Open VPN Routing

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
gizmoshq
OpenVpn Newbie
Posts: 6
Joined: Wed May 01, 2019 8:07 pm

Open VPN Routing

Post by gizmoshq » Mon May 06, 2019 5:15 pm

Banging my head against a wall here. Using Open VPN on an AWS Server 2019 instance. Using NAT. Pushing config to Asus OpenVPN Client. I need to ping clients behind the Asus router. Not my first foray into Open VPN, so I'm confused. Windows Defender Firewall is off. I can ping the Open VPN Virtual Lan adapter on the Server 2019 box from clients behind the Asus Router, as expected. However, from the Server, I am unable to ping the Lan clients behind the Asus router. Tracert does not get a single hop. All firewalls are down. Router is an Asus RTn66U Dark Knight. Here are my configs:

$20 Paypal for whomever spots the error.... I give up.

OpenVPN Server
[oconf=]
port 1194
proto udp
dev tun
ca c:\\openvpn\\easy-rsa\\keys\\ca.crt
cert c:\\openvpn\\easy-rsa\\keys\\server.crt
key c:\\openvpn\\easy-rsa\\keys\\server.key # This file should be kept secret
dh c:\\openvpn\\easy-rsa\\keys\\dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
route 192.168.6.0 255.255.255.0
push "route 192.168.6.0 255.255.255.0"
client-config-dir c:\\openvpn\\config\\ccd
client-to-client
duplicate-cn
keepalive 3 10
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1[/oconf]

CCD File for the client:

iroute add 192.168.6.0 255.255.255.0


Routing table on the Server 2019 Machine:
[oconf=]
Active Routes:
Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          172.31.32.1      172.31.32.136    25
10.8.0.0             255.255.255.0    10.8.0.2         10.8.0.1         35
10.8.0.0             255.255.255.252  On-link          10.8.0.1         291
10.8.0.1             255.255.255.255  On-link          10.8.0.1         291
10.8.0.3             255.255.255.255  On-link          10.8.0.1         291
127.0.0.0            255.0.0.0        On-link          127.0.0.1        331
127.0.0.1            255.255.255.255  On-link          127.0.0.1        331
127.255.255.255      255.255.255.255  On-link          127.0.0.1        331
169.254.169.123      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.249      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.250      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.251      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.253      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.254      255.255.255.255  172.31.32.1      172.31.32.136    50
172.31.32.0          255.255.240.0    On-link          172.31.32.136    281
172.31.32.136        255.255.255.255  On-link          172.31.32.136    281
172.31.47.255        255.255.255.255  On-link          172.31.32.136    281
192.168.6.0          255.255.255.0    10.8.0.6         10.8.0.1         36
192.168.6.0          255.255.255.0    10.8.0.2         10.8.0.1         35
192.168.6.0          255.255.255.255  On-link          10.8.0.1         36
224.0.0.0            240.0.0.0        On-link          127.0.0.1        331
224.0.0.0            240.0.0.0        On-link          10.8.0.1         291
224.0.0.0            240.0.0.0        On-link          172.31.32.136    281
255.255.255.255      255.255.255.255  On-link          127.0.0.1        331
255.255.255.255      255.255.255.255  On-link          10.8.0.1         291
255.255.255.255      255.255.255.255  On-link          172.31.32.136    281
===========================================================================
Persistent Routes:
Network Address      Netmask          Gateway Address  Metric
169.254.169.254      255.255.255.255  172.31.32.1      25
169.254.169.250      255.255.255.255  172.31.32.1      25
169.254.169.251      255.255.255.255  172.31.32.1      25
169.254.169.249      255.255.255.255  172.31.32.1      25
169.254.169.123      255.255.255.255  172.31.32.1      25
169.254.169.253      255.255.255.255  172.31.32.1      25
===========================================================================
[/oconf]

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Open VPN Routing

Post by TinCanTech » Mon May 06, 2019 5:36 pm

gizmoshq wrote:
Mon May 06, 2019 5:15 pm
CCD File for the client:

iroute add 192.168.6.0 255.255.255.0
That "add" is an error ..
gizmoshq wrote:
Mon May 06, 2019 5:15 pm
$20 Paypal for whomever spots the error....
You can contact me privately: tincanteksup <at> gmail

gizmoshq
OpenVpn Newbie
Posts: 6
Joined: Wed May 01, 2019 8:07 pm

Re: Open VPN Routing

Post by gizmoshq » Mon May 06, 2019 5:52 pm

No dice. Still can ping OpenVPN Adapters. Here is updated routing table:
[oconf=]
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          172.31.32.1      172.31.32.136    25
10.8.0.0             255.255.255.0    10.8.0.2         10.8.0.1         35
10.8.0.0             255.255.255.252  On-link          10.8.0.1         291
10.8.0.1             255.255.255.255  On-link          10.8.0.1         291
10.8.0.3             255.255.255.255  On-link          10.8.0.1         291
127.0.0.0            255.0.0.0        On-link          127.0.0.1        331
127.0.0.1            255.255.255.255  On-link          127.0.0.1        331
127.255.255.255      255.255.255.255  On-link          127.0.0.1        331
169.254.169.123      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.249      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.250      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.251      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.253      255.255.255.255  172.31.32.1      172.31.32.136    50
169.254.169.254      255.255.255.255  172.31.32.1      172.31.32.136    50
172.31.32.0          255.255.240.0    On-link          172.31.32.136    281
172.31.32.136        255.255.255.255  On-link          172.31.32.136    281
172.31.47.255        255.255.255.255  On-link          172.31.32.136    281
192.168.6.0          255.255.255.0    10.8.0.6         10.8.0.1         36
192.168.6.0          255.255.255.0    10.8.0.2         10.8.0.1         35
192.168.6.0          255.255.255.255  On-link          10.8.0.1         36
224.0.0.0            240.0.0.0        On-link          127.0.0.1        331
224.0.0.0            240.0.0.0        On-link          10.8.0.1         291
224.0.0.0            240.0.0.0        On-link          172.31.32.136    281
255.255.255.255      255.255.255.255  On-link          127.0.0.1        331
255.255.255.255      255.255.255.255  On-link          10.8.0.1         291
255.255.255.255      255.255.255.255  On-link          172.31.32.136    281
===========================================================================
[/oconf]

Here is the updated client1 file from CCD:

iroute 192.168.6.0 255.255.255.0

And for shits and giggles, here is my OpenVPN Output when run from the console:

[oconf=]
Mon May 06 10:41:42 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
Mon May 06 10:41:42 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Mon May 06 10:41:42 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Mon May 06 10:41:42 2019 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Mon May 06 10:41:42 2019 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Mon May 06 10:41:43 2019 Diffie-Hellman initialized with 2048 bit key
Mon May 06 10:41:43 2019 interactive service msg_channel=0
Mon May 06 10:41:43 2019 ROUTE_GATEWAY 172.31.32.1/255.255.240.0 I=7 HWADDR=0e:ce:4b:ed:b8:2a
Mon May 06 10:41:43 2019 open_tun
Mon May 06 10:41:43 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{85924138-FD86-4965-9791-EAC4ADB647FA}.tap
Mon May 06 10:41:43 2019 TAP-Windows Driver Version 9.21
Mon May 06 10:41:43 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {85924138-FD86-4965-9791-EAC4ADB647FA} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Mon May 06 10:41:43 2019 Sleeping for 10 seconds...
Mon May 06 10:41:53 2019 Successful ARP Flush on interface [12] {85924138-FD86-4965-9791-EAC4ADB647FA}
Mon May 06 10:41:53 2019 C:\Windows\system32\route.exe ADD 192.168.6.0 MASK 255.255.255.0 10.8.0.2
Mon May 06 10:41:53 2019 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Mon May 06 10:41:53 2019 Route addition via IPAPI succeeded [adaptive]
Mon May 06 10:41:53 2019 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Mon May 06 10:41:53 2019 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Mon May 06 10:41:53 2019 Route addition via IPAPI succeeded [adaptive]
Mon May 06 10:41:53 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Mon May 06 10:41:53 2019 Socket Buffers: R=[131072->131072] S=[131072->131072]
Mon May 06 10:41:53 2019 setsockopt(IPV6_V6ONLY=0)
Mon May 06 10:41:53 2019 UDPv6 link local (bound): [AF_INET6][undef]:1194
Mon May 06 10:41:53 2019 UDPv6 link remote: [AF_UNSPEC]
Mon May 06 10:41:53 2019 MULTI: multi_init called, r=256 v=256
Mon May 06 10:41:53 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon May 06 10:41:53 2019 IFCONFIG POOL LIST
Mon May 06 10:41:53 2019 Initialization Sequence Completed
Mon May 06 10:41:54 2019 184.69.103.110:41375 TLS: Initial packet from [AF_INET6]::ffff:184.69.103.110:41375, sid=1c6c2f64 29dd0264
Mon May 06 10:41:58 2019 184.69.103.110:41375 VERIFY OK: depth=1, C=CA, ST=BC, L=Victoria, O=OpenVPN, OU=Donald, CN=DonW, name=<blank>, emailAddress=mail@host.domain
Mon May 06 10:41:58 2019 184.69.103.110:41375 VERIFY OK: depth=0, C=CA, ST=BC, L=Victoria, O=OpenVPN, OU=Donald, CN=DonW, name=blank, emailAddress=mail@host.domain
Mon May 06 10:41:58 2019 184.69.103.110:41375 peer info: IV_VER=2.3.2
Mon May 06 10:41:58 2019 184.69.103.110:41375 peer info: IV_PLAT=linux
Mon May 06 10:41:58 2019 184.69.103.110:41375 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 06 10:41:58 2019 184.69.103.110:41375 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 06 10:41:58 2019 184.69.103.110:41375 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 06 10:41:58 2019 184.69.103.110:41375 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 06 10:41:58 2019 184.69.103.110:41375 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mon May 06 10:41:58 2019 184.69.103.110:41375 [DonW] Peer Connection Initiated with [AF_INET6]::ffff:184.69.103.110:41375
Mon May 06 10:41:58 2019 DonW/184.69.103.110:41375 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon May 06 10:41:58 2019 DonW/184.69.103.110:41375 MULTI: Learn: 10.8.0.6 -> DonW/184.69.103.110:41375
Mon May 06 10:41:58 2019 DonW/184.69.103.110:41375 MULTI: primary virtual IP for DonW/184.69.103.110:41375: 10.8.0.6
Mon May 06 10:42:00 2019 DonW/184.69.103.110:41375 PUSH: Received control message: 'PUSH_REQUEST'
Mon May 06 10:42:00 2019 DonW/184.69.103.110:41375 SENT CONTROL [DonW]: 'PUSH_REPLY,route 192.168.6.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 3,ping-restart 10,ifconfig 10.8.0.6 10.8.0.5' (status=1)
[/oconf]

gizmoshq
OpenVpn Newbie
Posts: 6
Joined: Wed May 01, 2019 8:07 pm

Re: Open VPN Routing

Post by gizmoshq » Mon May 06, 2019 6:50 pm

Didn't work. Updated the iroute file, still no go. Any other thoughts? Routing table still appears the same on the Server 2019 box.

gizmoshq
OpenVpn Newbie
Posts: 6
Joined: Wed May 01, 2019 8:07 pm

Re: Open VPN Routing

Post by gizmoshq » Mon May 06, 2019 10:18 pm

Close. Common name for my client was not the same as the certificate name.
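
The two things this thread turned up, that iroute takes no "add" keyword and that the CCD file must be named exactly after the client certificate's CN, can be checked mechanically. The script below is an added illustration, not code from either poster or from the OpenVPN project; its server config, CCD directory and log lines are constructed from what was posted above (CN DonW, CCD file client1), and it also flags the duplicate-cn warning the server log printed.

```python
# Added illustration for this thread (not code from the posters or from the
# OpenVPN project): a checker for the three things this thread tripped over.
# All inputs are constructed from the thread's own config, CCD file and log.
import re

SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
route 192.168.6.0 255.255.255.0
push "route 192.168.6.0 255.255.255.0"
client-config-dir ccd
duplicate-cn
"""
# CCD directory as first posted: a file named "client1" using the bad "add" keyword.
CCD = {"client1": "iroute add 192.168.6.0 255.255.255.0\n"}
# Two server log lines in OpenVPN 2.4 format; the CN and peer come from the thread.
LOG = [
    "VERIFY OK: depth=0, C=CA, ST=BC, O=OpenVPN, CN=DonW, name=blank",
    "DonW/184.69.103.110:41375 MULTI: primary virtual IP for "
    "DonW/184.69.103.110:41375: 10.8.0.6",
]

def check_routing(conf, ccd, log):
    """Return findings as strings; an empty list means the setup is consistent."""
    findings = []
    words = [ln.split() for ln in conf.splitlines() if ln.strip() and ln[0] != "#"]
    routes = {(d[1], d[2]) for d in words if d[0] == "route" and len(d) >= 3}
    if {"duplicate-cn", "client-config-dir"} <= {d[0] for d in words}:
        findings.append("duplicate-cn with client-config-dir: CCD lookup by CN is unreliable")
    iroutes = set()
    for name, text in ccd.items():
        for d in (ln.split() for ln in text.splitlines() if ln.strip()):
            if d[0] != "iroute":
                continue
            # Valid form is "iroute <network> <netmask>"; "iroute add ..." mimics
            # route.exe syntax and is not accepted by OpenVPN.
            if len(d) != 3 or not all(re.fullmatch(r"\d+(\.\d+){3}", x) for x in d[1:]):
                findings.append(f"{name}: malformed iroute: {' '.join(d)}")
            else:
                iroutes.add((d[1], d[2]))
    for net, mask in routes - iroutes:
        findings.append(f"route {net} {mask} has no matching iroute in any CCD file")
    # The server opens the CCD file named exactly after the client's certificate CN,
    # so a file called "client1" is never read for a client whose CN is "DonW".
    cns = set(re.findall(r"MULTI: primary virtual IP for ([^/]+)/", "\n".join(log)))
    for cn in sorted(cns - set(ccd)):
        findings.append(f"client CN '{cn}' connected but no CCD file '{cn}' exists")
    return findings
```

Run against the posted setup it reports all four problems; renaming the CCD file to DonW, dropping "add" and removing duplicate-cn makes it return an empty list.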

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Open VPN Routing

Post by TinCanTech » Tue May 07, 2019 12:16 am

gizmoshq wrote:
Mon May 06, 2019 10:18 pm
Common name for my client was not the same as the certificate name
Which you figured out because of:
TinCanTech wrote:
Mon May 06, 2019 5:36 pm
gizmoshq wrote:
Mon May 06, 2019 5:15 pm
CCD File for the client:

iroute add 192.168.6.0 255.255.255.0
That "add" is an error ..
gizmoshq wrote:
Mon May 06, 2019 5:15 pm
$20 Paypal for whomever spots the error....
You can contact me privately: tincanteksup <at> gmail
Thanks
