OpenVPN fb as client with ipcop zerina

ramik

I was able to make a VPN connection between my Fritz 7140 and an IPCop Zerina VPN server with a p12 certificate; the Fritzbox is able to see the remote network, but the machines connected to the Fritzbox cannot.

Code:
         192.168.130.18          192.168.130.1 (VPN IPs)
         192.168.178.1           192.168.30.254
          [FRITZ (1)]  <---*--->  [IPCOP (2)]
             ^                        ^
             |                        |
          Windows (3)             Windows (4)
From Fritz (1) I can ping the IPCop machine (2) and the Windows machine (4),
but from the Windows machine I cannot ping (2) or (4); I can only ping the IP that DHCP gave to the VPN connection client on the Fritz (192.168.130.18).

What config should I do on the Windows machine (3) to allow it to see (2) and (4)? Some kind of routing table? A bridge on the Fritz (1)?

thanks.
 
Hi,

I think you are only looking at one side of the problem ;-).
First: the "other" devices ((2) and (4)) will not know about the network "behind" the client box (1), so you will need a route for the network 192.168.178.0 255.255.255.0 on your IPCop machine to 192.168.130.18 (if it is the default gateway in the remote network). Of course, the Fritzbox also needs to know about the network 192.168.30.0 behind the IPCop machine, so it needs a route for 192.168.30.0 255.255.255.0 to 192.168.130.1.

Jörg
 
But the Fritzbox already can see and ping the 192.168.30.x network (route automatically added in the ovpn config file); I just want to let the Windows machine (3) see the other side, by letting it route the IPs 192.168.30.x through the VPN and not the internet.
 
Hi,

as long as the Fritzbox is the default gateway in the LAN of PC (3), the Fritzbox will route every packet with a destination IP in 192.168.30.x to the IPCop machine, including every packet from the LAN 192.168.178.x.
But you must be aware that there is no NAT, so PC (3) will reach this net with its original IP (192.168.178.x), so the "IPCop net" needs a route to that network (the Fritzbox itself uses the IP of the outgoing interface, therefore it reaches the net with the source IP 192.168.130.18, which is known by the IPCop machine).

Regards

Jörg
 
OK, I understand that the requests from the Windows machine (3) arrive at the Linux machine with its own IP, and the IPCop machine (2) doesn't recognize this address, so it drops the packets. Here is the log of the IPCop OpenVPN server:

Code:
22:53:48	openvpnserver	Rami/79.0.x.x:1194 MULTI: bad source address from client [192.168.178.5], packet dropped
22:53:33	openvpnserver	Rami/79.0.x.x:1194 MULTI: bad source address from client [192.168.178.5], packet dropped
22:53:28	openvpnserver	'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 192.168.130.1,ping 10,ping-r estart 60,ifconfig 192.168.130.18 192.168.130.17' (status=1)
22:53:28	openvpnserver	Rami/79.0.x.x:1194 PUSH: Received control message: 'PUSH_REQUEST'

But what can I do on the client side [(1) or (3)]? Or in all cases do I only have to work on IPCop with the iroute command? Can I do some mapping of IP addresses on Windows (3) by assigning dual IP addresses, or some tricks?
 
Hi,

you are right, the "MULTI: bad source address..." messages are from OpenVPN because of missing "iroute" entries for that network.

There are two possibilities if you can only change the "client side":
- try to NAT your PC on the Fritz!Box, but this will need iptables to be added there and is unstable AFAIK
- use a VPN connection directly from your PC

Jörg
 
I tried to set the OpenVPN server with the iroute parameter for my client (3) (client-config-dir), then I started a connection to the server (2), and the server had this log, no more dropped packets:
Code:
87.x.yy.zz:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA,1024 bit RSA
87.x.yy.zz:1194 [Rami] Peer Connection Initiated with 87.x.yy.zz:1194
Rami/87.x.yy.zz:1194 OPTIONS IMPORT: reading client specific options from: /var/ipcop/ovpn/ccd/Rami
Rami/87.x.yy.zz:1194 MULTI: Learn: 192.168.130.10 -> Rami/87.x.yy.zz:1194
Rami/87.x.yy.zz:1194 MULTI: primary virtual IP for Rami/87.x.yy.zz:1194: 192.168.130.10
Rami/87.x.yy.zz:1194 MULTI: internal route 192.168.178.0/24 -> Rami/87.9.191.165:1194
Rami/87.x.yy.zz:1194 MULTI: Learn: 192.168.178.0/24 -> Rami/87.x.yy.zz:1194
Rami/87.x.yy.zz:1194 PUSH: Received control message: 'PUSH_REQUEST'
'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 192.168.130.1,ping 10,ping-restart 60,ifconfig 192.168.130.10 192.168.130.9' (status=1)
Rami/87.x.yy.zz:1194 MULTI: Learn: 192.168.178.5 -> Rami/87.x.yy.zz:1194

But still, from my machine (3), I can't ping or see hosts on the other side of the VPN...
I also made a forwarding rule on my modem for UDP port 1194 to the Fritzbox.
 
Just to get it straight: you need two routes on the IPCop server for the network behind the client.
The "ordinary" route for the kernel to the OpenVPN process ("route 192.168.178.0 255.255.255.0 192.168.130.18" in the server config) and the "iroute" for the internal routing within OpenVPN, in the client-config-dir:

The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.
This option must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.

Jörg
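As an added example (not code from this thread, from IPCop or from Zerina), the following Python script ties the two halves of the thread together: it reads OpenVPN server log lines like the ones quoted earlier, collects, per client common name, the source addresses the server dropped with "MULTI: bad source address", derives from them the `route` line for the server config and the matching `iroute` line for the client's client-config-dir file, and checks an after-fix log for the "MULTI: internal route" line that shows the iroute was applied. The sample log lines are constructed after the ones in the thread (with the masked peer addresses kept), the /24 prefix length, the file names `server.conf` and `ccd/<CN>` and the function names are my assumptions; the `route` line is emitted without an explicit gateway, which OpenVPN then sends to the far end of the tun interface by default.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, modelled on the IPCop OpenVPN server log quoted in
# the thread: timestamp, process name and message separated by tabs.
BEFORE_FIX = (
    "22:53:48\topenvpnserver\tRami/79.0.x.x:1194 MULTI: bad source address "
    "from client [192.168.178.5], packet dropped\n"
    "22:53:33\topenvpnserver\tRami/79.0.x.x:1194 MULTI: bad source address "
    "from client [192.168.178.5], packet dropped\n"
    "22:53:28\topenvpnserver\tRami/79.0.x.x:1194 PUSH: Received control "
    "message: 'PUSH_REQUEST'\n"
)

# Constructed sample of the log after an iroute was added to the ccd file.
AFTER_FIX = (
    "Rami/87.x.yy.zz:1194 OPTIONS IMPORT: reading client specific options "
    "from: /var/ipcop/ovpn/ccd/Rami\n"
    "Rami/87.x.yy.zz:1194 MULTI: internal route 192.168.178.0/24 -> "
    "Rami/87.x.yy.zz:1194\n"
    "Rami/87.x.yy.zz:1194 MULTI: Learn: 192.168.178.0/24 -> "
    "Rami/87.x.yy.zz:1194\n"
)

# "<CN>/<peer>:<port> MULTI: bad source address from client [<src>]"
BAD_SOURCE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client "
    r"\[(?P<src>[\d.]+)\]"
)
# "<CN>/<peer>:<port> MULTI: internal route <net>/<len> -> <CN>/<peer>:<port>"
INTERNAL_ROUTE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: internal route (?P<net>[\d.]+/\d+) ->"
)


def dropped_sources(log_text):
    """Map each client common name to the set of source IPs the server
    dropped because no iroute covers them."""
    drops = defaultdict(set)
    for line in log_text.splitlines():
        m = BAD_SOURCE.search(line)
        if m:
            drops[m.group("cn")].add(m.group("src"))
    return dict(drops)


def suggest_routes(drops, prefixlen=24):
    """For every client with dropped sources, derive the two routes the
    thread describes: a kernel 'route' for server.conf and an OpenVPN
    'iroute' for the client's ccd file.  prefixlen is an assumption; the
    real LAN size must be confirmed on the client side."""
    suggestions = {}
    for cn, ips in drops.items():
        nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
                for ip in ips}
        suggestions[cn] = {
            "server.conf": sorted(f"route {n.network_address} {n.netmask}"
                                  for n in nets),
            f"ccd/{cn}": sorted(f"iroute {n.network_address} {n.netmask}"
                                for n in nets),
        }
    return suggestions


def learned_internal_routes(log_text):
    """Map each client common name to the networks OpenVPN reports as
    'internal route', i.e. the iroutes it actually loaded."""
    learned = defaultdict(set)
    for line in log_text.splitlines():
        m = INTERNAL_ROUTE.search(line)
        if m:
            learned[m.group("cn")].add(m.group("net"))
    return dict(learned)


if __name__ == "__main__":
    drops = dropped_sources(BEFORE_FIX)
    for cn, files in suggest_routes(drops).items():
        print(f"client {cn}: dropped sources {sorted(drops[cn])}")
        for name, lines in files.items():
            print(f"  add to {name}:")
            for line in lines:
                print(f"    {line}")
    print("iroutes loaded after the fix:", learned_internal_routes(AFTER_FIX))
    print("drops after the fix:", dropped_sources(AFTER_FIX))
```

Run against a real IPCop log the script only reads; it writes nothing to the OpenVPN configuration, so the two lines it prints still have to be put into the server config and into the ccd file by hand, followed by a restart of the OpenVPN server so the new `route` reaches the kernel.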
 