OpenVPN not forwarding packets to tunnel

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
manjuv.storage
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 20, 2023 6:48 am

OpenVPN not forwarding packets to tunnel

Post by manjuv.storage » Fri Jun 23, 2023 4:26 am

The problem I'm facing is that, not able to ping or connect from 10.91.40.x/24 network to 10.91.0.x network. But I can ping only from 10.91.1.1 to 10.91.40.x network systems not 10.91.1.x network systems. Here I'm giving config, routing table, ping stats , iptables rules and logs.

We're unable to resolve above issue. Kindly help us on this.

################ Server Side #####################
# cat /etc/redhat-release
Rocky Linux release 8.8 (Green Obsidian)
[root@hub-fw1 ~]#
# rpm -qa | grep -i openvpn
openvpn-2.4.12-1.el8.x86_64
# rpm -qa | grep -i openssl
openssl-libs-1.1.1k-9.el8_7.x86_64
openssl-1.1.1k-9.el8_7.x86_64
openssl-pkcs11-0.4.10-3.el8.x86_64
apr-util-openssl-1.6.1-6.el8_8.1.x86_64
#

local w.x.y.z
port 2197
proto tcp4
dev tun0
ca ca.crt
cert issued/server.crt
key private/server.key
tls-crypt ta.key
auth-nocache
dh dh.pem
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir ccd
route 10.91.0.0 255.255.0.0 10.8.0.1
route 10.91.4.0 255.255.255.0
route 10.10.0.0 255.255.255.0
push "route 10.91.40.0 255.255.255.0"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
daemon


routing table
# route -n | grep tun0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.10.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.91.0.0 10.8.0.1 255.255.0.0 UG 0 0 0 tun0
10.91.4.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
#

# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
#

# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=188 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=37.1 ms
64 bytes from 10.8.0.2: icmp_seq=3 ttl=64 time=40.9 ms
64 bytes from 10.8.0.2: icmp_seq=4 ttl=64 time=64.7 ms
^C
--- 10.8.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 37.099/82.734/188.260/61.836 ms
#



IPtables Rules
# grep -r "tun0" /etc/rc.firewall
$IPTABLES -A INPUT -i tun0 -j ACCEPT
$IPTABLES -A FORWARD -i tun0 -j ACCEPT
$IPTABLES -A OUTPUT -o tun0 -j ACCEPT
#

# grep -r "a.b.c.d" /etc/rc.firewall
$IPTABLES -A INPUT -p tcp -s a.b.c.d --dport 2197 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s a.b.c.d --dport 443 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s a.b.c.d --dport 873 -j allowed
$IPTABLES -A FORWARD -d a.b.c.d -s 10.91.40.0/24 -j ACCEPT
#

Log after staring openvpn-server service at server side


OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
Diffie-Hellman initialized with 2048 bit key
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TLS-Auth MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
ROUTE_GATEWAY 14.98.2.129/255.255.255.252 IFACE=enp1s0 HWADDR=68:05:ca:2d:8e:a0
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
/sbin/ip route add 10.91.0.0/16 via 10.8.0.1
/sbin/ip route add 10.91.4.0/24 via 10.8.0.2
/sbin/ip route add 10.10.0.0/24 via 10.8.0.2
Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Socket Buffers: R=[87380->87380] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET]w.x.y.z:2197
TCPv4_SERVER link local (bound): [AF_INET]w.x.y.z:2197
TCPv4_SERVER link remote: [AF_UNSPEC]
GID set to nobody
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
MULTI: TCP INIT maxclients=1024 maxevents=1028
Initialization Sequence Completed



