open VPN Can ping Open VPN Server but not hosts behind it


  • open VPN Can ping Open VPN Server but not hosts behind it

    Hello,

    my network looks like this:



    From host b I can connect via the OpenVPN client to the OpenVPN server of firewall 2, ping firewall 2 and host c, and also use RDP to connect to host c.

    From host a I can connect via the OpenVPN client to the OpenVPN server of firewall 2 and ping firewall 2, but not host c, nor can I connect via RDP to host c.

    I'm using exactly the same config.

    So I think I need to change something on firewall 1.

    Status of firewall 1.

    Outgoing firewall disabled.

    Source Nat:

    Source           Target        Service   NAT TO
    192.168.2.0/24   uplink main   <ALL>     Auto

    P.S. The client on host a keeps reporting the following (the client on host b doesn't):

    Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1320 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

    This post has been edited 1 time, last by Peter Roth ()

  • Re: open VPN Cannot ping OPen VPN Server but not hosts behin

    Update:

    Solved the problem by myself.

    Host a was a Vista client and there is something wrong with how it modifies the routing tables.

    After I issued the following statements it is working:

    route delete 192.168.1.0
    route add 192.168.1.253 mask 255.255.255.255 192.168.1.x
    route add 192.168.1.0 mask 255.255.255.0 192.168.1.253

    (192.168.1.x is the fixed IP address you must assign to the client in the Endian firewall)

    Now I need to create two scripts -- connect and disconnect --

    working on it...
  • Re: open VPN Can ping Open VPN Server but not hosts behind i

    In case the problem shows up for others, here is my fix (works under Vista and 7):

    The client used was 2.2.1 from openvpn.eu

    company.ovpn

    Source code

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tap
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one. On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    # Are we connecting to a TCP or
    # UDP server? Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    # (replace remote.host.ip with the IP of the target host)
    remote remote.host.ip 1194
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    # Downgrade privileges after initialization (non-Windows only)
    #user nobody
    #group nobody
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here. See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    # Wireless networks often produce a lot
    # of duplicate packets. Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    # SSL/TLS parms.
    # See the server config file for more
    # description. It's best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca c:\\OpenVPN\\config\\firewall.cer
    # Use Username and Password Authentication
    auth-user-pass
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server". This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server". The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    # Set log file verbosity.
    verb 3
    # Silence repeating messages
    mute-replay-warnings
    mute 20
    #scripts
    route-up c:\\OpenVPN\\route-up.bat
    down c:\\OpenVPN\\down.bat


    company_connect.bat -> must be run with admin rights

    Source code

    C:\OpenVPN\bin\openvpn.exe --config C:\OpenVPN\config\company.ovpn --route-noexec --script-security 2
    route delete 192.168.1.0
    REM x is the static IP address that you assign to the user's machine
    route delete 192.168.1.x
    route delete 192.168.1.253
    route delete 192.168.1.255


    Rename the TAP device in the network configuration to "OpenVPN"

    company_disconnect.bat -> must be run with admin rights

    Source code

    netsh interface set interface "OpenVPN" DISABLE
    netsh interface set interface "OpenVPN" ENABLE


    Create two scripts

    route-up.bat

    Source code

    route delete 192.168.1.0
    route delete 192.168.1.253
    route delete 192.168.1.255
    REM x is the static IP address that you assign to the user's machine
    route add 192.168.1.253 mask 255.255.255.255 192.168.1.x
    route add 192.168.1.0 mask 255.255.255.0 192.168.1.253
    route add 192.168.1.255 mask 255.255.255.255 192.168.1.253


    down.bat

    Source code

    route delete 192.168.1.0
    route delete 192.168.1.253
    route delete 192.168.1.255
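The route-up script above hardcodes the client's static TAP address (192.168.1.x), so a copy has to be edited for every user. The following is an added example, not the poster's script, showing the same route-up logic written against the environment variables OpenVPN exports to its scripts (`ifconfig_local` for the address assigned to this client, `route_vpn_gateway` for the pushed gateway), with the thread's values (192.168.1.0/24 and gateway 192.168.1.253) as assumed defaults and a final `route print` check that refuses to leave a half-applied routing table. It is meant to be referenced from the .ovpn as `route-up` with `--route-noexec --script-security 2`, exactly as in the thread.

```batch
@echo off
REM route-up.bat (added example, not the original poster's script).
REM Assumption: OpenVPN exports ifconfig_local (TAP address assigned to this
REM client) and, when the server pushes one, route_vpn_gateway into the
REM environment of route-up scripts, as documented in the OpenVPN man page.
REM Assumption: the LAN behind firewall 2 is 192.168.1.0/24 with the VPN
REM gateway at 192.168.1.253, the values used in this thread.
setlocal

set VPN_NET=192.168.1.0
set VPN_MASK=255.255.255.0
set VPN_BCAST=192.168.1.255
set DEFAULT_GW=192.168.1.253

REM Without the client's own TAP address we cannot build the host route;
REM better to fail loudly than to leave the default Vista/7 routes in place.
if "%ifconfig_local%"=="" (
    echo route-up: ifconfig_local is not set, routing table left untouched >&2
    exit /b 1
)

REM Prefer the gateway pushed by the server; fall back to the thread's value.
set GW=%route_vpn_gateway%
if "%GW%"=="" set GW=%DEFAULT_GW%

REM Remove whatever the OS installed for the VPN network. Missing routes
REM only produce an error message, so their exit codes are ignored.
route delete %VPN_NET%
route delete %GW%
route delete %VPN_BCAST%

REM 1) host route to the gateway via our own TAP address,
REM 2) the LAN behind firewall 2 via the gateway,
REM 3) the LAN broadcast via the gateway.
route add %GW% mask 255.255.255.255 %ifconfig_local% || goto :fail
route add %VPN_NET% mask %VPN_MASK% %GW% || goto :fail
route add %VPN_BCAST% mask 255.255.255.255 %GW% || goto :fail

REM Verify the result: the LAN route must now point at the gateway.
route print %VPN_NET% | findstr /C:"%GW%" >nul || goto :fail
echo route-up: %VPN_NET%/%VPN_MASK% now routed via %GW% on %ifconfig_local%
endlocal
exit /b 0

:fail
echo route-up: failed to install routes for %VPN_NET%, check "route print" >&2
endlocal
exit /b 1
```

Because OpenVPN treats a non-zero exit status from a `route-up` script as a fatal error, the checks make a broken routing setup visible in the client log instead of producing the silent "can ping the server but not the hosts behind it" symptom the thread started with.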