From: Moshe H. <hyz...@gr...> - 2006-06-27 15:21:12
I have a feeling I am missing something very simple, but after banging
my head against the wall for the past week, I have decided to seek help. :)
I am currently testing OpenVPN for larger deployment. My setup is this:
              [---------------VMWare Server--------------]
Corp <--> OpenVPN <--> Stateful firewall <--> OpenVPN <--> Client
Net       Server   ^   (only TCP 80 &     ^   Client    ^  Net
 |                 |    443 outbound      |   RHEL 3u6  |
Bridged          vnet1  open)           vnet2
connection
My configs are thus:
Server
------
# General
dev tun
server 172.28.128.0 255.255.128.0
port 443
proto tcp
comp-lzo
verb 5
# Clients
client-config-dir /root
ccd-exclusive
#push "route 192.168.26.0 255.255.254.0"
#push "route 192.168.24.0 255.255.255.0"
#push "route 192.168.1.0 255.255.255.0"
#push "route 192.168.22.0 255.255.254.0"
route 172.27.255.240 255.255.255.240
# Security
cipher AES-256-CBC
ca /var/lib/openvpn/ssl/gsg-ca.crt
cert /var/lib/openvpn/ssl/ovpn-srv-test.crt
key /var/lib/openvpn/ssl/ovpn-srv-test.key
crl-verify /var/lib/openvpn/ssl/crl.pem
dh /var/lib/openvpn/ssl/dh2048.pem
tls-auth /var/lib/openvpn/ssl/hmac.key 0
persist-key
persist-tun
Client
------
# General
remote test02.grantstreet.com 443
proto tcp
dev tun
client
comp-lzo
verb 5
# Security
cipher AES-256-CBC
ca /var/lib/openvpn/ssl/gsg-ca.crt
cert /var/lib/openvpn/ssl/ovpn-cli01-test.crt
key /var/lib/openvpn/ssl/ovpn-cli01-test.key
tls-auth /var/lib/openvpn/ssl/hmac.key 1
ca /var/lib/openvpn/ssl/gsg-ca.crt
In the default configuration, machines on the client LAN can ping and connect to the OpenVPN server just fine, and the reverse is also true. IP forwarding is turned on on both the server and the client. However, if I uncomment any of the 'push route' lines in the server config, or if on the client I execute the equivalent command:
# route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
the client can no longer ping the server. I see the OpenVPN client thinking it is sending packets, but nothing ever reaches the server. Running tcpdump on the server, the client and the intervening firewall,
In fact, no packets ever get sent out of the client's 'real' interface, eth0. '# tcpdump -i any' only sees tun0 packets. If I then perform:
# route del -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
and start pinging again, nothing happens for a few seconds, then all the pings come back in a rush:
[root@ws01a ~]# route del -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
[root@ws01a ~]# ping 172.28.128.1
PING 172.28.128.1 (172.28.128.1) 56(84) bytes of data.
64 bytes from 172.28.128.1: icmp_seq=0 ttl=64 time=6437 ms
64 bytes from 172.28.128.1: icmp_seq=1 ttl=64 time=5419 ms
64 bytes from 172.28.128.1: icmp_seq=2 ttl=64 time=4419 ms
64 bytes from 172.28.128.1: icmp_seq=3 ttl=64 time=3420 ms
64 bytes from 172.28.128.1: icmp_seq=4 ttl=64 time=2419 ms
64 bytes from 172.28.128.1: icmp_seq=5 ttl=64 time=1419 ms
64 bytes from 172.28.128.1: icmp_seq=6 ttl=64 time=411 ms
64 bytes from 172.28.128.1: icmp_seq=7 ttl=64 time=5.41 ms
64 bytes from 172.28.128.1: icmp_seq=8 ttl=64 time=2.74 ms
64 bytes from 172.28.128.1: icmp_seq=9 ttl=64 time=8.68 ms
I need to be able to reach subnets on the server side from the client side. Is there something simple I am missing? I can provide tcpdump logs and OpenVPN logs if necessary. Thanks for any help!
Moshe Hyzon
----
Moshe Hyzon
Grant Street Group
Ph: 412-391-5555, ext. 344
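One check worth scripting when a pushed route silently stalls a tunnel, added here as an example and not taken from the post: a route pushed into tun0 must not cover the address the client uses to reach the VPN server, otherwise the tunnel's own TCP transport is routed back into the tunnel and nothing leaves eth0. The push lines are the ones from the server config above; the endpoint address 192.168.1.50 (standing in for whatever `remote test02.grantstreet.com` resolves to) and the function names are constructed assumptions.

```shell
# Added diagnostic (not from the post): flag any pushed route that also
# covers the VPN endpoint, i.e. would capture the tunnel's own transport.

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK -> exit 0 when ADDR lies inside NET/MASK
in_subnet() {
  _a=$(ip2int "$1"); _n=$(ip2int "$2"); _m=$(ip2int "$3")
  [ $(( _a & _m )) -eq $(( _n & _m )) ]
}

# route_captures_tunnel REMOTE NET MASK -> exit 0 (and warn) when sending
# NET/MASK through the tunnel would also swallow the endpoint REMOTE
route_captures_tunnel() {
  if in_subnet "$1" "$2" "$3"; then
    echo "LOOP: route $2/$3 via tun covers VPN endpoint $1" >&2
    return 0
  fi
  return 1
}

# count_loop_routes REMOTE CONFIG_TEXT -> prints how many active
# push "route NET MASK" lines in CONFIG_TEXT cover REMOTE
count_loop_routes() {
  _remote=$1; _count=0
  while read -r _net _mask; do
    [ -n "$_net" ] || continue
    if route_captures_tunnel "$_remote" "$_net" "$_mask"; then
      _count=$((_count + 1))
    fi
  done <<EOF
$(printf '%s\n' "$2" | sed -n 's/^push "route \([0-9.][0-9.]*\) \([0-9.][0-9.]*\)".*/\1 \2/p')
EOF
  echo "$_count"
}

# Constructed sample: the post's push lines, uncommented; the endpoint
# address is an assumption (whatever 'remote test02...' resolves to).
SAMPLE_SERVER_CONF='push "route 192.168.26.0 255.255.254.0"
push "route 192.168.24.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.22.0 255.255.254.0"
#push "route 10.9.9.0 255.255.255.0"'
VPN_REMOTE=192.168.1.50
echo "routes that would capture the tunnel: $(count_loop_routes "$VPN_REMOTE" "$SAMPLE_SERVER_CONF")"
```

Run it against the real server config and the address the client's `remote` line resolves to; a non-zero count means that push line must be narrowed or the server reached via a more specific host route.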