Routing issue

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
lionelito
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 02, 2017 3:09 pm

Routing issue

Post by lionelito » Wed Jun 14, 2017 4:36 pm

Hello,

I have installed openvpn to join my home network from my office. Here is my architecture :
Image

After a lot of problem, the tunnel is now up and running.
The server config (Ubuntu):

Code: Select all

port 1194
proto udp
dev tun0
ca myca.crt
dh mydh.pem
cert mycert.crt
key mykey.key
server 10.8.0.0 255.255.255.0
crl-verify /openvpnpath/crl.pem
cipher AES-256-CBC
user nobody
group nogroup
status /openvpnpath/openvpn-status.log
log-append /openvpnpath/openvpn.log
verb 15
mute 20
max-clients 100
keepalive 10 120
client-config-dir /openvpnpath/ccd
client-to-client
comp-lzo
ccd-exclusive
persist-key
persist-tun
push "route 172.17.21.0 255.255.255.0"
route 10.17.12.0 255.255.255.0
The client config (OpenWRT):

Code: Select all

client
proto udp
dev tun
ca myca.crt
dh mydh.pem
cert mycert.crt
key mykey.key
remote X.X.X.X 1194
cipher AES-256-CBC
verb 15
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
I can see that the tunnel is up by a ifconfig on the client :

Code: Select all

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:672 (672.0 B)  TX bytes:1596 (1.5 KiB)
And I can ping 10.8.0.1 and 172.17.21.254 from the client.
But I can't ping 10.17.12.2 from the server and all others machines in the 172.17.21.0 network are unjoinable from 10.17.12.0 network

I have read a lot of topics and try a lot of things (firewall....nat.....) but it's still the same. :(

I have captured logs in the server during a ping from 10.17.12.2 to 172.17.21.26, the result is :

Code: Select all

Wed Jun 14 18:19:22 2017 us=234617 myprofile/X.X.X.X:57518 TLS: tls_pre_decrypt, key_id=4, IP=[AF_INET]X.X.X.X:57518
Wed Jun 14 18:19:22 2017 us=234705 myprofile/X.X.X.X:57518 DECRYPT IV: 45d5ae5a 6afdd98d 86032ca5 abbe22e8
Wed Jun 14 18:19:22 2017 us=234783 myprofile/X.X.X.X:57518 DECRYPT TO: 0000009d fa450000 5413b640 0040015b ba0a0800 06ac1115 1a0800ba a025590[more...]
Wed Jun 14 18:19:22 2017 us=234918 myprofile/X.X.X.X:57518 PID_TEST [0] [SSL-4] [123456789>>>>>>>>>>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:156 0:157 t=1497457162[0] r=[-4,64,15,0,1] sl=[36,64,64,528]
Wed Jun 14 18:19:22 2017 us=234977 myprofile/X.X.X.X:57518 GET INST BY VIRT: 10.8.0.6 -> myprofile/X.X.X.X:57518 via 10.8.0.6
Wed Jun 14 18:19:22 2017 us=235052 myprofile/X.X.X.X:57518 GET INST BY VIRT: 172.17.21.26 [failed]
Wed Jun 14 18:19:22 2017 us=235109 PO_CTL rwflags=0x0000 ev=4 arg=0x565213f9a170
Wed Jun 14 18:19:22 2017 us=235155 PO_CTL rwflags=0x0002 ev=5 arg=0x565213f9a088
Wed Jun 14 18:19:22 2017 us=235212 I/O WAIT Tr|TW|Sr|Sw [3/156473]
Wed Jun 14 18:19:22 2017 us=235342 PO_WAIT[1,0] fd=5 rev=0x00000004 rwflags=0x0002 arg=0x565213f9a088 
Wed Jun 14 18:19:22 2017 us=235404  event_wait returned 1
Wed Jun 14 18:19:22 2017 us=235479 I/O WAIT status=0x0008
Wed Jun 14 18:19:22 2017 us=235503 myprofile/X.X.X.X:57518 TUN WRITE [84]
Wed Jun 14 18:19:22 2017 us=235584 myprofile/X.X.X.X:57518  write to TUN/TAP returned 84
Wed Jun 14 18:19:22 2017 us=235670 PO_CTL rwflags=0x0001 ev=4 arg=0x565213f9a170
Wed Jun 14 18:19:22 2017 us=235810 PO_CTL rwflags=0x0001 ev=5 arg=0x565213f9a088
Wed Jun 14 18:19:22 2017 us=235859 I/O WAIT TR|Tw|SR|Sw [3/156473]
Wed Jun 14 18:19:25 2017 us=395162  event_wait returned 0
Wed Jun 14 18:19:25 2017 us=395305 I/O WAIT status=0x0020
Wed Jun 14 18:19:25 2017 us=395331 MULTI: REAP range 176 -> 192
Wed Jun 14 18:19:25 2017 us=395478 myprofile/X.X.X.X:57518 TLS: tls_pre_encrypt: key_id=4
Wed Jun 14 18:19:25 2017 us=395522 myprofile/X.X.X.X:57518 ENCRYPT IV: 636933e9 40c4e2c7 1f972321 f1f976fe
Wed Jun 14 18:19:25 2017 us=395658 myprofile/X.X.X.X:57518 ENCRYPT FROM: 0000008c fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
Wed Jun 14 18:19:25 2017 us=395750 myprofile/X.X.X.X:57518 ENCRYPT TO: 636933e9 40c4e2c7 1f972321 f1f976fe d7560873 f81b285b fa0356e8 14c2b82[more...]
Wed Jun 14 18:19:25 2017 us=395781 myprofile/X.X.X.X:57518 SENT PING
Wed Jun 14 18:19:25 2017 us=395797 myprofile/X.X.X.X:57518 TIMER: coarse timer wakeup 10 seconds
Wed Jun 14 18:19:25 2017 us=395818 myprofile/X.X.X.X:57518 RANDOM USEC=106099
Wed Jun 14 18:19:25 2017 us=395992 myprofile/X.X.X.X:57518 SCHEDULE: schedule_add_modify wakeup=[Wed Jun 14 18:19:31 2017 us=50434] pri=1499879294
Wed Jun 14 18:19:25 2017 us=396122 SCHEDULE: schedule_find_least wakeup=[Wed Jun 14 18:19:31 2017 us=50434] pri=1660892136
Wed Jun 14 18:19:25 2017 us=396167 PO_CTL rwflags=0x0002 ev=4 arg=0x565213f9a170
Wed Jun 14 18:19:25 2017 us=396185 PO_CTL rwflags=0x0000 ev=5 arg=0x565213f9a088
Wed Jun 14 18:19:25 2017 us=396209 I/O WAIT Tr|Tw|Sr|SW [5/57523]
Wed Jun 14 18:19:25 2017 us=396248 PO_WAIT[0,0] fd=4 rev=0x00000004 rwflags=0x0002 arg=0x565213f9a170 
Wed Jun 14 18:19:25 2017 us=396305 NOTE: --mute triggered...
Wed Jun 14 18:19:25 2017 us=396352 myprofile/X.X.X.X:57518 2 variation(s) on previous 20 message(s) suppressed by --mute
Wed Jun 14 18:19:25 2017 us=396488 myprofile/X.X.X.X:57518 UDPv4 WRITE [69] to [AF_INET]X.X.X.X:57518: P_DATA_V1 kid=4 DATA 11c43f8d 8e012030 1f8b6981 7311926a 7de2889b 636933e9 40c4e2c7 1f97232[more...]
After a lot of research, the log GET INST BY VIRT: 172.17.21.26 [failed] seems to be a routing issue, but my iptable sounds good on both machines.

