# VPN (probably) routing issue



## archen (Oct 1, 2009)

From looking through these boards, routing with a VPN seems to be a common issue, so I guess I'm not alone.  My issue doesn't actually seem that complicated, so I'm hoping what I'm experiencing is just a bone-headed thing I'm overlooking.  I'll try to keep this fairly brief as far as network explanations go.


```
--------  internet  -------     -------
|Net C |<==========>|Net A|<--->|Net B|
--------  (vpn)     -------     -------
```

So networks A and C are connected through a VPN tunnel using OpenVPN on a pair of FreeBSD firewalls. It's configured to use tunneled mode (tun0), not bridged. Both firewalls are the default gateway, have NAT enabled, etc.

All hosts on any network can ping the virtual tunnel addresses used.  The firewalls themselves can get to anywhere on the networks.  However, hosts on Network C cannot ping hosts on Network A and vice versa.  Here's the weird thing though: hosts on network B CAN get to hosts on network C.

To answer some common questions, both FreeBSD gateways have forwarding enabled.  The VPN does function and passes traffic, which I've been able to verify as far as I could.  Traffic is not getting caught in the firewall, as I have ipfw pass the tunneled traffic before it gets to the NAT divert - just to be sure.  I've also logged it and confirmed that traffic was accepted.  Also, being able to get all the way through from Network B to C would confirm that I have this set up correctly for the most part.

I've run tcpdump and everything seems to go through all the way on network C.  I see the echo reply come back on tun0 on the Net A firewall, but then I see nothing coming out on the physical network interface for Net A (bge1). Keep in mind that in order for Net B to talk to C it also has to come through that interface.  If anyone has any suggestions for things to try it would be much appreciated.  Most of the things I've read through here on the forums seemed _similar_ but didn't quite address my problem.


----------



## aragon (Oct 1, 2009)

More details would be helpful I think.  IP addresses of all the gateways, netmasks and addresses of all the networks, etc.

BTW, NAT should not be necessary anywhere...


----------



## archen (Oct 1, 2009)

```
Network A: 172.16.10.0/24
Network B: 172.16.20.0/24
Network C: 172.16.30.0/24
```

Firewall on Net A is: 172.16.10.253 internal, xx.xx.xx.xx external
Firewall on Net C is: 172.16.30.254 internal, yy.yy.yy.yy external

On host A I have:

```
tun0: inet 10.172.0.1 --> 10.172.0.3 netmask 0xffffffff
rc.conf: route_c="-net 172.16.30.0/24  10.172.0.3"
--openvpn.conf
   dev tun0
   ifconfig 10.172.0.1 10.172.0.3
   route 172.16.30.0 255.255.255.0
```

On host C I have:

```
tun0 host C: inet 10.172.0.3 --> 10.172.0.1 netmask 0xffffffff
rc.conf: route_a="-net 172.16.10.0/24  10.172.0.1"
--openvpn.conf
   dev tun0
   ifconfig 10.172.0.3  10.172.0.1
   route 172.16.10.0 255.255.255.0
   remote xx.xx.xx.xx
```

Openvpn creates tun0 and adds the routes, so I suppose that setting this in rc.conf is redundant. They do show up as expected with netstat -r. I also noticed that the netmask for tun0 doesn't match what is in the openvpn.conf, although I'm not sure if that makes a difference either.
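A small longest-prefix-match simulation of the two gateways' route tables, as an added example that is not from the thread: it traces a packet from a Net A host to a Net C host and the reply back, so an asymmetric or missing return route shows up as a differing reply path. Only the 172.16.x routes via the tun0 peers come from the post; the on-link entries, the Net C LAN interface name "lan_c", the default routes with placeholder next hops and the sample host addresses are constructed assumptions.

```python
import ipaddress

# Route tables of the two VPN gateways. The 172.16.x routes via the tun0 peers
# are quoted from the post; the on-link LAN/tun0 entries, the "lan_c" interface
# name and the default routes (placeholder next hops) are constructed assumptions.
ROUTES = {
    "fw_a": [("172.16.10.0/24", None, "bge1"),          # Net A LAN, on-link
             ("10.172.0.3/32", None, "tun0"),           # tun0 peer
             ("172.16.30.0/24", "10.172.0.3", "tun0"),  # rc.conf / openvpn.conf
             ("0.0.0.0/0", "EXT_GW_A", "bge0")],        # placeholder default
    "fw_c": [("172.16.30.0/24", None, "lan_c"),
             ("10.172.0.1/32", None, "tun0"),
             ("172.16.10.0/24", "10.172.0.1", "tun0"),
             ("0.0.0.0/0", "EXT_GW_C", "ext_c")],
}
# Tunnel addresses resolve to the router that owns them; LANs to their gateway.
OWNER = {"10.172.0.1": "fw_a", "10.172.0.3": "fw_c"}
LAN_GW = {"172.16.10.0/24": "fw_a", "172.16.30.0/24": "fw_c"}

def lookup(router, dst):
    """Longest-prefix match of dst in router's table -> (prefix, gw, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (str(best[0]), best[1], best[2]) if best else None

def trace(router, dst, max_hops=8):
    """Hops (router, iface, gw) until dst is on-link or leaves via an unknown gw."""
    hops = []
    for _ in range(max_hops):
        _, gw, iface = lookup(router, dst)
        hops.append((router, iface, gw))
        if gw is None or gw not in OWNER:   # delivered, or left the modelled VPN
            return hops
        router = OWNER[gw]
    raise RuntimeError("routing loop towards %s" % dst)

def lan_router(addr):
    """Gateway of the LAN that contains addr."""
    a = ipaddress.ip_address(addr)
    return next(r for n, r in LAN_GW.items() if a in ipaddress.ip_network(n))

def round_trip(src, dst):
    """Forward path, then the reply path from the router that delivered it."""
    fwd = trace(lan_router(src), dst)
    return fwd, trace(fwd[-1][0], src)
```

With only the posted routes, a reply from fw_c to a Net B address (172.16.20.x) falls through to the default route in this model; the thread does not say what actually carries that traffic.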


----------

