Hi,
My idea is to use the DNS-323 as a VPN server so I can access my home LAN remotely from the internet while overseas.
I managed to establish OpenVPN connection to DNS-323.
Server:
tap0 is the OpenVPN interface, IP 192.168.1.22.
egiga0 is the DNS-323's own LAN interface, IP 192.168.1.101
Client: Laptop XP. VPN address 192.168.1.21
I can ping tap0, 192.168.1.22, but how can I access the rest of the LAN? I can't ping 192.168.1.101 or my ADSL modem 192.168.1.1.
Ideally there would be a bridge connection between tap0 and egiga0; is that possible? Or maybe some routing solution, where all incoming traffic to tap0 is forwarded to egiga0?
Can someone please point me in the right direction?
==========
Server conf:
dev tap
port 86
proto tcp-server
ifconfig 192.168.1.22 255.255.255.252
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
=========
Client conf:
remote mydns.ip.address.com
port 86
dev tap
secret static.key
proto tcp-client
float
comp-lzo
ifconfig 192.168.1.21 255.255.255.252
route-gateway 192.168.1.22
=========
Offline
How can I do that? Any specific instructions?
Offline
I tried but it doesn't work
C:\WINNT\system32>ping 192.168.1.22 < ---this IP is VPN tap0 and ping works from remote PC
Pinging 192.168.1.22 with 32 bytes of data:
Reply from 192.168.1.22: bytes=32 time=1122ms TTL=64
Reply from 192.168.1.22: bytes=32 time=1498ms TTL=64
C:\WINNT\system32>ping 192.168.1.101 < another IP address within the same subnet doesn't respond
Pinging 192.168.1.101 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
I entered the command and did a restart... just in case
echo 1 > /proc/sys/net/ipv4/ip_forward
But still
C:\WINNT\system32>ping 192.168.1.22
Pinging 192.168.1.22 with 32 bytes of data:
Reply from 192.168.1.22: bytes=32 time=1122ms TTL=64
Reply from 192.168.1.22: bytes=32 time=1498ms TTL=64
C:\WINNT\system32>ping 192.168.1.101
Pinging 192.168.1.101 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Offline
Not sure if I'm on the right track here, but doesn't your IP mask only allow for 2 hosts per subnet?
http://www.subnet-calculator.com/
So 192.168.1.101 is not in the same subnet as 192.168.1.22???
Offline
the vpn host should route to the local network, that's ok. i guess the routes are not correctly set up at the windows client.
btw, the egiga0 interface (.101) won't respond anyway, and restarting will deactivate ip forwarding again.
Last edited by oxygen (2009-12-29 13:15:54)
Offline
mzypt wrote:
Server:
tap0 is the OpenVPN interface, IP 192.168.1.22.
egiga0 is the DNS-323's own LAN interface, IP 192.168.1.101
Client: Laptop XP. VPN address 192.168.1.21
I think you should use routing (dev tun) instead of bridging (dev tap).
Then configure a different network for your VPN:
example:
Client side:
Local network, 192.168.0.2, mask 255.255.255.0
VPN address, 192.168.2.21, mask 255.255.255.0
Gateway 192.168.2.22 (route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.22)
Server (DNS-323) side:
Local network, 192.168.1.101, mask 255.255.255.0
VPN address, 192.168.2.22, mask 255.255.255.0
And enable IP forwarding (you can add the command to the openvpn start script)
Last edited by Electrocut (2009-12-29 16:09:50)
Offline
Thank you, thank you, thank you!!
It works now...you saved my day:)
I have just one minor question. I want to use OpenVPN on port 443, but it seems to be reserved by the DNS-323.
Wed Dec 30 10:05:01 2009 LZO compression initialized
Wed Dec 30 10:05:01 2009 TCP/UDP: Socket bind failed on local address [undef]:443: Address already in use
Wed Dec 30 10:05:01 2009 Exiting
How can I check which application is using it? Netstat doesn't show the PID.
netstat -a
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
Last edited by mzypt (2009-12-30 05:05:38)
Offline
Okay... I disabled the web interface and now I can use 443 as well. But something is still wrong: I can only ping 192.168.1.101.
I don't get this... the mask is 255.255.255.0, so it should work.
Client:
remote myipdnsalias.org
port 443
dev tun
secret static.key
proto tcp-client
float
comp-lzo
ifconfig 192.168.2.21 192.168.2.22
route 192.168.1.0 255.255.255.0 192.168.2.22
C:\WINNT\system32>tracert 192.168.1.1
Tracing route to 192.168.1.1 over a maximum of 30 hops
1 148 ms 149 ms 140 ms 192.168.2.22
2 * * * Request timed out.
192.168.1.1 is the router to the NAS, but no answer. Also, ping from NAS IP 192.168.1.1 works. So it looks like it is blocked between tun and egiga. But IP forwarding is used.
How can I check the mask in use? Maybe it allows only two IPs?
Offline
Actually, when I disabled IP forwarding with echo 0 > /proc/sys/net/ipv4/ip_forward, it didn't have any impact.
Ping was still working to 192.168.2.22 and 192.168.1.101. So the same result with or without IP forwarding. Or does this command need a restart to work properly?
Offline
mzypt wrote:
C:\WINNT\system32>tracert 192.168.1.1
Tracing route to 192.168.1.1 over a maximum of 30 hops
1 148 ms 149 ms 140 ms 192.168.2.22
2 * * * Request timed out.
I think you should add a route to your gateway 192.168.1.1, so that it knows that the "VPN network - 192.168.2.0 mask 255.255.255.0" is located behind 192.168.1.101 (your NAS)
Because, even if IP forwarding is enabled, the PING traffic goes:
192.168.2.21 > 192.168.2.22 > 192.168.1.1 ... but 192.168.1.1 doesn't know how to reply to 192.168.2.21
Offline
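The return-path problem described in the post above, worked through as an added example (not code from any poster in this thread). It models the thread's four hosts with routing tables taken from the posted client config and gateway table; the host names, the `WAN` placeholder next hop and the function names are assumptions made for the illustration.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, 'direct' (on-link) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), hop) for n, hop in routes
            if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(hosts, src, dst, max_hops=8):
    """Walk a packet hop by hop from the host owning src; return (delivered, path)."""
    owner = {ip: name for name, h in hosts.items() for ip in h["ips"]}
    path = [owner[src]]
    for _ in range(max_hops):
        host = hosts[path[-1]]
        if dst in host["ips"]:
            return True, path                       # addressed to this host
        if len(path) > 1 and not host["forward"]:
            return False, path + ["dropped (ip_forward=0)"]
        hop = lookup(host["routes"], dst)
        nxt = owner.get(dst if hop == "direct" else hop)
        if nxt is None:
            return False, path + [f"lost via {hop}"]
        path.append(nxt)
    return False, path + ["routing loop"]

def ping(hosts, src, dst):
    """A ping succeeds only if the request AND the reply are both delivered."""
    request, reply = trace(hosts, src, dst), trace(hosts, dst, src)
    return request[0] and reply[0], request[1], reply[1]

def build_hosts(router_knows_vpn, nas_forward=True):
    """Constructed model of the thread's topology; 'WAN' is a placeholder next hop."""
    lan, default = ("192.168.1.0/24", "direct"), ("0.0.0.0/0", "192.168.1.1")
    router = [lan, ("0.0.0.0/0", "WAN")]
    if router_knows_vpn:                            # static route proposed in the thread
        router.append(("192.168.2.0/24", "192.168.1.101"))
    return {
        "laptop": {"ips": {"192.168.2.21"}, "forward": False,
                   "routes": [("192.168.2.22/32", "direct"), ("192.168.1.0/24", "192.168.2.22")]},
        "nas": {"ips": {"192.168.2.22", "192.168.1.101"}, "forward": nas_forward,
                "routes": [("192.168.2.21/32", "direct"), lan, default]},
        "router": {"ips": {"192.168.1.1"}, "forward": True, "routes": router},
        "pc": {"ips": {"192.168.1.102"}, "forward": False, "routes": [lan, default]},
    }

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, ping(build_hosts(fixed), "192.168.2.21", "192.168.1.1"))
```

Without the static route the request reaches the router but the reply leaves by the default route; the model also shows why 192.168.1.101 answers even with forwarding off, since that address belongs to the NAS itself.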
Crap... makes sense. My gateway is a Linksys WAG160; I think there are some routing options.
So the whole VPN connection would be like this?
PC --VPN (192.168.2.21)--internet--[VPN(192.168.2.22)--NAS(192.168.1.101)]--router(192.168.1.1)---Other PC(192.168.1.102)
But how on earth can I do the routing rule on the GW? Has someone actually done this? An example would be appreciated.
This is GW routing table now
Destination LAN IP   Subnet Mask       Gateway        Interface
xxx.xxx.76.1         255.255.255.255   0.0.0.0        WAN
192.168.1.0          255.255.255.0     0.0.0.0        LAN
0.0.0.0              0.0.0.0           xxx.xxx.76.1   WAN
But if I route 192.168.1.0 back to the NAS, then there will be a mismatch since it's already there.
Btw, what does GW 0.0.0.0 mean?
The WAG160 has the following settings to fill in:
Destination IP Address:
Subnet Mask:
Gateway:
Hop Count:
Last edited by mzypt (2009-12-30 14:14:18)
Offline
I'm still thinking your routing table on the client just lacks an entry for 192.168.1.0/16; adding a route on the router is then not necessary.
can you paste the output of
ip route show (or the appropriate command for windows, afair it's route print)
on your vpn client?
if you want to add the route in the router (it won't break anything), fill the following in:
dest: 192.168.2.0
mask: 255.255.255.0
gateway: 192.168.1.101
hopcount: 0 or 1 (don't know)
0.0.0.0/0 means all (or everything else in most cases), it's usually called the default gateway
Offline
oxygen wrote:
I'm still thinking your routing table on the client just lacks an entry for 192.168.1.0/16
I think it's already the case:
mzypt wrote:
Client:
[...]
route 192.168.1.0 255.255.255.0 192.168.2.22
oxygen wrote:
if you want to add the route in the router (it won't break anything), fill the following in:
dest: 192.168.2.0
mask: 255.255.255.0
gateway: 192.168.1.101
hopcount: 0 or 1 (don't know)
You are right.
I think this rule is needed, so that machines on the "DNS-323 Side" can talk to VPN clients 192.168.2.x (and so, reply to 192.168.2.x requests)
Offline
Yep..that was the missing link. Now I can ping the whole network. I'm very grateful for your help.
Happy New Year!!
Offline
Thank you. Glad to know that it works as expected now!
Happy New Year to you too
Offline
I too am having a problem: I am not able to ping other machines on the VPN server side. Can someone help me figure out what's wrong with my configuration?
I downloaded DNS323 openvpn binaries from #64: http://dns323.kood.org/forum/viewtopic. … 95&p=3
I successfully created a VPN connection, but the client VPN machine can only ping the server VPN (dns323).
Here's my network configuration:
DNS323 side router IP: 192.168.50.1
DNS323 local IP: 192.168.50.155
DNS323 server VPN IP: 10.10.0.1
Laptop local IP: 192.168.0.101
Laptop client VPN IP: 10.10.0.6
When connected to the VPN, from my laptop I can ping 10.10.0.1 and 192.168.50.155, but cannot ping 192.168.50.1.
Server.ovpn (removed other details):
===============================
local 192.168.50.155
port 1194 #forward this port on your router
proto udp
dev tun0
tls-server
server 10.10.0.0 255.255.255.0
push "route 192.168.50.0 255.255.255.0"
push "dhcp-option DNS 192.168.50.1"
push "redirect-gateway"
===============================
Client.ovpn (removed other details):
===============================
client
remote xxx.xxx.xxx.xxx 1194
dev tun
proto udp
resolv-retry infinite
===============================
Run openvpn on DNS323 with following cmds:
===============================
echo "1" > /proc/sys/net/ipv4/ip_forward
mkdir /dev/net
mknod /dev/net/tun c 10 200
insmod /ffp/lib/openvpn/tun.ko
/ffp/sbin/openvpn --config /ffp/etc/openvpn/server.conf
===============================
On my dns323 side router, I added a static route:
Dest IP      Mask            Gateway
10.10.0.0    255.255.255.0   192.168.50.155
DNS323 route table when OpenVPN server is running looks like this:
===============================
root@DNS323:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.0.2       *               255.255.255.255 UH    0      0        0 tun0
192.168.50.0    *               255.255.255.0   U     0      0        0 egiga0
10.10.0.0       10.10.0.2       255.255.255.0   UG    0      0        0 tun0
224.0.0.0       *               255.0.0.0       U     0      0        0 egiga0
default         192.168.50.1    0.0.0.0         UG    0      0        0 egiga0
===============================
Thanks,
Daniel
Offline