#After starting openvpn-service at client side

MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initializing
Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
TCP connection established with [AF_INET]a.b.c.d:35812
TCPv4_SERVER link local: (not bound)
TCPv4_SERVER link remote: [AF_INET]a.b.c.d:35812
Ra.b.c.d:35812 TLS: Initial packet from [AF_INET]a.b.c.d:35812, sid=7a5dd1d8 a26c2980
WRRWWWRRRWRa.b.c.d:35812 VERIFY OK: depth=1, CN=ionhubfw
a.b.c.d:35812 VERIFY OK: depth=0, CN=ionhubfw
a.b.c.d:35812 peer info: IV_VER=2.4.3
a.b.c.d:35812 peer info: IV_PLAT=linux
a.b.c.d:35812 peer info: IV_PROTO=2
a.b.c.d:35812 peer info: IV_NCP=2
a.b.c.d:35812 peer info: IV_LZ4=1
a.b.c.d:35812 peer info: IV_LZ4v2=1
a.b.c.d:35812 peer info: IV_LZO=1
a.b.c.d:35812 peer info: IV_COMP_STUB=1
a.b.c.d:35812 peer info: IV_COMP_STUBv2=1
a.b.c.d:35812 peer info: IV_TCPNL=1
WRa.b.c.d:35812 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
a.b.c.d:35812 [ionhubfw] Peer Connection Initiated with [AF_INET]a.b.c.d:35812
ionhubfw/a.b.c.d:35812 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
ionhubfw/a.b.c.d:35812 MULTI: Learn: 10.8.0.2 -> ionhubfw/a.b.c.d:35812
ionhubfw/a.b.c.d:35812 MULTI: primary virtual IP for ionhubfw/a.b.c.d:35812: 10.8.0.2
Rionhubfw/a.b.c.d:35812 PUSH: Received control message: 'PUSH_REQUEST'
ionhubfw/a.b.c.d:35812 SENT CONTROL [ionhubfw]: 'PUSH_REPLY,route 10.91.40.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
ionhubfw/a.b.c.d:35812 Data Channel: using negotiated cipher 'AES-256-GCM'
ionhubfw/a.b.c.d:35812 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
ionhubfw/a.b.c.d:35812 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
ionhubfw/a.b.c.d:35812 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
WWR^C
[root@hub-fw1 server]#


################ CLient Side #####################

# rpm -qa | grep -i openvpn
openvpn-2.4.3-1.el7.x86_64
openvpn-auth-ldap-2.0.3-14.1.el7.x86_64
# rpm -qa | grep -i openssl
openssl-libs-1.0.2k-25.el7_9.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
openssl-1.0.2k-25.el7_9.x86_64
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
#


remote w.x.y.z 2197
dev tun4
client
float
proto tcp4
ca ca.crt
cert ionfwhub.crt
key ionfwhub.key
tls-crypt ta.key
auth-nocache
keepalive 10 60
cipher AES-256-CBC
comp-lzo
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
verb 5
mute 5
daemon
status openvpn-status.log
log openvpn.log
auth-nocache



# route -n | grep tun4
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun4
10.91.40.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun4
#

# ifconfig tun4
tun4: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.2 netmask 255.255.255.0 destination 10.8.0.2


# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=203 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=119 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=160 ms
64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=76.1 ms
^C
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 76.129/139.938/203.960/47.495 ms
#
################ CLient Side #####################
Top
manjuv.storage
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 20, 2023 6:48 am

Re: OpenVPN not forwarding packets to tunnel

Post by manjuv.storage » Fri Jun 23, 2023 5:43 am

I already enabled IP forwarding

# cat /proc/sys/net/ipv4/ip_forward
1
Top
manjuv.storage
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 20, 2023 6:48 am

Re: OpenVPN not forwarding packets to tunnel

Post by manjuv.storage » Fri Jun 23, 2023 5:51 am

tcpdump output from server to client,

# tcpdump -ni tun0 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
11:12:17.275832 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 1, length 64
11:12:18.295008 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 2, length 64
11:12:19.318974 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 3, length 64
11:12:20.343000 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 4, length 64
11:12:21.366998 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 5, length 64
11:12:22.391002 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 6, length 64
11:12:23.415003 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 7, length 64
11:12:24.440010 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 8, length 64
11:12:25.462999 IP 10.8.0.1 > 10.91.1.1: ICMP echo request, id 68, seq 9, length 64
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
[root@hub-fw1 ~]#
Top
Post Reply

Return to “Server Administration”