one way ping

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

one way ping

Post by kb » Mon Jan 18, 2021 1:37 am

There are two networks with two linux servers: QNAP (home network) and Lukowa (work network).

description
The home network is connected with cable provider with 192.168.50.1 as default gateway. (The netmask is 255.255.254.0, as there was 192.168.51.* subnet one day.)
  • 192.168.50.1 - cable modem (with forwarded some ports to QNAP)
  • 192.168.50.2 - QNAP (eth0)
  • 192.168.50.3..253 - clients from home network
  • 192.168.50.254 - tomato DHCP for home network (with dnsmasq)
The work network is connected with usb/lte modem.
  • 192.168.49.2 - Lukowa (enp1s6)
  • 192.168.49.3..254 - clients from work network
The Lukowa computer is the gateway for 192.168.49.* through the enx0c5b8f279a64 network (192.168.8.1 is the usb/lte modem). As mobile internet company blocks all incoming connections the Lukowa computer is the VPN client. After establishing the openvpn/tun connection, there is tun0 on the server (inet addr: 192.168.48.1, ptp: 192.168.48.2) and tun2001 on the client (inet addr: 192.168.48.6, destination 192.168.48.5).

problem
From the QNAP network I can ping/connect 192.168.48.6, but I can't connect 192.168.49.2 (the following logs shows in OpenVPN telnet Management console with verb 7). At the same time I can ping whole 192.168.50.* network from the Lukowa, but I can ping only 192.168.48.6 from other work-client (eg. 192.168.49.3). I'd love to achieve the option to contact everything from everywhere ;) . I've read dozens of pages and I've tried to do it for 10 hours now... Can you help me, please?

Code: Select all

>LOG:1610931770,D,MULTI: REAP range 80 -> 96
>LOG:1610931770,D,GET INST BY VIRT: 192.168.49.6 [failed]
>LOG:1610931771,D,MULTI: REAP range 96 -> 112
>LOG:1610931771,D,GET INST BY VIRT: 192.168.49.6 [failed]

configuration
So, let's start from the server (QNAP). Ifconfig, route, iptables, etc

Code: Select all

[admin@QNAP ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:08:9B:CF:94:86
          inet addr:192.168.50.2  Bcast:192.168.51.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15738291 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12846453 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:466495933 (444.8 MiB)  TX bytes:2567913412 (2.3 GiB)
          Interrupt:11

eth1      Link encap:Ethernet  HWaddr 00:08:9B:CF:94:87
          UP BROADCAST NOTRAILERS MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:15

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4890740 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4890740 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:821737225 (783.6 MiB)  TX bytes:821737225 (783.6 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.48.1  P-t-P:192.168.48.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:8377 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6807 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:7323778 (6.9 MiB)  TX bytes:410482 (400.8 KiB)

[admin@QNAP ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.48.0    192.168.48.2    255.255.255.0   UG    0      0        0 tun0
192.168.48.2    *               255.255.255.255 UH    0      0        0 tun0
192.168.49.0    192.168.48.2    255.255.255.0   UG    0      0        0 tun0
192.168.50.0    *               255.255.254.0   U     0      0        0 eth0

[admin@QNAP ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[admin@QNAP ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

[admin@QNAP ~]#  cat /proc/sys/net/ipv4/ip_forward
1

[admin@QNAP ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

[admin@QNAP ~]# cat /etc/openvpn/ccd/lukowaVPN
iroute 192.168.49.0 255.255.255.0
QNAP Server configuration
cd /etc/openvpn
dev tun
keepalive 10 60
reneg-sec 0
persist-key
persist-tun
duplicate-cn
script-security 3
management localhost 7505
#username-as-common-name
#client-cert-not-required
verify-client-cert none
auth-user-pass-verify /usr/sbin/vpn_check_account via-env

ca /etc/openvpn/keys/ca.crt
dh /etc/openvpn/keys/dh1024.pem
key /etc/openvpn/keys/qnap.key
cert /etc/openvpn/keys/qnap.crt

client-connect /etc/openvpn/connect.sh
client-disconnect /etc/openvpn/disconnect.sh

status /var/log/openvpn-status.log
writepid /var/run/openvpn.server.pid

port secretportnumber
proto udp
max-clients 50

server 192.168.48.0 255.255.255.0

push "dhcp-option DNS 8.8.8.8"

client-config-dir ccd
client-to-client
route 192.168.49.0 255.255.255.0
push "route 192.168.49.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"

comp-lzo
cipher AES-128-CBC
tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

