
OpenVPN: can ping OpenVPN server but not hosts behind it

  • Peter Roth
  • 26 July 2011, 19:23
  • Resolved
  • Peter Roth
    Beginner
    Posts
    3
    • 26 July 2011, 19:23
    • #1

    Hello,

    my network looks like this:

    [Blocked image: http://www.pkrhs.de/intern/network.png]

    From host b I can connect via the OpenVPN client to the OpenVPN server of firewall 2 and ping firewall 2 and host c, as well as use RDP to connect to host c.

    From host a I can connect via the OpenVPN client to the OpenVPN server of firewall 2 and ping firewall 2 but not host c, nor can I connect via RDP to host c.

    I'm using exactly the same config.

    So I think I need to change something on firewall 1.

    Status of firewall 1:

    Outgoing firewall disabled.

    Source Nat:

    Source Target Service NAT TO
    192.168.2.0/24 uplink main <ALL> Auto

    P.S. The client on host a keeps reporting this (the client on host b doesn't):

    Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1320 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

    Edited once, last by Peter Roth (28 July 2011, 08:41)

  • Peter Roth
    Beginner
    Posts
    3
    • 27 July 2011, 00:04
    • #2

    Update:

    Solved the problem myself.

    Host a was a Vista client and there is something wrong with modifying the routing tables.

    After I issued the following statements it is working:

    ```bat
    route delete 192.168.1.0

    rem you must assign a fixed IP address in the Endian firewall
    route add 192.168.1.253 mask 255.255.255.255 192.168.1.x
    route add 192.168.1.0 mask 255.255.255.0 192.168.1.253
    ```

    Now I need to create two scripts -- connect and disconnect --

    Working on it...

  • Peter Roth
    Beginner
    Posts
    3
    • 28 July 2011, 09:13
    • #3

    In case others run into this problem, here is my fix (works on Vista and 7):

    The client used was 2.2.1 from openvpn.eu

    company.ovpn

    ```
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tap

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap

    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    # (replace remote.host.ip with the IP address of the target host)
    remote remote.host.ip 1194

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Downgrade privileges after initialization (non-Windows only)
    #user nobody
    #group nobody

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings

    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca c:\\OpenVPN\\config\\firewall.cer

    # Use Username and Password Authentication
    auth-user-pass

    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1

    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

    # Silence repeating messages
    mute-replay-warnings
    mute 20

    # scripts
    route-up c:\\OpenVPN\\route-up.bat
    down     c:\\OpenVPN\\down.bat
    ```

    company_connect.bat -> must be run with admin rights

    ```bat
    C:\OpenVPN\bin\openvpn.exe --config C:\OpenVPN\config\company.ovpn --route-noexec --script-security 2

    route delete 192.168.1.0
    rem x is the static IP address assigned to the user's machine
    route delete 192.168.1.x
    route delete 192.168.1.253
    route delete 192.168.1.255
    ```

    Rename the TAP device in the network configuration to "OpenVPN"

    company_disconnect.bat -> must be run with admin rights

    ```bat
    netsh interface set interface "OpenVPN" DISABLE
    netsh interface set interface "OpenVPN" ENABLE
    ```

    Create two scripts

    route_up.bat

    ```bat
    route delete 192.168.1.0
    route delete 192.168.1.253
    route delete 192.168.1.255

    rem x is the static IP address assigned to the user's machine
    route add 192.168.1.253 mask 255.255.255.255 192.168.1.x
    route add 192.168.1.0   mask 255.255.255.0   192.168.1.253
    route add 192.168.1.255 mask 255.255.255.255 192.168.1.253
    ```

    down.bat

    ```bat
    route delete 192.168.1.0
    route delete 192.168.1.253
    route delete 192.168.1.255
    ```
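A small config linter, added here as an example and not part of the forum post: it parses an abridged copy of the company.ovpn above (constructed from the directives shown, with paths shortened) and flags the hardening directives that config leaves commented out or silenced. The directive names are real OpenVPN options; remote-cert-tls and tls-crypt are the successors of ns-cert-type and tls-auth.

```python
# Constructed, abridged copy of the directives in the posted company.ovpn.
SAMPLE_OVPN = """\
client
dev tap
;proto tcp
proto udp
remote remote.host.ip 1194
nobind
persist-key
persist-tun
ca firewall.cer
auth-user-pass
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
mute-replay-warnings
mute 20
route-up route-up.bat
down down.bat
"""

def parse_ovpn(text):
    """Map each active directive to its argument lists; ';' and '#' lines are comments."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # commented-out directive: not in effect
        parts = line.split()
        active.setdefault(parts[0], []).append(parts[1:])
    return active

def lint_ovpn(text):
    """Return findings for the hardening directives this config leaves disabled."""
    d = parse_ovpn(text)
    findings = []
    if not any(k in d for k in ("ns-cert-type", "remote-cert-tls", "verify-x509-name")):
        findings.append("server certificate role not checked (ns-cert-type/remote-cert-tls)")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: TLS control channel is not pre-authenticated")
    if "cipher" not in d:
        findings.append("no explicit cipher: data channel cipher left to the server default")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled on the encrypted link")
    if "mute-replay-warnings" in d:
        findings.append("replay-detection warnings muted: the 'bad packet ID' message would be hidden")
    return findings
```

Run `lint_ovpn(SAMPLE_OVPN)` to see all five findings for the posted config; a config that enables remote-cert-tls, tls-crypt and an explicit cipher returns an empty list.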
