Client cannot ping correctly the same subnet under VPN

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
ThaunuMA
OpenVpn Newbie
Posts: 1
Joined: Wed May 25, 2022 1:19 pm

Client cannot ping correctly the same subnet under VPN

Post by ThaunuMA » Wed May 25, 2022 1:21 pm

Hello guys,

I have a question related to OpenVPN that's driving me crazy :D

I have an OpenVPN server, a Debian VM, and its IP is in the DMZ. My project is to connect over the LAN, and I have only this machine for the connection.

So, I have done everything, and I have this network configuration:

2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000

3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.16.0.10/24 brd 172.16.0.255 scope global br0

4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 100

The private IP of br0 is correctly published on the WAN, at the VPN port.

In this test the DMZ can communicate with 2 other VLANs, Vlan0 and Vlan1.

Vlan0 has subnet 192.168.0.x/24

Vlan1 has subnet 192.168.1.x/24

So the device in the DMZ can ping Vlan0 and Vlan1, and both Vlan0 and Vlan1 can ping it.

I have set up the machine with 172.16.0.10 with this configuration:


port 8443
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
topology subnet
server-bridge 172.16.0.10 255.255.255.0 172.16.0.150 172.16.0.152 
push "route 172.16.0.0 255.255.255.0 vpn_gateway"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1


And the client.conf is:


client
dev tap0
proto udp
remote myippublic 8443
;remote my-server-2 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
key-direction 1

The certificate, ta.key and ca.crt are correctly inserted with a script.sh.

I can connect, I can ping everything in Vlan0 and Vlan1, but I cannot ping the other machines in the DMZ quickly (for example, I have a VM with IP 172.16.0.151; when I try to ping this machine, for 10-20 or 100 packets I see packet loss or host not recognized, and after these packets I can ping it like the other VLANs).

I think this is strange behaviour; it seems like the 172.16.0.150 client machine connects and sends packets, and only after a few tries is it recognized, and ONLY in the same subnet, because Vlan1 and Vlan0 are recognized immediately.
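As an added example (not from the poster or the OpenVPN project), the following Python checker parses a copy of the server.conf posted above and flags three things worth verifying in a tap/bridge setup before looking at ARP or bridge behaviour: whether the server-bridge client pool contains an address that is already in use on the LAN (the pool 172.16.0.150 to 172.16.0.152 here includes the 172.16.0.151 VM mentioned in the post, which is worth ruling out as a conflict for any second client), whether a tun-only directive such as topology is present on a tap server, and whether a pushed route duplicates the bridged subnet the client is already on-link with. The KNOWN_LAN_HOSTS list is a constructed assumption; the config string is copied from the post.

```python
import ipaddress
import shlex

# Sample input: a copy of the server.conf posted in the thread above
# (constructed here as a string so the checker runs offline).
SERVER_CONF = """\
port 8443
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
topology subnet
server-bridge 172.16.0.10 255.255.255.0 172.16.0.150 172.16.0.152
push "route 172.16.0.0 255.255.255.0 vpn_gateway"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
"""

# Addresses known to be in use on the bridged DMZ LAN. Constructed list:
# 172.16.0.10 is the bridge itself and 172.16.0.151 is the VM the post pings.
KNOWN_LAN_HOSTS = ["172.16.0.10", "172.16.0.151"]


def parse_directives(text):
    """Split an OpenVPN config into (directive, [args]) pairs.

    Lines starting with ';' and trailing '#' comments are dropped;
    quoted push payloads are returned as a single argument."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def check_bridge_config(text, known_hosts):
    """Return a list of human-readable findings for a tap/bridge server config."""
    findings = []
    dev = topology = bridge = None
    pushes = []
    for name, args in parse_directives(text):
        if name == "dev" and args:
            dev = args[0]
        elif name == "topology" and args:
            topology = args[0]
        elif name == "server-bridge":
            bridge = args
        elif name == "push" and args:
            pushes.append(args[0].split())

    if bridge is None or len(bridge) != 4:
        findings.append("no 4-argument server-bridge directive found")
        return findings

    gateway, netmask, pool_start, pool_end = bridge
    lan = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # 1. The client pool must lie inside the bridged subnet and must not
    #    overlap addresses that are already in use on that LAN.
    if start not in lan or end not in lan:
        findings.append(f"pool {pool_start}-{pool_end} is outside bridged subnet {lan}")
    for host in known_hosts:
        addr = ipaddress.ip_address(host)
        if start <= addr <= end:
            findings.append(f"pool {pool_start}-{pool_end} contains existing LAN host {host}")

    # 2. 'topology' only applies to tun devices; on tap it is dead config.
    if dev and dev.startswith("tap") and topology is not None:
        findings.append(f"'topology {topology}' has no effect on {dev} (tun-only option)")

    # 3. Bridged clients are already on-link with the LAN subnet, so pushing
    #    a route for that same subnet via vpn_gateway is redundant.
    for push in pushes:
        if push and push[0] == "route" and len(push) >= 3:
            routed = ipaddress.ip_network(f"{push[1]}/{push[2]}", strict=False)
            if routed == lan:
                findings.append(f"pushed route for {routed} duplicates the bridged LAN subnet")
    return findings


if __name__ == "__main__":
    for finding in check_bridge_config(SERVER_CONF, KNOWN_LAN_HOSTS):
        print("finding:", finding)
```

Running it against the posted config yields three findings: the pool overlaps 172.16.0.151, the topology line is inert on tap0, and the pushed 172.16.0.0/24 route duplicates the bridged subnet. A pool moved to an unused range (for example .200 to .210) with the two redundant lines removed produces no findings.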
