can not ping VPN server from client, icmp request received, but doesn't reply

[liucgbj]

Hi all,

I am usually not requesting help on forums but this time, I am not able to find a solution by searching and trying myself...
It will probably be simple for someone here but it is not for me

My environment looks like this :

Code: Select all

[Docker Container(VPN client)] < - > [VM-A] < - > [VM-B(VPN Server)]
         10.8.0.6                                    10.8.0.1           
 

I start a docker container on VM-A with following options, --cap-add=NET_ADMIN --device /dev/net/tun:/dev/net/tun,
I've successfully setup VPN tunnel between Docker Container and VM-B.
The VPN tunnel ip for Docker Container is : 10.8.0.6
The VPN tunnel ip for VM-B is : 10.8.0.1

Below is the result after I tested VPN connectivity, my question is I don't know why VM-B (VPN Server) doen't send icmp reply.

Code: Select all

1. I can ping/ssh VPN client from VPN server.
2. I can ssh VPN server from VPN client.
3. I can NOT ping VPN server from VPN client, I debugged on VM-B (VPN Server) by using tcpdump, I noticed that icmp request package has been received, but doesn't reply. 
 

OpenVPN version

Code: Select all

openvpn/bionic-updates,now 2.4.4-2ubuntu1.3 s390x

View Originalserver.conf

;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log
verb 3
;mute 20

View Originalclient.conf

client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 169.63.212.12 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
;mute 20

VPN Server - route table

Code: Select all

root@6f2bec1280c9:/tmp# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.18.28.9     0.0.0.0         UG        0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.18.28.8     0.0.0.0         255.255.255.248 U         0 0          0 eth0
root@6f2bec1280c9:/tmp# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 40  bytes 4269 (4.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 3491 (3.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

VPN Client - route table

Code: Select all

root@7e4afb85ed5a:/tmp# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG        0 0          0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
root@7e4afb85ed5a:/tmp# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 30  bytes 3491 (3.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 4269 (4.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

VPN Server - iptables.rules

Code: Select all

# Generated by iptables-save v1.6.1 on Wed Nov 25 07:39:22 2020
*nat
:PREROUTING ACCEPT [3:128]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:68]
:POSTROUTING ACCEPT [1:68]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 25 07:39:22 2020
# Generated by iptables-save v1.6.1 on Wed Nov 25 07:39:22 2020
*filter
:INPUT DROP [1493:62268]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:52]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Nov 25 07:39:22 2020

VPN Server - vpn connectivity test - from VPN server to VPN client

Code: Select all

root@6f2bec1280c9:/tmp# ping 10.8.0.6 -c 4
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=55.6 ms
64 bytes from 10.8.0.6: icmp_seq=2 ttl=64 time=55.3 ms
64 bytes from 10.8.0.6: icmp_seq=3 ttl=64 time=55.8 ms
64 bytes from 10.8.0.6: icmp_seq=4 ttl=64 time=55.5 ms

--- 10.8.0.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 55.319/55.577/55.812/0.294 ms
root@6f2bec1280c9:/tmp# nc -zv 10.8.0.6 22
10.8.0.6: inverse host lookup failed: Unknown host
(UNKNOWN) [10.8.0.6] 22 (ssh) open

VPN Client - vpn connectivity test - from VPN client to VPN server

Code: Select all

root@7e4afb85ed5a:~/workspace# ping 10.8.0.1 -c 4
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3050ms
root@7e4afb85ed5a:~/workspace# nc -zv 10.8.0.1 22
10.8.0.1: inverse host lookup failed: Unknown host
(UNKNOWN) [10.8.0.1] 22 (ssh) open

VPN Server - tcpdump

Code: Select all

issue ping command on Client, then will noticed that only icmp-request has been received on VPN server, but doesn't send icmp-reply.

on VPN Client:

root@fe1d71c0f4ee:/etc/openvpn# ping 10.8.0.1 -c 1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

on VPN Server:

root@551a4cd43800:~# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:18:03.360215 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 7352, seq 1, length 64

[TinCanTech]

try using --topology subnet

[liucgbj]

Hi TinCanTech,

Thank you for your quick reply, I've enabled following parameter in server.conf, --topology subnet and tested vpn connectivity, but problem is still here.

View Originalserver.conf

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3

VPN Test & Tcpdump

Code: Select all

on VPN Client:

root@1d19e3253229:/etc/openvpn# ping 10.8.0.1 -c 1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

on VPN Server:

root@6d77868edfe8:/etc/openvpn# tcpdump -i  tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
05:55:02.052634 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 7714, seq 1, length 64

Regards
Chenguang

[TinCanTech]

It is probably your firewall.

I do not debug iptables on this forum for free.

[liucgbj]

Hey TinCanTech,

Yes, this is a firewall problem, we have fixed it, now VPN works well, thanks.

Regards
Chenguang