Site-To-Site: Server seems not to forward local requests

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
heikoh
OpenVpn Newbie
Posts: 8
Joined: Sat Feb 17, 2018 9:10 am

Site-To-Site: Server seems not to forward local requests

Post by heikoh » Sat Feb 17, 2018 1:51 pm

Hi everyone,

I want to connect 2 LANS with OpenVPN.
So far, I have successfully connected Site A (Server) with Site B (Client).

Site A - Server:
IP: 192.168.178.0 / 255.255.255.0
OpenVPN-Server: 192.168.178.220
OpenVPN-IP: 10.8.0.1

Site B - Client:
IP: 192.168.179.0 / 255.255.255.0
OpenVPN-Server: 192.168.179.29
OpenVPN-IP: 10.8.0.10

From the Client LAN, I can reach every LAN device on Server side - perfect!
From the server, I can ping devices on the client-LAN after executing on the client:

# Matches packets leaving towards the client LAN and rewrites their source
# address to the gateway's own, so LAN hosts answer the gateway directly and
# need no route back to 10.8.0.0/24 or 192.168.178.0/24.
iptables -t nat -A POSTROUTING -d 192.168.179.0/24 -j MASQUERADE
However, from any other devices behind the server, I cannot ping any LAN-devices ("Host port not reachable")
Static routes are properly configured on both routers (fritz.box) on server and client site.

net.ipv4.ip_forward = 1
is set on both Server and Client.

Site A - openvpn.conf:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# 1024-bit DH parameters are below current recommendations; 2048-bit or larger is usual.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
# Server tun address is 10.8.0.1; each client gets its own /30 out of 10.8.0.0/24.
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
#The push routes are added on the clients connecting, telling them to route those networks over the vpn.
push "route 192.168.178.0 255.255.255.0"
client-to-client
# Kernel route on the server for the client LAN, pointing it into the tunnel.
# If the gateway argument is left out, OpenVPN uses the tun remote endpoint.
route 192.168.179.0 255.255.255.0 10.8.0.1
# Per-client settings; the iroute for 192.168.179.0/24 lives in ccd/raspmue.
client-config-dir ccd
# Sends all of the client's traffic through the VPN, not only the two LANs.
push "redirect-gateway def1 bypass-dhcp"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
# duplicate-cn lets several clients share one certificate; combined with a fixed
# ifconfig-push in ccd, two such clients would collide on 10.8.0.10.
duplicate-cn
keepalive 10 120
tun-mtu 1300
# Required for the connect/disconnect scripts below.
script-security 2
# In a config file the options are written without the command-line "--" prefix.
client-connect /usr/local/bin/ovpn_connect_sendemail.sh
client-disconnect /usr/local/bin/ovpn_disconnect_sendemail.sh
verb 4
Site A - /etc/openvpn/ccd/raspmue

# Set a static IP address for the Router's client connection (to OpenVPN)
ifconfig-push 10.8.0.10 10.8.0.11

# Set the internal IP range for this network.
# Tells OpenVPN that 192.168.179.0/24 sits behind this client; pairs with the
# "route" line in the server config.
iroute 192.168.179.0 255.255.255.0
Site B - raspmue.conf:

client
dev tun
proto udp
remote xyz.xyz.de 1194
log-append /var/log/openvpn.log
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert raspmue.crt
key raspmue.key
verb 3
# Must match the server's comp-lzo setting. The route for 192.168.178.0/24 and
# the redirect-gateway are pushed by the server, so they are not listed here.
comp-lzo
Site A - iptables -L:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Site B - iptables -L:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https,48083
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Thanks,
Heiko

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Site-To-Site: Server seems not to forward local requests

Post by TinCanTech » Sun Feb 18, 2018 1:26 pm

The default gateway of the server lan needs routes for the VPN and client lan.

heikoh
OpenVpn Newbie
Posts: 8
Joined: Sat Feb 17, 2018 9:10 am

Re: Site-To-Site: Server seems not to forward local requests

Post by heikoh » Sun Feb 18, 2018 1:34 pm

TinCanTech wrote:
Sun Feb 18, 2018 1:26 pm
needs routes for the VPN and client lan.
What do you mean by routes for VPN and client LAN?
I have 1 static route for the Client LAN (192.168.179.1) that points to my OpenVPN-Server-Raspberry (192.168.178.220).
(See screenshot attached)
Somehow 192.168.178.220 doesn't seem to accept traffic that is directed from other Serverside-devices.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Site-To-Site: Server seems not to forward local requests

Post by TinCanTech » Sun Feb 18, 2018 1:37 pm

What about routes on the client gateway ?

heikoh
OpenVpn Newbie
Posts: 8
Joined: Sat Feb 17, 2018 9:10 am

Re: Site-To-Site: Server seems not to forward local requests

Post by heikoh » Sun Feb 18, 2018 1:50 pm

On my OpenVPN-Server I have:


root@fhem:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG    202    0        0 eth0
192.168.178.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0
On the client side I have this.

root@raspmue:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.11       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.179.1   0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.11       255.255.255.0   UG    0      0        0 tun0
10.8.0.11       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
89.xyz.xyz.xyz  192.168.179.1   255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.8.0.11       128.0.0.0       UG    0      0        0 tun0
192.168.178.0   10.8.0.11       255.255.255.0   UG    0      0        0 tun0
192.168.179.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
Looks like there are not enough routes on the OpenVPN-Server?
How do I add them? Never worked with routes before...
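The routes asked about in the last post, and the gateway routes TinCanTech refers to, as an added example that is not part of the thread and not OpenVPN's own tooling: a POSIX shell script that reads a routing table in the format of route -n, reports which of the routes a site-to-site gateway needs are missing, and prints the ip route add commands that would add them, plus the static routes each LAN router must carry. Nothing is changed on the system. It assumes tun0 is the tunnel interface on both gateways; the two sample tables are constructed from the ones posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a "route -n" style table for
# the routes a site-to-site OpenVPN gateway needs and prints what is missing.
# Assumption (not in the original posts): the tunnel interface is tun0.

# mask_to_prefix DOTTED_MASK -> prefix length, e.g. 255.255.255.0 -> 24
mask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '{
        n = 0
        for (i = 1; i <= 4; i++) { x = $i; while (x > 0) { n += x % 2; x = int(x / 2) } }
        print n
    }'
}

# route_present TABLE DEST GENMASK IFACE
# Succeeds if TABLE has a row for DEST with GENMASK leaving via IFACE.
route_present() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" -v i="$4" '
        $1 == d && $3 == m && $NF == i { found = 1 }
        END { exit !found }'
}

# missing_routes TABLE "DEST GENMASK IFACE" ...
# Prints one "ip route add" line per required route absent from TABLE.
# The output is meant to be reviewed and then run as root on that gateway.
missing_routes() {
    table=$1
    shift
    for spec in "$@"; do
        set -- $spec
        if ! route_present "$table" "$1" "$2" "$3"; then
            printf 'ip route add %s/%s dev %s\n' "$1" "$(mask_to_prefix "$2")" "$3"
        fi
    done
}

# lan_router_routes OPENVPN_HOST_LAN_IP "DEST GENMASK" ...
# Static routes the LAN's default gateway (the fritz.box in the thread) needs so
# that ordinary LAN hosts send packets for the remote LAN and the VPN subnet to
# the OpenVPN host instead of to the internet.
lan_router_routes() {
    via=$1
    shift
    for spec in "$@"; do
        set -- $spec
        printf 'router static route: %s/%s via %s\n' "$1" "$(mask_to_prefix "$2")" "$via"
    done
}

# Constructed sample input, copied from the route -n output posted in the thread.
SERVER_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG    202    0        0 eth0
192.168.178.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0'

CLIENT_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.11       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.179.1   0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.11       255.255.255.0   UG    0      0        0 tun0
128.0.0.0       10.8.0.11       128.0.0.0       UG    0      0        0 tun0
192.168.178.0   10.8.0.11       255.255.255.0   UG    0      0        0 tun0
192.168.179.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0'

echo "== Site A gateway (192.168.178.220): routes OpenVPN should have added =="
missing_routes "$SERVER_TABLE" "10.8.0.0 255.255.255.0 tun0" "192.168.179.0 255.255.255.0 tun0"
echo "== Site B gateway (192.168.179.29) =="
missing_routes "$CLIENT_TABLE" "10.8.0.0 255.255.255.0 tun0" "192.168.178.0 255.255.255.0 tun0"
echo "== Site A LAN router (192.168.178.1) =="
lan_router_routes 192.168.178.220 "10.8.0.0 255.255.255.0" "192.168.179.0 255.255.255.0"
echo "== Site B LAN router (192.168.179.1) =="
lan_router_routes 192.168.179.29 "10.8.0.0 255.255.255.0" "192.168.178.0 255.255.255.0"
```

With the tunnel up, the server's table should already contain 10.8.0.0/24 and 192.168.179.0/24 on tun0 (the server config's route line adds the second); if they are absent, the daemon was not running when the table was captured or its route command failed, and the OpenVPN log at verb 4 shows the route commands it ran. The static routes on each LAN router must point at the OpenVPN host's LAN address; without them a LAN host's reply to a remote address goes to the internet, which is also why the MASQUERADE rule on the client gateway was enough to make pings from the server itself work.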
