Can't ping server on different private subnet

pfess · Post by **pfess** » Fri Nov 02, 2018 4:23 pm

I setup an Access Server in a public AWS subnet. Routing is set to use NAT. I specified both the subnet the AS is on and another in the "Specify the private subnets to which all clients should be given access". When I remotely connect to the AS from a windows server, I can ping servers that are on the same private subnet. I can't ping anything on the other subnet. The AS can ping a server on the other subnet though. There are no NACLs involved. I know the security group is configured correctly because the AS can ping the server on the other subnet. A tracert from the client server shows it using the AS ip address as the first hop. How can I fix this?

Thank you

Post by **novaflash** » Fri Nov 02, 2018 4:52 pm

I'd suggest running tcpdump on the Access Server itself, and then pinging from a VPN client to the target subnet, and see if the source address of the packet remains the same as it passes through the Access Server. If it does, then somehow routing is being used instead of NAT. And then it would be a matter of looking in your settings where routing is being applied for the target subnet.

pfess · Post by **pfess** » Fri Nov 02, 2018 7:03 pm

I take it that this means the packet remains the same:

14:58:54.283669 In ethertype IPv4 (0x0800), length 76: 172.27.232.3 > 172.17.10.3: ICMP echo request, id 1, seq 384, length 40
14:58:54.283695 Out 12:31:9d:c5:7b:dc ethertype IPv4 (0x0800), length 76: 172.27.232.3 > 172.17.10.3: ICMP echo request, id 1, seq 384, length 40

Thank you

pfess · Post by **pfess** » Fri Nov 02, 2018 7:31 pm

This is what I see in the Access Server config:

"vpn.server.routing.gateway_access": "true",
"vpn.server.routing.private_access": "nat",
"vpn.server.routing.private_network.0": "172.17.0.0/22",
"vpn.server.routing.private_network.1": "172.17.8.0/22",

Post by **novaflash** » Fri Nov 02, 2018 11:19 pm

Yeah, somewhere in your config, you are using routing. Try checking under Advanced VPN > Routed subnets, and empty that field out?

pfess · Post by **pfess** » Mon Nov 05, 2018 1:11 pm

That field is empty.

Post by **novaflash** » Mon Nov 05, 2018 1:42 pm

I suggest you open a support ticket on the official openvpn.net main website and submit your findings so the situation as a whole can be evaluated. But your tcpdump says that routing is being used. And if so, then you can either switch to NAT so things are easy for you, and obviously somewhere in your settings routing is being set, or you can adjust your network to reciprocate this routing approach.

pfess · Post by **pfess** » Mon Nov 05, 2018 2:16 pm

Thank you. That was what I wanted to do before submitting this post but the website wouldn't send me a confirmation email for a new account.

Post by **novaflash** » Mon Nov 05, 2018 5:50 pm

And did you succeed now?

pfess · Post by **pfess** » Tue Nov 06, 2018 5:10 pm

yes, I have a support ticket open now.

Post by **novaflash** » Thu Nov 15, 2018 3:29 pm

Was the issue eventually resolved, and did you figure out what the problem was?

OpenVPN Support Forum

Can't ping server on different private subnet

Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet

Re: Can't ping server on different private subnet