Routing issues?!?

Moderators: TinCanTech

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Routing issues?!?

Post by Tom7320 » Tue Oct 17, 2017 7:06 pm

Hello everyone!

I have a very simple setup which drives me nuts since it does not work as expected:

Code:

                     +----------------------------------+                                                     +----------------------------------+
                     |           ROUTER (Home)          |                                                     |           ROUTER (Office)        |
                     |                                  |public IP              INTERNET             public IP|                                  |
                     |static routes:                    |-----------------------------------------------------|static routes:                    |
                     |10.205.0.0/16    via 192.168.0.43 |                                                     |10.205.0.0/16  via 192.168.193.240|
                     |192.168.193.0/24 via 192.168.0.43 |                                                     |192.168.0.0/24 via 192.168.193.240|
                     |port forwarding:                  |                                                     |port forwarding:                  |
                     |udp/1194             192.168.0.43 |                                                     |udp/1194           192.168.193.240|
                     +-----------------+----------------+                                                     +-----------------+----------------+
                                       |192.168.0.1                                                                             |192.168.193.245
                                       |                                                                                        |
                   +-------------------+---------------------+                                              +-------------------+---------------------+
                   |                                         |                                              |                                         |
                   |192.168.0.43                             |192.168.0.X                                   |192.168.193.240                          |192.168.193.Y
 +-----------------+----------------+       +----------------+-----------------+          +-----------------+----------------+      +-----------------+----------------+
 |         OpenVPN CLIENT           |       |               PC                 |          |         OpenVPN SERVER           |      |               PC                 |
 |                                  |       |                                  |          |                                  |      |                                  |
 |ip forwarding enabled:            |       |                                  |          |ip forwarding enabled:            |      |                                  |
 |net.ipv4.ip_forward=1             |       |                                  |          |net.ipv4.ip_forward=1             |      |                                  |
 |tun 10.205.76.2                   |       |                                  |          |tun 10.205.76.1                   |      |                                  |
 +----------------------------------+       +----------------------------------+          +----------------------------------+      +----------------------------------+
After connecting from the client to the server everything works fine from the perspective of the client:

Code:

root@vm-openvpn:/etc/openvpn# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:15:5d:00:0a:0f
          inet addr:192.168.0.43  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fd00::215:5dff:fe00:a0f/64 Scope:Global
          inet6 addr: fe80::215:5dff:fe00:a0f/64 Scope:Link
          inet6 addr: 2003:c0:33f5:a900:215:5dff:fe00:a0f/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88468 errors:0 dropped:1329 overruns:0 frame:0
          TX packets:37987 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23173750 (23.1 MB)  TX bytes:13606797 (13.6 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:816 errors:0 dropped:0 overruns:0 frame:0
          TX packets:816 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:53432 (53.4 KB)  TX bytes:53432 (53.4 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.205.76.2  P-t-P:10.205.76.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5454 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:509228 (509.2 KB)  TX bytes:966318 (966.3 KB)

root@vm-openvpn:/etc/openvpn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.box       0.0.0.0         UG    0      0        0 eth0
10.205.76.0     *               255.255.255.0   U     0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.193.0   10.205.76.1     255.255.255.0   UG    0      0        0 tun0
root@vm-openvpn:/etc/openvpn# ping -c 2 10.205.76.1
PING 10.205.76.1 (10.205.76.1) 56(84) bytes of data.
64 bytes from 10.205.76.1: icmp_seq=1 ttl=64 time=36.2 ms
64 bytes from 10.205.76.1: icmp_seq=2 ttl=64 time=37.1 ms

--- 10.205.76.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 36.291/36.743/37.195/0.452 ms
root@vm-openvpn:/etc/openvpn# ping -c 2 192.168.193.240
PING 192.168.193.240 (192.168.193.240) 56(84) bytes of data.
64 bytes from 192.168.193.240: icmp_seq=1 ttl=64 time=37.4 ms
64 bytes from 192.168.193.240: icmp_seq=2 ttl=64 time=37.4 ms

--- 192.168.193.240 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 37.441/37.446/37.451/0.005 ms
root@vm-openvpn:/etc/openvpn# ping -c 2 192.168.193.10
PING 192.168.193.10 (192.168.193.10) 56(84) bytes of data.
64 bytes from 192.168.193.10: icmp_seq=1 ttl=126 time=37.6 ms
64 bytes from 192.168.193.10: icmp_seq=2 ttl=126 time=38.8 ms

--- 192.168.193.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 37.684/38.264/38.844/0.580 ms
root@vm-openvpn:/etc/openvpn# traceroute 192.168.193.10
traceroute to 192.168.193.10 (192.168.193.10), 30 hops max, 60 byte packets
 1  10.205.76.1 (10.205.76.1)  41.324 ms  41.262 ms  41.951 ms
 2  192.168.193.10 (192.168.193.10)  41.932 ms * *
root@vm-openvpn:/etc/openvpn#
But from the perspective of the office LAN it does not work:

Code:

pi@openvpn:/etc/openvpn $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.193.240  netmask 255.255.255.0  broadcast 192.168.193.255
        inet6 2003:c0:33cd:e300:e62d:6811:f28d:73ef  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::7e5a:bfc8:972c:f209  prefixlen 64  scopeid 0x20<link>
        inet6 fd50:7c6b:6849:0:86cf:ca3f:26e4:2d38  prefixlen 64  scopeid 0x0<global>
        ether b8:27:eb:10:41:c3  txqueuelen 1000  (Ethernet)
        RX packets 22889  bytes 4027496 (3.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11958  bytes 2628878 (2.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 7  bytes 476 (476.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7  bytes 476 (476.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.205.76.1  netmask 255.255.255.0  destination 10.205.76.1
        inet6 fe80::eeab:3146:67cc:1722  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 6306  bytes 637857 (622.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6496  bytes 694692 (678.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

pi@openvpn:/etc/openvpn $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         be.ip           0.0.0.0         UG    202    0        0 eth0
10.205.76.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     10.205.76.2     255.255.255.0   UG    0      0        0 tun0
192.168.193.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0
pi@openvpn:/etc/openvpn $ ping -c 2 10.205.76.2
PING 10.205.76.2 (10.205.76.2) 56(84) bytes of data.
64 bytes from 10.205.76.2: icmp_seq=1 ttl=64 time=37.1 ms
64 bytes from 10.205.76.2: icmp_seq=2 ttl=64 time=41.7 ms

--- 10.205.76.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 37.103/39.430/41.758/2.335 ms
pi@openvpn:/etc/openvpn $ ping -c 2 192.168.0.43
PING 192.168.0.43 (192.168.0.43) 56(84) bytes of data.

--- 192.168.0.43 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1026ms

pi@openvpn:/etc/openvpn $ ping -c 2 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.

--- 192.168.0.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1056ms

pi@openvpn:/etc/openvpn $ traceroute  192.168.0.10
traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * *^C
pi@openvpn:/etc/openvpn $
There are (at least) two problems I cannot solve myself:
  • I cannot ping the client from the server
  • PCs on the client side can not ping any other machine on the server side
Here are the configs:

server

proto udp
port 1194
dev tun
server 10.205.76.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
duplicate-cn
user nobody
group nogroup
daemon
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
management 127.0.0.1 5555

tls-auth /etc/openvpn/keys/ta.key 0
dh /etc/openvpn/keys/dh2048.pem
pkcs12 /etc/openvpn/keys/OpenVPN_PAW_Server.p12
crl-verify /etc/openvpn/keys/OpenVPN_PAW_CRL.pem

push "route 192.168.193.0 255.255.255.0"
route 192.168.0.0 255.255.255.0


client

proto udp
port 1194
dev tun
client
remote doe.jane.com
persist-key
persist-tun
user nobody
group nogroup
nobind
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
#management 127.0.0.1 5555

pkcs12 /etc/openvpn/keys_PAW/OpenVPN_PAW_Client1.p12
tls-auth /etc/openvpn/keys_PAW/ta.key 1


What am I doing wrong? Config problem? Router problem? Help would be reaaaaaaly very much appreciated!! Thx in advance!!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing issues?!?

Post by TinCanTech » Tue Oct 17, 2017 7:51 pm

Tom7320 wrote:
Tue Oct 17, 2017 7:06 pm
After connecting from the client to the server everything works fine from the perspective of the client
Tom7320 wrote:
Tue Oct 17, 2017 7:06 pm
I cannot ping the client from the server
Probably the client firewall. (Allow ICMP)
Tom7320 wrote:
Tue Oct 17, 2017 7:06 pm
PCs on the client side can not ping any other machine on the server side
First step:
HOWTO: Expanding the scope of the VPN to include additional machines

Then you will need to revise what you know about routing to allow the client side machines to use the VPN .. if that is what you want.

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Routing issues?!?

Post by Tom7320 » Wed Oct 18, 2017 5:56 am

THX a lot! I followed the steps in the HOWTO and it worked! Sorry! I was confused because of a chapter in the book "Mastering OpenVPN". I thought it was possible without a ccd. THX for enlightening me... ;-)
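
What the HOWTO step amounts to for this setup, as an added example (not the poster's configuration and not copied from the HOWTO): the server config already carries `route 192.168.0.0 255.255.255.0`, which gives the office kernel a route for the home LAN into tun0, but the OpenVPN server process keeps its own table of which connected client owns which subnet, and that table is only fed by `iroute` in a per-client file under `client-config-dir`. Without it, packets for 192.168.0.0/24 that the kernel hands to tun0 have no client to go to, which also explains the first symptom above: a ping to 10.205.76.2 (the tunnel address) works while a ping to 192.168.0.43 (the same machine's LAN address) does not. In the other direction, packets from home PCs arrive with a source address the server does not associate with the client and are dropped; with the server at verb 4 this shows up as `MULTI: bad source address from client [192.168.0.x], packet dropped`. The ccd file name must be the common name of the client certificate; `OpenVPN_PAW_Client1` below is an assumption taken from the .p12 file name in the client config.

```conf
# /etc/openvpn/server.conf on the office side: add the directory of per-client
# files. The two route lines are the ones already in the posted config.
client-config-dir /etc/openvpn/ccd
route 192.168.0.0 255.255.255.0
push "route 192.168.193.0 255.255.255.0"

# /etc/openvpn/ccd/OpenVPN_PAW_Client1 (file name = CN of the client
# certificate, assumed here): tells the OpenVPN process that the home LAN sits
# behind this client. "route" above is for the kernel; "iroute" here is for
# OpenVPN's own client table.
iroute 192.168.0.0 255.255.255.0
```

Restart the server so it picks up `client-config-dir`; the ccd file itself is read every time the client connects, after the daemon has dropped to `nobody`, so the directory and file must be readable by that user or they are silently treated as absent. Once the client has reconnected, `status` on the management interface (127.0.0.1:5555 in the posted config) lists `192.168.0.0/24` in the ROUTING TABLE section next to the client's CN. One caveat for this config: ccd files are looked up by CN, so every client presenting the same certificate receives the same iroute, and a subnet can be mapped to only one connected client at a time; a site gateway should have its own certificate rather than rely on `duplicate-cn`.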

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Routing issues?!?

Post by Tom7320 » Wed Oct 18, 2017 6:17 am

But there is one more thing......

I only want to allow certain PCs on the office/server side to access my home network. What's the best way to do that? iptables on the server?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing issues?!?

Post by TinCanTech » Wed Oct 18, 2017 11:19 am

Tom7320 wrote:
Wed Oct 18, 2017 6:17 am
iptables on the server
Indeed .. it's all in the howto 8-)

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Routing issues?!?

Post by Tom7320 » Wed Oct 18, 2017 2:16 pm

I'm so stupid.... You won't believe it, but I've really read the manpage and the howto and I still managed to miss it... I'm embarrassed..... Sorry! And thank you very much for pointing me in the right direction!

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Routing issues?!?

Post by Tom7320 » Wed Oct 18, 2017 3:57 pm

To my rescue I am looking for the other way around: server-specific access policies, if you want. I only want office machines with certain IP addresses to have access to my network. Tried to figure the rules out myself, but tcpdump does not show any packets with IP addresses from the tunnel?!

Code:

root@openvpn:~# tcpdump -i tun0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
17:54:06.535469 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 1135631732:1135631833, ack 431957170, win 255, length 101
17:54:06.544802 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 101:202, ack 1, win 255, length 101
17:54:06.545734 IP 192.168.193.10.3389 > 192.168.0.111.50469: Flags [.], ack 202, win 253, length 0
17:54:06.608395 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 202:303, ack 1, win 255, length 101
17:54:06.608982 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 303:404, ack 1, win 255, length 101
17:54:06.609899 IP 192.168.193.10.3389 > 192.168.0.111.50469: Flags [.], ack 404, win 252, length 0
17:54:06.717743 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 404:505, ack 1, win 255, length 101
17:54:06.821045 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 505:686, ack 1, win 255, length 181
17:54:06.822074 IP 192.168.193.10.3389 > 192.168.0.111.50469: Flags [.], ack 686, win 256, length 0
17:54:06.929073 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 686:867, ack 1, win 255, length 181
17:54:07.125806 IP 192.168.193.10.3389 > 192.168.0.111.50469: Flags [.], ack 867, win 256, length 0
17:54:07.681185 IP 192.168.0.111.50469 > 192.168.193.10.3389: Flags [P.], seq 867:968, ack 1, win 255, length 101
17:54:07.881884 IP 192.168.193.10.3389 > 192.168.0.111.50469: Flags [.], ack 968, win 255, length 0
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel
root@openvpn:~#
To my understanding: why are there no 10.205.0.0 packets visible? And what are the rules to only allow access to certain machines?

Sorry to bother again.....

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Routing issues?!?

Post by Tom7320 » Sat Oct 21, 2017 6:33 am

To answer my own question: the easiest way for access control was some firewall rules on the OpenVPN client in the "home" LAN:

ufw default allow
ufw default allow routed
ufw deny in on tun0
ufw route deny in on tun0
ufw enable

After that it is easy to allow access to certain machines and/or services with appropriate ufw route allow... statements.
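
Two things worth pinning down about the capture and the rules above, with an added example that is not part of the thread. First, tun0 shows 192.168.0.111 and 192.168.193.10 rather than 10.205.76.x because this is a routed LAN-to-LAN tunnel: each gateway forwards packets unchanged, without NAT, so only traffic the two VPN endpoints originate themselves carries a tunnel address, and firewall rules for the office-to-home policy therefore match on LAN addresses. Second, ufw keeps two separate paths on this host: `ufw route ...` rules govern packets forwarded on to other home machines, while `ufw ...` rules without `route` govern packets addressed to the OpenVPN client itself (192.168.0.43), so an allowlist entry needs the right kind. The script below, written for this thread and not taken from it or from ufw's documentation, turns a small allowlist into those rules and refuses anything outside the two LANs before touching ufw. The office LAN 192.168.193.0/24, the home LAN 192.168.0.0/24, tun0 and ufw are taken from the thread; the hosts and ports in `sample_policy` are made up.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts, ufw or OpenVPN):
# turn a short allowlist of office hosts into the "ufw route allow" rules the
# last post sketches, applied on the home-side OpenVPN client (192.168.0.43).
# Assumed: office LAN 192.168.193.0/24, home LAN 192.168.0.0/24, VPN on tun0,
# ufw as the client's firewall. Hosts and ports in sample_policy are made up.

OFFICE_NET=192.168.193.0/24   # packets on tun0 carry these source addresses
HOME_NET=192.168.0.0/24       # and these destinations: routed LAN-to-LAN, no NAT
SELF_IP=192.168.0.43          # the OpenVPN client itself (INPUT, not FORWARD)
VPN_IF=tun0
UFW=${UFW:-ufw}               # set UFW=echo for a dry run

# ip4_to_int 192.168.193.10 -> 3232284938; fails on anything but a dotted quad
ip4_to_int() {
    case $1 in *..*|.*|*.) return 1;; esac
    IFS=. read -r _o1 _o2 _o3 _o4 _more <<EOF
$1
EOF
    [ -n "$_o4" ] && [ -z "$_more" ] || return 1
    for _o in "$_o1" "$_o2" "$_o3" "$_o4"; do
        case $_o in ''|*[!0-9]*|0[0-9]*) return 1;; esac   # digits only, no leading zero
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($_o1 << 24) | ($_o2 << 16) | ($_o3 << 8) | $_o4 ))
}

# in_subnet IP NET/BITS -> status 0 when IP lies inside NET/BITS
in_subnet() {
    _ip=$(ip4_to_int "$1") || return 1
    _net=$(ip4_to_int "${2%/*}") || return 1
    _bits=${2#*/}
    case $_bits in ''|*[!0-9]*) return 1;; esac
    [ "$_bits" -le 32 ] || return 1
    _mask=$(( (0xFFFFFFFF << (32 - $_bits)) & 0xFFFFFFFF ))
    [ $(( $_ip & $_mask )) -eq $(( $_net & $_mask )) ]
}

# policy_to_rules: reads "SRC DST PROTO PORT" lines on stdin ('#' starts a
# comment) and prints one ufw rule per entry: "route allow" for a home PC,
# plain "allow" when the destination is this host. Any address outside the
# two LANs, or a bad proto/port, aborts with status 1 before anything runs.
policy_to_rules() {
    while read -r _src _dst _proto _port _rest; do
        case $_src in ''|'#'*) continue;; esac
        in_subnet "$_src" "$OFFICE_NET" || { echo "bad source: $_src" >&2; return 1; }
        in_subnet "$_dst" "$HOME_NET"   || { echo "bad destination: $_dst" >&2; return 1; }
        case $_proto in tcp|udp) ;; *) echo "bad proto: $_proto" >&2; return 1;; esac
        case $_port in ''|*[!0-9]*) echo "bad port: $_port" >&2; return 1;; esac
        [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || { echo "bad port: $_port" >&2; return 1; }
        if [ "$_dst" = "$SELF_IP" ]; then _kind="allow"; else _kind="route allow"; fi
        echo "$_kind in on $VPN_IF from $_src to $_dst port $_port proto $_proto"
    done
}

# Constructed sample: the RDP host 192.168.193.10 may reach one home PC on
# 3389, and the office server 192.168.193.240 may ssh to the OpenVPN client.
sample_policy() {
    cat <<'EOF'
# src (office)      dst (home)       proto  port
192.168.193.10      192.168.0.111    tcp    3389
192.168.193.240     192.168.0.43     tcp    22
EOF
}

# apply_policy FILE: the baseline from the thread (everything arriving on tun0
# denied, both for this host and for forwarding), then the allowlist. Replies
# for connections the home side opens itself still pass through ufw's built-in
# RELATED,ESTABLISHED rule. Needs root.
apply_policy() {
    _rules=$(policy_to_rules < "$1") || return 1   # validate before touching ufw
    $UFW default allow
    $UFW default allow routed
    $UFW deny in on "$VPN_IF"
    $UFW route deny in on "$VPN_IF"
    printf '%s\n' "$_rules" | while read -r _rule; do
        $UFW $_rule        # unquoted on purpose: the rule is a word list
    done
    $UFW --force enable
}

case ${1:-} in
    apply)   apply_policy "$2" ;;
    dry-run) UFW=echo apply_policy "$2" ;;
esac
```

Saved as, say, vpn-allowlist.sh (a name chosen here), `sh vpn-allowlist.sh dry-run policy.txt` prints what would be executed and `apply` installs it. The baseline is the one from the post above: `ufw default allow` leaves everything not arriving on tun0 as it was, the two deny rules close tun0, and only the listed office hosts get through. If the policy is to live on the server instead, as the earlier reply suggests, the forwarding rules there match `in on eth0 out on tun0`, which this script does not generate.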
