[Solved] Client Can't Ping Other Interfaces on Server from Client

cpal
OpenVpn Newbie
Posts: 4
Joined: Mon Mar 20, 2017 2:00 am

Post by cpal » Mon Mar 20, 2017 3:39 am

Hello,

I have been trying to set up OpenVPN on a server (among other things) for the better part of two days now and I cannot for the life of me figure out what the problem is. If anyone can shed any light on the situation I would be forever grateful!

Everything OpenVPN oriented seems to be working fine. The server is up and running and the client connects just fine. The problem is that I need to be able to ping from the server to an interface other than the OpenVPN interface on the client, and also from the client to an interface other than the OpenVPN interface on the server.

Right now the client is able to ping all other interfaces on the server, but the server cannot ping any interface aside from the active OpenVPN tun interface on the client.

My end game is communicating among all interfaces on 2 different physical servers running CentOS 7, connected to each other with an OpenVPN tunnel between them for management purposes, so that I can set up an active/active high-availability redundant configuration between them, with clients connecting to either machine and, in the case of server failure, having all clients move from the inactive server to the active server. Before I get that far I need help solving this puzzle.

I have stripped down my configuration to the following for the sake of troubleshooting.
I have removed all routes from my configuration and added the necessary routes again using the ip route command.
I also created an IP alias on the Ethernet interface of both hosts to simulate the other 2 tun interfaces that clients will be connecting to.

OpenVPN Version

OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  7 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2016 OpenVPN Technologies, Inc. 
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
Server Configuration:

#mode server
dev tun1
proto udp
port 11950
keepalive 5 30
max-clients 6
comp-lzo
user nobody
group nobody
auth-nocache
persist-key
persist-tun
script-security 2

tls-server
tls-auth /full/path/to/ta.key 0
remote-cert-tls client

cipher AES-256-CBC
auth SHA256

ca /full/path/to/ca.crt
crl-verify /full/path/to/crl.pem
cert /full/path/to/vpn1mgmt.crt
key /full/path/to/vpn1mgmt.key
dh /full/path/to/dh2048.pem

ifconfig 10.255.254.1 255.255.255.248
ifconfig-pool 10.255.254.3 10.255.254.7
topology subnet

client-config-dir /full/path/to/ccd
ccd-exclusive

verb 4
mute 10
status /var/log/openvpn/mgmt-status.log
log-append /var/log/openvpn/mgmt-openvpn.log

management 127.0.0.1 5554
Client Configuration:

client
proto udp
remote vpn1.somedomainname.com
port 11950
dev tun1
nobind
cipher AES-256-CBC
auth SHA256
comp-lzo
remote-cert-tls server
tls-auth /full/path/to/ta.key 1
ca /full/path/to/ca.crt
cert /full/path/to/vpn2mgmt.crt
key /full/path/to/vpn2mgmt.key
dh /full/path/to/dh2048.pem
auth-nocache
user nobody
group nobody
topology subnet
verb 4
mute 10
keepalive 5 30
resolv-retry infinite
persist-key
persist-tun
status /var/log/openvpn/mgmt-status.log
log-append /var/log/openvpn/mgmt-openvpn.log
Server Log File:

Mon Mar 20 04:53:38 2017 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  7 2016
Mon Mar 20 04:53:38 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Mon Mar 20 04:53:38 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:5554
Mon Mar 20 04:53:38 2017 Diffie-Hellman initialized with 2048 bit key
Mon Mar 20 04:53:38 2017 Control Channel Authentication: using '/full/path/to/ta.key' as a OpenVPN static key file
Mon Mar 20 04:53:38 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:53:38 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:53:38 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Mar 20 04:53:38 2017 TUN/TAP device tun1 opened
Mon Mar 20 04:53:38 2017 TUN/TAP TX queue length set to 100
Mon Mar 20 04:53:38 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Mar 20 04:53:38 2017 /usr/sbin/ip link set dev tun1 up mtu 1500
Mon Mar 20 04:53:38 2017 /usr/sbin/ip addr add dev tun1 10.255.254.1/29 broadcast 10.255.254.7
Mon Mar 20 04:53:38 2017 GID set to nobody
Mon Mar 20 04:53:38 2017 UID set to nobody
Mon Mar 20 04:53:38 2017 UDPv4 link local (bound): [undef]
Mon Mar 20 04:53:38 2017 UDPv4 link remote: [undef]
Mon Mar 20 04:53:38 2017 MULTI: multi_init called, r=256 v=256
Mon Mar 20 04:53:38 2017 IFCONFIG POOL: base=10.255.254.3 size=5, ipv6=0
Mon Mar 20 04:53:38 2017 Initialization Sequence Completed

Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:54758, sid=9283152e 8558ad38
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 CRL CHECK OK: CN=CDXVPN
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 VERIFY OK: depth=1, CN=CDXVPN
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 Validating certificate key usage
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 ++ Certificate has key usage  0080, expects 0080
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 VERIFY KU OK
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 Validating certificate extended key usage
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 VERIFY EKU OK
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 CRL CHECK OK: CN=vpn2mgmt
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 NOTE: --mute triggered...
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 6 variation(s) on previous 10 message(s) suppressed by --mute
Mon Mar 20 04:56:50 2017 xxx.xxx.xxx.xxx:54758 [vpn2mgmt] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:54758
Mon Mar 20 04:56:50 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 OPTIONS IMPORT: reading client specific options from: /full/path/to/ccd/vpn2mgmt
Mon Mar 20 04:56:50 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 MULTI: Learn: 10.255.254.2 -> vpn2mgmt/xxx.xxx.xxx.xxx:54758
Mon Mar 20 04:56:50 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 MULTI: primary virtual IP for vpn2mgmt/xxx.xxx.xxx.xxx:54758: 10.255.254.2
Mon Mar 20 04:56:53 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 PUSH: Received control message: 'PUSH_REQUEST'
Mon Mar 20 04:56:53 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 send_push_reply(): safe_cap=940
Mon Mar 20 04:56:53 2017 vpn2mgmt/xxx.xxx.xxx.xxx:54758 SENT CONTROL [vpn2mgmt]: 'PUSH_REPLY,ping 5,ping-restart 30,ifconfig 10.255.254.2 255.255.255.248' (status=1)
Client Log File:

Mon Mar 20 04:56:50 2017 us=657589 Current Parameter Settings:
Mon Mar 20 04:56:50 2017 us=657709   config = 'vpn2mgmt.conf'
Mon Mar 20 04:56:50 2017 us=657728   mode = 0
Mon Mar 20 04:56:50 2017 us=657743   persist_config = DISABLED
Mon Mar 20 04:56:50 2017 us=657757   persist_mode = 1
Mon Mar 20 04:56:50 2017 us=657900   show_ciphers = DISABLED
Mon Mar 20 04:56:50 2017 us=657958   show_digests = DISABLED
Mon Mar 20 04:56:50 2017 us=658015   show_engines = DISABLED
Mon Mar 20 04:56:50 2017 us=658072   genkey = DISABLED
Mon Mar 20 04:56:50 2017 us=658182 NOTE: --mute triggered...
Mon Mar 20 04:56:50 2017 us=658243 266 variation(s) on previous 10 message(s) suppressed by --mute
Mon Mar 20 04:56:50 2017 us=658300 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  7 2016
Mon Mar 20 04:56:50 2017 us=658362 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Mon Mar 20 04:56:50 2017 us=670760 Control Channel Authentication: using '/full/path/to/ta.key' as a OpenVPN static key file
Mon Mar 20 04:56:50 2017 us=670832 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:56:50 2017 us=670853 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Mar 20 04:56:50 2017 us=670898 LZO compression initialized
Mon Mar 20 04:56:50 2017 us=670998 Control Channel MTU parms [ L:1570 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Mar 20 04:56:50 2017 us=671053 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Mar 20 04:56:50 2017 us=807136 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Mon Mar 20 04:56:50 2017 us=807217 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Mon Mar 20 04:56:50 2017 us=807237 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Mon Mar 20 04:56:50 2017 us=807280 Local Options hash (VER=V4): '73e43c96'
Mon Mar 20 04:56:50 2017 us=807304 Expected Remote Options hash (VER=V4): '8a3b3cca'
Mon Mar 20 04:56:50 2017 us=807494 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Mar 20 04:56:50 2017 us=807521 UDPv4 link local: [undef]
Mon Mar 20 04:56:50 2017 us=807578 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:11950
Mon Mar 20 04:56:50 2017 us=808878 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:11950, sid=935946a5 d9ae95ca
Mon Mar 20 04:56:50 2017 us=819514 VERIFY OK: depth=1, CN=CDXVPN
Mon Mar 20 04:56:50 2017 us=819756 Validating certificate key usage
Mon Mar 20 04:56:50 2017 us=819777 ++ Certificate has key usage  00a0, expects 00a0
Mon Mar 20 04:56:50 2017 us=819791 VERIFY KU OK
Mon Mar 20 04:56:50 2017 us=819810 Validating certificate extended key usage
Mon Mar 20 04:56:50 2017 us=819825 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Mar 20 04:56:50 2017 us=819843 VERIFY EKU OK
Mon Mar 20 04:56:50 2017 us=819858 VERIFY OK: depth=0, CN=vpn1mgmt
Mon Mar 20 04:56:50 2017 us=845168 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Mar 20 04:56:50 2017 us=845232 NOTE: --mute triggered...
Mon Mar 20 04:56:50 2017 us=845299 4 variation(s) on previous 10 message(s) suppressed by --mute
Mon Mar 20 04:56:50 2017 us=845318 [vpn1mgmt] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:11950
Mon Mar 20 04:56:53 2017 us=261686 SENT CONTROL [vpn1mgmt]: 'PUSH_REQUEST' (status=1)
Mon Mar 20 04:56:53 2017 us=262521 PUSH: Received control message: 'PUSH_REPLY,ping 5,ping-restart 30,ifconfig 10.255.254.2 255.255.255.248'
Mon Mar 20 04:56:53 2017 us=262681 OPTIONS IMPORT: timers and/or timeouts modified
Mon Mar 20 04:56:53 2017 us=262702 OPTIONS IMPORT: --ifconfig/up options modified
Mon Mar 20 04:56:53 2017 us=262992 TUN/TAP device tun1 opened
Mon Mar 20 04:56:53 2017 us=263040 TUN/TAP TX queue length set to 100
Mon Mar 20 04:56:53 2017 us=263070 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Mar 20 04:56:53 2017 us=263102 /usr/sbin/ip link set dev tun1 up mtu 1500
Mon Mar 20 04:56:53 2017 us=265090 /usr/sbin/ip addr add dev tun1 10.255.254.2/29 broadcast 10.255.254.7
Mon Mar 20 04:56:53 2017 us=267791 GID set to nobody
Mon Mar 20 04:56:53 2017 us=267862 UID set to nobody
Mon Mar 20 04:56:53 2017 us=267877 Initialization Sequence Completed
Server's ip route Output

default via xxx.xxx.xxx.xxx dev enp2s0 
10.0.0.0/24 dev enp2s0  proto kernel  scope link  src 10.0.0.1 
10.0.0.2 via 10.255.254.1 dev tun1 
10.255.254.0/29 dev tun1  proto kernel  scope link  src 10.255.254.1 
xxx.xxx.xxx.xxx  dev enp2s0  proto kernel  scope link  src xxx.xxx.xxx.xxx  
169.254.0.0/16 dev enp2s0  scope link  metric 1002 
Client's ip route Output

default via xxx.xxx.xxx.xxx dev enp2s0 
10.0.0.0/24 dev enp2s0  proto kernel  scope link  src 10.0.0.2 
10.0.0.1 via 10.255.254.2 dev tun1 
10.255.254.0/29 dev tun1  proto kernel  scope link  src 10.255.254.2 
xxx.xxx.xxx.xxx dev enp2s0  proto kernel  scope link  src xxx.xxx.xxx.xxx 
169.254.0.0/16 dev enp2s0  scope link  metric 1002
Ping from Server to IP Alias on Client

ping -c3 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.

--- 10.0.0.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
Server's tcpdump Output for Interface tun1 During Ping from Server to Client

05:20:33.724602 IP vpn1 > 10.0.0.2: ICMP echo request, id 3523, seq 1, length 64
05:20:34.723801 IP vpn1 > 10.0.0.2: ICMP echo request, id 3523, seq 2, length 64
05:20:35.723817 IP vpn1 > 10.0.0.2: ICMP echo request, id 3523, seq 3, length 64
Client's tcpdump Output for Interface tun1 During Ping from Server to Client

Ping from Client to IP Alias on Server

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.752 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.680 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.644 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.644/0.692/0.752/0.044 ms
Server's tcpdump Output for Interface tun1 During Ping from Client to Server

05:22:24.568511 IP 10.255.254.2 > vpn1: ICMP echo request, id 3389, seq 1, length 64
05:22:24.568532 IP vpn1 > 10.255.254.2: ICMP echo reply, id 3389, seq 1, length 64
05:22:25.569010 IP 10.255.254.2 > vpn1: ICMP echo request, id 3389, seq 2, length 64
05:22:25.569022 IP vpn1 > 10.255.254.2: ICMP echo reply, id 3389, seq 2, length 64
05:22:26.568958 IP 10.255.254.2 > vpn1: ICMP echo request, id 3389, seq 3, length 64
05:22:26.568969 IP vpn1 > 10.255.254.2: ICMP echo reply, id 3389, seq 3, length 64
Client's tcpdump Output for Interface tun1 During Ping from Client to Server

05:22:24.568130 IP vpn2 > 10.0.0.1: ICMP echo request, id 3389, seq 1, length 64
05:22:24.568849 IP 10.0.0.1 > vpn2: ICMP echo reply, id 3389, seq 1, length 64
05:22:25.568643 IP vpn2 > 10.0.0.1: ICMP echo request, id 3389, seq 2, length 64
05:22:25.569311 IP 10.0.0.1 > vpn2: ICMP echo reply, id 3389, seq 2, length 64
05:22:26.568626 IP vpn2 > 10.0.0.1: ICMP echo request, id 3389, seq 3, length 64
05:22:26.569260 IP 10.0.0.1 > vpn2: ICMP echo reply, id 3389, seq 3, length 64
Any insight anyone?
Thanks in advance! :D

TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client Can't Ping Other Interfaces on Server from Client

Post by TinCanTech » Mon Mar 20, 2017 3:19 pm

cpal wrote: The problem is that I need to be able to ping from the server to an interface other than the OpenVPN interface on the client and also from the client to an interface other than the OpenVPN interface on the server.
See:
HOWTO: Expanding the scope of the VPN to include additional machines

Also:
cpal wrote: I have stripped down my configuration to the following for the sake of troubleshooting.
I have removed all routes from my configuration and added the necessary routes using the ip route command again.
This is not sufficient, because the server needs to have --iroute correctly configured also, as above.

cpal
OpenVpn Newbie
Posts: 4
Joined: Mon Mar 20, 2017 2:00 am

Re: Client Can't Ping Other Interfaces on Server from Client

Post by cpal » Tue Mar 21, 2017 1:42 am

Thank you very much TinCanTech! Everything works as it should now!
I added the following iroute to the ccd file for the client:

iroute 172.20.1.0 255.255.255.0
Again, thanks!!!
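The two halves of the fix in this thread are easy to get out of step: the kernel `route` (or a hand-added `ip route`) on the server sends packets for the client-side network into tun1, and the `iroute` in the client's ccd file tells OpenVPN which client owns that network. With only the first half, packets reach tun1 and are silently dropped, which is exactly what the tcpdump captures above show. The script below is an added example, not code from the posts or from the OpenVPN project: it parses a server config and a client-config-dir, builds a simplified model of OpenVPN's per-client routing table, and reports routes without a matching iroute and iroutes without a matching route. All file contents in it are constructed (the server config is the stripped-down one from the thread with an assumed `route 172.20.1.0 255.255.255.0` line, the ccd files mirror cpal's iroute); CNs and paths are placeholders.

```python
"""Audit an OpenVPN server's `route` directives against its clients' `iroute`s.

Added example for this thread, not code from the posts or from OpenVPN itself.
Every file body below is constructed; CNs and paths are placeholders.
"""
import ipaddress
import re

# Constructed server.conf: the `route` line is assumed (equivalent to the
# `ip route` cpal added by hand). It makes the kernel send 172.20.1.0/24 into
# tun1, but OpenVPN still needs an iroute to pick the client behind it.
SERVER_CONF = """\
dev tun1
tls-server
ifconfig 10.255.254.1 255.255.255.248
ifconfig-pool 10.255.254.3 10.255.254.7
topology subnet
client-config-dir /full/path/to/ccd
ccd-exclusive
route 172.20.1.0 255.255.255.0   # assumed for the example
"""

# Constructed ccd files keyed by client CN (the file name in client-config-dir).
CCD_OK = {
    "vpn2mgmt": "ifconfig-push 10.255.254.2 255.255.255.248\n"
                "iroute 172.20.1.0 255.255.255.0\n",
}
# Same client before the fix: kernel route present, iroute missing.
CCD_NO_IROUTE = {
    "vpn2mgmt": "ifconfig-push 10.255.254.2 255.255.255.248\n",
}

_ROUTE_RE = re.compile(r"^\s*(route|iroute)\s+(\S+)(?:\s+(\S+))?")
_PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)")
_DOTTED = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _strip_comment(line):
    return line.split("#", 1)[0].split(";", 1)[0]


def _network(addr, mask):
    """'network netmask' -> ip_network. A missing netmask, or a gateway keyword
    such as vpn_gateway in that position, means a /32 host route."""
    if mask is None or not _DOTTED.fullmatch(mask):
        mask = "255.255.255.255"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_networks(text, directive):
    """Networks declared by `directive` ('route' or 'iroute') in a config body."""
    nets = []
    for raw in text.splitlines():
        m = _ROUTE_RE.match(_strip_comment(raw))
        if m and m.group(1) == directive and _DOTTED.fullmatch(m.group(2)):
            nets.append(_network(m.group(2), m.group(3)))
    return nets


def internal_table(ccd_files):
    """Simplified model of OpenVPN's per-client routing table: each client's
    pushed VPN address plus every network it owns via iroute. Clients that take
    a pool address and have no ccd entry are not represented here."""
    table = []
    for cn, body in ccd_files.items():
        for raw in body.splitlines():
            m = _PUSH_RE.match(_strip_comment(raw))
            if m:
                table.append((ipaddress.ip_network(f"{m.group(1)}/32"), cn))
        for net in parse_networks(body, "iroute"):
            table.append((net, cn))
    return table


def client_for(dst, ccd_files):
    """CN of the client a packet for `dst` would be handed to (longest prefix
    match), or None when nobody claims it: the packet is dropped at tun1 even
    though the kernel routed it there."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, cn in internal_table(ccd_files):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cn)
    return best[1] if best else None


def audit(server_conf, ccd_files):
    """List of problems; empty means kernel routes and iroutes agree."""
    routes = parse_networks(server_conf, "route")
    iroutes = {}
    for cn, body in ccd_files.items():
        for net in parse_networks(body, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    problems = []
    for r in routes:
        if not any(i.subnet_of(r) for i in iroutes):
            problems.append(f"route {r}: no client claims it with iroute, "
                            "OpenVPN drops what the kernel sends into the tunnel")
    for i, cns in iroutes.items():
        if not any(i.subnet_of(r) for r in routes):
            problems.append(f"iroute {i} ({', '.join(cns)}): no server-side route, "
                            "the kernel never sends traffic for it into the tunnel")
        if len(cns) > 1:
            problems.append(f"iroute {i}: claimed by more than one client {cns}")
    return problems


if __name__ == "__main__":
    for label, ccd in (("before fix", CCD_NO_IROUTE), ("after fix", CCD_OK)):
        print(f"{label}: 172.20.1.7 -> {client_for('172.20.1.7', ccd)}")
        for p in audit(SERVER_CONF, ccd):
            print("  ", p)
```

Against the "before fix" ccd the audit reports the route with no iroute and `client_for` returns None for a host in 172.20.1.0/24, matching the thread's symptom; after adding the iroute both checks pass. The model only covers ccd-defined clients, so a client that draws a pool address and has no ccd file shows up as unknown; with `ccd-exclusive` set, as in cpal's config, such a client is refused anyway.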
