll probably need to include the following server config directives:

  • server
  • dev tun
  • push route <network>
  • client-to-client (this will depent on architecture - it's needed if everyone connects to the server via the VPN, rather than the server being on the same network as some machines with other gaining access to them via the VPN)

There are lots of places this could be going wrong eg

  • No route being pushed for the address(es) of the servers
  • Servers are only connected to VPN server via VPN as opposed to physical LAN, and client-to-client is not turned on
  • Obscure bugs in OpenVPN (hopefully not this one!)

Can you post (redacted) copies of your server and client config files? Otherwise can you give us a basic idea of the network architecture?

imoatama
  • 1,924
1

My guess is that the other machines on your network don't know how to route to the IP range that the OpenVPN clients are using (in your case, 10.8.0.0/24). If the box running the OpenVPN server is not also the default router, then the network hosts are probably sending their packets to 10.8.0.x to the router instead of the OpenVPN server.

The easiest workaround is to add a static route on your router for 10.8.0.0/255.255.255.0 where the gateway is your OpenVPN server's LAN IP address. If that's not possible, you can also add the same static route to each server or host that the clients need to talk to.

It's also possible to configure OpenVPN to work in a bridged mode, such that the clients appear to be on the same LAN subnet as the OpenVPN server. This is trickier to set up; on Linux you need to create a tap interface and bridge it to an ethernet interface.

Heath
  • 713
  • Your suggestions are very good. I have used bridged mode before. I have a pfSense firewall setup on my local (192.168.5.0 network). I ended up not using this mode ultimately, but I see how this may work. My main issue is why in the heck was it working and then not, just because I added a network share to a samba configuration? – nicorellius Sep 17 '10 at 16:32