Bridged VPN: Clients connected but not ping each other

chameleon
OpenVpn Newbie
Posts: 13
Joined: Wed Sep 11, 2019 4:54 am

Post by chameleon » Wed Sep 11, 2019 6:05 am

I am a newbie Linux user, but after that, I will read nuclear physics as I read comics :-)

I am trying to set up a VPN, as in the picture, mainly for gaming, Samba, for securing ssh/sftp and for access to other services with no forwarded ports in router A.

So far, I have successfully installed and run as services:
server on NAS / Debian
client on NAS / Debian
client on PC1 / Windows 7
No errors in the logs.

The problem (1):
From PC1, I can ping 192.168.254.2 which is localhost.
From NAS, I can ping 192.168.254.254 which is localhost.
From NAS, I cannot ping 192.168.254.2
From PC1, I cannot ping 192.168.254.254

Question (2):
On NAS / Debian, which is the OpenVPN server, I installed and run an OpenVPN client too, with a different certificate. Is this correct?

Question (3):
If I understand bridging correctly: if (see picture) PC4 runs on a physical subnet 192.168.20.x as an OpenVPN client, and PC1 together with the NAS runs on its physical subnet 192.168.1.x, where the NAS is the OpenVPN server and PC1 is neither OpenVPN server nor client, then OpenVPN bridges 192.168.20.x with 192.168.1.x and from PC4 I can ping PC1?
If yes, how does all of this port forwarding take place? How does PC1, which is not an OpenVPN client, know where to find 192.168.20.x?

Question (4):
I forward port 1194 from Router A to the NAS, because many clients exist on the internet. Does the OpenVPN server need more ports (like FTP or FTPS)?
Do OpenVPN clients have listening ports?

What I did:
- I used this guide: https://community.openvpn.net/openvpn/w ... edwithOVPN
- I generated the certificate authority with my script:

```sh
#!/bin/sh
# Generate a 4096-bit CA key, password-protected with 3DES, readable only by its owner
openssl genrsa -des3 -out ca.key 4096
chmod 600 ca.key
# Create the self-signed CA certificate (prompts for the CA subject)
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt
```
- I signed server and client certificates with my script:

```sh
#!/bin/sh
# Usage: ./sign.sh <client|server> <certificate_name>
# The braces group the two name tests, so both a missing argument and a bad
# type print the usage message (|| and && have equal precedence in sh).
if [ "$#" -lt 2 ] || { [ "$1" != "client" ] && [ "$1" != "server" ]; }; then
   printf '%s\n' "Syntax is:" "<client|server> <certificate_name>. E.g. 'client client_1'."
   exit 1
fi
openssl genrsa -out "$2.key" 4096
chmod 600 "$2.key"
openssl req -new -key "$2.key" -out "$2.csr"
# -CAcreateserial keeps a counter in ca.srl so every certificate gets a unique
# serial number; the earlier -set_serial 01 gave all certificates the same serial.
openssl x509 -req -days 36500 -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
   -out "$2.crt" -extfile "openssl.x509.$1.conf"
rm "$2.csr"
```
where openssl.x509.server.conf is:

```
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth
```
and openssl.x509.client.conf is:

```
keyUsage = digitalSignature
extendedKeyUsage=clientAuth
```
- My server.conf is:
Server Config
```
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem # Generated with: openssl dhparam -out dh4096.pem 4096
topology subnet
ifconfig-pool-persist ipp.txt
server-bridge 192.168.254.1 255.255.255.0 192.168.254.2 192.168.254.254
client-to-client
keepalive 60 120
tls-auth ta.key 0 # Generated with: openvpn --genkey --secret ta.key
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
```

- All client.conf / client.ovpn files are:
Client Config
```
client
dev tap
proto udp
remote ODROID-HC2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # Common with server
cert client.crt # Distinct for each client
key client.key # Distinct for each client
remote-cert-tls server
tls-auth ta.key 1 # Common with server
cipher AES-256-CBC
verb 3
```

- On the NAS, I started the services and got the logs with:

```sh
systemctl start openvpn@server.service
systemctl enable openvpn@server.service
systemctl start openvpn@client.service
systemctl enable openvpn@client.service
systemctl status openvpn@server.service
systemctl status openvpn@client.service
```
- On Windows 7 I set OpenVPNService to Automatic and ran these commands:

```
sc delete OpenVPNServiceLegacy
net stop OpenVPNServiceInterface  # I don't remember the exact name
sc delete OpenVPNServiceInterface  # I don't remember the exact name
net start OpenVPNService
```
- Finally, I did port forwarding, as the guide says (I don't clearly understand why), with:

```sh
# Runtime only: to survive a reboot, put the same keys in /etc/sysctl.conf or /etc/sysctl.d/
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
```
- I did nothing more than this.
- There are no firewalls on any machine. I hate firewalls.

```sh
iptables -L
```
shows nothing.
- ifconfig does not exist on NAS / Debian because it is deprecated; ip exists instead.
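
As an added example (not from the post, and not OpenVPN's own code), a small Python linter for the `server-bridge` line in the server.conf above: it checks that the pool sits inside the netmask, that the gateway is not inside the pool, and, when given the subnet of the LAN interface the tap device is bridged into, that the pool actually lies in that LAN, since bridged clients get addresses on the LAN rather than on a separate VPN subnet. The `lan_cidr` value 192.168.1.0/24 is an assumption taken from the subnet named in question 3.

```python
import ipaddress

# Constructed sample: the bridge-related lines of the server.conf from the post, embedded so this runs offline.
SAMPLE_CONF = """\
dev tap
server-bridge 192.168.254.1 255.255.255.0 192.168.254.2 192.168.254.254
client-to-client
"""

def parse_conf(text):
    """Split an OpenVPN config into (option, args) pairs, dropping '#'/';' comments and blank lines."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            opt, *args = line.split()
            opts.append((opt, args))
    return opts

def lint_server_bridge(text, lan_cidr=None):
    """Return a list of problems with the server-bridge setup.

    lan_cidr (assumed, e.g. "192.168.1.0/24") is the subnet of the LAN interface the
    tap device is bridged into; the gateway and pool handed out must lie inside it.
    """
    opts = parse_conf(text)
    problems = []
    if not any(a and a[0].startswith("tap") for o, a in opts if o == "dev"):
        problems.append("server-bridge requires 'dev tap'")
    sb = [a for o, a in opts if o == "server-bridge"]
    if not sb:
        return problems + ["no server-bridge directive found"]
    if len(sb[0]) < 4:
        return problems + ["server-bridge has fewer than 4 arguments (DHCP-proxy mode is not checked here)"]
    gw = ipaddress.IPv4Address(sb[0][0])
    start, end = ipaddress.IPv4Address(sb[0][2]), ipaddress.IPv4Address(sb[0][3])
    net = ipaddress.IPv4Network(f"{gw}/{sb[0][1]}", strict=False)  # accepts a dotted netmask
    if start > end:
        problems.append(f"pool-start {start} is above pool-end {end}")
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is outside {net}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the pool and could be handed to a client")
    if lan_cidr and net != ipaddress.IPv4Network(lan_cidr, strict=False):
        problems.append(f"bridge subnet {net} does not match the bridged LAN {lan_cidr}")
    if not any(o == "client-to-client" for o, _ in opts):
        problems.append("client-to-client missing: the server will not relay frames between clients")
    return problems
```

Run `lint_server_bridge(open("server.conf").read(), "192.168.1.0/24")` against a real config; an empty list means the bridge addressing is consistent with the LAN it is bridged into.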
