I am currently trying to configure OpenVPN to access our company network remotely.
I was able to establish a connection and ping the server at the configured address (10.8.0.1), but I was not able to access the network at the server side from clients.
The server is configured to push routes to the server with:
push "route 155.0.0.0 255.255.0.0 10.8.0.1 1"
where 155.0.0.0/16 is the server side network.
That did not work so I added
push "route 155.0.0.68 255.255.255.255 net_gateway 1"
because I read somewhere that it can be problematic if all packets including the ones to the server (155.0.0.68) are routed through the tunnel, but that still doesn't work. I am not able to ping any address on the server's network. Not even the server itself on 155.0.0.68.
What am I doing wrong?
Additional info:
Client and server run Windows, and OpenVPN runs in tun mode with the UDP protocol. Firewalls are turned off on the client and the server.
I already asked this question on Network Engineering, but I was told ServerFault would be a better place for a problem like that.
Best Answer
Routes on both sides of the VPN tunnel are required.
Also IP Routing must be enabled on the server. For example on Windows 7:
Let's assume the following IPs and subnets:
192.168.0.0/24
192.168.0.2
10.8.0.2
155.0.0.0/16
155.0.0.68
10.8.0.1
Keys
Create a set of keys for the server and clients. Check the README in the OpenVPN installation dir
..\OpenVPN\easy-rsa\README.txt
for instructions on how to generate those.
Server side configuration
Add the following lines to the server config file:
Replace the paths with the respective installation directory.
Add a custom client config file on the server:
Create a directory
ccd
in the same directory as the server config file and in there a config file named after the CN (Common Name) of the client's certificate.
Check the client certificate and look for this line (
CN=<client_name>
):
In this example the file will be named
client1
(without an extension), add the following lines to the file:
ifconfig-push will give a static IP to this client
push "route ..." pushes the route to reach the server side subnet to the client
iroute generates an internal route in OpenVPN to the client's subnet
Client side configuration
Add the following lines to the client config file:
Replace the paths with your installation directory.
Additional Routes
This setup works if the server running OpenVPN is also a router and set as the
default-gateway
on all the clients on the server-side subnet.
In the case a dedicated router exists, add the following static routes to it (or add them on all of the clients) to reach the VPN subnet and the subnet of client1.
Static server-side subnet routes:
For additional hints on this topic, see this answer.
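A consistency check for the routes this answer describes, as an added example that is not part of the original answer: it parses a server config, a ccd file and the dedicated router's static routes, and reports which route is missing. The config lines are constructed from the answer's addresses (the answer's own config blocks are not reproduced on this page), and `networks`, `audit` and the sample constants are hypothetical names.

```python
import ipaddress
import shlex

# Constructed sample configs built from the addresses in the answer; the
# directives on each line are assumptions, not the answer's own config.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.0.0 255.255.255.0
"""
CCD_CLIENT1 = """
push "route 155.0.0.0 255.255.0.0"
iroute 192.168.0.0 255.255.255.0
"""
SERVER_LAN_IP = "155.0.0.68"
# Static routes on the dedicated server-side router: (destination, next hop).
ROUTER_ROUTES = [("10.8.0.0/24", SERVER_LAN_IP)]

def networks(conf, directive):
    """Return the networks named by `directive network [netmask]` lines."""
    found = []
    for line in conf.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) > 1 and tokens[0] == "push":  # unwrap push "route ..."
            inner = tokens[1].split() or ["?"]
            tokens = ["push-" + inner[0]] + inner[1:]
        if len(tokens) > 1 and tokens[0] == directive:
            mask = tokens[2] if len(tokens) > 2 else "255.255.255.255"
            found.append(ipaddress.ip_network(f"{tokens[1]}/{mask}", strict=False))
    return found

def audit(server_conf, ccd_conf, router_routes, server_lan_ip):
    """List the routes that are missing for traffic to flow in both directions."""
    findings = []
    kernel = networks(server_conf, "route")      # OS routes into the tunnel
    iroutes = networks(ccd_conf, "iroute")       # OpenVPN-internal client routes
    pushed = networks(server_conf + ccd_conf, "push-route")
    if not any(ipaddress.ip_address(server_lan_ip) in net for net in pushed):
        findings.append("no pushed route covers the server-side LAN")
    for net in iroutes:
        if not any(net.subnet_of(r) for r in kernel):
            findings.append(f"iroute {net} has no matching 'route' in the server config")
    via_server = [ipaddress.ip_network(d) for d, hop in router_routes if hop == server_lan_ip]
    for net in networks(server_conf, "server") + iroutes:
        if not any(net.subnet_of(r) for r in via_server):
            findings.append(f"router has no return route to {net} via {server_lan_ip}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_CONF, CCD_CLIENT1, ROUTER_ROUTES, SERVER_LAN_IP)) or "routes are consistent")
```

The check covers configuration only; whether IP routing is enabled on the server still has to be verified on the host itself.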