[juneau-lug] Re: OpenVPN continued...

> >
> > On the OpenVPN installation I set up at work, all OpenVPN tunnels had a=
 netmask of 255.255.255.252 - a small, two host network, just server and cl=
ient. =A0All of the normal, unencrypted interfaces the tun interfaces piggy=
backed on had normal, legal netmasks. =A0Not one 255.255.255.255 anywhere.
> >
> > Cheers,
> >
> > James

OK, Kevin I spent some time Sunday playing with this again.

I re-did my OpenVPN setup to mirror yours, with the exception that I didn't=
 use a default route. =A0Instead, I just mapped a class C over. =A0So I did=
 a one-server to many-clients setup.

Just like you, OpenVPN filled up my routing table with 255.255.255.255 entr=
ies. =A0Odd. =A0It weren't that way with the static key setup, where they w=
ere 255.255.255.252 routes. =A0

Did some very basic research that I should have done before and I guess tha=
t all point to point interfaces use these maps. =A0Something I never though=
t about, even though I've seen my share of pptp connections before. =A0The =
software handles routing on either end, not the kernel. =A0(I guess learnin=
g networking with a cable modem instead of DSL has it's drawbacks.)

=46or a time I had a similar problem as you do - the OpenVPN tunnel would c=
ome up, but no packets would go over the tunnel. =A0That was because my ser=
ver did not have a valid route back to the client. =A0I think this is the s=
ame thing you are seeing since when you provide an alternate path (plugging=
 the cable in), the tunnel suddenly works.

So: pf on the server, route tables on the server, or else a firewall on the=
 client.

One other thing to look at - in my configs I use "device tun" and you use "=
device tun0".

Cheers,

James
------------------------------------
The Juneau Linux Users Group -- http://www.juneau-lug.org
This is the Juneau-LUG mailing list.
To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with the 
word unsubscribe in the subject header.

Other related posts: