
Openvpn: clients connected to server = firewall; but can not access database in LAN

I have 5 vlan:

vlan 2: 192.168.12.0/24
vlan 3: 192.168.13.0/24
vlan 4: 192.168.14.0/24
vlan 5: 192.168.15.0/24
vlan 6: 192.168.100.0/24

All of these LANs are connected to a Cisco 3650 Layer 3 switch. The Layer 3 switch is connected to the firewall (CentOS 6.2 with Squid and Shorewall 4 installed).

The firewall has eth0: 172.16.1.101 connected to the modem at 172.16.1.1, and eth1: 192.168.99.99 connected to the Layer 3 switch at 192.168.99.100 (no switchport).

VPN clients connect and get addresses from 192.168.10.0/24. All traffic from the LAN to the Internet is currently normal, no trouble.

Clients connect to the server with OpenVPN successfully, but they cannot ping or access any computers in the LAN. What have I done wrong?

jasonwryan
  • 73,126
jimmy
  • 21

1 Answer


It could be either a routing or a firewall problem. First of all you should check whether you can ping the server/firewall from the VPN client. Check whether you can ping the address of eth1 and the tun1 one.

If these checks fail you probably have a missing route. Maybe OpenVPN does not force the client to set routes for the internal subnet.

On the client, supposing it's a Linux one, you have to run route -n and check whether it has a gateway for your remote LAN.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
...
192.168.99.0    192.168.10.##   255.255.255.0   UG    0      0        0 tun1
...

192.168.10.## should be the address of tun1 interface on the server/firewall.

If the route is there you should be able to ping at least the tun1 interface address.

For faster debugging you can disable Shorewall. Anyway, you should check your firewall rules: you have to enable forwarding from the VPN tun interface to the LAN and vice versa.

Using iptables it should be something like:

# iptables -A FORWARD -i tun+ -o eth1 -j ACCEPT
# iptables -A FORWARD -i eth1 -o tun+ -j ACCEPT

tun+ stands for "any tun"; you should use your real tun device, check it with ifconfig.

F2K
  • 111
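The checks the answer walks through, as an added example that is not part of the original answer or of OpenVPN/Shorewall: it parses a constructed route -n listing from a VPN client for a route to the remote network that leaves via a tun interface, extends that check to every VLAN subnet listed in the question (the answer only shows the 192.168.99.0/24 link network), and prints the two FORWARD rules from the answer for a given tun and LAN interface. The routing table, the server's tun address 192.168.10.1 and the interface names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original answer. All input below is constructed.

# Constructed `route -n` output of a VPN client. 192.168.10.1 is an assumed
# server-side tun address (the answer's 192.168.10.##). Only the link network
# 192.168.99.0/24 has a route; the VLAN subnets from the question do not.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 tun1
192.168.99.0    192.168.10.1    255.255.255.0   UG    0      0        0 tun1'

# has_tun_route ROUTE_TABLE DEST NETMASK
# Prints the gateway and returns 0 when DEST/NETMASK is routed out a tun
# interface; returns 1 otherwise (the "missing route" case in the answer).
# Columns of `route -n`: Destination Gateway Genmask Flags Metric Ref Use Iface
has_tun_route() {
    _table=$1; _dest=$2; _mask=$3
    printf '%s\n' "$_table" | awk -v d="$_dest" -v m="$_mask" '
        $1 == d && $3 == m && $8 ~ /^tun/ { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_routes ROUTE_TABLE NET...
# Prints every /24 network from the argument list that has no tun route.
missing_routes() {
    _table=$1; shift
    for _net in "$@"; do
        has_tun_route "$_table" "$_net" 255.255.255.0 >/dev/null || printf '%s\n' "$_net"
    done
}

# forward_rules TUN_IFACE LAN_IFACE
# Prints the two FORWARD rules from the answer for concrete interface names.
forward_rules() {
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$2" "$1"
}

# Demo: the link network from the answer, then the VLAN subnets from the question.
if gw=$(has_tun_route "$SAMPLE_ROUTES" 192.168.99.0 255.255.255.0); then
    echo "192.168.99.0/24 is routed via tun, gateway $gw"
else
    echo "no tun route to 192.168.99.0/24"
fi
echo "VLAN subnets without a tun route:"
missing_routes "$SAMPLE_ROUTES" 192.168.12.0 192.168.13.0 192.168.14.0 192.168.15.0 192.168.100.0
echo "FORWARD rules to add on the firewall:"
forward_rules tun1 eth1
```

Any subnet the second function prints is one the client cannot reach even if pinging tun1 works; the OpenVPN server can hand such routes to clients with a push "route NETWORK NETMASK" line in its server configuration, one per subnet. The two FORWARD rules are the permissive form from the answer; if LAN hosts never need to open connections towards VPN clients, the eth1-to-tun rule can be narrowed to -m state --state ESTABLISHED,RELATED so only reply traffic is forwarded in that direction.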