Communication between client and server over vpn tunnel

williamk777
OpenVpn Newbie
Posts: 11
Joined: Sat Feb 06, 2021 11:13 pm

Communication between client and server over vpn tunnel

Post by williamk777 » Tue Nov 23, 2021 5:11 pm

Hi,

I have an openvpn site to site to site tunnel with multiple subnets going through it. Both server and client are running Debian Buster. Communication, i.e. pings and other network traffic, between PCs behind client and server works just fine. However, pings or communication directly from the client fail. For example, my client debclient1 192.168.127.10 cannot ping debserver1 192.168.8.5, or any other PCs behind debserver1.

Here is the ping response from debclient1:
PING 172.16.200.2 (172.16.200.2) 56(84) bytes of data.
From 172.16.75.1 icmp_seq=1 Destination Port Unreachable
From 172.16.75.1 icmp_seq=2 Destination Port Unreachable
From 172.16.75.1 icmp_seq=3 Destination Port Unreachable
From 172.16.75.1 icmp_seq=4 Destination Port Unreachable
From 172.16.75.1 icmp_seq=5 Destination Port Unreachable

Here is the tun1 info from debclient1.
54: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.16.75.74 peer 172.16.75.73/32 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::8bc:d0c4:dca1:849/64 scope link stable-privacy
valid_lft forever preferred_lft forever

Is there a setting or static route I need to add to make this communication work?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Communication between client and server over vpn tunnel

Post by TinCanTech » Tue Nov 23, 2021 5:28 pm

Help us to help you, please see: viewtopic.php?f=30&t=22603

Post by williamk777 » Wed Nov 24, 2021 5:59 pm

Fair enough, I will provide the requested info. I was hoping it was a stupid easy fix.

I am using openvpn community edition version 2.4.7.

Here is the client config file:
Client Config

client
resolv-retry 20
keepalive 2 10
nobind
mute-replay-warnings
remote-cert-tls server
compress
verb 1
persist-key
persist-tun
explicit-exit-notify 1
pull-filter accept "route 172.16.200.0"
pull-filter accept "route 172.16.0.0"
pull-filter ignore "route 10."
pull-filter ignore "route 172.16."
pull-filter ignore "route 192.168."
dev tun1
proto udp
port 1194
cipher AES-128-CBC
cert keys/Guest-HA-P.crt
key keys/Guest-HA-P.key
ca keys/Guest-HA-P.crt
remote 1.1.1.1 1194 # public address
remote 1.1.1.1 1194 # static WAN 3
remote 2.2.2.2 1194 # static WAN 5


Here is the server config file:
Server Config

mode server
multihome
ca data/ca.crt
cert data/server.crt
key data/server.key
dh data/dh.pem
client-config-dir ccd
keepalive 2 10
user nobody
group nogroup
tls-server
compress
status openvpn-status.log
log /var/log/openvpn.log
verb 1
dev tun0
max-clients 2048
ccd-exclusive
persist-key
persist-tun
mute 20
ifconfig-pool-persist /etc/openvpn/address-pool-assignments.txt
push "register-dns"
proto udp
port 1194
cipher AES-128-CBC
server 172.16.75.0 255.255.255.128
management 127.0.0.1 1195
# Exports
push "route 172.16.200.0 255.255.252.0"
push "route 172.16.0.0 255.255.252.0"

Post by TinCanTech » Wed Nov 24, 2021 6:20 pm


Post by williamk777 » Wed Nov 24, 2021 7:02 pm

Thank you. That is a huge document, what section specifically do you want me to review? Also, I did a packet capture to try and further troubleshoot the issue. This is a site to site vpn with NO NAT. A packet capture shows that when pinging from a PC behind the client, the source address shows up as the client PC IP address (as it should). However, when I ping from the client itself, the source IP address shows up as 172.16.75.74, which is the tun1 IP address on the client. Thoughts?

Post by TinCanTech » Wed Nov 24, 2021 8:50 pm

williamk777 wrote: Wed Nov 24, 2021 5:59 pm

pull-filter ignore "route 172.16."

Do you understand what this does?

Post by williamk777 » Wed Nov 24, 2021 9:53 pm

Yes, the openvpn server is on an Untangle router. By default their config pushes out ALL the routes on the server to clients. I can change that in the config file, but the next time I restart the server the Untangle software will overwrite any changes I have made. So to prevent every route on my network being pushed out to all my clients, I am using pull-filters. Kind of messed up, but it works. Good point though, that filter could be blocking the traffic in question. I will try tweaking that and see what happens.
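
How the pull-filter lines discussed in this thread are evaluated, as an added example that is not part of any poster's message and is not OpenVPN's own code. It models the documented rules (filters tried in config order, prefix match, first match decides, unmatched options accepted); the filters are copied from the client config above, and the pushed options marked assumed or constructed do not come from the thread.

```python
# Added example: a model of OpenVPN's documented pull-filter semantics.
# Filters are tried in order, by string prefix; the first match decides.

# Filters copied from the client config in this thread, in config order.
CLIENT_FILTERS = [
    ("accept", "route 172.16.200.0"),
    ("accept", "route 172.16.0.0"),
    ("ignore", "route 10."),
    ("ignore", "route 172.16."),
    ("ignore", "route 192.168."),
]

# First three: from the server config above. Last two: assumptions.
PUSHED = [
    "register-dns",
    "route 172.16.200.0 255.255.252.0",
    "route 172.16.0.0 255.255.252.0",
    "route 172.16.75.1",                # assumed: net30 route to the server's tunnel IP
    "route 192.168.8.0 255.255.255.0",  # constructed: a LAN behind the server
]


def evaluate(option, filters):
    """Return (action, matching_filter_text) for one pushed option."""
    for action, text in filters:
        if option.startswith(text):
            return action, text
    return "accept", None  # default when no filter matches


def apply_filters(pushed, filters):
    """Split pushed options into those kept and those silently dropped."""
    kept, dropped = [], []
    for option in pushed:
        action, text = evaluate(option, filters)
        if action == "accept":
            kept.append(option)
        elif action == "ignore":
            dropped.append((option, text))
        else:  # "reject": OpenVPN flags an error and restarts the connection
            raise RuntimeError(f"rejected by {text!r}: {option}")
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = apply_filters(PUSHED, CLIENT_FILTERS)
    print("kept:", kept)
    print("dropped:", dropped)
```

Because the first match decides, moving the broad ignore "route 172.16." line above the two accept lines would also drop the two routes the client is meant to keep.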
