Can't ping other clients when connected to vpn server

Posted: Thu Jul 23, 2020 10:50 pm
by apache8080
I have clients successfully connecting to my openvpn server and I can ping the clients from the server but when I try to ping clients from other clients it times out. Any ideas on how to fix this?

I have the following client config. This is the config at the top of an ovpn file:

client
dev tun
proto udp
remote xxxx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
comp-lzo
tun-mtu 1500
mssfix 1400
fragment 1300
verb 3
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I have the following server config:

port 1194
proto udp
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.252.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 60
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
crl-verify /etc/openvpn/crl.pem
dev tun
tun-mtu 1500
mssfix 1400
fragment 1300
script-security 2
tls-auth /etc/openvpn/ta.key 0
tls-version-min 1.0
route 10.11.0.0 255.255.0.0
push "route 10.11.0.0 255.255.0.0"
client-config-dir /etc/openvpn/ccd
cipher AES-128-CBC
auth SHA256
comp-lzo
persist-key
status /etc/openvpn/openvpn-status.log
verb 3

Here are the client logs:

Thu Jul 23 22:21:05 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Thu Jul 23 22:21:05 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Thu Jul 23 22:21:05 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 23 22:21:05 2020 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jul 23 22:21:05 2020 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jul 23 22:21:05 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]54.70.149.21:1194
Thu Jul 23 22:21:05 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jul 23 22:21:05 2020 UDP link local: (not bound)
Thu Jul 23 22:21:05 2020 UDP link remote: [AF_INET]54.70.149.21:1194
Thu Jul 23 22:21:05 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jul 23 22:21:06 2020 TLS: Initial packet from [AF_INET]54.70.149.21:1194, sid=a87a882e 76a8a999
Thu Jul 23 22:21:06 2020 VERIFY OK: xxxx
Thu Jul 23 22:21:06 2020 VERIFY KU OK
Thu Jul 23 22:21:06 2020 Validating certificate extended key usage
Thu Jul 23 22:21:06 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jul 23 22:21:06 2020 VERIFY EKU OK
Thu Jul 23 22:21:06 2020 VERIFY OK: xxxx
Thu Jul 23 22:21:06 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Thu Jul 23 22:21:06 2020 [server] Peer Connection Initiated with [AF_INET]54.70.149.21:1194
Thu Jul 23 22:21:07 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jul 23 22:21:07 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.11.0.0 255.255.0.0,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.18 10.8.0.17,peer-id 1,cipher AES-256-GCM'
Thu Jul 23 22:21:07 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 23 22:21:07 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 23 22:21:07 2020 OPTIONS IMPORT: route options modified
Thu Jul 23 22:21:07 2020 OPTIONS IMPORT: peer-id set
Thu Jul 23 22:21:07 2020 OPTIONS IMPORT: adjusting link_mtu to 1629
Thu Jul 23 22:21:07 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 23 22:21:07 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 23 22:21:07 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 23 22:21:07 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 23 22:21:07 2020 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:bb:14:75
Thu Jul 23 22:21:07 2020 TUN/TAP device tun0 opened
Thu Jul 23 22:21:07 2020 TUN/TAP TX queue length set to 100
Thu Jul 23 22:21:07 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 23 22:21:07 2020 /sbin/ip link set dev tun0 up mtu 1500
Thu Jul 23 22:21:07 2020 /sbin/ip addr add dev tun0 local 10.8.0.18 peer 10.8.0.17
Thu Jul 23 22:21:07 2020 /etc/openvpn/update-resolv-conf tun0 1500 1557 10.8.0.18 10.8.0.17 init
Thu Jul 23 22:21:07 2020 /sbin/ip route add 10.11.0.0/16 via 10.8.0.17
Thu Jul 23 22:21:07 2020 /sbin/ip route add 10.8.0.1/32 via 10.8.0.17
Thu Jul 23 22:21:07 2020 GID set to nogroup
Thu Jul 23 22:21:07 2020 UID set to nobody
Thu Jul 23 22:21:07 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 23 22:21:07 2020 Initialization Sequence Completed

Re: Can't ping other clients when connected to vpn server

Posted: Thu Jul 23, 2020 11:04 pm
by apache8080
Tried it again with two ubuntu clients and now when I ping I get the following response:

PING 10.8.0.22 (10.8.0.22) 56(84) bytes of data.
From xxxx icmp_seq=1 Packet filtered
From xxxx icmp_seq=2 Packet filtered

Would my wifi setup cause this to happen?

Re: Can't ping other clients when connected to vpn server

Posted: Thu Jul 23, 2020 11:43 pm
by apache8080
I can also ping the server (10.8.0.1) from each of the clients.

Re: Can't ping other clients when connected to vpn server

Posted: Thu Jul 23, 2020 11:47 pm
by TinCanTech
apache8080 wrote:
Thu Jul 23, 2020 10:50 pm
Any ideas on how to fix this?
:roll:

Re: Can't ping other clients when connected to vpn server

Posted: Fri Jul 24, 2020 12:40 am
by apache8080
Seems like adding the client-to-client flag in the server config helped solve this issue.
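The fix in the last post and the "Packet filtered" replies in the second one are two sides of the same design choice, so here is an added example (not part of the thread, not OpenVPN project code) that makes the difference explicit. Without client-to-client, a packet from one client to another leaves tun0, is forwarded by the server's kernel and re-enters tun0, so net.ipv4.ip_forward and the FORWARD chain decide its fate; an ICMP "administratively prohibited" answer, which ping prints as "Packet filtered", is what a REJECT rule in that chain produces. With client-to-client, the openvpn process relays the packet internally and the host firewall never sees it. The script below classifies a server config, predicts whether two clients can reach each other for each case, and prints the forwarding rule that keeps the kernel path working. The sample configs, the function names and the tun0 interface name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: classify how an OpenVPN server config
# handles traffic between two VPN clients. Config contents, function names
# and the "tun0" interface name are constructed for this example.

# "userspace": client-to-client is set, so openvpn relays client-to-client
# packets itself and the host firewall (FORWARD chain) never sees them.
# "kernel": packets go tun0 -> kernel -> tun0, so net.ipv4.ip_forward must be
# 1 and FORWARD must accept tun0->tun0 (a REJECT there yields "Packet filtered").
inter_client_path() {
  # Anchored at line start so a commented-out "# client-to-client" does not count.
  if grep -qE '^[[:space:]]*client-to-client([[:space:]]|$)' "$1"; then
    echo userspace
  else
    echo kernel
  fi
}

# Predict whether one client can reach another, given the path, the value of
# net.ipv4.ip_forward (0/1) and whether FORWARD accepts tun0->tun0 (yes/no).
inter_client_reachable() {
  path=$1; ip_forward=$2; forward_ok=$3
  case "$path" in
    userspace) echo yes ;;
    kernel)
      if [ "$ip_forward" = 1 ] && [ "$forward_ok" = yes ]; then
        echo yes
      else
        echo no
      fi ;;
    *) echo no ;;
  esac
}

# The rule for the kernel path: inter-client traffic still works, but stays
# visible to, and filterable by, iptables on the server.
kernel_path_rule() {
  echo "iptables -A FORWARD -i tun0 -o tun0 -j ACCEPT"
}

# Constructed sample configs: the server config before and after the fix,
# trimmed to the directives that matter here.
cfg_before=$(mktemp)
cfg_after=$(mktemp)
trap 'rm -f "$cfg_before" "$cfg_after"' EXIT

cat >"$cfg_before" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.252.0
EOF

cat >"$cfg_after" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.252.0
client-to-client
EOF

# Scenario from the thread: ip_forward on, FORWARD chain rejecting tun0->tun0.
p=$(inter_client_path "$cfg_before")
echo "before: path=$p ping-between-clients=$(inter_client_reachable "$p" 1 no)"
p=$(inter_client_path "$cfg_after")
echo "after:  path=$p ping-between-clients=$(inter_client_reachable "$p" 1 no)"
echo "alternative keeping firewall control: $(kernel_path_rule)"
```

If you want per-client filtering of traffic inside the VPN (for example, letting clients reach the 10.11.0.0/16 route pushed by this server but not each other), leave client-to-client off and allow exactly the tun0->tun0 flows you intend in the FORWARD chain; once client-to-client is on, those rules no longer apply to inter-client traffic.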