[Solved] Client Can't Ping Other Interfaces on Server from Client
Posted: Mon Mar 20, 2017 3:39 am
Hello,
I have been trying to set up OpenVPN on a server (among other things) for the better part of two days now and I cannot for the life of me figure out what the problem is. If anyone can shed any light on the situation I would be forever grateful!
Everything OpenVPN oriented seems to be working fine. The server is up and running and the client connects just fine. The problem is that I need to be able to ping from the server to an interface other than the OpenVPN interface on the client, and also from the client to an interface other than the OpenVPN interface on the server.
Right now the client is able to ping all other interfaces on the server but the server can not ping any interface aside from the active OpenVPN tun interface on the client.
My end game is communicating among all interfaces on 2 different physical servers running CentOS 7, connected to each other with an OpenVPN tunnel for management purposes, so that I can set up an active/active high-availability redundant configuration between them, with clients connecting to either machine and, in the case of server failure, having all clients move from the inactive server to the active server. Before I get that far I need help solving this puzzle.
I have stripped down my configuration to the following for the sake of troubleshooting.
I have removed all routes from my configuration and added the necessary routes using the ip route command again.
I also created an IP alias on the Ethernet interface of both hosts to simulate the other 2 tun interfaces that clients will be connecting to.
OpenVPN Version
OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2016 OpenVPN Technologies, Inc.
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
Server Configuration:
#mode server
dev tun1
proto udp
port 11950
keepalive 5 30
max-clients 6
comp-lzo
user nobody
group nobody
auth-nocache
persist-key
persist-tun
script-security 2
tls-server
tls-auth /full/path/to/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
ca /full/path/to/ca.crt
crl-verify /full/path/to/crl.pem
cert /full/path/to/vpn1mgmt.crt
key /full/path/to/vpn1mgmt.key
dh /full/path/to/dh2048.pem
ifconfig 10.255.254.1 255.255.255.248
ifconfig-pool 10.255.254.3 10.255.254.7
topology subnet
client-config-dir /full/path/to/ccd
ccd-exclusive
verb 4
mute 10
status /var/log/openvpn/mgmt-status.log
log-append /var/log/openvpn/mgmt-openvpn.log
management 127.0.0.1 5554
Client Configuration:
client
proto udp
remote vpn1.somedomainname.com
port 11950
dev tun1
nobind
cipher AES-256-CBC
auth SHA256
comp-lzo
remote-cert-tls server
tls-auth /full/path/to/ta.key 1
ca /full/path/to/ca.crt
cert /full/path/to/vpn2mgmt.crt
key /full/path/to/vpn2mgmt.key
dh /full/path/to/dh2048.pem
auth-nocache
user nobody
group nobody
topology subnet
verb 4
mute 10
keepalive 5 30
resolv-retry infinite
persist-key
persist-tun
status /var/log/openvpn/mgmt-status.log
log-append /var/log/openvpn/mgmt-openvpn.log
Server Log File:
Mon Mar 20 04:53:38 2017 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Mon Mar 20 04:53:38 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Mon Mar 20 04:53:38 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:5554
Mon Mar 20 04:53:38 2017 Diffie-Hellman initialized with 2048 bit key
Mon Mar 20 04:53:38 2017 Control Channel Authentication: using '/full/path/to/ta.key' as a OpenVPN static key file
Mon Mar 20 04:53:38 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:53:38 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:53:38 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Mar 20 04:53:38 2017 TUN/TAP device tun1 opened
Mon Mar 20 04:53:38 2017 TUN/TAP TX queue length set to 100
Mon Mar 20 04:53:38 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Mar 20 04:53:38 2017 /usr/sbin/ip link set dev tun1 up mtu 1500
Mon Mar 20 04:53:38 2017 /usr/sbin/ip addr add dev tun1 10.255.254.1/29 broadcast 10.255.254.7
Mon Mar 20 04:53:38 2017 GID set to nobody
Mon Mar 20 04:53:38 2017 UID set to nobody
Mon Mar 20 04:53:38 2017 UDPv4 link local (bound): [undef]
Mon Mar 20 04:53:38 2017 UDPv4 link remote: [undef]
Mon Mar 20 04:53:38 2017 MULTI: multi_init called, r=256 v=256
Mon Mar 20 04:53:38 2017 IFCONFIG POOL: base=10.255.254.3 size=5, ipv6=0
Mon Mar 20 04:53:38 2017 Initialization Sequence Completed
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:54758, sid=9283152e 8558ad38
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 CRL CHECK OK: CN=CDXVPN
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 VERIFY OK: depth=1, CN=CDXVPN
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 Validating certificate key usage
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 ++ Certificate has key usage 0080, expects 0080
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 VERIFY KU OK
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 Validating certificate extended key usage
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 VERIFY EKU OK
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 CRL CHECK OK: CN=vpn2mgmt
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 NOTE: --mute triggered...
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 6 variation(s) on previous 10 message(s) suppressed by --mute
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 [vpn2mgmt] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:54758
Mon Mar 20 04:56:50 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 OPTIONS IMPORT: reading client specific options from: /full/path/to/ccd/vpn2mgmt
Mon Mar 20 04:56:50 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 MULTI: Learn: 10.255.254.2 -> vpn2mgmt/xxx.xxx.xxx.xxx:54758
Mon Mar 20 04:56:50 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 MULTI: primary virtual IP for vpn2mgmt/xxx.xxx.xxx.xxx:54758: 10.255.254.2
Mon Mar 20 04:56:53 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 PUSH: Received control message: 'PUSH_REQUEST'
Mon Mar 20 04:56:53 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 send_push_reply(): safe_cap=940
Mon Mar 20 04:56:53 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 SENT CONTROL [vpn2mgmt]: 'PUSH_REPLY,ping 5,ping-restart 30,ifconfig 10.255.254.2 255.255.255.248' (status=1)
Client Log File:
Mon Mar 20 04:56:50 2017 us=657589 Current Parameter Settings:
Mon Mar 20 04:56:50 2017 us=657709 config = 'vpn2mgmt.conf'
Mon Mar 20 04:56:50 2017 us=657728 mode = 0
Mon Mar 20 04:56:50 2017 us=657743 persist_config = DISABLED
Mon Mar 20 04:56:50 2017 us=657757 persist_mode = 1
Mon Mar 20 04:56:50 2017 us=657900 show_ciphers = DISABLED
Mon Mar 20 04:56:50 2017 us=657958 show_digests = DISABLED
Mon Mar 20 04:56:50 2017 us=658015 show_engines = DISABLED
Mon Mar 20 04:56:50 2017 us=658072 genkey = DISABLED
Mon Mar 20 04:56:50 2017 us=658182 NOTE: --mute triggered...
Mon Mar 20 04:56:50 2017 us=658243 266 variation(s) on previous 10 message(s) suppressed by --mute
Mon Mar 20 04:56:50 2017 us=658300 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Mon Mar 20 04:56:50 2017 us=658362 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Mon Mar 20 04:56:50 2017 us=670760 Control Channel Authentication: using '/full/path/to/ta.key' as a OpenVPN static key file
Mon Mar 20 04:56:50 2017 us=670832 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:56:50 2017 us=670853 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:56:50 2017 us=670898 LZO compression initialized
Mon Mar 20 04:56:50 2017 us=670998 Control Channel MTU parms [ L:1570 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Mar 20 04:56:50 2017 us=671053 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Mar 20 04:56:50 2017 us=807136 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Mon Mar 20 04:56:50 2017 us=807217 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Mon Mar 20 04:56:50 2017 us=807237 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Mon Mar 20 04:56:50 2017 us=807280 Local Options hash (VER=V4): '73e43c96'
Mon Mar 20 04:56:50 2017 us=807304 Expected Remote Options hash (VER=V4): '8a3b3cca'
Mon Mar 20 04:56:50 2017 us=807494 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Mar 20 04:56:50 2017 us=807521 UDPv4 link local: [undef]
Mon Mar 20 04:56:50 2017 us=807578 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:11950
Mon Mar 20 04:56:50 2017 us=808878 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:11950, sid=935946a5 d9ae95ca
Mon Mar 20 04:56:50 2017 us=819514 VERIFY OK: depth=1, CN=CDXVPN
Mon Mar 20 04:56:50 2017 us=819756 Validating certificate key usage
Mon Mar 20 04:56:50 2017 us=819777 ++ Certificate has key usage 00a0, expects 00a0
Mon Mar 20 04:56:50 2017 us=819791 VERIFY KU OK
Mon Mar 20 04:56:50 2017 us=819810 Validating certificate extended key usage
Mon Mar 20 04:56:50 2017 us=819825 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Mar 20 04:56:50 2017 us=819843 VERIFY EKU OK
Mon Mar 20 04:56:50 2017 us=819858 VERIFY OK: depth=0, CN=vpn1mgmt
Mon Mar 20 04:56:50 2017 us=845168 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Mar 20 04:56:50 2017 us=845232 NOTE: --mute triggered...
Mon Mar 20 04:56:50 2017 us=845299 4 variation(s) on previous 10 message(s) suppressed by --mute
Mon Mar 20 04:56:50 2017 us=845318 [vpn1mgmt] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:11950
Mon Mar 20 04:56:53 2017 us=261686 SENT CONTROL [vpn1mgmt]: 'PUSH_REQUEST' (status=1)
Mon Mar 20 04:56:53 2017 us=262521 PUSH: Received control message: 'PUSH_REPLY,ping 5,ping-restart 30,ifconfig 10.255.254.2 255.255.255.248'
Mon Mar 20 04:56:53 2017 us=262681 OPTIONS IMPORT: timers and/or timeouts modified
Mon Mar 20 04:56:53 2017 us=262702 OPTIONS IMPORT: --ifconfig/up options modified
Mon Mar 20 04:56:53 2017 us=262992 TUN/TAP device tun1 opened
Mon Mar 20 04:56:53 2017 us=263040 TUN/TAP TX queue length set to 100
Mon Mar 20 04:56:53 2017 us=263070 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Mar 20 04:56:53 2017 us=263102 /usr/sbin/ip link set dev tun1 up mtu 1500
Mon Mar 20 04:56:53 2017 us=265090 /usr/sbin/ip addr add dev tun1 10.255.254.2/29 broadcast 10.255.254.7
Mon Mar 20 04:56:53 2017 us=267791 GID set to nobody
Mon Mar 20 04:56:53 2017 us=267862 UID set to nobody
Mon Mar 20 04:56:53 2017 us=267877 Initialization Sequence Completed
Server's ip route Output
default via xxx.xxx.xxx.xxx dev enp2s0
10.0.0.0/24 dev enp2s0 proto kernel scope link src 10.0.0.1
10.0.0.2 via 10.255.254.1 dev tun1
10.255.254.0/29 dev tun1 proto kernel scope link src 10.255.254.1
xxx.xxx.xxx.xxx dev enp2s0 proto kernel scope link src xxx.xxx.xxx.xxx
169.254.0.0/16 dev enp2s0 scope link metric 1002
Client's ip route Output
default via xxx.xxx.xxx.xxx dev enp2s0
10.0.0.0/24 dev enp2s0 proto kernel scope link src 10.0.0.2
10.0.0.1 via 10.255.254.2 dev tun1
10.255.254.0/29 dev tun1 proto kernel scope link src 10.255.254.2
xxx.xxx.xxx.xxx dev enp2s0 proto kernel scope link src xxx.xxx.xxx.xxx
169.254.0.0/16 dev enp2s0 scope link metric 1002
Ping from Server to IP Alias on Client
ping -c3 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
Server's tcpdump Output for Interface tun1 During Ping from Server to Client
05:20:33.724602 IP vpn1 > 10.0.0.2: ICMP echo request, id 3523, seq 1, length 64
05:20:34.723801 IP vpn1 > 10.0.0.2: ICMP echo request, id 3523, seq 2, length 64
05:20:35.723817 IP vpn1 > 10.0.0.2: ICMP echo request, id 3523, seq 3, length 64
Client's tcpdump Output for Interface tun1 During Ping from Server to Client
(empty)
Ping from Client to IP Alias on Server
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.752 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.680 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.644 ms
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.644/0.692/0.752/0.044 ms
Server's tcpdump Output for Interface tun1 During Ping from Client to Server
05:22:24.568511 IP 10.255.254.2 > vpn1: ICMP echo request, id 3389, seq 1, length 64
05:22:24.568532 IP vpn1 > 10.255.254.2: ICMP echo reply, id 3389, seq 1, length 64
05:22:25.569010 IP 10.255.254.2 > vpn1: ICMP echo request, id 3389, seq 2, length 64
05:22:25.569022 IP vpn1 > 10.255.254.2: ICMP echo reply, id 3389, seq 2, length 64
05:22:26.568958 IP 10.255.254.2 > vpn1: ICMP echo request, id 3389, seq 3, length 64
05:22:26.568969 IP vpn1 > 10.255.254.2: ICMP echo reply, id 3389, seq 3, length 64
Client's tcpdump Output for Interface tun1 During Ping from Client to Server
05:22:24.568130 IP vpn2 > 10.0.0.1: ICMP echo request, id 3389, seq 1, length 64
05:22:24.568849 IP 10.0.0.1 > vpn2: ICMP echo reply, id 3389, seq 1, length 64
05:22:25.568643 IP vpn2 > 10.0.0.1: ICMP echo request, id 3389, seq 2, length 64
05:22:25.569311 IP 10.0.0.1 > vpn2: ICMP echo reply, id 3389, seq 2, length 64
05:22:26.568626 IP vpn2 > 10.0.0.1: ICMP echo request, id 3389, seq 3, length 64
05:22:26.569260 IP 10.0.0.1 > vpn2: ICMP echo reply, id 3389, seq 3, length 64
Any insight anyone?

Thanks in advance!
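Editor's note, added below the post and not part of it. The captures above show the echo requests for 10.0.0.2 leaving the server's tun1 while the client's tun1 sees nothing, and the reverse direction works because the client sources its ping from 10.255.254.2, a tun address the server already knows. That pattern is what OpenVPN's server mode produces when the kernel routes a destination into the tunnel but no client's ccd file claims it with an `iroute`: the server process keeps its own internal routing table and only forwards to a client the addresses it learned (the client's tun address) or was told about (`iroute`), and discards the rest. The check below, written for this note rather than taken from the poster's configuration, reads `ip route` output plus a set of ccd files and reports tunnel destinations that no client owns. The redacted public addresses are replaced by 203.0.113.x placeholders, and the contents of `ccd/vpn2mgmt` are a constructed assumption (the post only shows that the file exists and that the client received 10.255.254.2, outside the pool).

```python
"""Check that every kernel route pointing into the OpenVPN tun device is backed by
an `iroute` in some client's ccd file. Added example, not from the original post."""
import ipaddress
import re
from typing import Dict, List

# The server's `ip route` output as posted, with the redacted public addresses
# replaced by documentation-range placeholders (the 203.0.113.x values are assumed).
SERVER_IP_ROUTE = """\
default via 203.0.113.1 dev enp2s0
10.0.0.0/24 dev enp2s0 proto kernel scope link src 10.0.0.1
10.0.0.2 via 10.255.254.1 dev tun1
10.255.254.0/29 dev tun1 proto kernel scope link src 10.255.254.1
203.0.113.0/24 dev enp2s0 proto kernel scope link src 203.0.113.10
169.254.0.0/16 dev enp2s0 scope link metric 1002
"""

# Constructed ccd/vpn2mgmt contents. The post does not show the file; the client
# received 10.255.254.2 (outside the pool), so an ifconfig-push like this is assumed.
CCD_WITHOUT_IROUTE: Dict[str, str] = {
    "vpn2mgmt": "ifconfig-push 10.255.254.2 255.255.255.248\n",
}
CCD_WITH_IROUTE: Dict[str, str] = {
    "vpn2mgmt": (
        "ifconfig-push 10.255.254.2 255.255.255.248\n"
        "iroute 10.0.0.2 255.255.255.255\n"
    ),
}

IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)(?:\s+(\S+))?\s*$", re.MULTILINE)


def routes_via_tun(ip_route_output: str, tun_dev: str) -> List[ipaddress.IPv4Network]:
    """Destinations the kernel hands to tun_dev, excluding the tun subnet itself
    (OpenVPN learns each peer's tun address on its own; anything else needs an iroute)."""
    nets = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if "dev" not in fields or fields[fields.index("dev") + 1] != tun_dev:
            continue
        if "proto" in fields and fields[fields.index("proto") + 1] == "kernel":
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        nets.append(ipaddress.ip_network(dst, strict=False))
    return nets


def iroutes(ccd_files: Dict[str, str]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Parse `iroute network [netmask]` lines per client CN (netmask defaults to /32)."""
    parsed = {}
    for cn, text in ccd_files.items():
        parsed[cn] = [
            ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or '255.255.255.255'}", strict=False)
            for m in IROUTE_RE.finditer(text)
        ]
    return parsed


def missing_iroutes(ip_route_output: str, tun_dev: str, ccd_files: Dict[str, str]) -> List[str]:
    """Tunnel destinations no client owns. The OpenVPN server has no internal route for
    these, so it discards the packets instead of forwarding them to any client."""
    owned = [net for nets in iroutes(ccd_files).values() for net in nets]
    return [
        str(dst)
        for dst in routes_via_tun(ip_route_output, tun_dev)
        if not any(dst.subnet_of(net) for net in owned)
    ]


def suggested_iroute_lines(missing: List[str]) -> List[str]:
    """ccd lines that would give each missing destination an owning client."""
    return [
        f"iroute {ipaddress.ip_network(m).network_address} {ipaddress.ip_network(m).netmask}"
        for m in missing
    ]


if __name__ == "__main__":
    for label, ccd in (("ccd without iroute", CCD_WITHOUT_IROUTE), ("ccd with iroute", CCD_WITH_IROUTE)):
        gaps = missing_iroutes(SERVER_IP_ROUTE, "tun1", ccd)
        print(f"{label}: unowned tunnel destinations = {gaps or 'none'}")
        for line in suggested_iroute_lines(gaps):
            print(f"  add to ccd/vpn2mgmt: {line}")
```

Two things to keep in mind when applying this. First, `iroute` is the server-side authorization for a client to sit behind an address, not a replacement for the kernel route: the server still needs its `route 10.0.0.2 255.255.255.255` (or the manual `ip route add`) so that packets reach tun1 at all, and the ccd `iroute` so that the OpenVPN process knows which connected client to hand them to. The same table is enforced in the other direction, so a client that sends packets from an address it has not been given an `iroute` for has them dropped with a "MULTI: bad source address from client" log line. Second, the kernel routes in the post point `via` each host's own tun address rather than the peer's; on a tun device this still delivers the packet to the interface, which is why the server-side capture shows the requests, but the gateway should be the peer's tun address.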