I don't usually ask for help on forums, but this time I haven't been able to find a solution by searching and trying things myself...
It is probably simple for someone here, but it isn't for me.
My environment looks like this:
[Docker Container(VPN client)] < - > [VM-A] < - > [VM-B(VPN Server)]
10.8.0.6 10.8.0.1
I've successfully set up a VPN tunnel between the Docker container and VM-B.
The VPN tunnel IP of the Docker container is 10.8.0.6.
The VPN tunnel IP of VM-B is 10.8.0.1.
Below are the results of my VPN connectivity tests. My question: I don't understand why VM-B (the VPN server) doesn't send an ICMP reply.
1. I can ping/ssh the VPN client from the VPN server.
2. I can ssh the VPN server from the VPN client.
3. I can NOT ping the VPN server from the VPN client. I debugged on VM-B (VPN server) with tcpdump and saw that the ICMP echo request is received, but no reply is sent.
openvpn/bionic-updates,now 2.4.4-2ubuntu1.3 s390x
server.conf
# OpenVPN 2.4 server config as pasted in the post (no port/proto lines visible).
# NOTE(review): client.conf below uses `proto tcp` and the server firewall
# accepts tcp/1194, so this server must also be running proto tcp — confirm the
# line was merely omitted from the paste, since OpenVPN's default is udp.
;dev tap
dev tun
;dev-node MyTap
# PKI material; paths are relative to the config directory.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
;topology subnet
# With `topology subnet` left disabled the default net30 topology applies: each
# client gets its own /30. That matches the 10.8.0.5/10.8.0.6 pair on the client
# and the 10.8.0.1 -> 10.8.0.2 point-to-point pair on the server shown in the
# route tables later in the post.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
# Ping the peer every 10 s; consider it down after 120 s of silence.
keepalive 10 120
# Control-channel HMAC. Direction 0 here must pair with `tls-auth ta.key 1`
# on the client side (it does; see client.conf).
tls-auth ta.key 0
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
# Privilege drop is disabled. persist-key/persist-tun below are exactly the
# prerequisites for dropping to nobody/nogroup after init — consider enabling.
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log
verb 3
;mute 20
client.conf
# OpenVPN 2.4 client config as pasted in the post.
client
;dev tap
dev tun
;dev-node MyTap
# TCP transport to the server; matches the tcp/1194 ACCEPT in the server firewall.
proto tcp
;proto udp
remote 169.63.212.12 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
# Do not bind a fixed local port for the outgoing connection.
nobind
# Privilege drop is disabled here too; persist-key/persist-tun are already set,
# so enabling nobody/nogroup should be safe.
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
# Client PKI material.
ca ca.crt
cert client.crt
key client.key
# Require the peer certificate to carry the server role, so another client's
# certificate cannot be used to impersonate the server.
remote-cert-tls server
# Direction 1 pairs with `tls-auth ta.key 0` in server.conf.
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
;mute 20
VPN Server - route table
root@6f2bec1280c9:/tmp# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.18.28.9 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.18.28.8 0.0.0.0 255.255.255.248 U 0 0 0 eth0
root@6f2bec1280c9:/tmp# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 40 bytes 4269 (4.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 30 bytes 3491 (3.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@7e4afb85ed5a:/tmp# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
root@7e4afb85ed5a:/tmp# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 30 bytes 3491 (3.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 4269 (4.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# Generated by iptables-save v1.6.1 on Wed Nov 25 07:39:22 2020
*nat
:PREROUTING ACCEPT [3:128]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:68]
:POSTROUTING ACCEPT [1:68]
# Masquerades tunnel clients leaving via eth0. With FORWARD's policy DROP and no
# FORWARD rules in the filter table below, nothing is forwarded yet, so this rule
# is currently inert; if clients are meant to reach beyond the server, FORWARD
# needs matching rules (and net.ipv4.ip_forward enabled).
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 25 07:39:22 2020
# Generated by iptables-save v1.6.1 on Wed Nov 25 07:39:22 2020
*filter
# Default-deny on all three chains. The [packets:bytes] counters on the policy
# lines count traffic that reached the chain policy; INPUT has dropped 1493 so far.
:INPUT DROP [1493:62268]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:52]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: 127/8 sources arriving on non-loopback interfaces are dropped.
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
# This is why the server never answers the client's ping: an inbound ICMP echo
# request opens a NEW conntrack entry, it is not ESTABLISHED, so it matches no
# ACCEPT rule and falls through to the INPUT DROP policy. tcpdump still shows it
# on tun0 because packet capture taps the interface before netfilter's INPUT hook.
# Only echo replies to pings the server itself sent are ESTABLISHED, which is
# why server -> client ping works. Fix: accept echo requests, preferably scoped
# to the tunnel interface, e.g.
#   -A INPUT -i tun0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# (and consider RELATED alongside ESTABLISHED so ICMP error messages get through).
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
# ssh and the OpenVPN listener are accepted from any source on any interface;
# ssh over the tunnel works only because these rules are interface-agnostic.
# Consider pinning 1194 to eth0 and 22 to the interfaces it is really needed on.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
# An outbound echo reply would pass here (ESTABLISHED), so OUTPUT is not the
# blocker; the request is dropped on INPUT before a reply is ever generated.
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Nov 25 07:39:22 2020
root@6f2bec1280c9:/tmp# ping 10.8.0.6 -c 4
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=55.6 ms
64 bytes from 10.8.0.6: icmp_seq=2 ttl=64 time=55.3 ms
64 bytes from 10.8.0.6: icmp_seq=3 ttl=64 time=55.8 ms
64 bytes from 10.8.0.6: icmp_seq=4 ttl=64 time=55.5 ms
--- 10.8.0.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 55.319/55.577/55.812/0.294 ms
root@6f2bec1280c9:/tmp# nc -zv 10.8.0.6 22
10.8.0.6: inverse host lookup failed: Unknown host
(UNKNOWN) [10.8.0.6] 22 (ssh) open
VPN Client - vpn connectivity test - from VPN client to VPN server
root@7e4afb85ed5a:~/workspace# ping 10.8.0.1 -c 4
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3050ms
root@7e4afb85ed5a:~/workspace# nc -zv 10.8.0.1 22
10.8.0.1: inverse host lookup failed: Unknown host
(UNKNOWN) [10.8.0.1] 22 (ssh) open
Issue the ping command on the client; you will notice that only the ICMP echo request is received on the VPN server, and no echo reply is sent.
On the VPN client:
root@fe1d71c0f4ee:/etc/openvpn# ping 10.8.0.1 -c 1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
--- 10.8.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
On the VPN server:
root@551a4cd43800:~# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:18:03.360215 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 7352, seq 1, length 64