Guides to create an OpenVPN server in Linux?



I've seen the Ubuntu and the OpenVPN guides for server/client, but it's still not too clear and also doesn't work with devices like my Android, so I would like more info. Anyone have good solid but simple guides? Thank you


The guides won't get much easier than what is presented on the Ubuntu pages.

Better question would be: what issues are you currently facing?


Which client are you using for your Android, and what Android device do you have? Here is one that does not require root, for example:

https://play.google.com/store/apps/details?id=de.blinkt.openvpn

What specific guide are you using, this one? This is for a bridged setup:

https://help.ubuntu.com/community/OpenVPN

If you're having issues, you might be better off with one of the many VMs that are ready to go for you. Is this your firewall/router box? You might want to use a specific distro that has it built in already, vs. trying to set up a router/firewall from a standard distro install.

For example, pfSense has OpenVPN integrated: click, click, it's up and running. I use it daily to access my home network from work.

So actual details of what you're working with (hardware/software), where it sits on your network and what you're trying to accomplish will be the fastest way to let us help you get it working.


Yes, this topic is the one that appeared.

However, if you read my post, I cannot even get the server to start and to listen, e.g. there is no tun interface, while this user has gotten his to start.

No, the server cannot start.

Yes. My server.conf is the following:

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Nothing is changed except the paths to certs/ca/key/etc.


So from a quick look you're on the default port 1194 udp:

---
port 1194

# TCP or UDP server?
;proto tcp
proto udp
---

I would verify that nothing else is listening on it; odd that something else would be using that port, but possibly the service is already started?

Do you get any other errors?

edit: OK, in your guide it says to check that tun0 was created:

"Now check if OpenVPN created a tun0 interface:"

But in your config you have just tun:

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

Let me look at my config and check that, but I would verify that you have a tun0 interface with ifconfig.

edit2: OK, on mine the interface is

ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::250:56ff:fe00:2%ovpns1 prefixlen 64 scopeid 0xb
	inet 10.0.200.1 --> 10.0.200.2 netmask 0xffffffff
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	Opened by PID 15749

And in my config:

--
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.13.xxx.xxx
tls-server
server 10.0.200.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 443
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN local.lan"
push "dhcp-option DNS 192.168.1.253"
push "dhcp-option NTP 192.168.1.253"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
--


From your post, it seems you comment nothing seems to be wrong.

And no, from checking inside the box, I don't see any process using that port.

I've fully removed OpenVPN and started from scratch, but using something called Webmin, to see if that makes it easier...


"From your post, it seems you comment nothing seems to be wrong."

:blink:

What? Check that you actually created a tun0 interface; your config was calling just tun, not tun0, so this could be a problem! See how in my config I call the dev by its direct name, i.e. in mine it's dev ovpns1.

And you can see from my ifconfig the device is called exactly that: ovpns1.

If your dev is tun0 and you just say dev tun, that could be a problem.


tomm?

I don't see any other posts in this thread other than ours. Did you mean tmrw?


Well, tried to configure it again but to no avail... it's obvious I'm missing something.

I'm testing this in a LAN and I'm using the following as a base:

Linux server has 172.16.3.3 255.255.255.0

Linux client has 172.16.3.1 255.255.255.0

That's step one.

Now, the certificates I'm sure are being generated right. It's click by click in Webmin.

Where I am lost, I think, is here:

[image: create-vpn-server2.jpg]

Where it says net IP assigns... not sure what to put there, even if it says that it is for allocating the network range...

Anyway, when setting it up with Webmin I was able to start up the server (finally), but it gives me errors like these:

Wed Jun 27 10:06:05 2012 OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
Wed Jun 27 10:06:05 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 27 10:06:05 2012 WARNING: file 'keys/ser-ca/ser-svr.key' is group or others accessible
Wed Jun 27 10:06:05 2012 TLS-Auth MTU parms [ L:1539 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 27 10:06:05 2012 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [172.16.3.0/255.255.255.0] and remote VPN [172.16.3.1/255.255.255.255]
Wed Jun 27 10:06:05 2012 TUN/TAP device tun0 opened
Wed Jun 27 10:06:05 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 27 10:06:05 2012 /sbin/ifconfig tun0 172.16.3.1 pointopoint 172.16.3.2 mtu 1500
SIOCADDRT: File exists
Wed Jun 27 10:06:05 2012 ERROR: Linux route add command failed: external program exited with error status: 7
SIOCADDRT: File exists
Wed Jun 27 10:06:05 2012 ERROR: Linux route add command failed: external program exited with error status: 7
SIOCADDRT: File exists
Wed Jun 27 10:06:05 2012 ERROR: Linux route add command failed: external program exited with error status: 7
Wed Jun 27 10:06:05 2012 WARNING: potential route subnet conflict between local LAN [172.16.3.0/255.255.255.0] and remote VPN [172.16.3.0/255.255.255.0]
SIOCADDRT: File exists
Wed Jun 27 10:06:05 2012 ERROR: Linux route add command failed: external program exited with error status: 7
Wed Jun 27 10:06:05 2012 Data Channel MTU parms [ L:1539 D:1450 EF:39 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 27 10:06:05 2012 GID set to nogroup
Wed Jun 27 10:06:05 2012 UID set to nobody
Wed Jun 27 10:06:05 2012 UDPv4 link local (bound): [undef]
Wed Jun 27 10:06:05 2012 UDPv4 link remote: [undef]
Wed Jun 27 10:06:05 2012 Initialization Sequence Completed
Wed Jun 27 10:36:49 2012 event_wait : Interrupted system call (code=4)
Wed Jun 27 10:36:49 2012 TCP/UDP: Closing socket
Wed Jun 27 10:36:49 2012 Closing TUN/TAP interface
Wed Jun 27 10:36:49 2012 /sbin/ifconfig tun0 0.0.0.0
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Wed Jun 27 10:36:49 2012 Linux ip addr del failed: external program exited with error status: 255
Wed Jun 27 10:36:49 2012 SIGTERM[hard,] received, process exiting


Well yeah, you're going to have issues:

"subnet conflict between local LAN [172.16.3.0/255.255.255.0] and remote VPN [172.16.3.1/255.255.255.255]"

What do you not understand about this error??

You have the same network on both ends of a VPN; won't work!

Think of it this way: your client on the 172.16.3.0/24 network gets told, hey, if you want to get to the 172.16.3.0/24 network, go down your VPN. Well, he says BS to that, my interface is already connected to that network directly ;)

Get someone to test that is on a different network.


I decided to follow the guide number per number, meaning I changed it to a 10.x.x.x (class A) network. Now the error does not pop up, but (and this makes me feel stupid) how do I test it? I tried to install the OpenVPN client on my Windows PC, but I can't really input the server IP; it just lets me input an address.


You can put in an IP vs. FQDN in the client; this is in the .ovpn file. I use both FQDN and IP all the time for different connections. Where are you having issues with using an IP over FQDN?

But yes, testing access from the same network as the server can be a bit difficult, unless you're on a segmented network so you're on different subnets.

If you would like to test access, just PM the info and certs, etc., and I'm happy to test it for you.


"You can put in an IP vs. FQDN in the client; this is in the .ovpn file. I use both FQDN and IP all the time for different connections. Where are you having issues with using an IP over FQDN?

But yes, testing access from the same network as the server can be a bit difficult, unless you're on a segmented network so you're on different subnets.

If you would like to test access, just PM the info and certs, etc., and I'm happy to test it for you."

I open the OpenVPN Connect client that appears on my desktop and it asks me for a server (can't input an IP there), a username and a password (???)


I found another client and I can do it from the remote network :)

I just have a problem...

My main network is 192.168.100.x and the server is 10.180.1.13 (it is attached to that main network and that IP is static). The client I am trying to connect to ALSO has a static IP set to 10.180.1.10, ALSO attached to that main network.

The remote network is trying to connect to the public IP of that main network but nothing happens. I'm possibly missing something in making routes on the router of the main network. The ports on the main network are open.

Tips? Help? Anything else?

Thank you for offering your help budman, but like I mentioned, with this remote network I should be able to do it (using the Viscosity client on the remote network).

main network

|-----------10.180.1.13 (server, static IP)

SWITCH-------router DHCP (192.168.100.x)

|-------------10.180.1.10 (client, static IP)

That's the diagram of the main network, just in case I'm doing something wrong...


So did you forward the port on the router to your VPN server? Your last config was the default of udp 1194.

Is 1194 udp open on his end?

I have found that running OpenVPN on port 443 is more likely to be open for the remote side than 1194 udp.

"my main network is 192.168.100.x and the server is 10.180.1.13"

What?? How does your server talk to the internet?? If your network is 192.168.100.0/24, how do you think a 10.180 address is going to work?? You lost me; that makes no sense at all.

What is the gateway for your server?


Sorry that I haven't replied budman... I was on the issue but still haven't gotten it to work (even the guy that brought us the product doesn't know how to do it; e.g. his company was selling a model, the manufacturer discontinued it and now they are selling the new model but don't know how to work it. Obviously they are trying to sell the old stock but we don't want it because there is no support).

I'm going to do this at home (to emulate it and try to figure it out). Maybe if I can do it at home, I can implement it at work...

(Below I'm going to set up the closest possible to the real scenario, but at home using virtual machines in VMware.)

On the physical side we have 1 server, 1 "router" with 2 LAN ports (LAN1 is the "internal network" which is connected to the server, LAN2 is the "external network" or the VPN itself), and then we have a client which is on the VPN connected to LAN2.

Software side: the server is running Ubuntu, the "router" will simply be a Linux distro (again I'll leave it at Ubuntu), and the client doesn't really matter, but for the sake of simplicity let's make it a Windows client. The server will run OpenVPN (in server mode, obviously) and the rest will have OpenVPN working in client mode. I'll also use the Webmin interface to further emulate.

Network side: the server will be 192.168.1.x (192.168.1.0), the LAN1 of the "router" will obviously also have to be 192.168.1.x, but here is the tricky part: LAN2 (the VPN) has to be 10.10.10.x. If I can get that to work, then I'll move on to 10.10.x.x.

Thank you very much budman, and I hope you can help me emulate this to get it to work.


OK, so you have 2 segments at work; that is nothing new. Normally they would be somewhat similar, i.e. 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 or 10.10.0.0/16, 10.11.0.0/16, etc.

But sure, you could have 1 segment on 192.168.1.0/24, another on 10.2.3.0/16 and, say, another on 172.16.1.0/23, etc.

So, a bit confused about LAN1 and LAN2 on your router. So what router is this? When you say external network on LAN2, do you mean only this network has access to the internet? Do you have firewall rules between LAN1 and LAN2?

So if I understand this right, you want to VPN in to an OpenVPN server on your 10.x network, and then access a server on your 192.168 network?

This is not a problem; you just have to allow, in whatever rules you have on the router for traffic between LAN1 and LAN2, the IPs you're going to hand out to your VPN clients.

I have to assume that this OpenVPN server on your 10.x network already knows how to get to, and can get to, the server on the 192.168 network?

So I drew this up; this is your setup, right? So we can use this to discuss the problem. Let's correct this drawing so we have something to work with when discussing the setup.

[image: post-14624-0-82207300-1340916488.jpg]

So I am guessing that is the network you're talking about, and that your client is coming from the public internet and wants access to your server. Is that correct? And your router/firewall is your gateway for both your 192 and 10 networks?

Doesn't matter if the IP ranges are exact, only that they are close so we know what we are talking about, etc.


"OK, so you have 2 segments at work; that is nothing new. Normally they would be somewhat similar, i.e. 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 or 10.10.0.0/16, 10.11.0.0/16, etc.

But sure, you could have 1 segment on 192.168.1.0/24, another on 10.2.3.0/16 and, say, another on 172.16.1.0/23, etc.

So, a bit confused about LAN1 and LAN2 on your router. So what router is this? When you say external network on LAN2, do you mean only this network has access to the internet? Do you have firewall rules between LAN1 and LAN2?

So if I understand this right, you want to VPN in to an OpenVPN server on your 10.x network, and then access a server on your 192.168 network?

This is not a problem; you just have to allow, in whatever rules you have on the router for traffic between LAN1 and LAN2, the IPs you're going to hand out to your VPN clients.

I have to assume that this OpenVPN server on your 10.x network already knows how to get to, and can get to, the server on the 192.168 network?

So I drew this up; this is your setup, right? So we can use this to discuss the problem. Let's correct this drawing so we have something to work with when discussing the setup.

[image: post-14624-0-82207300-1340916488.jpg]

So I am guessing that is the network you're talking about, and that your client is coming from the public internet and wants access to your server. Is that correct? And your router/firewall is your gateway for both your 192 and 10 networks?

Doesn't matter if the IP ranges are exact, only that they are close so we know what we are talking about, etc."

Yup. Unless I've missed something (I hope not), that is exactly the setup :)

The VPN network should be from 10.10.10.3 to 10.10.10.100 (for example). I comment because of the 172.x.x.x range you suddenly put there.

So as not to further manipulate the configuration on the real devices, is it your opinion that I should emulate this in a VM environment???

Thank you budman.


I threw in the 172 just to be clear that the VPN network you hand out to clients is different from both your two local segments. If not, you could have problems.

If you want, sure, you can set it up in a VM for testing at your house, etc. But if this is how you're set up, I can update the drawing to reflect your actual networks.

So what is the range on the 192, and the server IP and default gateway? And then the same info on your 10, and then what is the VPN network you're handing out? And then we can go through your setup and figure out what is wrong.

Do you have firewall rules between your 192 and 10 networks? If so, you're going to have to allow the VPN network to pass to the 192 network, which is why I asked if your OpenVPN box currently has access to your server on the 192 network.

BTW, if you throw me the login info, I'm more than happy to test the connection from an outside source for you. Don't need to give me any login info to your 192 server; just that I can ping it from the VPN client should be enough to verify connectivity.

I could simulate this on my network if you want; just have to bring up an interface on my router and connect to another VM network, and could send you login info to access my network, etc. I could then throw you my config and you would be pretty much up and running.
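As an added example (not code from anyone in this thread or from OpenVPN itself), the two checks the replies above keep coming back to, the VPN pool being distinct from every local segment (the 172.16.3.0 conflict in the posted log, and the advice here that the pool must differ from both work segments) and the private key not being group/other readable (the warning in that same log), written as a small Python linter over a constructed server.conf; the paths and addresses it uses are taken from the thread or invented for the demo.

```python
"""Added example, not the posters' or OpenVPN's own code: lint a server.conf for
a VPN pool overlapping a local segment (the 'subnet conflict' warning and the
'SIOCADDRT: File exists' route failures) and for a private key readable by
group/others (the 'is group or others accessible' warning). Input is constructed."""
import ipaddress
import os
import shlex
import stat
import tempfile


def parse_conf(text):
    """(directive, args) for each active line; '#' and ';' start comments, and a
    trailing '# ...' may follow a directive as on the sample 'key' line."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)  # unquotes: push "route 10.0.0.0 255.0.0.0"
        directives.append((parts[0], parts[1:]))
    return directives


def vpn_networks(directives):
    """Networks the server claims for the tunnel: the 'server' pool plus any
    'route' directive (as in the ccd/iroute examples of the sample config)."""
    return [ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            for name, args in directives
            if name in ("server", "route") and len(args) >= 2]


def subnet_conflicts(directives, local_segments):
    """[(vpn_net, lan_net)] for every overlap between the tunnel networks and
    the server's own segments; any hit is the situation budman describes."""
    lans = [ipaddress.ip_network(s, strict=False) for s in local_segments]
    return [(v, lan) for v in vpn_networks(directives) for lan in lans
            if v.overlaps(lan)]


def key_group_or_others_accessible(path):
    """The test behind OpenVPN's warning: any permission bit for group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def _conflict_strings(conf, segments):
    return [(str(v), str(lan))
            for v, lan in subnet_conflicts(parse_conf(conf), segments)]


def demo():
    """Run the checks on constructed inputs modelled on the thread; return findings."""
    # Constructed server.conf in the style of the sample posted above. With
    # "dev tun" and no unit number the kernel allocates the next free tunN,
    # which is why the posted log shows "TUN/TAP device tun0 opened".
    conf_lan_clash = """
    port 1194
    proto udp
    dev tun
    key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
    server 172.16.3.0 255.255.255.0
    ;push "route 192.168.10.0 255.255.255.0"
    """
    conf_distinct = conf_lan_clash.replace("server 172.16.3.0", "server 10.8.0.0")
    # The later two-segment layout: 192.168.100.x plus a 10.10.10.x LAN2, with the
    # pool first placed inside LAN2 and then moved to a range used by neither.
    two_segments = ["192.168.100.0/24", "10.10.10.0/24"]
    conf_in_lan2 = "server 10.10.10.0 255.255.255.0"
    conf_own_range = "server 172.16.99.0 255.255.255.0"

    # Constructed key file: 0644 as a careless copy leaves it, then 0600.
    fd, key_path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    os.chmod(key_path, 0o644)
    warns_0644 = key_group_or_others_accessible(key_path)
    os.chmod(key_path, 0o600)
    warns_0600 = key_group_or_others_accessible(key_path)
    os.remove(key_path)

    return {
        "lan_clash": _conflict_strings(conf_lan_clash, ["172.16.3.0/24"]),
        "distinct_pool": _conflict_strings(conf_distinct, ["172.16.3.0/24"]),
        "pool_inside_lan2": _conflict_strings(conf_in_lan2, two_segments),
        "pool_own_range": _conflict_strings(conf_own_range, two_segments),
        "key_0644_warns": warns_0644,
        "key_0600_warns": warns_0600,
    }
```

Calling demo() returns one entry per scenario; a non-empty conflict list or a True key warning is what the posted log would print at startup.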


"I threw in the 172 just to be clear that the VPN network you hand out to clients is different from both your two local segments. If not, you could have problems."

That other local segment (LAN2) is dedicated strictly to the VPN network. The only existing one is the 192.168.100.x range...

I apologize for explaining myself wrong...

This is what I think the network is supposed to look like and what I would like it to look like:

[image: setupkj.png]

"If you want, sure, you can set it up in a VM for testing at your house, etc. But if this is how you're set up, I can update the drawing to reflect your actual networks."

Yes, I think the best way would be to first test it out in a VM environment with a virtual network (a virtual network between VMs, not a VPN) and see how it plays out. Enough has been touched on the real

"So what is the range on the 192, and the server IP and default gateway? And then the same info on your 10, and then what is the VPN network you're handing out? And then we can go through your setup and figure out what is wrong."

The gateway is 192.168.100.100

The server IP is (currently as configured) 192.168.100.90

Range is unknown; important?

The gateway on LAN2 is 10.10.10.5

The server IP is 10.10.10.1

Range also unknown, and it does not have a DHCP server.

"Do you have firewall rules between your 192 and 10 networks? If so, you're going to have to allow the VPN network to pass to the 192 network, which is why I asked if your OpenVPN box currently has access to your server on the 192 network."

I believe there are no firewall rules blocking this. If you say that I have to let it pass, are you referring to a static route? This is something I do not control at all (as I do not understand it well).

"BTW, if you throw me the login info, I'm more than happy to test the connection from an outside source for you. Don't need to give me any login info to your 192 server; just that I can ping it from the VPN client should be enough to verify connectivity."

I'll take it under consideration :)

"I could simulate this on my network if you want; just have to bring up an interface on my router and connect to another VM network, and could send you login info to access my network, etc. I could then throw you my config and you would be pretty much up and running."

Doing it in a virtual environment would be the same thing, right? And you don't have to go through the trouble :p

Thank you budman for helping me.
