this issue is driving me nuts!
i have an openvpn server with 2 network interfaces running on centos 7
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:62:fd:66 brd ff:ff:ff:ff:ff:ff
inet <PUBLIC IP>/29 brd <PUBLIC_BROADCAST> scope global ens192
valid_lft forever preferred_lft forever
inet6 <PUBLIC IP>/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe62:fd66/64 scope link
valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:62:fd:70 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.4/24 brd 172.16.1.255 scope global ens224
valid_lft forever preferred_lft forever
inet6 fe80::c33f:ff31:f8a4:9c7e/64 scope link
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 172.16.31.1/24 brd 172.16.31.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::cfa5:4ec6:abb3:895c/64 scope link flags 800
valid_lft forever preferred_lft forever
routing table
default via <PUBLIC ROUTER> dev ens192 proto static metric 100
172.16.1.0/24 dev ens224 proto kernel scope link src 172.16.1.4 metric 100
172.16.2.0/24 via 172.16.1.1 dev ens224 proto static
172.16.3.0/24 via 172.16.1.1 dev ens224 proto static
172.16.31.0/24 dev tun0 proto kernel scope link src 172.16.31.1
<PUBLIC IP> dev ens192 proto kernel scope link src <PUBLIC IP> metric 100
172.16.1.1 is my firewall serving subnets 172.16.1.0, 172.16.2.0 and 172.16.3.0
in the routing table of my firewall i added 172.16.31.0 to be routed through the inside ip address of my openvpn server, 172.16.1.4
well, now internet works: traffic goes through ens192 and gets natted.
all traffic to the internal subnets fails, with the exception of ping.
when pinging i get a nice ping reply from, for example, 172.16.3.7. from 172.16.3.7 i can also ping 172.16.31.2 (ip of the openvpn client).
when i do anything else but ping from 172.16.31.2 to 172.16.3.7 i get a "no route to host". when trying anything else from 172.16.3.7 to 172.16.31.2 i get a "connection refused" (no services running, so as expected).
i tried different sizes of mtu/mss, but pinging with large packets works.
my firewall is not dropping anything. (all traffic was first blocked: ping was not working. all traffic allowed from 172.16.31.0/24 to 172.16.3.7: ping worked)
please help
# OpenVPN server configuration
# (lines beginning with `#' or `;' are comments)
# IP address, port, and protocol to bind
local <PUBLIC IP>
port 1194
proto udp
dev tun
tun-mtu 1500
mssfix 1350
reneg-sec 0
# cryptographic options (key, certificates, HMAC, cipher)
ca /etc/pki/tls/certs/rootCA.crt
cert /etc/pki/tls/certs/vpn.heitmann.nl.crt
key /etc/pki/tls/private/vpn.heitmann.nl.key
dh dh2048.pem
;tls-auth ta.key 0
cipher AES-256-CBC
# networking options for VPN (IP range, routes, if any)
server 172.16.31.0 255.255.255.0
;push "route 172.16.1.0 255.255.255.0"
;push "route 172.16.2.0 255.255.255.0"
;push "route 172.16.3.0 255.255.255.0"
push "redirect-gateway def1"
;push "dhcp-option DNS 172.16.2.21"
push "dhcp-option DNS 208.67.222.222"
topology subnet
# Enable multiple clients to connect with the same key
duplicate-cn
# miscellaneous options
client-to-client
keepalive 20 60
comp-lzo
persist-key
persist-tun
verb 3
# enable log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
# hardening: run as nobody in chroot jail etc.
# (directory /etc/openvpn/jail must exist)
user nobody
group nobody
;chroot jail
# CRL, if any (must be located in /etc/openvpn/jail)
;crl-verify crl.pem
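The symptom pattern in the post (ping works in both directions, but every TCP connect from the VPN client fails with "no route to host" even though the routing table has a matching route) is the signature of an ICMP host-prohibited being sent back to the client rather than of a missing route; a common source of that is the gateway's own host firewall, when the FORWARD chain accepts ICMP but ends in a `REJECT --reject-with icmp-host-prohibited` (the default shape of the CentOS 7 firewalld and iptables-services rule sets). The script below is an added example, not code from the post or from OpenVPN: it does a longest-prefix lookup over an `ip route` dump, so you can confirm which interface and next hop a forwarded packet would take, and then audits `sysctl` and `iptables -S FORWARD` text for forwarding disabled and for a REJECT in FORWARD. All input is constructed sample text embedded in the script (the public addresses are TEST-NET-3 placeholders, not the poster's); on a real box you would feed it the output of those commands.

```python
import ipaddress
import re

# Constructed sample in the shape of the post's `ip route` output; the public
# addresses are placeholders (TEST-NET-3), not values from the post.
ROUTE_DUMP = """\
default via 203.0.113.1 dev ens192 proto static metric 100
172.16.1.0/24 dev ens224 proto kernel scope link src 172.16.1.4 metric 100
172.16.2.0/24 via 172.16.1.1 dev ens224 proto static
172.16.3.0/24 via 172.16.1.1 dev ens224 proto static
172.16.31.0/24 dev tun0 proto kernel scope link src 172.16.31.1
"""

# Constructed sample of `sysctl net.ipv4.ip_forward` and `iptables -S FORWARD`
# on a gateway whose FORWARD chain accepts ICMP but rejects everything else:
# the pattern behind "ping works, TCP says No route to host".
SYSCTL_DUMP = "net.ipv4.ip_forward = 1\n"
IPTABLES_DUMP = """\
-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""


def parse_routes(dump):
    """Turn `ip route` lines into (network, next_hop, device) tuples."""
    routes = []
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), via, dev))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the interface and next hop a forwarded packet takes."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        return None
    return {"prefix": str(best[0]), "via": best[1], "dev": best[2]}


def audit_forwarding(sysctl_dump, iptables_dump):
    """Return findings that explain why forwarded VPN traffic is blocked."""
    findings = []
    sysctl = dict(re.findall(r"^(\S+)\s*=\s*(\S+)", sysctl_dump, re.M))
    if sysctl.get("net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward is not 1: the server forwards nothing from tun0")
    icmp_accepted = False
    for line in iptables_dump.splitlines():
        if not line.startswith("-A FORWARD"):
            continue
        if "-p icmp" in line and "-j ACCEPT" in line:
            icmp_accepted = True
        if "-j REJECT" in line:
            why = (" (ICMP is accepted earlier, so ping works while TCP/UDP get rejected;"
                   " a host-prohibited reject is reported by the client as No route to host)"
                   if icmp_accepted else "")
            findings.append(f"FORWARD rejects unmatched traffic: {line.strip()}{why}")
    return findings


if __name__ == "__main__":
    routes = parse_routes(ROUTE_DUMP)
    for target in ("172.16.3.7", "172.16.31.2", "8.8.8.8"):
        print(target, "->", lookup(routes, target))
    for finding in audit_forwarding(SYSCTL_DUMP, IPTABLES_DUMP):
        print("finding:", finding)
```

If the audit reports a REJECT in FORWARD, the fix on the gateway is an explicit accept for the VPN subnet ahead of it (for firewalld, a rich rule or a direct `-A FORWARD -i tun0 -o ens224 -s 172.16.31.0/24 -j ACCEPT` before the reject; conntrack then takes care of the replies), rather than more MTU or MSS tuning, which would not change a "no route to host" result anyway. Tcpdump on the client for ICMP type 3 while a connect fails confirms the diagnosis directly.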