Packets not being forwarded into remote LANs

lindsayv
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 11, 2017 10:04 pm

Post by lindsayv » Fri Aug 11, 2017 10:21 pm

Hi,

I have set up an OpenVPN link between a network in AWS and an on-premise network. I have used TurnKey OpenVPN appliances at each end for the OpenVPN server and client.

The configuration is very much as created by the supplied scripts, with the exception of adding some additional subnet routes.

The problem I am having is that I can ping the remote tun adapter from a local LAN address, but not out beyond that into the remote LAN. Running tcpdump to monitor traffic shows the remote tun adapter doesn't receive packets to be forwarded on via the remote eth0 adapter.

Server configuration is as follows:

[oconf=]
port 1194
proto udp
dev tun

comp-lzo
keepalive 10 120

persist-key
persist-tun
user nobody
group nogroup

chroot /etc/openvpn/easy-rsa/keys/crl.jail
crl-verify crl.pem

ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt

ifconfig-pool-persist /var/lib/openvpn/server.ipp
client-config-dir /etc/openvpn/server.ccd
status /var/log/openvpn/server.log
verb 4

# virtual subnet unique for openvpn to draw client addresses from
# the server will be configured with x.x.x.1
# important: must not be used on your network
server 10.115.252.0 255.255.255.0

# push routes to clients to allow them to reach private subnets
push "route 10.0.1.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"

# subnet behind a client: zzzzz
route 10.10.1.0 255.255.255.0
route 10.105.3.0 255.255.255.0
route 10.102.40.0 255.255.255.0
[/oconf]

Server iptables rules:

[oconf=]*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
[/oconf]

CCD file for client on server:

[oconf=]iroute 10.10.1.0 255.255.255.0
iroute 10.105.3.0 255.255.255.0
iroute 10.102.40.0 255.255.255.0[/oconf]

Client configuration:

[oconf=]remote <address> 1194
proto udp
ns-cert-type server

client
dev tun
resolv-retry infinite
keepalive 10 120
comp-lzo
nobind
verb 3
[/oconf]

Client iptables rules:

[oconf=]*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
[/oconf]

Can anyone spot any obvious mistakes? I'm tearing out my remaining hair (and there's not a lot of that).

Thanks
Lindsay
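A consistency check for the `route`/`iroute` pairing shown in the post, added here as an example and not code from the thread or from OpenVPN itself: every subnet the server routes into tun must be claimed by an `iroute` in some CCD file (so OpenVPN's internal routing knows which client owns it), and every `iroute` needs a matching kernel `route`, otherwise packets for that subnet never reach tun. The server config, the single CCD file and its name `site-b` are constructed sample input taken from the post; only entries with an explicit netmask are parsed.

```python
import ipaddress
import re

# Constructed sample: the routing-relevant lines of the server config above.
SERVER_CONF = """
server 10.115.252.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
route 10.10.1.0 255.255.255.0
route 10.105.3.0 255.255.255.0
route 10.102.40.0 255.255.255.0
"""
# Constructed sample: CCD files keyed by client common name (name assumed).
CCD_FILES = {
    "site-b": """iroute 10.10.1.0 255.255.255.0
iroute 10.105.3.0 255.255.255.0
iroute 10.102.40.0 255.255.255.0""",
}

# Matches 'route', 'iroute' and 'server' lines with an explicit netmask;
# 'push "route ..."' lines start with push and are deliberately not matched.
_NET = re.compile(r'^\s*(route|iroute|server)\s+(\S+)\s+(\S+)', re.M)

def parse_nets(text, keyword):
    """Return the set of networks declared with `keyword` in an OpenVPN config."""
    return {ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for kw, ip, mask in _NET.findall(text) if kw == keyword}

def check_routing(server_conf, ccd_files):
    """Return a list of findings; an empty list means route/iroute are consistent."""
    findings = []
    routes = parse_nets(server_conf, "route")
    vpn_pool = parse_nets(server_conf, "server")
    owners = {}  # subnet -> client that iroutes it
    for client, text in ccd_files.items():
        for net in parse_nets(text, "iroute"):
            if net in owners:
                findings.append(f"{net} is iroute'd by both {owners[net]} and {client}")
            owners[net] = client
    for net in sorted(routes - set(owners), key=str):
        findings.append(f"route {net} has no iroute: server cannot pick a client, packet dropped")
    for net, client in owners.items():
        if net not in routes:
            findings.append(f"iroute {net} in ccd/{client} has no kernel route: never sent to tun")
        for pool in vpn_pool:
            if net.overlaps(pool):
                findings.append(f"{net} overlaps the VPN address pool {pool}")
    return findings

if __name__ == "__main__":
    print(check_routing(SERVER_CONF, CCD_FILES) or "route/iroute consistent")
```

If this reports nothing, the OpenVPN-level routing is consistent and the next things to check are the kernel side: `net.ipv4.ip_forward` on both gateways and return routes for the VPN subnets on the LAN hosts.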
