I am now trying to configure a site-to-site VPN.
When I ping from openvpn-client to desktop, I get a response, but from laptop to desktop, no response.
My network environment is as follows:

My configuration files are as follows:
server:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0"
client-config-dir ccd
route 192.168.255.0 255.255.255.0
client-to-client
keepalive 10 120
tls-auth ta.key 0
auth SHA512
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher ECDHE+AESGCM:DHE+aRSA+AESGCM:ECDHE+AESCCM:DHE+aRSA+AESCCM:+AES256
tls-cipher ECDHE+CHACHA20:DHE+aRSA+CHACHA20:+DHE:ECDHE+AES128:ECDHE+CAMELLIA128
tls-cipher ECDHE+AES:ECDHE+CAMELLIA:+ECDHE+SHA:DHE+aRSA+AES128
tls-cipher DHE+aRSA+CAMELLIA128:DHE+aRSA+AES:DHE+aRSA+CAMELLIA:+DHE+aRSA+SHA
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
client:
client
dev tun
proto udp
remote myvpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
auth SHA512
cipher AES-256-GCM
verb 3
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
ping from openvpn-client to desktop
result: My laptop can connect to my desktop.
- tun0 on openvpn-client captures plain packets. (10.8.0.6 -> 192.168.11.11)
- enp3s0 on openvpn-server captures encrypted packets.
- tun0 on openvpn-server captures plain packets. (10.8.0.6 -> 192.168.11.11)
- enp3s0 on openvpn-server captures plain packets. (192.168.11.254 -> 192.168.11.11)
result: My laptop cannot connect to my desktop.
- tun0 on openvpn-client captures plain packets. (192.168.255.159 -> 192.168.11.11)
- enp3s0 on openvpn-server captures encrypted packets.
- tun0 on openvpn-server does not capture any packets.
And, the routing table for each node is correct.
root@openvpn-server:~# ip route
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.11.0/24 dev enp3s0 proto kernel scope link src 192.168.11.254 metric 100
192.168.255.0/24 via 10.8.0.2 dev tun0
root@openvpn-client:~# ip route
default via 172.20.10.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
169.254.0.0/16 dev eth0 scope link metric 1000
172.20.10.0/28 dev wlan0 proto kernel scope link src 172.20.10.2 metric 600
192.168.11.0/24 via 10.8.0.5 dev tun0
192.168.255.0/24 dev eth0 proto kernel scope link src 192.168.255.254 metric 100
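
A check that fits this setup, added here as an example and not part of the original post: in server mode the `route` directive only sends 192.168.255.0/24 to tun0 in the kernel, while an `iroute` line in the client's `ccd` file tells the OpenVPN process which client owns that subnet, and packets from a source the client does not own are dropped. The `ccd` contents are not shown in the post, so `CCD_FILES` and the file name `openvpn-client` are constructed assumptions.

```python
import ipaddress

# Routing-related lines copied from the server config in the post.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.11.0 255.255.255.0"
client-config-dir ccd
route 192.168.255.0 255.255.255.0
client-to-client
"""

# Constructed sample: the post does not show the ccd directory, so this
# file name and its single line are assumptions for illustration.
CCD_FILES = {"openvpn-client": "ifconfig-push 10.8.0.6 10.8.0.5\n"}


def directives(text, name):
    """Yield the network of every '<name> <network> [netmask]' line."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != name:
            continue  # other directive, comment, or blank line
        mask = tok[2] if len(tok) > 2 else "255.255.255.255"
        try:
            yield ipaddress.ip_network(f"{tok[1]}/{mask}", strict=False)
        except ValueError:
            continue  # hostname or keyword instead of an address


def missing_iroutes(server_conf, ccd_files):
    """Server 'route' subnets that no ccd file claims with 'iroute'."""
    claimed = [n for body in ccd_files.values()
               for n in directives(body, "iroute")]
    return [r for r in directives(server_conf, "route")
            if not any(r.subnet_of(c) for c in claimed)]


def owner_of(source_ip, ccd_files):
    """Name of the ccd file whose 'iroute' covers source_ip, else None."""
    addr = ipaddress.ip_address(source_ip)
    for name, body in ccd_files.items():
        if any(addr in net for net in directives(body, "iroute")):
            return name
    return None


if __name__ == "__main__":
    print("routes without iroute:", missing_iroutes(SERVER_CONF, CCD_FILES))
    print("owner of 192.168.255.159:", owner_of("192.168.255.159", CCD_FILES))
```

To run it against a real server, load the actual config text and the files under the `client-config-dir` directory in place of the two constants.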