OpenVPN- can connect client to server; but can't ping server side LAN machines (except for the server side LAN gateway)

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
wowiesy
OpenVPN User
Posts: 25
Joined: Mon Jul 10, 2017 6:33 am

OpenVPN- can connect client to server; but can't ping server side LAN machines (except for the server side LAN gateway)

Post by wowiesy » Fri Dec 08, 2017 4:53 pm

I know I was able to set this same setup before.. but now I can't seem to find the problem in my setup...

Here it is:

Server Side:
OS: Ubuntu 16.04
LAN Gateway: 192.168.100.2
OpenVPN server LAN IP: 192.168.100.253

Route entry at 192.168.100.2:
destination: 10.8.0.0
netmask: 255.255.255.0
gateway 192.168.100.253



Server Config File:

server

port 1194
proto udp
dev tun0
topology subnet
ca /etc/openvpn/ca.crt
cert /etc/openvpn/BULVPNSERVER.crt
key /etc/openvpn/BULVPNSERVER.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.100.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
;mute 20



Client config:

client

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert KSS1XMAC.crt
key KSS1XMAC.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
;mute 20


on the client side using a Mac, when connected to the VPN,

netstat -nr


Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.43.1       UGSc           11        0     en1
10.8/24            10.8.0.2           UGSc            1        0   utun0
10.8.0.2           10.8.0.2           UH              1        0   utun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3    77154     lo0
169.254            link#5             UCS             0        0     en1
192.168.43         link#5             UCS             1        0     en1
192.168.43.1/32    link#5             UCS             1        0     en1
192.168.43.1       8:23:b2:e3:ab:ca   UHLWIir        12      101     en1   1180
192.168.43.99/32   link#5             UCS             0        0     en1
192.168.43.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       13     en1
192.168.100        10.8.0.1           UGSc            0        0   utun0
224.0.0            link#5             UmCS            2        0     en1
224.0.0.1          1:0:5e:0:0:1       UHmLWI          0        7     en1
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en1
255.255.255.255/32 link#5             UCS             0        0     en1

Internet6:
Destination                             Gateway                         Flags         Netif Expire
::1                                     ::1                             UHL             lo0
fe80::%lo0/64                           fe80::1%lo0                     UcI             lo0
fe80::1%lo0                             link#1                          UHLI            lo0
fe80::%en1/64                           link#5                          UCI             en1
fe80::226:bbff:fe0a:7192%en1            0:26:bb:a:71:92                 UHLI            lo0
ff01::%lo0/32                           ::1                             UmCI            lo0
ff01::%en0/32                           link#4                          UmCI            en0
ff01::%en1/32                           link#5                          UmCI            en1
ff02::%lo0/32                           ::1                             UmCI            lo0
ff02::%en0/32                           link#4                          UmCI            en0
ff02::%en1/32                           link#5                          UmCI            en1

the routing entry shows that the 192.168.100.0/24 network should be routed through the tun interface..

I do have an entry in the LAN gateway routing 10.8.0.0/24 to gateway of 192.168.100.253...

I don't know which part I am still missing here...

iptables of the OpenVPN machine:


[sudo] password for kss1x: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:1195
SSH_OVPNBOX  tcp  --  anywhere             anywhere             tcp dpt:2222

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

hope someone can point it out... thanks.

wowiesy
OpenVPN User
Posts: 25
Joined: Mon Jul 10, 2017 6:33 am

Re: OpenVPN- can connect client to server; but can't ping server side LAN machines (except for the server side LAN gatew

Post by wowiesy » Sat Dec 09, 2017 8:54 am

I suppose a restatement of the problem is needed..

with the given setup earlier provided, the remote client needs to access the following IP addresses within the server LAN:
192.168.100.144
192.168.100.141
192.168.100.246

upon connecting using OpenVPN, the client does have an entry for the 192.168.100.0/24 network via 10.8.0.1 in its routing table... so I am able to ping through to 192.168.100.253. However, I can't ping through to the other LAN machines. But I can ping through to 192.168.100.2 (which serves as the default gateway of the OpenVPN machine).

I checked the static route entries over at 192.168.100.2.. and this gateway has entries routing 10.8.0.0/24 to the VPN gateway 192.168.100.253... when I tried deleting that entry from that gateway.. and reconnected to the VPN... I couldn't even ping through to 192.168.100.253 or ssh to it... also to 100.2.. I can ping, but I had to use the VPN IP of 10.8.0.1 in order to access the VPN server box... and I also couldn't get the web console of the 100.2 gateway... that just means (at least to me.. ) that the static route entry is working...

however.. still the problem is that the following machines on the server side can't be pinged: 100.144, 100.141, 100.246... but.. if I am connected physically inside the server premises (through LAN or wifi from within the server site), I can actually ping 100.246 and 100.141.. meaning that once I fix this.. I should be able to ping through to 100.141 and 100.246...

any suggestions on what to investigate further to resolve this?

wowiesy
OpenVPN User
Posts: 25
Joined: Mon Jul 10, 2017 6:33 am

Re: OpenVPN- can connect client to server; but can't ping server side LAN machines (except for the server side LAN gatew

Post by wowiesy » Mon Dec 11, 2017 7:36 am

update on this:
I don't know which action fixed the issue... or if all of these actions were factors in getting this issue fixed.. but here is what I have done so far:

1. deleted "twin" server config - I noticed that there was another config file in the /etc/openvpn directory at the server.. with exactly the same server directives (offering the same IP pool)... I deleted the other config file and just left the config file I intended to run

2. I noticed that some server machines in the server side LAN had different default gateways set up on each of them... I noticed that all in all.. the LAN had 3 different gateways set up.. so I had to put the static route entries into the 3 different gateways

on a Road Warrior setup, the VPN client can now access the SQL database at 100.246, and the remote desktop app at 100.141 and 100.144... I still find it weird though that a ping to these machines still ends up with no return packets. However, as long as I am able to achieve the intended objective, all is fine.

Next topic (will start a separate thread).. is to setup a site to site vpn link.. where the remote satellite office LAN needs to access certain machines in the Server side (OpenVPN box is separate from these machines.. and is also separate from the gateway of the server side LAN).
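The return-path problem this thread ran into, as an added example (not the poster's code and not part of OpenVPN): a small Python model of the server-side LAN that does a longest-prefix lookup on each node's routing table and follows a reply from each LAN machine back toward the VPN client 10.8.0.2. Only 192.168.100.2, 192.168.100.253, the 10.8.0.0/24 pool and the host addresses .144/.141/.246 come from the thread; the other two gateway addresses (192.168.100.1 and .3), which host uses which gateway, and the upstream address 203.0.113.1 are assumptions made for the example.

```python
"""Return-path check for a routed (non-NAT) OpenVPN setup.

Added example, not code from the thread. It models the thread's LAN: VPN
subnet 10.8.0.0/24 on the OpenVPN server 192.168.100.253, LAN hosts
192.168.100.144/.141/.246 whose default gateways differ, and a static
route for 10.8.0.0/24 that exists on some gateways but not on others.
Gateway addresses other than 192.168.100.2, the host-to-gateway mapping
and the upstream address 203.0.113.1 are constructed for the example.
"""
from ipaddress import ip_address, ip_network

VPN_CLIENT = "10.8.0.2"
VPN_SERVER = "192.168.100.253"
LAN = "192.168.100.0/24"
VPN_NET = "10.8.0.0/24"
UPSTREAM = "203.0.113.1"  # constructed: the gateways' WAN next hop


# A routing table is a list of (prefix, next_hop); next_hop "onlink" means
# the prefix is directly attached to an interface of that node.
def next_hop(table, dst):
    """Longest-prefix match, as a kernel does; None when nothing matches."""
    dst = ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def build_tables(gateways_with_vpn_route):
    """Routing tables for every node in the constructed LAN."""
    tables = {}
    for gw in ("192.168.100.1", "192.168.100.2", "192.168.100.3"):
        table = [(LAN, "onlink"), ("0.0.0.0/0", UPSTREAM)]
        if gw in gateways_with_vpn_route:
            table.append((VPN_NET, VPN_SERVER))  # the static route from the thread
        tables[gw] = table
    # OpenVPN box: LAN on its ethernet side, VPN subnet on tun0, default via .2
    tables[VPN_SERVER] = [(LAN, "onlink"), (VPN_NET, "onlink"),
                          ("0.0.0.0/0", "192.168.100.2")]
    # LAN hosts with differing default gateways (this mapping is constructed)
    hosts = {"192.168.100.144": "192.168.100.1",
             "192.168.100.141": "192.168.100.2",
             "192.168.100.246": "192.168.100.3"}
    for host, gw in hosts.items():
        tables[host] = [(LAN, "onlink"), ("0.0.0.0/0", gw)]
    return tables


def trace_reply(src, tables, dst=VPN_CLIENT, max_hops=8):
    """Follow a reply from a LAN node hop by hop toward the VPN client.

    Returns (delivered, path). A node missing from `tables` is the upstream
    router, which knows nothing about 10.8.0.0/24: the reply is lost there.
    """
    cur, path = src, [src]
    for _ in range(max_hops):
        if cur not in tables:
            return False, path + ["lost: upstream has no route to %s" % VPN_NET]
        hop = next_hop(tables[cur], dst)
        if hop is None:
            return False, path + ["lost: no route"]
        if hop == "onlink":
            if cur == VPN_SERVER:
                return True, path + ["tun0 -> " + dst]
            return False, path + ["lost: not attached to %s" % VPN_NET]
        cur = hop
        path.append(cur)
    return False, path + ["lost: hop limit"]


def audit(gateways_with_vpn_route):
    """Which LAN nodes can answer the VPN client, given the current static routes."""
    tables = build_tables(gateways_with_vpn_route)
    return {node: trace_reply(node, tables)[0] for node in tables}


if __name__ == "__main__":
    before = audit({"192.168.100.2"})  # the thread's starting state
    after = audit({"192.168.100.1", "192.168.100.2", "192.168.100.3"})  # after step 2
    for node in sorted(before, key=ip_address):
        print("%-16s before fix: %-5s after fix: %s" % (node, before[node], after[node]))
```

Running the model reproduces the symptom: the forward path (client, tun0, 192.168.100.253, LAN host) is fine, so tcpdump on the host would show the echo request arriving, but a host whose default gateway lacks the 10.8.0.0/24 route hands its reply to that gateway, which forwards it upstream and out of the LAN. Only the OpenVPN box and 192.168.100.2 answer before the fix, exactly as the thread reports; after the route is added on all three gateways, every node answers. On a Linux gateway that route is `ip route add 10.8.0.0/24 via 192.168.100.253`, and it has to exist on every gateway the LAN hosts actually use, with `net.ipv4.ip_forward=1` on the OpenVPN box. The alternative the thread did not take is source NAT on the OpenVPN server's LAN interface, which makes every reply go back to .253 regardless of the hosts' gateways, at the cost of LAN logs seeing only .253 instead of individual client addresses. Separately, ping failing while SQL and remote desktop work is consistent with a host firewall that accepts echo requests only from the local subnet (the typical default scope of the inbound ICMP rule on Windows hosts), which is a host-side check rather than a routing one.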