server :

Code: Select all

Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         172.17.21.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.17.12.0      10.8.0.2        255.255.255.0   UG    0      0        0 tun0
localnet        *               255.255.255.0   U     0      0        0 eth0
client :

Code: Select all

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.17.12.1      0.0.0.0         UG    0      0        0 br-lan
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.17.12.0      *               255.255.255.0   U     0      0        0 br-lan
172.17.21.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
Any help is welcome :D

thx

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2992
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing issue

Post by TinCanTech » Wed Jun 14, 2017 5:29 pm


lionelito
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 02, 2017 3:09 pm

Re: Routing issue

Post by lionelito » Wed Jun 14, 2017 7:24 pm

Yes, but maybe I missunderstood something ?

The only thing I did not test is the bridge mode. Do you think that can be an option ? I have spend a lot of time to configure it in routing mode (and now it's up and running) that I prefer to find an option in tun type.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2992
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing issue

Post by TinCanTech » Wed Jun 14, 2017 8:15 pm

Use --verb 4 in your configs and your logs will show you any errors ..
--verb 15 is too high and will not help you.
lionelito wrote:I have read a lot of topics and try a lot of things (firewall....nat.....)
Use NAT on your server like so:

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

lionelito
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 02, 2017 3:09 pm

Re: Routing issue

Post by lionelito » Thu Jun 15, 2017 7:38 am

Thx for your help TinCanTech
Use NAT on your server like so:
CODE: SELECT ALL
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Unfortunatly, it's the same with this command, but I configured the verbose to 4, the result of the same ping as my first post :

Code: Select all

Thu Jun 15 09:14:47 2017 us=93468 /sbin/ip route add 10.17.12.0/24 via 10.8.0.2
Thu Jun 15 09:14:47 2017 us=96354 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Jun 15 09:14:47 2017 us=102081 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 15 09:14:47 2017 us=104370 GID set to nogroup
Thu Jun 15 09:14:47 2017 us=104490 UID set to nobody
Thu Jun 15 09:14:47 2017 us=104542 UDPv4 link local (bound): [undef]
Thu Jun 15 09:14:47 2017 us=104561 UDPv4 link remote: [undef]
Thu Jun 15 09:14:47 2017 us=104587 MULTI: multi_init called, r=256 v=256
Thu Jun 15 09:14:47 2017 us=104710 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jun 15 09:14:47 2017 us=104772 Initialization Sequence Completed
Nothing else during the ping......but now the tunnel doesn't bring up anymore

thx

lionelito
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 02, 2017 3:09 pm

Re: Routing issue

Post by lionelito » Thu Jun 15, 2017 8:00 am

Sorry, I did a misstake.....I have reloaded my server but I didn't turned off my firewall service. The tunnel is still up and running, but even with the command :
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
I cannot ping 172.17.21.0/24 network from the client

Thx

lionelito
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 02, 2017 3:09 pm

Re: Routing issue

Post by lionelito » Sat Jun 17, 2017 11:11 am

Hi

nobody can help me ?

Thx

Post Reply