OpenVpn client-to-site scenario creating tun0 interface with different ips in client than in server

sara4pfc09
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 23, 2020 11:41 am


Post by sara4pfc09 » Thu Jan 23, 2020 12:22 pm

Hi!
I'm new to OpenVPN. I have followed an online tutorial, https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04, with an Ubuntu server and client in two virtual machines.
Below you'll find my server config and client.ovpn files:


Server Config
# This is a comment
local 192.168.56.101
port 1194
proto udp
dev tun
ca ca.crt
cert servervpn.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1


client1.ovpn
# This is a comment
client
dev tun
proto udp
remote 192.168.56.101 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
verb 3
<ca>
(omitted for clarity)
</ca>
<cert>
...
</cert>
<key>
..
</key>
<tls-auth>
..
</tls-auth>



The server seems to start OK and creates a tun0 interface with 10.8.0.1 - 10.8.0.2 endpoints:

sara@servervpn:~$ sudo systemctl status openvpn@server
[sudo] password for sara:
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; indirect; vendor preset: enabled)
   Active: active (running) since Thu 2020-01-23 10:38:39 UTC; 1h 25min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 903 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 2318)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─903 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvp

Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 peer info: IV_PROTO=2
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 peer info: IV_LZ4=1
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 peer info: IV_LZ4v2=1
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 peer info: IV_LZO=1
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 peer info: IV_COMP_STUB=1
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 peer info: IV_COMP_STUBv2=1
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 peer info: IV_TCPNL=1
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 23 11:55:16 servervpn ovpn-server[903]: client1/192.168.56.103:35978 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
lines 1-22/22 (END)

server ifconfig shows (among other local interfaces):

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::5328:2cfe:210:bfd5  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11  bytes 528 (528.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

However, client1 starts as follows:

sara@LINC1:~$ sudo openvpn --config client1.ovpn
[sudo] password for sara: 
Thu Jan 23 13:08:44 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Thu Jan 23 13:08:44 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Thu Jan 23 13:08:44 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan 23 13:08:44 2020 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 23 13:08:44 2020 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 23 13:08:44 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.56.101:1194
Thu Jan 23 13:08:44 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jan 23 13:08:44 2020 UDP link local: (not bound)
Thu Jan 23 13:08:44 2020 UDP link remote: [AF_INET]192.168.56.101:1194
Thu Jan 23 13:08:44 2020 TLS: Initial packet from [AF_INET]192.168.56.101:1194, sid=ff16a8cc 14ad3423
Thu Jan 23 13:08:44 2020 VERIFY OK: depth=1, CN=serverca
Thu Jan 23 13:08:44 2020 VERIFY KU OK
Thu Jan 23 13:08:44 2020 Validating certificate extended key usage
Thu Jan 23 13:08:44 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 23 13:08:44 2020 VERIFY EKU OK
Thu Jan 23 13:08:44 2020 VERIFY OK: depth=0, CN=servervpn
Thu Jan 23 13:08:44 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jan 23 13:08:44 2020 [servervpn] Peer Connection Initiated with [AF_INET]192.168.56.101:1194
Thu Jan 23 13:08:45 2020 SENT CONTROL [servervpn]: 'PUSH_REQUEST' (status=1)
Thu Jan 23 13:08:45 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 1,cipher AES-256-GCM'
Thu Jan 23 13:08:45 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 23 13:08:45 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 23 13:08:45 2020 OPTIONS IMPORT: route options modified
Thu Jan 23 13:08:45 2020 OPTIONS IMPORT: peer-id set
Thu Jan 23 13:08:45 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Jan 23 13:08:45 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Jan 23 13:08:45 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 23 13:08:45 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 23 13:08:45 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 23 13:08:45 2020 ROUTE: default_gateway=UNDEF
Thu Jan 23 13:08:45 2020 TUN/TAP device tun0 opened
Thu Jan 23 13:08:45 2020 TUN/TAP TX queue length set to 100
Thu Jan 23 13:08:45 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jan 23 13:08:45 2020 /sbin/ip link set dev tun0 up mtu 1500
Thu Jan 23 13:08:45 2020 /sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Thu Jan 23 13:08:45 2020 /etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.10 10.8.0.9 init
Thu Jan 23 13:08:45 2020 /sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Thu Jan 23 13:08:45 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 23 13:08:45 2020 Initialization Sequence Completed
As a result, the client's ifconfig shows a tun0 with different IPs from the server's:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.10  netmask 255.255.255.255  destination 10.8.0.9
        inet6 fe80::d05a:4a8c:483f:6099  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 96 (96.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
As a curiosity, the client route table has both the server and client tunnels:

sara@LINC1:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
192.168.56.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
As far as I know, the client should create the tun0 with the same IPs as the server, but with the endpoints exchanged. Could anybody point out what I'm doing wrong, please?

Thank you in advance.
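Worked example (added here, not part of the post above or any reply to it). OpenVPN 2.4's `server 10.8.0.0 255.255.255.0` helper uses `topology net30` unless told otherwise, which is exactly what the PUSH_REPLY in the client log announces: the server keeps 10.8.0.1/10.8.0.2 for itself and carves a separate /30 out of the pool for every client, so each client gets its own pair such as `ifconfig 10.8.0.10 10.8.0.9` rather than the server's pair reversed. The script below reconstructs that allocation, parses the PUSH_REPLY line copied from the log, and checks that the pushed pair really is a client /30 of the server's pool. Function names, the "slot" numbering and the swapped-pair negative case are this example's own; the log line is the one from the post with the BBcode colour tags removed.

```python
"""Net30 address-pool check for an OpenVPN 2.4 `server` directive.

Added illustration: reconstructs the /30-per-client allocation that
`topology net30` performs and validates a PUSH_REPLY against it.
"""
import ipaddress

# Copied from the client log in the post (colour tags stripped).
PUSH_REPLY = ("PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,"
              "ifconfig 10.8.0.10 10.8.0.9,peer-id 1,cipher AES-256-GCM")


def server_endpoints(network: str, netmask: str):
    """Server side of a net30 `server` directive: local base+1, peer base+2."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    return str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2))


def net30_client_slots(network: str, netmask: str, count: int):
    """First `count` client /30 blocks, in pool order, as (client_local, client_peer).

    The pool starts four addresses above the network base and advances by
    four; within each block the client takes +2 and the server-side virtual
    endpoint is +1 (so 10.8.0.8/30 yields `ifconfig 10.8.0.10 10.8.0.9`).
    A block whose top address would be the subnet broadcast is not used.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    slots = []
    block = base + 4
    while len(slots) < count and block + 3 < int(net.broadcast_address):
        slots.append((str(ipaddress.ip_address(block + 2)),
                      str(ipaddress.ip_address(block + 1))))
        block += 4
    return slots


def parse_push_reply(line: str) -> dict:
    """Split a PUSH_REPLY control message into {option: argument string}."""
    if not line.startswith("PUSH_REPLY,"):
        raise ValueError("not a PUSH_REPLY line")
    opts = {}
    for item in line[len("PUSH_REPLY,"):].split(","):
        name, _, args = item.strip().partition(" ")
        opts[name] = args
    return opts


def check_assignment(push_line: str, network: str, netmask: str):
    """Return (ok, reason): is the pushed ifconfig pair a client /30 of the pool?"""
    opts = parse_push_reply(push_line)
    if opts.get("topology") != "net30":
        return False, f"unexpected topology {opts.get('topology')!r}"
    local, peer = opts["ifconfig"].split()
    slots = net30_client_slots(network, netmask, 256)  # a /24 yields 62 slots
    if (local, peer) not in slots:
        return False, f"{local}/{peer} is not a client /30 of {network}/{netmask}"
    idx = slots.index((local, peer))
    return True, (f"slot {idx}: client {local}, server-side peer {peer}; "
                  f"pushed 'route {opts.get('route')}' reaches the server via {peer}")


if __name__ == "__main__":
    print("server tun0:", server_endpoints("10.8.0.0", "255.255.255.0"))
    print("first client slots:", net30_client_slots("10.8.0.0", "255.255.255.0", 3))
    print(check_assignment(PUSH_REPLY, "10.8.0.0", "255.255.255.0"))
    # Negative case (constructed): the pair written the way the post expected.
    swapped = PUSH_REPLY.replace("ifconfig 10.8.0.10 10.8.0.9", "ifconfig 10.8.0.9 10.8.0.10")
    print(check_assignment(swapped, "10.8.0.0", "255.255.255.0"))
```

Running it against the post's log shows the client landed in slot 1 (10.8.0.8/30); slot 0 (10.8.0.6/10.8.0.5) is skipped whenever `ifconfig-pool-persist` hands back an address recorded in ipp.txt from an earlier connection, so the exact pair can differ between runs while still being valid. If a flat /24 with one address per client is wanted instead, `topology subnet` in the server config (and, for OpenVPN 2.4 clients, nothing extra, since the topology is pushed) makes the server push `ifconfig 10.8.0.x 255.255.255.0` plus a `route-gateway`, and `tun0` then shares the server's subnet directly.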

amaclay
OpenVpn Newbie
Posts: 1
Joined: Tue Aug 29, 2023 3:50 am

Re: OpenVpn client-to-site scenario creating tun0 interface with different ips in client than in server

Post by amaclay » Tue Aug 29, 2023 3:54 am

Hi sara4pfc09,

Were you able to find a solution? I'm trying to troubleshoot this exact issue and your post is the closest description to my issue I've found.
