OpenVPN routing suddenly doesn't work! - not sure what to check to fix

wowiesy
OpenVPN User
Posts: 25
Joined: Mon Jul 10, 2017 6:33 am

OpenVPN routing suddenly doesn't work! - not sure what to check to fix

Post by wowiesy » Wed Mar 09, 2022 3:49 am

Been using OpenVPN to access services housed in a remote LAN for years. Past week, the remote LAN (192.168.100.0/24 network) did some revisions in its network setup and suddenly, my OpenVPN setup (particularly the routing) doesn't work properly.

The actual link is working... when I'm at the server running the vpn link on the server side (192.168.100.0/24) with ip 192.168.100.253 (vpn ip of 10.8.0.1), my ping to other machines on the 100.x network comes out okay. From this machine, I also ping to the remote VPN box and it returns fine. But when I'm on the server running the vpn link on the client side (192.168.254.0/24) with ip of 192.168.254.1 (vpn ip of 10.8.0.245), I can't ping the 100.x machines. But ping to the vpn ip (10.8.0.1) works.


Default gateway on the 100.x network is 100.2, and it has the proper route statements set up. I asked the remote LAN to do some pings on my 254.x network.. and it came out okay. This tells me that routing setup on 100.x towards the client VPN network (254.x) is set up okay.



openvpn config at VPNSERVER (UBUNTUVPN)

Code:

management localhost 7505
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/BULVPNSERVER.crt
key /etc/openvpn/BULVPNSERVER.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.100.0 255.255.255.0"
client-config-dir ccd
route 192.168.254.0 255.255.255.0 
route 192.168.111.0 255.255.255.0 
client-config-dir ccd
route 10.8.0.245 255.255.255.0 
route 10.8.0.249 255.255.255.0
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC   # AES
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.BULVPN.log
verb 3

ifconfig on UBUNTUVPN (Note: tun0 is another VPN setup, seldom used. Not the issue here)

Code:

kss1x@UBUNTUVPN:~$ ifconfig
eno1      Link encap:Ethernet  HWaddr 94:c6:91:13:63:d8  
          inet addr:192.168.100.253  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::96c6:91ff:fe13:63d8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:334 errors:0 dropped:93 overruns:0 frame:0
          TX packets:151 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:40900 (40.9 KB)  TX bytes:19186 (19.1 KB)
          Interrupt:16 Memory:dc100000-dc120000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:168 errors:0 dropped:0 overruns:0 frame:0
          TX packets:168 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:12152 (12.1 KB)  TX bytes:12152 (12.1 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.1.1  P-t-P:10.8.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

routing table on UBUNTUVPN

Code:

kss1x@UBUNTUVPN:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.2   0.0.0.0         UG    0      0        0 eno1
10.8.0.0        *               255.255.255.0   U     0      0        0 tun1
10.8.1.0        *               255.255.255.0   U     0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 eno1
192.168.100.0   *               255.255.255.0   U     0      0        0 eno1
192.168.111.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun1
192.168.254.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun1


kss1x@UBUNTUVPN:~$ ip route show
default via 192.168.100.2 dev eno1 onlink 
10.8.0.0/24 dev tun1  proto kernel  scope link  src 10.8.0.1 
10.8.1.0/24 dev tun0  proto kernel  scope link  src 10.8.1.1 
169.254.0.0/16 dev eno1  scope link  metric 1000 
192.168.100.0/24 dev eno1  proto kernel  scope link  src 192.168.100.253 
192.168.111.0/24 via 10.8.0.2 dev tun1 
192.168.254.0/24 via 10.8.0.2 dev tun1 

from UBUNTUVPN box, ping to 254.x network..

Code:

kss1x@UBUNTUVPN:~$ ping -c 5 192.168.254.198
PING 192.168.254.198 (192.168.254.198) 56(84) bytes of data.
64 bytes from 192.168.254.198: icmp_seq=1 ttl=63 time=117 ms
64 bytes from 192.168.254.198: icmp_seq=2 ttl=63 time=133 ms
64 bytes from 192.168.254.198: icmp_seq=3 ttl=63 time=62.4 ms
64 bytes from 192.168.254.198: icmp_seq=4 ttl=63 time=78.9 ms
64 bytes from 192.168.254.198: icmp_seq=5 ttl=63 time=105 ms

--- 192.168.254.198 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 62.401/99.628/133.305/25.711 ms

on the client side (U1010ROUTER 192.168.254.1), ifconfig (Note: tun0 and tun1 are for different VPN purpose no relation to this issue)

Code:

kss1x@U1010ROUTER:~$ ifconfig
enp1s0    Link encap:Ethernet  HWaddr 18:d6:c7:03:23:5e  
          inet addr:192.168.254.1  Bcast:192.168.254.255  Mask:255.255.255.0
          inet6 addr: fe80::1ad6:c7ff:fe03:235e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:199030458 errors:0 dropped:1707 overruns:0 frame:0
          TX packets:367982786 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:49937625629 (49.9 GB)  TX bytes:366924536429 (366.9 GB)

enp2s0    Link encap:Ethernet  HWaddr 88:d7:f6:3d:78:a2  
          inet addr:192.168.1.103  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::8ad7:f6ff:fe3d:78a2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:372444775 errors:0 dropped:0 overruns:0 frame:0
          TX packets:212034950 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:363766771328 (363.7 GB)  TX bytes:70171730923 (70.1 GB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:198468 errors:0 dropped:0 overruns:0 frame:0
          TX packets:198468 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:14220585 (14.2 MB)  TX bytes:14220585 (14.2 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.6.1.1  P-t-P:10.6.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:1610 (1.6 KB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.6.0.1  P-t-P:10.6.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1173 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:82864 (82.8 KB)

tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.245  P-t-P:10.8.0.245  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:118534 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72470 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:11230028 (11.2 MB)  TX bytes:7311324 (7.3 MB)


route table

Code:

kss1x@U1010ROUTER:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 enp2s0
10.6.0.0        *               255.255.255.0   U     0      0        0 tun1
10.6.1.0        *               255.255.255.0   U     0      0        0 tun0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun2
link-local      *               255.255.0.0     U     1000   0        0 tun1
192.168.1.0     *               255.255.255.0   U     0      0        0 enp2s0
192.168.100.0   10.8.0.1        255.255.255.0   UG    0      0        0 tun2
192.168.254.0   *               255.255.255.0   U     0      0        0 enp1s0

ping to 100.x from 254.x


Code:

kss1x@U1010ROUTER:~$ ping -c 5 192.168.100.245
PING 192.168.100.245 (192.168.100.245) 56(84) bytes of data.

--- 192.168.100.245 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

I suspected it has something to do with the route table setting 10.8.0.2 as the vpn ip to go to for 10.8.0.x network, where in fact there is no 10.8.0.2 machine (the VPN box has 10.8.0.1).. but even if I manually change these entries to 10.8.0.1, it still won't work.. And besides, as it is, ping from 100.x network to 254.x network works.... only pinging from 254.x network to 100.x doesn't...

Not sure how to proceed. Help appreciated =)
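
Added example, not part of the original post: a small Python lint over the `server`, `route` and `client-config-dir` lines of the config posted above. It flags repeated directives and `route` entries whose address has host bits set for the given mask or that fall inside the VPN subnet; the function name `lint_routes` is an assumption of this example.

```python
import ipaddress

# Routing-related directives copied from the server config posted above.
POSTED_CONFIG = """\
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
client-config-dir ccd
route 192.168.254.0 255.255.255.0
route 192.168.111.0 255.255.255.0
client-config-dir ccd
route 10.8.0.245 255.255.255.0
route 10.8.0.249 255.255.255.0
"""

def lint_routes(config_text):
    """Return a list of (line_no, message) findings (hypothetical helper)."""
    findings, seen, routes, vpn_net = [], {}, [], None
    for no, raw in enumerate(config_text.splitlines(), 1):
        # Drop trailing comments and normalise whitespace.
        line = " ".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        if line in seen:
            findings.append((no, f"duplicate of line {seen[line]}: {line}"))
        seen.setdefault(line, no)
        words = line.split()
        if words[0] == "server" and len(words) >= 3:
            vpn_net = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[0] == "route" and len(words) >= 3:
            routes.append((no, words[1], words[2]))
    # Check routes after the loop so a later "server" line is still honoured.
    for no, addr, mask in routes:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if str(net.network_address) != addr:
            findings.append(
                (no, f"{addr}/{net.prefixlen} has host bits set (network is {net})"))
        if vpn_net and net.overlaps(vpn_net):
            findings.append((no, f"{net} overlaps the VPN subnet {vpn_net}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_routes(POSTED_CONFIG):
        print(f"line {no}: {msg}")
```
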

wowiesy
OpenVPN User
Posts: 25
Joined: Mon Jul 10, 2017 6:33 am

Re: OpenVPN routing suddenly doesn't work! - not sure what to check to fix

Post by wowiesy » Mon Mar 14, 2022 11:13 am

I haven't fixed this. Really need help on this.

While I'm on the 192.168.254.1 network (w/ the VPN link between 192.168.254.1 and 192.168.100.253 up):
- default gateway on the 100.x has the following route entries:
- 10.8.0.0/24 via 192.168.100.253
- 192.168.254.0/24 via 192.168.100.253

From the 192.168.254.1 LAN.. I am able to ping 100.2 (the default gateway in the 100.x network) and 100.5 and 100.112 (both are access points in the 100.x network).. but the other Windows Servers that I am trying to access... I get failed pings.

Don't know where else to look =(

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN routing suddenly doesn't work! - not sure what to check to fix

Post by TinCanTech » Tue Mar 15, 2022 12:14 am

If all else fails then you can contact me privately tincantech at protonmail dot com
(Fees will apply, or simply ignore this)