In addition the 192.168.50.254 DHCP server adds two static routes through 192.168.50.2 (which - I repeat - is NOT the default gateway). Dnsmasq works here with added:

Code: Select all

dhcp-option=option:classless-static-route,192.168.48.0/24,192.168.50.2, 192.168.49.0/24,192.168.50.2



And there comes the Lukowa VPN client configuration:

Code: Select all

root@lukowa:~# ifconfig
enp1s6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.49.2  netmask 255.255.255.0  broadcast 192.168.49.255
        inet6 fe80::da5d:4cff:fe83:57c4  prefixlen 64  scopeid 0x20<link>
        ether d8:5d:4c:83:57:c4  txqueuelen 1000  (Ethernet)
        RX packets 779145  bytes 579801876 (579.8 MB)
        RX errors 2  dropped 10  overruns 1  frame 0
        TX packets 895236  bytes 586928401 (586.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enx0c5b8f279a64: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.8.100  netmask 255.255.255.0  broadcast 192.168.8.255
        inet6 fe80::e5b:8fff:fe27:9a64  prefixlen 64  scopeid 0x20<link>
        ether 0c:5b:8f:27:9a:64  txqueuelen 1000  (Ethernet)
        RX packets 370821  bytes 331188878 (331.1 MB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 265850  bytes 85846348 (85.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 310437  bytes 44030576 (44.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 310437  bytes 44030576 (44.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun2001: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.48.6  netmask 255.255.255.255  destination 192.168.48.5
        inet6 fe80::b213:d9ad:6506:808e  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 6730  bytes 403476 (403.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8429  bytes 7328720 (7.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@lukowa:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.8.1     0.0.0.0         UG    100    0        0 enx0c5b8f279a64
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 enx0c5b8f279a64
192.168.8.1     0.0.0.0         255.255.255.255 UH    100    0        0 enx0c5b8f279a64
192.168.48.0    192.168.48.5    255.255.255.0   UG    0      0        0 tun2001
192.168.48.5    0.0.0.0         255.255.255.255 UH    0      0        0 tun2001
192.168.49.0    0.0.0.0         255.255.255.0   U     0      0        0 enp1s6
192.168.49.0    192.168.49.1    255.255.255.0   UG    99     0        0 enp1s6
192.168.50.0    192.168.48.5    255.255.255.0   UG    0      0        0 tun2001

root@lukowa:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@lukowa:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.49.0/24      anywhere

root@lukowa:~#  cat /proc/sys/net/ipv4/ip_forward
1

root@lukowa:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
The last MASQUERADE is

Code: Select all

iptables -t nat -A POSTROUTING -s 192.168.49.0/24 -o enx0c5b8f279a64 -j MASQUERADE
, so it is for the Lukowa network clients to be masqueraded in the internet, and not for the tun2001.

Lukowa client config
client
dev tun2001
script-security 3
proto udp
explicit-exit-notify 1
remote my.home.address secretportnumber
resolv-retry infinite
nobind
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/lukowaVPN.crt
key /etc/openvpn/client/lukowaVPN.key
auth-user-pass /etc/openvpn/client/login.conf
reneg-sec 0
cipher AES-128-CBC
tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
comp-lzo

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Mon Jan 18, 2021 2:13 pm

PS. pinging from 192.168.50.xx

Code: Select all

C:\Users\kb> ping 192.168.48.6 -n 2
Badanie 192.168.48.6 z 32 bajtami danych:
Odpowiedź z 192.168.48.6: bajtów=32 czas=80ms TTL=63
Odpowiedź z 192.168.48.6: bajtów=32 czas=72ms TTL=63

