AS 2.8.8: VPN client can ping private network IPs, but no other traffic is forwarded

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Post by stephan.budach » Thu May 27, 2021 12:23 pm

Hi,

I just set up a new installation of AS 2.8.8 on CentOS 8. I have successfully configured LDAP and also post_auth ldap_groups to match my LDAP accounts against AS access groups. In the VPN section I chose routing via NAT and entered two of my private networks.

My issue is that any connected client can ping into the private networks, regardless of any access group restrictions, but regular TCP traffic is not routed - it just seems to be dropped at the AS gateway. When the client connects, I can see the routes for the private networks get pushed. This is how the VPN server is configured:


  "vpn.server.cipher": "AES-256-CBC",
  "vpn.server.daemon.enable": "true",
  "vpn.server.daemon.ovpndco": "false",
  "vpn.server.daemon.protocols": "both",
  "vpn.server.daemon.tcp.n_daemons": "2",
  "vpn.server.daemon.tcp.port": "443",
  "vpn.server.daemon.udp.n_daemons": "2",
  "vpn.server.daemon.udp.port": "1194",
  "vpn.server.dhcp_option.adapter_domain_suffix": "jvm.de",
  "vpn.server.dhcp_option.dns.0": "10.11.24.6",
  "vpn.server.dhcp_option.domain": "jvm.de",
  "vpn.server.google_auth.enable": "false",
  "vpn.server.group_pool.0": "172.27.240.0/20",
  "vpn.server.port_share.enable": "true",
  "vpn.server.port_share.ip_address": "1.2.3.4",
  "vpn.server.port_share.port": "1234",
  "vpn.server.port_share.service": "admin+client",
  "vpn.server.routing.gateway_access": "true",
  "vpn.server.routing.private_access": "nat",
  "vpn.server.routing.private_network.0": "10.11.31.0/24",
  "vpn.server.routing.private_network.1": "10.11.24.0/24",
  "vpn.server.tls_auth": "true",
  "vpn.server.tls_version_min": "1.2",
As far as I understood, choosing NAT should take care of configuring the IP masquerading, shouldn't it? However, when I try to run any TCP traffic to any of the hosts in either private gateway, no traffic emerges from the local interface. 10.11.31.0/24 is the network where the AS resides itself, so there couldn't even be a routing issue.

I have already set up the free version of OpenVPN before, but I cannot seem to get this working, so any input is greatly appreciated.

Thanks.

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: AS 2.8.8: VPN client can ping private network IPs, but no other traffic is forwarded

Post by stephan.budach » Thu May 27, 2021 1:50 pm

So, it looks like OpenVPN AS does not modify the firewall settings in regard to masquerading when choosing NAT in the VPN settings. Is this supposed to be working? I cannot find any hint that I'd have to do that myself after installing OpenVPN AS.
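An added example, not part of the thread or of OpenVPN AS: a small Python script that takes the output of `sysctl net.ipv4.ip_forward` and `iptables -t nat -S POSTROUTING` on the gateway and reports whether forwarding is on and whether a MASQUERADE rule actually covers the client pool (172.27.240.0/20) toward each of the two private networks from the first post. The command outputs embedded below are constructed samples.

```python
import ipaddress
import re

# Subnets as quoted in the post: the client pool and the two private networks
VPN_POOL = ipaddress.ip_network("172.27.240.0/20")
PRIVATE_NETS = [ipaddress.ip_network("10.11.31.0/24"),
                ipaddress.ip_network("10.11.24.0/24")]

# Constructed samples of `iptables -t nat -S POSTROUTING`: one host with a
# masquerade rule for a different pool only, one with a rule that fits.
NAT_RULES_MISSING = ("-P POSTROUTING ACCEPT\n"
                     "-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\n")
NAT_RULES_OK = ("-P POSTROUTING ACCEPT\n"
                "-A POSTROUTING -s 172.27.240.0/20 -d 10.11.0.0/16 -j MASQUERADE\n")


def _match_arg(line, flag):
    """Return (negated, network) for a `-s`/`-d` match on an `iptables -S` line, or None."""
    m = re.search(r"(?:^|\s)(!\s+)?%s (\S+)" % flag, line)
    if not m:
        return None
    return (m.group(1) is not None, ipaddress.ip_network(m.group(2), strict=False))


def masquerade_covers(rules_text, src_net, dst_net):
    """True if a non-negated POSTROUTING MASQUERADE rule matches all of src_net
    and, when it restricts the destination, all of dst_net."""
    for line in rules_text.splitlines():
        if not line.startswith("-A POSTROUTING") or "-j MASQUERADE" not in line:
            continue
        src, dst = _match_arg(line, "-s"), _match_arg(line, "-d")
        if src and (src[0] or not src_net.subnet_of(src[1])):
            continue
        if dst and (dst[0] or not dst_net.subnet_of(dst[1])):
            continue
        return True
    return False


def diagnose(sysctl_out, nat_rules):
    """List the reasons NAT'd client traffic would not reach the private networks."""
    problems = []
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out)
    if not m or m.group(1) != "1":
        problems.append("net.ipv4.ip_forward is not 1: kernel will not forward")
    for net in PRIVATE_NETS:
        if not masquerade_covers(nat_rules, VPN_POOL, net):
            problems.append("no MASQUERADE rule covers %s -> %s" % (VPN_POOL, net))
    return problems


if __name__ == "__main__":
    for p in diagnose("net.ipv4.ip_forward = 1", NAT_RULES_MISSING):
        print("PROBLEM:", p)
```

The check only covers the masquerade and forwarding part; a TCP-only failure with ICMP still working would also need the FORWARD chain and the per-group access rules looked at.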
