Routing to LANs behind server

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Routing to LANs behind server

Post by amonkey » Mon Jan 24, 2011 7:17 pm

Hi,

I've got a working VPN, but I'm unable to give my clients access to subnets behind my server. I suspect a routing/firewalling issue, but I have not quite got it right using the numerous guides Google has thrown up.

Server
Ver - OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 26 2010
OS - Centos 5.5
Type - routed tun/tun
VPN server IP - 172.16.0.1
Range supplied to clients - 172.16.0.x
Target Subnet that I just can't hit - 10.12.176.x

Forwarding is enabled /proc/sys/net/ipv4/ip_forward = 1

I'm pushing the route out to the clients with push "route 10.12.176.0 255.255.255.0"

Under iptables I've tried all manner of magic, so if someone could please advise me on the correct rules to get this working it would be much appreciated.

Thanks

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 7:38 am

good morning,

I suspect the 10.12.176.x subnet is the LAN subnet of the OpenVPN server, right?

From the client, can you ping the LAN IP of the VPN server?

If yes, what default gateway do the PCs inside your LAN have?

cheers,

michael
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 9:21 am

Morning,
> I suspect the 10.12.176.x subnet is the LAN subnet of the OpenVPN server, right?
Correct
> From the client, can you ping the LAN IP of the VPN server?
No, but I can SSH to the OpenVPN server on 172.16.0.1 from a VPN client
> If yes, what default gateway do the PCs inside your LAN have?
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGSc 50 0 en1
10.12.176/24 172.16.0.5 UGSc 0 0 tun0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 5 100322 lo0
169.254 link#6 UCS 0 0 en1
172.16.0.1/32 172.16.0.5 UGSc 0 0 tun0
172.16.0.5 172.16.0.6 UH 2 0 tun0
192.168.0 link#6 UCS 9 0 en1
192.168.0.1 UHLWI 62 153 en1 829
192.168.0.3 UHLWI 0 3 en1 1097
192.168.0.6 UHLWI 1 72 en1 845
192.168.0.7 UHLWI 1 109 en1 961
192.168.0.11 UHLWI 1 72 en1 546
192.168.0.12 2 60 en1 1071
192.168.0.16 UHLWI 0 0 en1 1026
192.168.0.17 UHS 0 0 lo0
192.168.0.21 UHLWI 0 0 en1 1123
192.168.0.255 link#6 UHLWbI 1 31 en1

Thanks for your help

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 9:53 am

first,

1) If you disable iptables on CentOS, does the ping to the LAN interface of the VPN server respond?
2) Does the client actually receive the route that the server sends?
3) If you traceroute from the client to the LAN IP of the server, does it take the correct path?
4) Is SELinux enabled?

cheers,

michael

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 10:40 am

Thanks Michael,
> 1) If you disable iptables on CentOS, does the ping to the LAN interface of the VPN server respond?
Yes
> 2) Does the client actually receive the route that the server sends?
I push "route 10.12.176.0 255.255.255.0" from the server and on the client I can see:
10.12.176/24 172.16.0.5 UGSc 0 0 tun0

> 3) If you traceroute from the client to the LAN IP of the server, does it take the correct path?

Well, it's going via the OpenVPN server right now:
traceroute to 10.12.176.237 (10.12.176.237), 64 hops max, 52 byte packets
1 172.16.0.1 (172.16.0.1) 156.255 ms 146.653 ms 139.927 ms
> 4) Is SELinux enabled?
No

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 11:17 am

>Thanks Michael,
>
>Quote:
>1)if you disable iptables on centos ,does the ping to the lan interface of vpn server responds?
>yes

Then it's clearly an iptables issue...

can you please post your iptables setup?

cheers,

michael

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 11:23 am

iptables -L -v
Chain INPUT (policy DROP 48 packets, 18272 bytes)
pkts bytes target prot opt in out source destination
158K 9881K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
10 840 ACCEPT icmp -- any any anywhere anywhere
1 70 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
1982 119K ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 badflags tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN

Chain FORWARD (policy ACCEPT 141 packets, 6684 bytes)
pkts bytes target prot opt in out source destination
21 1280 ACCEPT all -- tun+ any anywhere anywhere

Chain OUTPUT (policy ACCEPT 160K packets, 9042K bytes)
pkts bytes target prot opt in out source destination

Chain badflags (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 15/min burst 5 LOG level warning prefix `Badflags:'
0 0 DROP all -- any any anywhere anywhere

Thanks again

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 11:46 am

May I assume that you don't perform any type of NAT using iptables?

michael.

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 12:03 pm

That's correct

I've done a tcpdump -i tun0 from the client attempting to connect to the server on the LAN, and I get the following:

11:56:41.081759 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,nop,wscale 3,nop,nop,timestamp 831388491 0,sackOK,eol>
11:56:41.985186 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,nop,wscale 3,nop,nop,timestamp 831388500 0,sackOK,eol>
11:56:42.986622 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,nop,wscale 3,nop,nop,timestamp 831388510 0,sackOK,eol>
11:56:43.988177 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,nop,wscale 3,nop,nop,timestamp 831388520 0,sackOK,eol>
11:56:44.988340 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,nop,wscale 3,nop,nop,timestamp 831388530 0,sackOK,eol>
11:56:45.988826 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,nop,wscale 3,nop,nop,timestamp 831388540 0,sackOK,eol>
11:56:47.991465 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,nop,wscale 3,nop,nop,timestamp 831388560 0,sackOK,eol>
11:56:52.000266 IP 172.16.0.6.54482 > 10.12.176.237.ssh: S 4188728417:4188728417(0) win 65535 <mss 1368,sackOK,eol>

Now I read this as either the traffic is not routing correctly in the first place, or no return traffic is coming back?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 12:13 pm

The only way to troubleshoot iptables is logging...

Enable logs on your rules and see what comes up.

PS: I don't think routing is your problem, because when you drop the tables everything works.

michael.

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 12:26 pm

Ok thanks for the suggestion, I'll give it a whirl.

As a note, if I drop the firewall I still can't route to the server on the LAN behind the OpenVPN server, on 10.12.176.237.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 12:32 pm

Sorry amonkey,

>Quote:
>1) If you disable iptables on CentOS, does the ping to the LAN interface of the VPN server respond?
>Yes

Does the LAN IP on the VPN server respond without the firewall or not? (You confused me, m8.)

m.

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 12:46 pm

The server on the LAN behind the VPN server doesn't respond; the only response I can get is when I ping/SSH to the OpenVPN server itself.

Apologies for the confusion

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 12:50 pm

ok..

Does the server behind the VPN have the VPN server itself as its default gateway?
or
Does the server behind the VPN have a static route for the VPN IPs (172.16.0.x) pointing to the VPN server?
Does the server behind the VPN have a firewall enabled? If yes, have you configured inbound access from the 172.16.0.x subnet?

cheers,

michael.

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 12:59 pm

> Does the server behind the VPN have the VPN server itself as its default gateway?
No

> or
> Does the server behind the VPN have a static route for the VPN IPs (172.16.0.x) pointing to the VPN server?
> Does the server behind the VPN have a firewall enabled? If yes, have you configured inbound access from the 172.16.0.x subnet?
No firewall enabled


Thanks

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 1:08 pm

Hi amonkey,

You answered 2 out of 3 questions there...

> Does the server behind the VPN have a static route for the VPN IPs (172.16.0.x) pointing to the VPN server?

You MUST route packets for the VPN subnet to the VPN server.

cheers,
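An added illustration (not from the thread) of the return-path problem maikcat is pointing at: a longest-prefix-match check over a constructed routing table for the LAN host, showing that without the static route the host's reply to a VPN client is handed to its default gateway rather than the VPN server, which is why the tcpdump earlier in the thread shows only retransmitted SYNs and no SYN-ACK. The VPN server's LAN address 10.12.176.1 and the LAN router 10.12.176.254 are assumed values; the thread does not give them.

```python
import ipaddress

def parse_routes(table):
    """Parse constructed 'destination gateway' lines (netstat -rn style, one
    route per line) into (network, gateway) pairs. 'default' is 0.0.0.0/0 and
    'link' marks a directly connected network."""
    routes = []
    for line in table.strip().splitlines():
        dest, gw = line.split()[:2]
        cidr = "0.0.0.0/0" if dest == "default" else dest
        routes.append((ipaddress.ip_network(cidr, strict=False), gw))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match, as the kernel does it: among all routes that
    contain dst, the one with the longest prefix wins. None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def return_path_ok(lan_host_routes, vpn_client_ip, vpn_server_lan_ip):
    """True when the LAN host's reply to a VPN client is handed to the VPN
    server; anything else (default gateway, no route) means the SYN arrives
    but the SYN-ACK never makes it back into the tunnel."""
    return next_hop(lan_host_routes, vpn_client_ip) == vpn_server_lan_ip

# Constructed routing table for the LAN host 10.12.176.237 as the thread
# describes it: default gateway is the LAN router, no route for 172.16.0.0/24.
LAN_HOST_BEFORE = """
default        10.12.176.254
10.12.176.0/24 link
"""
# The same host after adding the static route maikcat asks for. 10.12.176.1 is
# an assumed address for the VPN server's LAN interface (not given in the thread).
VPN_SERVER_LAN_IP = "10.12.176.1"
LAN_HOST_AFTER = LAN_HOST_BEFORE + f"172.16.0.0/24  {VPN_SERVER_LAN_IP}\n"

if __name__ == "__main__":
    client = "172.16.0.6"   # the VPN client address seen in the tcpdump above
    for label, table in (("before", LAN_HOST_BEFORE), ("after", LAN_HOST_AFTER)):
        routes = parse_routes(table)
        print(f"{label}: reply to {client} goes via {next_hop(routes, client)}, "
              f"return path ok: {return_path_ok(routes, client, VPN_SERVER_LAN_IP)}")
```

The same check applies to the routing table of the LAN's default router, which is the other place the 172.16.0.0/24 route can live so that every LAN host benefits without a per-host static route.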

amonkey
OpenVpn Newbie
Posts: 9
Joined: Mon Jan 24, 2011 7:04 pm

Re: Routing to LANs behind server

Post by amonkey » Tue Jan 25, 2011 1:14 pm

No, there is no static route in place

Thanks

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Tue Jan 25, 2011 1:19 pm

add it and let us know what happened...

cheers,

michael

sameerrrr
OpenVpn Newbie
Posts: 8
Joined: Tue Mar 22, 2011 10:39 pm

Re: Routing to LANs behind server

Post by sameerrrr » Tue Mar 22, 2011 11:03 pm

Hey maikcat,

I am also having a problem with my OpenVPN server on CentOS. Can you help me out please?

I am able to connect to my OpenVPN server, but unable to ping my local network at the office.

LAN network: (172.17.0.0/16) servers = 172.17.1.0/24, users 172.17.3.0/24 and onwards.
VPN server LAN IP: 172.17.17.17
VPN server tun0: 172.17.16.1

VPN users: 172.17.16.0/24

OpenVPN connects, but I am unable to ping or access anything.

I can ping the gateway (tun0) but can't ping the VPN server (LAN IP) or my local network.

my server.conf:

local 172.17.17.17
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.17.16.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.17.1.0 255.255.255.0"
push "redirect-gateway"
client-to-client
keepalive 10 120
comp-lzo
max-clients 150
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
mute 20

client.ovpn:

client
dev tap
proto udp

remote mydomain.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

auth-user-pass

comp-lzo

verb 3

routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.17.1.3 0.0.0.0 UG 0 0 0 eth0

iptables is off/stopped.

Please help me in this regard. I am badly in need of help, because I am already past the deadline in my office. I created and had the OpenVPN server running before, and it was working fine, but due to some disaster the server crashed. Now I am creating the new OpenVPN server on CentOS again, but this time I really don't know where I am making a mistake. I am stuck on it.

Anxiously waiting for a reply.

Regards,

Sam

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing to LANs behind server

Post by maikcat » Wed Mar 23, 2011 10:57 am

Hi sameerrrr,

Did you enable port forwarding on your server?

PS: it's better to create a new topic...


cheers,

michael.