Statystyka badania ping dla 192.168.48.6:
    Pakiety: Wysłane = 2, Odebrane = 2, Utracone = 0
             (0% straty),
Szacunkowy czas błądzenia pakietów w millisekundach:
    Minimum = 72 ms, Maksimum = 80 ms, Czas średni = 76 ms

C:\Users\kb> ping 192.168.49.2 -n 2
Badanie 192.168.49.2 z 32 bajtami danych:
Upłynął limit czasu żądania.
Upłynął limit czasu żądania.

Statystyka badania ping dla 192.168.49.2:
    Pakiety: Wysłane = 2, Odebrane = 0, Utracone = 2
             (100% straty),

Code: Select all

[admin@QNAP ~] # tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
15:06:45.267554 IP 192.168.50.20 > 192.168.48.6: ICMP echo request, id 1, seq 167, length 40
15:06:45.347813 IP 192.168.48.6 > 192.168.50.20: ICMP echo reply, id 1, seq 167, length 40
15:06:46.269318 IP 192.168.50.20 > 192.168.48.6: ICMP echo request, id 1, seq 168, length 40
15:06:46.341008 IP 192.168.48.6 > 192.168.50.20: ICMP echo reply, id 1, seq 168, length 40
15:06:54.418832 IP 192.168.50.20 > 192.168.49.2: ICMP echo request, id 1, seq 169, length 40
15:06:58.996090 IP 192.168.50.20 > 192.168.49.2: ICMP echo request, id 1, seq 170, length 40

Code: Select all

root@lukowa:~# tcpdump -i tun2001 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun2001, link-type RAW (Raw IP), capture size 262144 bytes
15:06:46.094116 IP 192.168.50.20 > 192.168.48.6: ICMP echo request, id 1, seq 167, length 40
15:06:46.094190 IP 192.168.48.6 > 192.168.50.20: ICMP echo reply, id 1, seq 167, length 40
15:06:47.094075 IP 192.168.50.20 > 192.168.48.6: ICMP echo request, id 1, seq 168, length 40
15:06:47.094126 IP 192.168.48.6 > 192.168.50.20: ICMP echo reply, id 1, seq 168, length 40

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Sat Jan 23, 2021 1:22 am

anybody? :mrgreen:

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8661
Joined: Fri Jun 03, 2016 1:17 pm

Re: one way ping

Post by TinCanTech » Sat Jan 23, 2021 3:22 am

kb wrote:
Mon Jan 18, 2021 1:37 am
QNAP (home network) and Lukowa (work network).
Why do people go to work ?

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Thu Jan 28, 2021 9:48 pm

Because they like it?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8661
Joined: Fri Jun 03, 2016 1:17 pm

Re: one way ping

Post by TinCanTech » Thu Jan 28, 2021 10:33 pm

To get paid ...

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Sat Jan 30, 2021 3:06 am

"Choose a job you love and you'll never work a day in your life." Musicians don't have "work" (unfortunately). And the place I called "work" is a rehearsal/recording room. If you mean there should be pro IT tech in my "work", then I'm in charge ;)

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8661
Joined: Fri Jun 03, 2016 1:17 pm

Re: one way ping

Post by TinCanTech » Sun Jan 31, 2021 8:19 pm

You are obviously not a musician.

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Sat Feb 13, 2021 12:46 am

:D

(Your message contains 2 characters.
You need to enter at least 15 characters.)

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Sun Feb 14, 2021 10:39 pm

OK, let's get it that way: I'll prove you I'm a musician, and you'll help me with routing. Are you in?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8661
Joined: Fri Jun 03, 2016 1:17 pm

Re: one way ping

Post by TinCanTech » Sun Feb 14, 2021 11:04 pm

kb wrote:
Sun Feb 14, 2021 10:39 pm
I'll prove you I'm a musician, and you'll help me with routing.
I'll prove you don't know how to do your job and then you pay me to do it for you.

