how to change VPN netmask?


please
12th September 2009, 08:19
Dear All

I am running an openvpn server. When I connect to my vpn server from a client, I get netmask 255.255.255.252.

How can I change this netmask to 255.255.255.0?
I connected from 2 client sites, but I can't ping client to client.
I think it is due to the netmask.

Thanks

dipeshmehta
12th September 2009, 10:09
Hi,

OpenVPN uses this subnet (i.e. 4 private IP addresses per client) in order to provide compatibility with Windows clients due to the limitation of the TAP-Win32 driver's TUN emulation mode. If you know that only non-Windows clients will be connecting to your OpenVPN server, you can avoid this behavior by using the ifconfig-pool-linear directive.

This should not be a problem for client-to-client traffic, if you have enabled the client-to-client directive in your server.conf.

You may please post your .conf files here; it would be easier for everyone who can assist you.

Dipesh
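
To make concrete what the 255.255.255.252 netmask means, here is an added Python example (not from this thread and not OpenVPN's own code) that reproduces the net30 pool arithmetic: the server's /24 is cut into /30 blocks, block 0 belongs to the server, and each connected client is handed the second host address of one block with the first host address as its server-side peer. The function names and the "pool slot" index are assumptions of the example; the /24 networks are the ones used in this thread.

```python
import ipaddress


def net30_endpoints(server_net, slot):
    """Addresses handed out for pool slot `slot` under OpenVPN's default net30
    topology (assumption: slots are numbered by /30 block).  The /24 is cut
    into /30 blocks; block 0 is the server's own (.1 with .2 as its peer);
    a client in block i>=1 gets the second host (.4i+2) and sees the first
    host (.4i+1) as its server-side endpoint.
    Returns (client_ip, server_endpoint, netmask)."""
    blocks = list(ipaddress.ip_network(server_net).subnets(new_prefix=30))
    if not 1 <= slot < len(blocks):
        raise ValueError('slot outside the pool')
    server_ep, client_ip = blocks[slot].hosts()      # exactly two hosts in a /30
    return str(client_ip), str(server_ep), str(blocks[slot].netmask)


def locate_client(server_net, client_ip):
    """Inverse: the /30 slot an observed client address sits in, and the
    server-side endpoint that client will see as its gateway."""
    addr = ipaddress.ip_address(client_ip)
    for i, block in enumerate(ipaddress.ip_network(server_net).subnets(new_prefix=30)):
        if addr in block:
            server_ep, _ = block.hosts()
            return i, str(server_ep)
    raise ValueError('address not in the pool')


def peers_share_block(ip_a, ip_b, server_net):
    """True only if two client addresses came from the same /30.  Under net30
    that never happens: every client is alone in its block, so reachability
    between clients must come from the server relaying between connections
    (the client-to-client directive), not from a shared subnet."""
    return locate_client(server_net, ip_a)[0] == locate_client(server_net, ip_b)[0]


if __name__ == '__main__':
    print(net30_endpoints('192.168.41.0/24', 1))   # ('192.168.41.6', '192.168.41.5', '255.255.255.252')
    print(net30_endpoints('192.168.41.0/24', 4))   # ('192.168.41.18', '192.168.41.17', '255.255.255.252')
    print(locate_client('192.168.41.0/24', '192.168.41.18'))   # (4, '192.168.41.17')
```

Slot 1 yields 192.168.41.6 with peer 192.168.41.5 and slot 4 yields 192.168.41.18 with peer 192.168.41.17, the two addresses the original poster saw; the peer address is also the gateway that later appears in the client's `route ADD ... 192.168.41.5` log line. Since no two clients ever share a /30, changing the mask on the client side would not by itself make them reachable; the server has to relay between them.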

please
12th September 2009, 21:55
Hi, please check my openvpn.conf
=========
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.41.0 255.255.255.0
push "dhcp-option DNS 192.168.40.12"
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.17.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
============

I connected from the 192.168.15 network and the 192.168.17 network to the vpn server.
I got 192.168.41.6, 255.255.255.252 for the 15.0 network and 192.168.41.18, 255.255.255.252 for the 17.0 network.

Why can't I access the 17 network from the 15 network and the 15 network from the 17 network?

I think the problem is in my subnet mask 255.255.255.252.
Can you edit my server conf for changing the netmask and accessing 15 to 17 and 17 to 15?

Thanks

dipeshmehta
13th September 2009, 07:39
Hello,

Please let me know your LAN IP range at the server side, and the OS at the client side.

Moreover, please tell me what exactly you want out of OpenVPN. Are you trying to connect just these two clients, or would you like to connect these three different networks?

I am not a master at OpenVPN, but I will try my best.

Dipesh

please
13th September 2009, 09:34
HI

Thanks for your support.

My server IP is 192.168.40.12 on eth0.

My client OS is XP and its IP is 192.168.17.100. The IP range is 17.0/24.

dipeshmehta
13th September 2009, 12:35
Please remove both lines with push "route ...." from the openvpn.conf file (which is running at the server); instead put push "route 192.168.40.0 255.255.255.0" and restart openvpn.

Now, connect both clients to the vpn server and ping their tun IPs (i.e. 192.168.41.6 and 192.168.41.18) from each other. It should work.

If this works, put
route 192.168.15.0 255.255.255.0
route 192.168.17.0 255.255.255.0
into openvpn.conf and restart openvpn.

Check again at both clients.

Please post the results here.

Dipesh

please
14th September 2009, 07:29
Hi

I got this error

Mon Sep 14 10:08:41 2009 route ADD 192.168.40.0 MASK 255.255.255.0 192.168.41.5
Mon Sep 14 10:08:41 2009 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=13]
Mon Sep 14 10:08:41 2009 Route addition via IPAPI failed

But I got connected to the server.
I can't ping the other client.
I think the problem is in the subnet mask.

Thanks

dipeshmehta
14th September 2009, 08:21
I think the problem is in the subnet mask.

I think it is a problem with routing.

Mon Sep 14 10:08:41 2009 route ADD 192.168.40.0 MASK 255.255.255.0 192.168.41.5
Mon Sep 14 10:08:41 2009 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=13]
Mon Sep 14 10:08:41 2009 Route addition via IPAPI failed


Try adding the route manually at the XP client. (Btw, this fix is usually used for Vista clients; XP should not have any problem adding routes.) If it works, please put the route directive into client.ovpn as route-method exe

Btw, I would like to know why you are using the 192.168.41.0 network as the VPN IP address pool, instead of the suggested 10.8.0.0 or any other pool in a class A subnet. If there is no specific reason, please modify your openvpn.conf file at the server like this:
port 443    # this port is used for https; you may use port 1194, which is IANA assigned for OpenVPN
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.40.0 255.255.255.0"
push "dhcp-option DNS 192.168.40.12"
duplicate-cn
client-to-client
keepalive 10 120
user nobody
group users
persist-key
persist-tun
comp-lzo
status openvpn-status.log
verb 3


I shall be waiting for further posts.

Dipesh

please
14th September 2009, 10:55
Hi, I got an error after putting "route-method exe" in the client.

Mon Sep 14 14:09:15 2009 ERROR: Windows route add command failed: system() returned error code 1
Mon Sep 14 14:09:15 2009 route ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.9
The requested operation requires elevation.
Mon Sep 14 14:09:15 2009 ERROR: Windows route add command failed: system() returned error code 1


I think I am facing a problem with my Vista.

Franz
14th September 2009, 11:20
Hi, I got an error after putting "route-method exe" in the client.

Mon Sep 14 14:09:15 2009 ERROR: Windows route add command failed: system() returned error code 1
Mon Sep 14 14:09:15 2009 route ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.9
The requested operation requires elevation.
Mon Sep 14 14:09:15 2009 ERROR: Windows route add command failed: system() returned error code 1


I think I am facing a problem with my Vista.

Add route-delay in the config. That works on our Vista systems:

route-method exe
route-delay 2

please
14th September 2009, 11:24
Hi

Thanks for your reply :)

I got the same error

Mon Sep 14 14:52:35 2009 route ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
The requested operation requires elevation.
Mon Sep 14 14:52:35 2009 ERROR: Windows route add command failed: system() returned error code 1

Thanks

Franz
14th September 2009, 11:49
Hi,

Try starting the connection as Administrator.

please
14th September 2009, 11:51
Hi

Do I need to run the admin account?
I gave admin permission to my user account.
Is it now OK?

Thanks

Franz
14th September 2009, 12:00
try with right click and then "Run as administrator"
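
The Windows route errors exchanged above are recognisable by fixed strings, so here is an added Python triage helper (not from this thread) that pairs each failure line with the `route ADD` it belongs to and maps the failure to the remedy the thread's participants gave: route-method exe and route-delay for the IPAPI failure, and "Run as administrator" for the elevation failure. The two log excerpts are the ones quoted in the thread; the function name and the remedy table are the example's own.

```python
import re

# Client-side OpenVPN log excerpts quoted in the thread: first the XP client's
# IPAPI failure, then the Vista client's elevation failure.
LOG_IPAPI = """\
Mon Sep 14 10:08:41 2009 route ADD 192.168.40.0 MASK 255.255.255.0 192.168.41.5
Mon Sep 14 10:08:41 2009 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=13]
Mon Sep 14 10:08:41 2009 Route addition via IPAPI failed
"""
LOG_ELEVATION = """\
Mon Sep 14 14:52:35 2009 route ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
The requested operation requires elevation.
Mon Sep 14 14:52:35 2009 ERROR: Windows route add command failed: system() returned error code 1
"""

# The route OpenVPN is trying to install (destination, mask, gateway).
ROUTE_ADD = re.compile(r'\broute ADD (\S+) MASK (\S+) (\S+)')

# Failure signature -> (kind, remedy the thread converged on).  Assumed table.
SIGNATURES = [
    ('route addition failed using CreateIpForwardEntry',
     ('ipapi', 'IPAPI rejected the route: put "route-method exe" (and "route-delay 2") in client.ovpn')),
    ('The requested operation requires elevation',
     ('elevation', 'route.exe lacks admin rights: start the OpenVPN connection with "Run as administrator"')),
    ('Windows route add command failed',
     ('exe', 'route.exe exited non-zero; the preceding line states why')),
]


def triage_routes(log_text):
    """Walk the log, remembering the last 'route ADD' seen, and attribute every
    failure line to it.  Returns (events, advice): events is a list of
    (destination, mask, gateway, kind); advice is a de-duplicated remedy list."""
    events, advice, current = [], [], None
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            current = m.groups()
            continue
        for needle, (kind, remedy) in SIGNATURES:
            if needle in line:
                events.append((*current, kind) if current else (None, None, None, kind))
                if remedy not in advice:
                    advice.append(remedy)
    return events, advice


if __name__ == '__main__':
    for name, log in (('XP client', LOG_IPAPI), ('Vista client', LOG_ELEVATION)):
        events, advice = triage_routes(log)
        print(name, events)
        for line in advice:
            print('  ->', line)
```

On the XP excerpt the helper reports a single `ipapi` event for 192.168.40.0/255.255.255.0 via 192.168.41.5; on the Vista excerpt it reports an `elevation` event followed by the generic `exe` failure for the same route, which is why the two lines should be read together rather than as two separate faults.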

please
14th September 2009, 12:27
Hi

Thanks :)

I got a ping reply.
If I use a linux client, how can I do it?

Thanks

Franz
14th September 2009, 12:34
on debian / ubuntu

apt-get install openvpn

and copy the certificate and config file to /etc/openvpn, but change the extension of the config file to *.conf
eg: client.ovpn -> client.conf

and restart openvpn

/etc/init.d/openvpn restart

please
14th September 2009, 12:44
Hi Sir

Thanks, I will test after the linux OS install :)

Can I share my full internet access from my VPN server or my vpn client?
If I can, can I share it to my local network from the VPN?


(has full internet access) (has full internet access)
vista client <=> VPN server <=> xp client to localnetwork

dipeshmehta
15th September 2009, 07:58
Hi Sir

Thanks, I will test after the linux OS install :)

Can I share my full internet access from my VPN server or my vpn client?
If I can, can I share it to my local network from the VPN?


(has full internet access) (has full internet access)
vista client <=> VPN server <=> xp client to localnetwork

Obviously, you can access your entire network as if you were sitting at the office.
e.g.
vista client
|
V
VPN Server
|
V
192.168.40.xxx network


Dipesh

please
16th September 2009, 05:47
Hi

I mean I want to use internet access from the other client.

Example: if I am using the 17.0 network, I want internet access from 15.0.
(17.0) to (15.0)

Thanks

dipeshmehta
17th September 2009, 07:01
You can add a server directive into your openvpn.conf as push "redirect-gateway" and NAT it appropriately by
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Btw, if you specify more clearly what you want to have with the VPN setup, it would be easier to suggest accordingly.

Dipesh

please
17th September 2009, 19:10
HI

I already added your command.
How can I test whether this works or not?

What I want is that the vpn client can access everything that the VPN server can.
Example: if I can ping anywhere from the VPN server, I want to also ping from the vpn client.

Thanks

dipeshmehta
18th September 2009, 07:16
How can I test whether this works or not?

You can use traceroute (or tracert in Windows) to check through which route your packets are travelling.

What I want is that the vpn client can access everything that the VPN server can.
Example: if I can ping anywhere from the VPN server, I want to also ping from the vpn client.

I am still unable to understand why you want to divert all traffic through your vpn server. In general, the vpn client connects to your server by means of the internet, so why don't you leave it as it is? i.e. allowing web traffic through the client's gateway, and all other access to your network through the vpn server.

Dipesh

please
18th September 2009, 07:33
HI sir

I am bad at English, don't mind me...



I have 5 PC clients in the 17.0 network and 3 PC clients in the 15.0 network.

Can I access all clients from all clients even if only 1 vpn client connects to the server?

Example: if I connect 17.1 to the vpn server, can I access the vpn server and the 15.0 network clients from 17.2 (which does not use the vpn client)?

I mean, can I use 17.1 as a gateway?


Thanks

dipeshmehta
18th September 2009, 07:53
If your 17 network and 15 network are at physically different locations, you can bridge both networks using openvpn. For this situation, you can use OpenVPN's static key link and not the way you have done until now. You can check openvpn.net for the howto.

A little busy right now; please check back after a few minutes, I will post step-by-step instructions for your setup.

Dipesh

dipeshmehta
18th September 2009, 11:55
Hello,

You have two networks, 192.168.15.xxx and 192.168.17.xxx; we shall bridge both networks so that each client at either side has access to every other client at the opposite side's network, as if you were sitting in that office.

This can be done with a simple static link between the two networks using OpenVPN. In such a case, there is no need for any CA or client certificate/key structure. Just one static key would be shared between them for authentication.

We shall need OpenVPN running on any one PC on each side. This PC should have internet access so that it can connect to the vpn server at the other side.

First, we shall need a common secret key to share. To generate it, give the following as root at a terminal (for example on your .17 network):
openvpn --genkey --secret static.key
This would generate a secret key with the name static.key; copy it to /etc/openvpn. Now, create a static.conf file in /etc/openvpn as under:
proto udp
dev tun0
remote <host.domain or static IP of VPN server at another side>
ifconfig 10.0.0.1 10.0.1.1
secret /etc/openvpn/static.key
daemon

lport 12250
rport 12550

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/static-status.log
log-append /var/log/openvpn/static.log

ping-restart 60
ping 10

route 192.168.15.0 255.255.255.0


Now, copy static.key to the PC running openvpn at the other side (e.g. your .15 network). (Please do not use an insecure way such as email or ftp to transmit the file. The best way is to copy it to a pen drive, and bring the pen drive to the other location.)

Here (at the .15 network), copy static.key to the /etc/openvpn folder. Create static.conf in /etc/openvpn as under:
proto udp
dev tun0
remote <host.domain or static IP of VPN server at another side>
ifconfig 10.0.1.1 10.0.0.1
secret /etc/openvpn/static.key
daemon

lport 12550
rport 12250

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/static-status.log
log-append /var/log/openvpn/static.log

ping-restart 60
ping 10

route 192.168.17.0 255.255.255.0


Next, add the following iptables entries.
At .17 network

iptables -A INPUT -p udp --sport 12550 --dport 12250 -j ACCEPT
iptables -A OUTPUT -p udp --sport 12250 --dport 12550 -j ACCEPT

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

At .15 network

iptables -A INPUT -p udp --sport 12250 --dport 12550 -j ACCEPT
iptables -A OUTPUT -p udp --sport 12550 --dport 12250 -j ACCEPT

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT


Restart openvpn on both sides, and try to ping a device on the other side; it should work.

Hope this helps. Please come back with results.

Dipesh

PS: You are free to change any file name, port, or IP as you desire. I have given them keeping your networks in mind.
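
As an added check (not part of Dipesh's instructions and not OpenVPN's own tooling), the following Python script parses the two static.conf files from the post above and verifies what has to be mirrored between the sides before anyone restarts anything: swapped ifconfig endpoints, swapped lport/rport, the same proto and dev, and a route on each side for the LAN behind the other side. It also checks that a host's INPUT and OUTPUT udp rules match its own lport/rport, since inbound tunnel packets carry source port = the remote lport and destination port = the local lport. The remote hostnames, the parser and function names, and the deliberately swapped rule set are assumptions of the example.

```python
import re

# The two static.conf files from the post, trimmed to the directives the check
# needs.  The 'remote' hostnames are placeholders, not real hosts.
SIDE_17 = """\
proto udp
dev tun0
remote vpn-site15.example.invalid
ifconfig 10.0.0.1 10.0.1.1
secret /etc/openvpn/static.key
lport 12250
rport 12550
route 192.168.15.0 255.255.255.0
"""
SIDE_15 = """\
proto udp
dev tun0
remote vpn-site17.example.invalid
ifconfig 10.0.1.1 10.0.0.1
secret /etc/openvpn/static.key
lport 12550
rport 12250
route 192.168.17.0 255.255.255.0
"""
LAN_17 = ['192.168.17.0', '255.255.255.0']   # LAN behind the .17 host
LAN_15 = ['192.168.15.0', '255.255.255.0']   # LAN behind the .15 host


def parse_ovpn(text):
    """Minimal OpenVPN config parser: {directive: args}; 'route' may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == 'route':
            conf.setdefault('route', []).append(args)
        else:
            conf[key] = args
    return conf


def check_static_pair(text_a, lan_a, text_b, lan_b):
    """Return the problems found in a pair of static-key point-to-point configs.
    lan_x is the LAN behind side x as [network, netmask]."""
    a, b = parse_ovpn(text_a), parse_ovpn(text_b)
    problems = []
    if a.get('ifconfig', [])[::-1] != b.get('ifconfig', []):
        problems.append('ifconfig addresses are not mirrored')
    if a.get('lport') != b.get('rport') or a.get('rport') != b.get('lport'):
        problems.append('lport/rport are not swapped between the sides')
    for key in ('proto', 'dev'):
        if a.get(key) != b.get(key):
            problems.append(f'{key} differs between the sides')
    if lan_b not in a.get('route', []):
        problems.append('side A does not route the LAN behind side B')
    if lan_a not in b.get('route', []):
        problems.append('side B does not route the LAN behind side A')
    return problems


IPT_UDP = re.compile(r'-A (INPUT|OUTPUT) -p udp --sport (\d+) --dport (\d+)')


def check_iptables(rules, lport, rport):
    """For a host with the given lport/rport, INPUT must match sport=rport and
    dport=lport; OUTPUT the reverse.  Returns a list of mismatches."""
    want = {'INPUT': (rport, lport), 'OUTPUT': (lport, rport)}
    seen = {m.group(1): (m.group(2), m.group(3))
            for m in map(IPT_UDP.search, rules.splitlines()) if m}
    problems = []
    for chain, expected in want.items():
        if chain not in seen:
            problems.append(f'{chain}: no udp rule for the tunnel')
        elif seen[chain] != expected:
            problems.append(f'{chain}: sport/dport {seen[chain]} but expected {expected}')
    return problems


# Rules for the .17 host (lport 12250, rport 12550): a correct set and a
# constructed set with the ports written from the other side's perspective.
RULES_17_OK = """\
iptables -A INPUT -p udp --sport 12550 --dport 12250 -j ACCEPT
iptables -A OUTPUT -p udp --sport 12250 --dport 12550 -j ACCEPT
"""
RULES_17_SWAPPED = """\
iptables -A INPUT -p udp --sport 12250 --dport 12550 -j ACCEPT
iptables -A OUTPUT -p udp --sport 12550 --dport 12250 -j ACCEPT
"""

if __name__ == '__main__':
    print(check_static_pair(SIDE_17, LAN_17, SIDE_15, LAN_15))   # []
    print(check_iptables(RULES_17_OK, '12250', '12550'))          # []
    print(check_iptables(RULES_17_SWAPPED, '12250', '12550'))     # two mismatches
```

With a default INPUT policy of ACCEPT the swapped rules go unnoticed, which is exactly why they are worth checking mechanically: the moment the policy becomes DROP, the tunnel silently stops passing traffic and the log on each side only shows keepalive timeouts.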

please
21st September 2009, 07:39
HI

Do I need to install a server in the 15 and 17 networks?
Is this a server to server vpn?
Thanks

dipeshmehta
21st September 2009, 10:08
Do I need to install a server in the 15 and 17 networks?
Is this a server to server vpn?

Yes, you can say it is a type of server to server vpn.

Basically, OpenVPN itself is not a server or a client; it depends on your config file. You can have more than one instance of OpenVPN running simultaneously, where some are servers and others are clients.

Hope this clears your doubts.

Dipesh

please
21st September 2009, 12:26
Hi

Thanks for your quick reply :)

I think you are skillful in the linux networking platform :)

If you are OK with it, can I get your Messenger address?

Thanks