How to properly configure routing over OpenVPN tunnel

cbastos · July 21, 2015, 4:07pm

Hi.

I have the following scenario:

172.31.0.0/24-----------|–[Linux Box] ---------OpenVPN tunnel--------[MikroTik with NAT]–Client Network
100.160.208.149/32–| 10.20.44.253 10.20.44.254

The VPN is stablished and the gateways can ping each other.
Now I want that hosts on the Client Network have access to some servers on the networks behind the Linux box, so I have done this configuration on the Linux side.

root@rjgw:~# cat /etc/openvpn/ccd_tcp/dis2111a 
push "route 172.31.0.111 255.255.255.255"
push "route 172.31.0.101 255.255.255.255"
push "route 200.160.208.149 255.255.255.255"
ifconfig-push 10.20.44.254 10.20.44.253

The routes are being pushed to the MikroTik, but they remain Unreacheable, the pushed routes point to the other side of the tunnel (Linux tunnel address).
Here is the log of the Linux box when the connection is stablished:

Tue Jul 21 09:04:15 2015 201.19.237.89:45231 [dis2111a] Peer Connection Initiated with 201.19.237.89:45231
Tue Jul 21 09:04:15 2015 dis2111a/201.19.237.89:45231 OPTIONS IMPORT: reading client specific options from: ccd_tcp/dis2111a
Tue Jul 21 09:04:15 2015 dis2111a/201.19.237.89:45231 MULTI: Learn: 10.20.44.254 -> dis2111a/201.19.237.89:45231
Tue Jul 21 09:04:15 2015 dis2111a/201.19.237.89:45231 MULTI: primary virtual IP for dis2111a/201.19.237.89:45231: 10.20.44.254
Tue Jul 21 09:04:15 2015 dis2111a/201.19.237.89:45231 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 21 09:04:15 2015 dis2111a/201.19.237.89:45231 SENT CONTROL [dis2111a]: 'PUSH_REPLY,route 10.20.32.1,ping 10,ping-restart 
120,route 172.31.0.111 255.255.255.255,route 172.31.0.101 255.255.255.255,route 200.160.208.149 255.255.255.255,ifconfig 10.20.44
.254 10.20.44.253' (status=1)

I have already created by hand a static route, at the MikroTik side, pointing the address 172.31.0.60 to it’s OpenVPN interface and it works fine.
vpn_routes2.PNG
This is how the OpenVPN interface address is configured at the MikroTik, although I have configured a /30 network between the gateways a network address 10.20.32.1 is shown on it. As a mater of fact I dont know if this ir the root cause of the trouble.
interface-VPN.JPG
Please, how can I correctly configure those routes without having to set them by hand at the MikroTik side?

Regards,
Carlos

cbastos · July 23, 2015, 3:00pm

Since I got no answer and found out it by myself, I’ll put the solution bellow just in case another one needs it.

First of all my OpenVPN server is pretty old and do not support the new statements to select the network topology.
I am usuing the now deprecated /30 network and the deamon at the MikroTik side was’t understanding how to fully setup the routes back to my Linux box.

The solution was pretty simple, I just had to modify the client ccd file from:

root@rjgw:~# cat /etc/openvpn/ccd/dis2111a 
push "route 172.31.0.111 255.255.255.255"
push "route 172.31.0.101 255.255.255.255"
push "route 200.160.208.149 255.255.255.255"
ifconfig-push 10.10.44.254 10.10.44.253

to:

root@rjgw:~# cat /etc/openvpn/ccd/dis2111a 
push "route 172.31.0.111 255.255.255.255 10.20.32.1"
push "route 172.31.0.101 255.255.255.255 10.20.32.1"
push "route 200.160.208.149 255.255.255.255 10.20.32.1"
ifconfig-push 10.10.44.254 10.10.44.253

The address 10.20.32.1 is the addrress of the first /30 subnet that is allocated to the tunnel on the server side.

Regards,
Carlos.