Unless you have some Alternative Business Model to spring on the World .. ?

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Mon Feb 15, 2021 1:54 am

TinCanTech, I work as a session musician since I finished secondary school, and that means about 20 years now. Playing gigs, writing music, arranging, recording, other tasks. I play ~100-120 gigs per year. About 45 gigs yearly are gigs with most known Polish singer (comparable to Barbra Streisand or Cher). I'm doing it for living and I enjoy this. But we have a pandemic now and our government forbade us to work. Not only in Poland, most of gigs were cancelled last year. That's why we moved into recording. Otherwise I'd have to move into IT or other area. I still believe I don't have to do this.

I understand you don't want to help me. OK, I'll deal it by myself. I hoped forums.openvpn.net are created for such questions. Apparently I was wrong.

300000
OpenVPN Super User
Posts: 463
Joined: Tue May 01, 2012 9:30 pm

Re: one way ping

Post by 300000 » Mon Feb 15, 2021 2:55 am

You are setting client to server so from client you can ping to every client on server subnet but from server you can't ping on client subnet that is what you want to ask.

you need to setup site to site connection so from server client subnet you can ping and connect to every client subnet.

you need to make change to server . that is when you need to looking up the answer. basis on server folder you need create a folder call CDD and inside that folder you need create a file as the same common certificate openvpn client , open that file add this line on


iroute 192.168.49.0 255.255.255.0

after that open openvpn server config and add this line

route 192.168.49.0 255.255.255.0


at the client openvpn Lukowa you need to do NAT and IP forward as the same openvpn server so after that you can connect subnet from server to subnet from client .

On the cable modem you need to add static roure so all clients can connect to openvpn client subnet

Destination subnet gateway

192.168.49.0 255.255.255.0 192.168.50.2

If you got anything suck just post in here I will help you .
Last edited by 300000 on Mon Feb 15, 2021 12:50 pm, edited 3 times in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8661
Joined: Fri Jun 03, 2016 1:17 pm

Re: one way ping

Post by TinCanTech » Mon Feb 15, 2021 4:48 am

kb wrote:
Mon Feb 15, 2021 1:54 am
I play ~100-120 gigs per year. About 45 gigs yearly are gigs with most known Polish singer (comparable to Barbra Streisand or Cher). I'm doing it for living
We all work for a living.
kb wrote:
Mon Feb 15, 2021 1:54 am
But we have a pandemic now and our government forbade us to work
They did the same to me ......
kb wrote:
Mon Feb 15, 2021 1:54 am
I understand you don't want to help me
I'll help for a small fee.
kb wrote:
Mon Feb 15, 2021 1:54 am
I hoped forums.openvpn.net are created for such questions
Questions about openvpn .. but your questions are far more complex than simply openvpn ..
kb wrote:
Mon Jan 18, 2021 1:37 am
I've read dozens of pages and I've tried to do it for 10 hours now... Can you help me, please?
10 hours is about how long it takes to read and understand the howto.

Here is my offer:

Considering how much time it will take for me to learn about your QNAP and Lukowa and then integrate your devices and networking into working with openvpn, I believe asking for a small fee is perfectly acceptable.

It is your choice ..

kb
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 18, 2021 12:19 am

Re: one way ping

Post by kb » Fri Feb 19, 2021 3:29 pm

300000 wrote:
Mon Feb 15, 2021 2:55 am
If you got anything suck just post in here I will help you .
:)

I think I had all the settings you wrote (maybe except one iptables entry on client). But during searching for an answer I've found topology: net30 setting and this webpage: https://community.openvpn.net/openvpn/wiki/Topology . So I changed it to subnet and changed the ifconfig-push to 192.168.48.8 255.255.255.0.

I also uncomment the username-as-common-name (as there were some UNDEF in status, so maybe the file from client-configuration-dir hasn't been read) and everything works now.

Thank you, 300000!

Post Reply