site to site (client side) route dont publish correctly

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

site to site (client side) route dont publish correctly

Post by ahiyaz » Thu Jul 23, 2020 4:26 pm

Hi,

I'm using the OpenVPN community version.
I've installed a server and a client,
created certs and config files.
I'm trying to get bi-directional VPN access (site to site).
The VPN tunnel is up and both sides can ping each other's tunnel interface.
I've added routes to the internal networks and the client is able to ping the server's local network,
but the server couldn't ping the client's local network.
I can see the route on the server side and it redirects towards the tun0 peer address (not to the client's tun0 address).
I can't really tell what is wrong.

appreciate any help

thanks

some details:

server ver - OpenVPN 2.4.4 on ubuntu 18.0.4
client ver - OpenVPN 2.4.4 on ubuntu 18.0.4

server config

;local a.b.c.d
port 1194
proto udp
;dev tap
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 172.30.0.0 255.255.255.0"  # server LAN
client-config-dir /etc/openvpn/ccd
route 172.17.200.0 255.255.255.0  # client LAN
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key
cipher AES-256-CBC
persist-key
persist-tun
verb 3
explicit-exit-notify 1

CCD folder routes
“iroute 172.17.200.0 255.255.255.0”


client configuration file

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/M54.crt
key /etc/openvpn/keys/M54.key
remote-cert-tls server
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
verb 3



server route table:


default via 172.30.0.1 dev eth0 proto dhcp src 172.30.0.139 metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
172.17.200.0/24 via 10.8.0.2 dev tun0
172.30.0.0/24 dev eth0 proto kernel scope link src 172.30.0.139
172.30.0.1 dev eth0 proto dhcp scope link src 172.30.0.139 metric 100
client route table:


default via 172.17.200.1 dev eth0 proto dhcp src 172.17.200.47 metric 100
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
172.17.200.0/24 dev eth0 proto kernel scope link src 172.17.200.47
172.17.200.1 dev eth0 proto dhcp scope link src 172.17.200.47 metric 100
172.30.0.0/24 via 10.8.0.5 dev tun0

server interfaces:


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:9d:b1:75:8c:1d brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.139/24 brd 172.30.0.255 scope global dynamic eth0
       valid_lft 2503sec preferred_lft 2503sec
    inet6 fe80::9d:b1ff:fe75:8c1d/64 scope link
       valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c4b2:d276:98d0:bcd0/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

client interfaces:


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:17:ff:99 brd ff:ff:ff:ff:ff:ff
    inet 172.17.200.47/24 brd 172.17.200.255 scope global dynamic eth0
       valid_lft 578140sec preferred_lft 578140sec
    inet6 fe80::dea6:32ff:fe17:ff99/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether dc:a6:32:17:ff:9b brd ff:ff:ff:ff:ff:ff
21: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c8df:ec27:83e4:36c0/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Last edited by Pippin on Thu Jul 23, 2020 5:17 pm, edited 1 time in total.
Reason: Formatting

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 5:46 am

Hi everyone,

any ideas regarding my route issue?
I really need your help here.

thanks

300000
OpenVPN Super User
Posts: 215
Joined: Tue May 01, 2012 9:30 pm

Re: site to site (client side) route dont publish correctly

Post by 300000 » Mon Jul 27, 2020 9:06 am

What is the name of the file in the ccd folder? The name is important for the server to know how to add the route; if you push it wrongly it will not work for you.

The ccd folder should contain a file named after the common name of the client's certificate, and inside that file is the “iroute 172.17.200.0 255.255.255.0”

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 9:12 am

Hi,
thanks for responding.
The file name is the same as the cert file name (except for the file extension, of course).

300000
OpenVPN Super User
Posts: 215
Joined: Tue May 01, 2012 9:30 pm

Re: site to site (client side) route dont publish correctly

Post by 300000 » Mon Jul 27, 2020 9:21 am

Can you post the ccd file here?

iroute should be inside the file in the ccd folder, not in the server config. And check iptables to see if your iptables block it or not.

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 11:07 am

ccd M54 file:

“iroute 172.17.200.0 255.255.255.0”

I have the "iroute" line only in the ccd file,
but in the server file I have route

route 172.17.200.0 255.255.255.0

The FW is disabled for now on both the server and the client.
The server is in AWS, so I've opened UDP 1194 inbound in the security group.
On the client side all traffic is allowed out.
Last edited by Pippin on Mon Jul 27, 2020 11:40 am, edited 1 time in total.
Reason: Formatting

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 11:18 am

Hi,
this is the output when the server loads.
I see this statement "M54,10.8.0.4" while the client tun0 IP is 10.8.0.6.
Does this statement refer to a /30 subnet or is this a mistake?
And I also saw this error in the log:

Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/M54:1: “iroute (2.4.4)

Server log


Mon Jul 27 11:09:42 2020 WARNING: file '/etc/openvpn/keys/ta.key' is group or others accessible
Mon Jul 27 11:09:42 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Mon Jul 27 11:09:42 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Mon Jul 27 11:09:42 2020 Diffie-Hellman initialized with 2048 bit key
Mon Jul 27 11:09:42 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 27 11:09:42 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 27 11:09:42 2020 ROUTE_GATEWAY 172.30.0.1/255.255.255.0 IFACE=eth0 HWADDR=02:9d:b1:75:8c:1d
Mon Jul 27 11:09:42 2020 TUN/TAP device tun0 opened
Mon Jul 27 11:09:42 2020 TUN/TAP TX queue length set to 100
Mon Jul 27 11:09:42 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 27 11:09:42 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 27 11:09:42 2020 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Jul 27 11:09:42 2020 /sbin/ip route add 172.17.200.0/24 via 10.8.0.2
Mon Jul 27 11:09:42 2020 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Jul 27 11:09:42 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jul 27 11:09:42 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jul 27 11:09:42 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Jul 27 11:09:42 2020 UDPv4 link remote: [AF_UNSPEC]
Mon Jul 27 11:09:42 2020 MULTI: multi_init called, r=256 v=256
Mon Jul 27 11:09:42 2020 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Jul 27 11:09:42 2020 ifconfig_pool_read(), in='M54,10.8.0.4', TODO: IPv6
Mon Jul 27 11:09:42 2020 succeeded -> ifconfig_pool_set()
Mon Jul 27 11:09:42 2020 IFCONFIG POOL LIST
Mon Jul 27 11:09:42 2020 M54,10.8.0.4
Mon Jul 27 11:09:42 2020 Initialization Sequence Completed
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 TLS: Initial packet from [AF_INET]81.218.81.50:50722, sid=1a1dff18 28b5bf41
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 VERIFY OK: depth=1, C=US, ST=NY, L=NewYork, O=Younity, OU=Eng, CN=openserver, name=EasyRSA, emailAddress=xxxxxx
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 VERIFY OK: depth=0, C=US, ST=NY, L=newyork, O=M54-younity, OU=Eng, CN=M54, name=EasyRSA, emailAddress=xxxxxx
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_VER=2.4.4
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_PLAT=linux
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_PROTO=2
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_NCP=2
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_LZ4=1
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_LZ4v2=1
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_LZO=1
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_COMP_STUB=1
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_COMP_STUBv2=1
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 peer info: IV_TCPNL=1
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mon Jul 27 11:09:57 2020 81.218.81.50:50722 [M54] Peer Connection Initiated with [AF_INET]81.218.81.50:50722
Mon Jul 27 11:09:57 2020 M54/81.218.81.50:50722 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/M54
Mon Jul 27 11:09:57 2020 M54/81.218.81.50:50722 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/M54:1: “iroute (2.4.4)
Mon Jul 27 11:09:57 2020 M54/81.218.81.50:50722 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon Jul 27 11:09:57 2020 M54/81.218.81.50:50722 MULTI: Learn: 10.8.0.6 -> M54/81.218.81.50:50722
Mon Jul 27 11:09:57 2020 M54/81.218.81.50:50722 MULTI: primary virtual IP for M54/81.218.81.50:50722: 10.8.0.6
Mon Jul 27 11:09:58 2020 M54/81.218.81.50:50722 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 27 11:09:58 2020 M54/81.218.81.50:50722 SENT CONTROL [M54]: 'PUSH_REPLY,route 172.30.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Jul 27 11:09:58 2020 M54/81.218.81.50:50722 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jul 27 11:09:58 2020 M54/81.218.81.50:50722 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 27 11:09:58 2020 M54/81.218.81.50:50722 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Last edited by Pippin on Mon Jul 27, 2020 11:42 am, edited 1 time in total.
Reason: Formatting

TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: site to site (client side) route dont publish correctly

Post by TinCanTech » Mon Jul 27, 2020 11:40 am

ahiyaz wrote:
Mon Jul 27, 2020 11:18 am
Mon Jul 27 11:09:57 2020 M54/81.218.81.50:50722 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/M54:1: “iroute (2.4.4)
Well, it's a broken CCD File ..

Pippin
Forum Team
Posts: 830
Joined: Wed Jul 01, 2015 8:03 am

Re: site to site (client side) route dont publish correctly

Post by Pippin » Mon Jul 27, 2020 11:44 am

@ahiyaz
Please use the Preview button before Submit.

Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: site to site (client side) route dont publish correctly

Post by TinCanTech » Mon Jul 27, 2020 11:51 am

@Pippin, I (we) really appreciate the effort you make to format posts :) Thanks for doing so!

I might do a decent write-up showing how to use BBCodes properly for you, so you can add a link in future.

Just for the record, I don't really mind if people don't use them, even if we show them how to.
It shows how little care the users take when they don't use them ..
Especially when they are shown they do work by your edits.

300000
OpenVPN Super User
Posts: 215
Joined: Tue May 01, 2012 9:30 pm

Re: site to site (client side) route dont publish correctly

Post by 300000 » Mon Jul 27, 2020 12:16 pm

ahiyaz wrote:
Mon Jul 27, 2020 11:07 am
ccd M54 file:

“iroute 172.17.200.0 255.255.255.0”

I have the "iroute" line only in the ccd file,
but in the server file I have route

route 172.17.200.0 255.255.255.0

The FW is disabled for now on both the server and the client.
The server is in AWS, so I've opened UDP 1194 inbound in the security group.
On the client side all traffic is allowed out.
It is correct and must have route 172.17.200.0 in the server config and iroute in ccd, so both are needed for site to site to work. Now you need to enable IP forwarding and NAT on the client so the server can communicate with the client subnet. Just do as you did with the server, but on the client.
Type these commands into the terminal with sudo:

iptables -t nat -A POSTROUTING -s 172.17.200.0/24 -j MASQUERADE

perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net


It should work out for you.

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 1:35 pm

TinCanTech wrote:
Mon Jul 27, 2020 11:51 am
@Pippin, I (we) really appreciate the effort you make to format posts :) Thanks for doing so!

I might do a decent write-up showing how to use BBCodes properly for you, so you can add a link in future.

Just for the record, I don't really mind if people don't use them, even if we show them how to.
It shows how little care the users take when they don't use them ..
Especially when they are shown they do work by your edits.

I did use the "oconf" button, I don't know why it didn't work this time.
Will preview next time.

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 1:39 pm

300000 wrote:
Mon Jul 27, 2020 12:16 pm
ahiyaz wrote:
Mon Jul 27, 2020 11:07 am
ccd M54 file:

“iroute 172.17.200.0 255.255.255.0”

I have the "iroute" line only in the ccd file,
but in the server file I have route

route 172.17.200.0 255.255.255.0

The FW is disabled for now on both the server and the client.
The server is in AWS, so I've opened UDP 1194 inbound in the security group.
On the client side all traffic is allowed out.
It is correct and must have route 172.17.200.0 in the server config and iroute in ccd, so both are needed for site to site to work. Now you need to enable IP forwarding and NAT on the client so the server can communicate with the client subnet. Just do as you did with the server, but on the client.
Type these commands into the terminal with sudo:

iptables -t nat -A POSTROUTING -s 172.17.200.0/24 -j MASQUERADE

perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net


It should work out for you.

I don't have a firewall on the client's Ubuntu server, only an external FW as the network GW.
Do you mean I should configure inbound port forwarding on my external FW?
What do you think about the error message I had regarding the CCD file?
Thanks

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 1:49 pm

TinCanTech wrote:
Mon Jul 27, 2020 11:40 am
ahiyaz wrote:
Mon Jul 27, 2020 11:18 am
Mon Jul 27 11:09:57 2020 M54/81.218.81.50:50722 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/M54:1: “iroute (2.4.4)
Well, it's a broken CCD File ..
So what do you think I should do? Just reconfigure it?
You can see in my previous comment that the file structure is correct.

Thanks

300000
OpenVPN Super User
Posts: 215
Joined: Tue May 01, 2012 9:30 pm

Re: site to site (client side) route dont publish correctly

Post by 300000 » Mon Jul 27, 2020 1:57 pm

At the moment iroute is in error, so something is wrong with that; let's check it first.

Please post the full common name of the client certificate and the full file name in the ccd folder.

When you created the certificate for the client and it asked for the common name, what name did you give? If you don't know or forgot that name, you need to go back and find out what the name is. Once you have that name, rename the file in ccd to that name, so when the client connects to the server it will add the route to its routing table. When you check routing it should have 172.17.200.0/24 via 10.8.0.6 dev tun0, not 172.17.200.0/24 via 10.8.0.2 dev tun0; right now there is no info on the client route on the server, which means nothing from the server can find its way to the client subnet.

TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: site to site (client side) route dont publish correctly

Post by TinCanTech » Mon Jul 27, 2020 2:07 pm

ahiyaz wrote:
Thu Jul 23, 2020 4:26 pm
CCD folder routes
“iroute 172.17.200.0 255.255.255.0”
If you have used quotes in the CCD file then remove them.

The content of the file should be exactly:

iroute 172.17.200.0 255.255.255.0

No quotes.
ahiyaz wrote:
Mon Jul 27, 2020 1:35 pm
i did use the "oconf" button
Please do not use oconf for log files, instead use Code Button: </>

oconf is for Openvpn config files and needs a parameter to work.

EG:


[oconf=server]
details of your server config ..
[/oconf]

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 2:09 pm

I'm pretty sure I created the client cert using the M54 common name.

./build-key M54

ahiyaz
OpenVpn Newbie
Posts: 12
Joined: Thu Jul 23, 2020 3:50 pm

Re: site to site (client side) route dont publish correctly

Post by ahiyaz » Mon Jul 27, 2020 2:16 pm

TinCanTech wrote:
Mon Jul 27, 2020 2:07 pm
ahiyaz wrote:
Mon Jul 27, 2020 1:35 pm
i did use the "oconf" button
Please do not use oconf for log files, instead use Code Button: </>

oconf is for Openvpn config files and needs a parameter to work.

EG:


[oconf=server]
details of your server config ..
[/oconf]

Answer:
I think I got it. Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: site to site (client side) route dont publish correctly

Post by TinCanTech » Mon Jul 27, 2020 2:23 pm

Just stop using oconf altogether .. :(

300000
OpenVPN Super User
Posts: 215
Joined: Tue May 01, 2012 9:30 pm

Re: site to site (client side) route dont publish correctly

Post by 300000 » Mon Jul 27, 2020 2:33 pm

inside that file just add this

iroute 172.17.200.0 255.255.255.0
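Added example for this thread (not code from the forum posters or from OpenVPN): a POSIX sh linter that catches the two problems the replies above point at, non-ASCII quote characters in the CCD file and an iroute without the matching route in the server config, and that shows why the kernel route via the tun peer 10.8.0.2 is expected. The file name M54, the paths and the sample files are assumptions constructed inside the script.

```shell
#!/bin/sh
# ccd_lint CCD_FILE SERVER_CONF  -> status 0 = ok, 1 = problem found.
# The ccd file name must equal the client certificate CN (M54 here).
ccd_lint() {
    ccd="$1"; conf="$2"; rc=0
    # 1. Any byte outside printable ASCII (curly quotes pasted from a word
    #    processor, a UTF-8 BOM, a CR from a Windows editor) becomes part of
    #    the option token and yields "Unrecognized option or missing or extra
    #    parameter(s)" in the server log, exactly as seen in this thread.
    if LC_ALL=C grep -n '[^[:print:][:blank:]]' "$ccd"; then
        echo "$ccd: non-ASCII bytes on the line(s) above (smart quotes?)" >&2
        rc=1
    fi
    ip4='([0-9]{1,3}\.){3}[0-9]{1,3}'
    # 2. "iroute NET MASK" tells OpenVPN which client owns NET; the kernel
    #    still needs "route NET MASK" in the server config so packets enter
    #    tun0 at all. That kernel route points at the tun peer (10.8.0.2 in
    #    net30 topology) by design; OpenVPN picks the client from its iroutes.
    while read -r opt net mask extra || [ -n "$opt" ]; do
        case "$opt" in
            ''|'#'*|';'*) ;;
            iroute)
                if [ -n "$extra" ] || ! printf '%s %s\n' "$net" "$mask" | grep -Eq "^$ip4 $ip4\$"; then
                    echo "$ccd: malformed iroute line: $opt $net $mask $extra" >&2; rc=1
                else
                    esc=$(printf '%s %s' "$net" "$mask" | sed 's/\./\\./g')
                    grep -Eq "^[[:blank:]]*route[[:blank:]]+$esc([[:blank:]]|\$)" "$conf" ||
                        { echo "$conf: missing 'route $net $mask' for this iroute" >&2; rc=1; }
                fi ;;
            push|push-reset|push-remove|ifconfig-push|ifconfig-ipv6-push|iroute-ipv6|config|disable) ;;
            *) echo "$ccd: '$opt' is not an option allowed in a ccd file" >&2; rc=1 ;;
        esac
    done < "$ccd"
    return $rc
}

# make_samples DIR: constructed files mirroring this thread (not the poster's
# real files): ccd/M54 with the curly quotes that broke parsing, a fixed copy,
# and a minimal server config carrying the matching route.
make_samples() {
    d="$1"; mkdir -p "$d/bad" "$d/good"
    printf '\342\200\234iroute 172.17.200.0 255.255.255.0\342\200\235\n' > "$d/bad/M54"
    printf 'iroute 172.17.200.0 255.255.255.0\n' > "$d/good/M54"
    printf 'server 10.8.0.0 255.255.255.0\nclient-config-dir /etc/openvpn/ccd\nroute 172.17.200.0 255.255.255.0\n' > "$d/server.conf"
}

# Stand-alone demo ("sh ccd_lint.sh demo"): the broken file fails, the fixed one passes.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_samples "$tmp"
    ccd_lint "$tmp/bad/M54" "$tmp/server.conf" && echo "unexpected: bad ccd passed"
    ccd_lint "$tmp/good/M54" "$tmp/server.conf" && echo "good ccd OK"
    rm -r "$tmp"
fi
```

On a real server run it as `ccd_lint /etc/openvpn/ccd/M54 /etc/openvpn/server.conf` after every edit of a CCD file, since OpenVPN only reports the parse error when that client next connects.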
