Site-To-Site: Can't reach LAN behind client

heikoh
OpenVpn Newbie
Posts: 7
Joined: Sat Feb 17, 2018 9:10 am

Site-To-Site: Can't reach LAN behind client

Post by heikoh » Sat Feb 17, 2018 10:24 am

Hi everyone,

I want to connect 2 LANS with OpenVPN.
So far, I have successfully connected Site A (Server) with Site B (Client).
From the Client LAN, I can reach every LAN device on Server side.
However, I cannot reach any devices behind the Client. (I can only ping the Client IP from the Server console directly).
Update:
Executing

iptables -t nat -A POSTROUTING -d 192.168.179.0/24 -j MASQUERADE
on the Client enables me to ping all devices behind the Client from the Server.
But not from the devices behind the Server!

I also use this Server for road-warrior access with other Clients that are allowed to access the server's LAN. This is already working.

Site A - Server:
IP: 192.168.178.0 / 255.255.255.0
OpenVPN-Server: 192.168.178.220
OpenVPN-IP: 10.8.0.1

Site B - Client:
IP: 192.168.179.0 / 255.255.255.0
OpenVPN-Server: 192.168.179.29
OpenVPN-IP: 10.8.0.10

Site A - openvpn.conf:
Site A

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
#The push routes are added on the clients connecting, telling them to route those networks over the vpn.
push "route 192.168.178.0 255.255.255.0"
client-to-client
route 192.168.179.0 255.255.255.0 10.8.0.1
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
duplicate-cn
keepalive 10 120
tun-mtu 1300
script-security 2
--client-connect /usr/local/bin/ovpn_connect_sendemail.sh
--client-disconnect /usr/local/bin/ovpn_disconnect_sendemail.sh
--verb 4


Site A - /etc/openvpn/ccd/raspmue

# Set a static IP address for the Router's client connection (to OpenVPN)
ifconfig-push 10.8.0.10 10.8.0.11

# Set the internal IP range for this network.
iroute 192.168.179.0 255.255.255.0

Site B - raspmue.conf:
Site B Client
client
dev tun
proto udp
remote xyz.xyz.de 1194
log-append /var/log/openvpn.log
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert raspmue.crt
key raspmue.key
verb 3
comp-lzo


Site A - iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Site B - iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https,48083
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Thanks,
Heiko

TinCanTech
OpenVPN Protagonist
Posts: 4293
Joined: Fri Jun 03, 2016 1:17 pm

Re: Site-To-Site: Can't reach LAN behind client

Post by TinCanTech » Sat Feb 17, 2018 11:56 pm

ip_forward on the client ?

heikoh
OpenVpn Newbie
Posts: 7
Joined: Sat Feb 17, 2018 9:10 am

Re: Site-To-Site: Can't reach LAN behind client

Post by heikoh » Sun Feb 18, 2018 8:43 am

Yes:

net.ipv4.ip_forward=1
is set on both server and client!

As stated, from any client-LAN device I can reach every device on server-LAN.
I can also ping every server-LAN device from any client-lan-device.
However, from the other side, I cannot ping client-LAN from any Server-LAN device.

For example, if I execute on my Win10-machine (same LAN as VPN-Server):

ping 192.168.179.1

Ping is executed for 192.168.179.1 with 32 Bytes Daten:
Answer from 192.168.178.220: Destination port not reachable.
Answer from 192.168.178.220: Destination port not reachable.
Answer from 192.168.178.220: Destination port not reachable.
Answer from 192.168.178.220: Destination port not reachable.

Ping-Statistic for 192.168.179.1:
    Pakete: sent= 4, received = 4, lost = 0
    (0% Verlust),
192.168.178.220 = my OpenVPN-Server

To me it seems that my Raspberry OpenVPN-Server blocks incoming traffic for the VPN with its iptables, maybe?
As you can see in the ping answer, my Win10-machine knows from my Gateway that it should send packets for 192.168.179.1 via 192.168.178.220.
I have a static route set for 192.168.179.0 on my gateway to 192.168.178.220.
However, 192.168.178.220 says destination port not reachable.

Greetings,
Heiko
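An added example, written for this editing pass and not part of any post in the thread: a small Python walk through a FORWARD chain as `iptables -S FORWARD` dumps it, which, unlike the plain `iptables -L` output above, shows interface matches. The sample rules, the interface names (eth0, tun0) and the extra ACCEPT rule are assumptions; the point is that a server-side REJECT with icmp-port-unreachable is exactly what produces the "Destination port not reachable" replies from 192.168.178.220 seen above, and that `iptables -S` (or `-L -v -n`) is the output that reveals which direction the ACCEPT rule really covers.

```python
import ipaddress
# Constructed sample (an assumption, not the poster's real dump): the same three
# FORWARD rules as in the thread, but as `iptables -S FORWARD` prints them, with
# the interface matches that plain `iptables -L` hides.
SERVER_FORWARD = """\
-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
"""
FLAGS = {"-i": "iif", "-o": "oif", "-d": "dst", "--state": "state",
         "-j": "target", "--reject-with": "reject_with"}

def parse_chain(dump):
    """Return (policy, rules) for one chain from `iptables -S` output."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        tok = line.split()
        if tok[:1] == ["-P"]:
            policy = tok[2]
            continue
        rule = {field: None for field in FLAGS.values()}
        for flag, arg in zip(tok, tok[1:]):  # every "flag value" pair
            if flag in FLAGS:
                rule[FLAGS[flag]] = arg
        if rule["dst"]: rule["dst"] = ipaddress.ip_network(rule["dst"])
        if rule["state"]: rule["state"] = set(rule["state"].split(","))
        rules.append(rule)
    return policy, rules

def verdict(dump, dst, iif, oif, state="NEW"):
    """First matching rule wins, as in the kernel, else the chain policy.
    Returns (rule number or None, target, reject-with type or None)."""
    policy, rules = parse_chain(dump)
    d = ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if r["iif"] and r["iif"] != iif: continue
        if r["oif"] and r["oif"] != oif: continue
        if r["dst"] and d not in r["dst"]: continue
        if r["state"] and state not in r["state"]: continue
        return n, r["target"], r["reject_with"]
    return None, policy, None

# The two flows from the thread (interface names are assumptions); the fixed
# chain accepts the LAN -> tunnel direction ahead of the REJECT rule.
LAN_TO_CLIENT = verdict(SERVER_FORWARD, "192.168.179.1", "eth0", "tun0")
CLIENT_TO_LAN = verdict(SERVER_FORWARD, "192.168.178.50", "tun0", "eth0")
FIXED_FORWARD = SERVER_FORWARD.replace("-A FORWARD -j REJECT",
    "-A FORWARD -i eth0 -o tun0 -d 192.168.179.0/24 -j ACCEPT\n-A FORWARD -j REJECT")
LAN_TO_CLIENT_FIXED = verdict(FIXED_FORWARD, "192.168.179.1", "eth0", "tun0")
```

With the sample chain, LAN_TO_CLIENT lands on the REJECT rule (hence the ICMP port-unreachable from the server), CLIENT_TO_LAN is accepted by the tun0-to-eth0 rule, and the fixed chain accepts the LAN-to-tunnel direction too.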
