VPN Initialization Completes but Ping Fails

Post by afranji » Mon Sep 23, 2019 5:16 am

Hello,

My VPN successfully connects the client and server, but ping fails. I have been trying to solve this for a week now and cannot figure out where my issue is. If you see any issues, I would really appreciate your help.

- When I ping from the server to the client, I can see the "ICMP echo request" when using "tcpdump -i tun0" on the client. I don't see anything else.
- When I ping from the client to the server, I can't find the ping message anywhere on the server when using tcpdump.
- I have enabled ip_forwarding.

Here are the server's stats:
route -n

- Kernel IP routing table
- Destination Gateway Genmask Flags Metric Ref Use Iface
- 0.0.0.0 aaa.bbb.ccc.7 0.0.0.0 UG 100 0 0 eno1
- 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
- 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
- aaa.bbb.ccc.0 0.0.0.0 255.255.240.0 U 100 0 0 eno1
- ddd.eee.fff.0 0.0.0.0 255.255.0.0 U 1000 0 0 eno1

ifconfig

- eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
- inet aaa.bbb.ccc.101 netmask 255.255.240.0 broadcast aaa.bbb.ccc.255
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- inet6 [...] prefixlen 64 scopeid 0x20<link>
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- inet6 [...] prefixlen 64 scopeid 0x0<global>
- ether [...] txqueuelen 1000 (Ethernet)
- RX packets 467958105 bytes 35265673379 (35.2 GB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 14670394 bytes 2460634387 (2.4 GB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- device interrupt 20 memory 0xe1a00000-e1a20000
-
- lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
- inet [...] netmask 255.0.0.0
- inet6 ::1 prefixlen 128 scopeid 0x10<host>
- loop txqueuelen 1000 (Local Loopback)
- RX packets 292473 bytes 41677734 (41.6 MB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 292473 bytes 41677734 (41.6 MB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-
- tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
- inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
- inet6 [...] prefixlen 64 scopeid 0x20<link>
- unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
- RX packets 0 bytes 0 (0.0 B)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 96 bytes 7740 (7.7 KB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

iptables -L

- target prot opt source destination
- ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
- ACCEPT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere
- ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:openvpn
- ACCEPT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere
-
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- ACCEPT tcp -- anywhere 10.8.0.2 tcp dpt:openvpn
- ACCEPT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT all -- anywhere anywhere
-
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination


Here are the client's stats:
route -n

- Kernel IP routing table
- Destination Gateway Genmask Flags Metric Ref Use Iface
- 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
- 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
- xxx.yyy.zzz.0 0.0.0.0 255.255.255.0 U 322 0 0 wlan0

ifconfig

- tun0 Link encap:UNSPEC
- inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
- UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
- RX packets:95 errors:0 dropped:0 overruns:0 frame:0
- TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:100
- RX bytes:7692 TX bytes:0
-
- wlan0 Link encap:Ethernet HWaddr [...]
- inet addr:xxx.yyy.zzz.70 Bcast:xxx.yyy.zzz.255 Mask:255.255.255.0
- inet6 addr: [...] Scope: Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:5067 errors:0 dropped:296 overruns:0 frame:0
- TX packets:5405 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:1000
- RX bytes:755946 TX bytes:556646
-
- dummy0 Link encap:Ethernet HWaddr [...]
- inet6 addr: [...] Scope: Link
- UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
- RX packets:0 errors:0 dropped:0 overruns:0 frame:0
- TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:0
- RX bytes:0 TX bytes:210
-
- rmnet0 Link encap:UNSPEC
- UP RUNNING MTU:2000 Metric:1
- RX packets:0 errors:0 dropped:0 overruns:0 frame:0
- TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:1000
- RX bytes:0 TX bytes:0
-
- lo Link encap:Local Loopback
- inet addr:127.0.0.1 Mask:255.0.0.0
- inet6 addr: ::1/128 Scope: Host
- UP LOOPBACK RUNNING MTU:65536 Metric:1
- RX packets:54 errors:0 dropped:0 overruns:0 frame:0
- TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:0
- RX bytes:4072 TX bytes:4072

iptables -L

- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- bw_INPUT all -- anywhere anywhere
- fw_INPUT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere
-
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- sort_out_interface all -- anywhere anywhere
- oem_fwd all -- anywhere anywhere
- fw_FORWARD all -- anywhere anywhere
- bw_FORWARD all -- anywhere anywhere
- natctrl_FORWARD all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere
-
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- DROP udp -- anywhere anywhere udp dpt:1900
- DROP udp -- anywhere anywhere udp dpt:1900
- DROP udp -- anywhere anywhere udp dpt:1900
- DROP udp -- anywhere anywhere udp dpt:1900
- DROP udp -- anywhere anywhere udp dpt:1900
- DROP udp -- anywhere anywhere udp dpt:1900
- DROP udp -- anywhere anywhere udp dpt:1900
- DROP udp -- anywhere anywhere udp dpt:1900
- sort_out_interface all -- anywhere anywhere
- oem_out all -- anywhere anywhere
- fw_OUTPUT all -- anywhere anywhere
- st_OUTPUT all -- anywhere anywhere
- bw_OUTPUT all -- anywhere anywhere
-
- Chain bw_FORWARD (1 references)
- target prot opt source destination
-
- Chain bw_INPUT (1 references)
- target prot opt source destination
- all -- anywhere anywhere owner socket exists
-
- Chain bw_OUTPUT (1 references)
- target prot opt source destination
- all -- anywhere anywhere owner socket exists
-
- Chain bw_costly_shared (0 references)
- target prot opt source destination
- bw_penalty_box all -- anywhere anywhere
-
- Chain bw_happy_box (0 references)
- target prot opt source destination
-
- Chain bw_penalty_box (1 references)
- target prot opt source destination
-
- Chain fw_FORWARD (1 references)
- target prot opt source destination
-
- Chain fw_INPUT (1 references)
- target prot opt source destination
-
- Chain fw_OUTPUT (1 references)
- target prot opt source destination
-
- Chain fw_dozable (0 references)
- target prot opt source destination
- RETURN all -- anywhere anywhere owner UID match 0-9999
- DROP all -- anywhere anywhere
-
- Chain fw_standby (0 references)
- target prot opt source destination
-
- Chain natctrl_FORWARD (1 references)
- target prot opt source destination
- DROP all -- anywhere anywhere
-
- Chain natctrl_tether_counters (0 references)
- target prot opt source destination
-
- Chain oem_fwd (1 references)
- target prot opt source destination
-
- Chain oem_out (1 references)
- target prot opt source destination
-
- Chain sort_out_interface (2 references)
- target prot opt source destination
- REJECT all -- anywhere anywhere TTL match TTL < 63 reject-with icmp-port-unreachable
- RETURN all -- anywhere anywhere TTL match TTL == 63
- CONNMARK all -- anywhere anywhere CONNMARK set 0x40
-
- Chain st_OUTPUT (1 references)
- target prot opt source destination


VPN Configurations
server.conf

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3


client.conf

proto tcp
dev tun
ca ca.crt
cert client1.crt
key client1.key
remote aaa.bbb.ccc.ddd 1194
cipher AES-256-CBC
persist-key
persist-tun
verb 3
resolv-retry infinite
nobind
remote-cert-tls server
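
One way to read the tun0 packet counters posted above from both sides, as an added example that is not part of the original post: it parses both ifconfig layouts shown and reports the first point where packets stop. The function names and the embedded sample text (the posted tun0 stanzas with indentation restored) are constructed for this illustration.

```python
import re

# Constructed sample input: the tun0 stanzas as posted, with ifconfig's indentation restored.
SERVER_IFCONFIG = """\
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        RX packets 0  bytes 0 (0.0 B)
        TX packets 96  bytes 7740 (7.7 KB)
"""
CLIENT_IFCONFIG = """\
tun0      Link encap:UNSPEC
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          RX packets:95 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""

def tun_counters(text, iface="tun0"):
    """Parse one interface stanza from either net-tools ifconfig layout."""
    stanza, grab = [], False
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new stanza
            grab = re.match(rf"{re.escape(iface)}[:\s]", line) is not None
        if grab:
            stanza.append(line)
    if not stanza:
        raise ValueError(f"{iface} not found in ifconfig output")
    block = "\n".join(stanza)
    def field(pattern, cast=str):
        m = re.search(pattern, block)
        return cast(m.group(1)) if m else None
    return {
        "local": field(r"inet (?:addr:)?([\d.]+)"),
        "peer": field(r"(?:destination |P-t-P:)([\d.]+)"),
        "rx": field(r"RX packets[: ](\d+)", int),
        "tx": field(r"TX packets[: ](\d+)", int),
    }

def localize(server, client):
    """Say which direction carries traffic and where the first zero counter sits."""
    result = {"server_to_client": server["tx"] > 0 and client["rx"] > 0,
              "client_to_server": client["tx"] > 0 and server["rx"] > 0}
    if client["tx"] == 0:
        # Nothing was ever handed to the client's tun device for sending.
        result["stalls_at"] = "client, before tun0 (routing or OUTPUT filtering)"
    elif server["rx"] == 0:
        result["stalls_at"] = "between client tun0 and server tun0"
    else:
        result["stalls_at"] = None
    return result

if __name__ == "__main__":
    print(localize(tun_counters(SERVER_IFCONFIG), tun_counters(CLIENT_IFCONFIG)))
```
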
