Re: [Openvpn-users] Site2Site - routing-problem (linux)

[Phil B. <phi...@bl...>]

Martin Müller - Rudolf Hausstein OHG wrote:

> So I changed my second LAN to your suggestion. But it wasnt working 
> (like 10.8.0.0). Cant reach the Server-LAN from the Client-Lan.
> 
> So what I think is, that the problem belongs to the networkmask.
> I changed my Client-LAN to 192.168.200.0
> 
> #/etc/openvpn/server.conf
> route 192.168.200.0 255.255.255.0
> push "route 192.168.100.0 255.255.255.0"
> Here again, I put away the line
>    'push "route 192.168.200.0 255.255.255.0" '
> because when I use this, the Clients of 192.168.200.0/24 cant reach 
> 192.168.200.99.

Maybe this is because you are using redirect-gateway. I have that push 
route line in my own server.conf and I have no problems but you seem to 
get an extra route in your client routing table that I don't get. 
Strange. :)

> route in the client with tun0 up:
> Ziel            Router          Genmask         Flags Metric Ref    Use 
> Iface
> 192.168.100.0   192.168.123.5   255.255.255.0   UG    0      0        0 
> tun0
> 192.168.200.0   192.168.123.5   255.255.255.0   UG    0      0        0 
> tun0
> 192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 
> eth0

^^^^^^^^^^^^^^^

> 192.168.123.0   192.168.123.5   255.255.255.0   UG    0      0        0 
> tun0

Again you have two routes for 192.168.200.0 - one sending it down eth0 
and one down tun0. If you removed the push "route 192.168.200.0 
255.255.255.0" line, I am not sure why you are getting this.

Try disabling push "redirect-gateway" first of all and test pings etc to 
see if it works.

Next..

Have you tried sniffing the tun0 interface to see what's happening?

Do a ping on your client like:

ping 192.168.100.1 -I 192.168.200.1

(Change the IP's if the ones I used are wrong. The first one should be 
any machine on your server LAN and the second one should be the local IP 
on your client gateway. This makes it looks like the ping came from your 
client LAN.)

Log on your server and use tcpdump -i tun0 or ethereal if you have it to 
see if the pings are coming through. If you use the IP's above, you 
should see something like:

11:18:29.793920 IP 192.168.200.1 > 192.168.100.1: icmp 64: echo request 
seq 3
11:18:29.794440 IP 192.168.100.1 > 192.168.200.1: icmp 64: echo reply seq 3

As before your routes look OK.

Phil