[Solved] LAN hosts no longer able to reach remote hosts after moving to 2.4

1034thaccount
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 27, 2017 9:06 am

[Solved] LAN hosts no longer able to reach remote hosts after moving to 2.4

Post by 1034thaccount » Fri Jan 27, 2017 9:57 am

The setup is a local router running an OpenVPN client (2.3.11) connected to a remote OpenVPN server that has a subnet behind it. I want to be able to reach any hosts in the remote subnet from my local LAN, behind the local router. This worked flawlessly until I updated the remote OpenVPN server from 2.3 to 2.4.

This is the situation since moving to 2.4:

Remote OpenVPN server: 10.8.0.1
The client on the router: 10.8.0.2
Remote subnet: 10.0.100.0/24
Local subnet: 192.168.0.0/24
  • Traffic between the two end points, 10.8.0.1 and 10.8.0.2, flows fine.
  • Traffic between 10.8.0.2 (local router) and 10.0.100.0/24 (remote subnet) flows fine.
  • Traffic between 192.168.0.0/24 and 10.0.100.0/24 does not traverse the tunnel and stops at the TUN end points: at 10.8.0.1 when source is 10.0.100.0/24, at 10.8.0.2 when source is 192.168.0.0/24.
Config for the remote server:
port 1194
proto udp
dev tun

topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist pool
push "route 10.0.100.0 255.255.255.0"

client-config-dir ccd
route 192.168.0.0 255.255.255.0

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

cert /etc/openvpn/server/ovpn-server-longhaul.crt
key /etc/openvpn/server/ovpn-server-longhaul.key
ca /etc/openvpn/server/yorick-pfs.crt
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0

cipher AES-128-CBC

user nobody
group nobody
And ccd/yorick (for the client):

iroute 192.168.0.0 255.255.255.0
Pertinent parts of the routing table on the remote side (no difference between 2.3 and 2.4):

10.0.100.0/24 dev lxcbr0 proto kernel scope link src 10.0.100.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.0.0/24 via 10.8.0.2 dev tun0
So, under 2.4, each side receives the traffic from their respective local subnets in the TUN interface yet it does not traverse the tunnel. Downgrading the remote server to 2.3 immediately remedies the situation. Anyone have any idea what I might be doing wrong here?

1034thaccount
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 27, 2017 9:06 am

Re: LAN hosts no longer able to reach remote hosts after moving to 2.4

Post by 1034thaccount » Sat Jan 28, 2017 8:00 am

Sigh. Don't I feel stupid. The problem turned out to be bad permissions on the ccd dir. Everything works now.
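Both failure modes this thread touches on (a `route` on the server with no client claiming it via `iroute`, and a ccd directory the daemon cannot read once it has dropped to `user`/`group`) can be caught before a client ever connects. The script below is an added example, not code from the thread or from the OpenVPN project. It parses the server config for `route`, `client-config-dir`, `user` and `group`, confirms every tunnel-bound `route` has a matching `iroute` in some ccd file, and confirms the ccd directory and its files are readable by the unprivileged user. The sample config and the `yorick` ccd file are constructed to mirror the thread; the extra `route 192.168.5.0 255.255.255.0` with no iroute is added to show the missing-iroute case, and uid/gid 65534 standing in for `nobody` is an assumption.

```python
# Added example, not code from the thread or from OpenVPN: checks tunnel-bound
# `route` vs `iroute` coverage and ccd readability for the dropped-privilege user.
import ipaddress
import os
import shutil
import stat
import tempfile

# Constructed to mirror the thread's server.conf; the second `route` has no
# iroute on purpose so the missing-iroute case shows up.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.0.100.0 255.255.255.0"
client-config-dir ccd
route 192.168.0.0 255.255.255.0
route 192.168.5.0 255.255.255.0
user nobody
group nobody
"""

def parse_server_config(text):
    """Pull the directives the checks need out of a server config."""
    cfg = {"routes": [], "ccd": None, "user": None, "group": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        # Only routes aimed at the VPN itself (no gateway, or the vpn_gateway
        # keyword) need a client to claim them with an iroute.
        if key == "route" and (len(args) == 2 or (len(args) > 2 and args[2] == "vpn_gateway")):
            cfg["routes"].append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif key in ("client-config-dir", "user", "group") and args:
            cfg["ccd" if key == "client-config-dir" else key] = args[0]
    return cfg

def parse_iroutes(ccd_dir):
    """Map each iroute network under ccd_dir to the client file that owns it."""
    iroutes = {}
    for name in sorted(os.listdir(ccd_dir)):
        path = os.path.join(ccd_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for raw in fh:
                parts = raw.split("#", 1)[0].split()
                if len(parts) >= 3 and parts[0] == "iroute":
                    iroutes[ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)] = name
    return iroutes

def missing_iroutes(cfg, iroutes):
    """Tunnel-bound routes no client claims: the kernel hands those packets to
    tun0 but OpenVPN has no client to forward them to, so they are dropped."""
    return [net for net in cfg["routes"] if net not in iroutes]

def readable_by(mode, file_uid, file_gid, uid, gid, need_exec=False):
    """Mode-bit check: can (uid, gid) read (and, for a dir, traverse) the object?
    Supplementary groups are ignored and root gets no special treatment."""
    need = stat.S_IROTH | (stat.S_IXOTH if need_exec else 0)
    if file_uid == uid:
        need <<= 6  # owner bits
    elif file_gid == gid:
        need <<= 3  # group bits
    return (mode & need) == need

def check_ccd_permissions(ccd_dir, uid, gid):
    """Paths under ccd_dir the daemon cannot read after dropping to uid/gid.
    OpenVPN opens a client's ccd file when that client connects, i.e. after
    `user`/`group` took effect, so an unreadable file silently means no iroute."""
    problems = []
    st = os.stat(ccd_dir)
    if not readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid, need_exec=True):
        problems.append(ccd_dir)
    for name in sorted(os.listdir(ccd_dir)):
        path = os.path.join(ccd_dir, name)
        st = os.stat(path)
        if os.path.isfile(path) and not readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid):
            problems.append(path)
    return problems

def demo(uid=65534, gid=65534):
    """Recreate the thread's layout in a temp dir with ccd deliberately mode
    0700/0600 (the bad-permissions case), run both checks, fix, re-check.
    65534 is assumed to be `nobody`; on a real server resolve the config's
    user/group with pwd.getpwnam/grp.getgrnam instead."""
    cfg = parse_server_config(SERVER_CONF)
    root = tempfile.mkdtemp()
    try:
        ccd = os.path.join(root, cfg["ccd"])  # relative to the daemon's cwd
        os.mkdir(ccd)
        client = os.path.join(ccd, "yorick")
        with open(client, "w") as fh:
            fh.write("iroute 192.168.0.0 255.255.255.0\n")
        os.chmod(ccd, 0o700)
        os.chmod(client, 0o600)
        before = check_ccd_permissions(ccd, uid, gid)
        os.chmod(ccd, 0o755)     # ccd files hold no secrets, so world-readable
        os.chmod(client, 0o644)  # is the usual fix
        after = check_ccd_permissions(ccd, uid, gid)
        missing = missing_iroutes(cfg, parse_iroutes(ccd))
    finally:
        shutil.rmtree(root)
    return {"unreadable_before": len(before), "unreadable_after": len(after),
            "missing_iroutes": [str(n) for n in missing]}
```

Running `demo()` reports two unreadable paths before the chmod and none after, plus `192.168.5.0/24` as a route nobody claims. On a live server, point `check_ccd_permissions` at the real ccd directory and pass the numeric ids of the configured `user`/`group`; the mode-bit check deliberately ignores supplementary groups so that a "readable" verdict errs on the strict side.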

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: LAN hosts no longer able to reach remote hosts after moving to 2.4

Post by TinCanTech » Sat Jan 28, 2017 11:10 am

Thanks for letting us know you solved the issue 8-)
