Connects OK, but cannot ping server from client


Moderators: TinCanTech

zaudo
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 28, 2011 1:33 pm

Connects OK, but cannot ping server from client

Post by zaudo » Thu Apr 28, 2011 1:56 pm

Server: Linux (CentOS 5.6)
Client: Windows 7 x64 Ultimate

Goal: The goal is for the clients to be able to remotely access Samba shares on the server. No internet tunneling through the VPN or anything like that is required.

The client connects OK, but I can't get as far as testing Samba because I cannot ping the server's VPN IP address. The server can ping the client's VPN IP address, though.

I'll let the configs and logs do the talking. :)

(aaa.bbb.ccc.ddd is the server's public IP)

Config files

server.conf:
port 3366
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.214.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC # AES
comp-lzo

client.ovpn:
client
float
dev tun
proto udp
remote aaa.bbb.ccc.ddd 3366
resolv-retry infinite
nobind
persist-key
persist-tun
ca C:/VPN/ca.crt
cert C:/VPN/vpnclient-will.crt
key C:/VPN/vpnclient-will.key
ns-cert-type server
tls-auth C:/VPN/ta.key 1
keepalive 10 120
cipher AES-256-CBC
auth SHA1
comp-lzo
status openvpn-status.log
verb 3
tun-mtu 1500
mssfix 1400
route-method exe


Client log

Thu Apr 28 14:27:38 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Thu Apr 28 14:27:38 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Apr 28 14:27:38 2011 Control Channel Authentication: using 'C:/VPN/ta.key' as a OpenVPN static key file
Thu Apr 28 14:27:38 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 28 14:27:38 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 28 14:27:38 2011 LZO compression initialized
Thu Apr 28 14:27:38 2011 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Apr 28 14:27:38 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Apr 28 14:27:38 2011 Data Channel MTU parms [ L:1558 D:1400 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Apr 28 14:27:38 2011 Local Options hash (VER=V4): '9e7066d2'
Thu Apr 28 14:27:38 2011 Expected Remote Options hash (VER=V4): '162b04de'
Thu Apr 28 14:27:38 2011 UDPv4 link local: [undef]
Thu Apr 28 14:27:38 2011 UDPv4 link remote: aaa.bbb.ccc.ddd:3366
Thu Apr 28 14:27:38 2011 TLS: Initial packet from aaa.bbb.ccc.ddd:3366, sid=c4673254 8249c3d3
Thu Apr 28 14:27:38 2011 Replay-window backtrack occurred [1]
Thu Apr 28 14:27:39 2011 Replay-window backtrack occurred [2]
Thu Apr 28 14:27:39 2011 VERIFY OK: depth=1, /C=UK/ST=London/L=London/O=O/CN=CN_CA/emailAddress=admin@domain.com
Thu Apr 28 14:27:39 2011 VERIFY OK: nsCertType=SERVER
Thu Apr 28 14:27:39 2011 VERIFY OK: depth=0, /C=UK/ST=London/L=London/O=O/CN=server/emailAddress=admin@domain.com
Thu Apr 28 14:27:39 2011 Replay-window backtrack occurred [3]
Thu Apr 28 14:27:40 2011 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Apr 28 14:27:40 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 28 14:27:40 2011 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Apr 28 14:27:40 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 28 14:27:40 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Apr 28 14:27:40 2011 [server] Peer Connection Initiated with aaa.bbb.ccc.ddd:3366
Thu Apr 28 14:27:42 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Apr 28 14:27:43 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.214.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.214.6 192.168.214.5'
Thu Apr 28 14:27:43 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 28 14:27:43 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 28 14:27:43 2011 OPTIONS IMPORT: route options modified
Thu Apr 28 14:27:43 2011 ROUTE default_gateway=192.168.1.1
Thu Apr 28 14:27:43 2011 TAP-WIN32 device [TAP-Win32] opened: \\.\Global\{FCA7806F-6B68-4D62-9D89-B536F5E1EC10}.tap
Thu Apr 28 14:27:43 2011 TAP-Win32 Driver Version 9.8
Thu Apr 28 14:27:43 2011 TAP-Win32 MTU=1500
Thu Apr 28 14:27:43 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.214.6/255.255.255.252 on interface {FCA7806F-6B68-4D62-9D89-B536F5E1EC10} [DHCP-serv: 192.168.214.5, lease-time: 31536000]
Thu Apr 28 14:27:43 2011 Successful ARP Flush on interface [18] {FCA7806F-6B68-4D62-9D89-B536F5E1EC10}
Thu Apr 28 14:27:48 2011 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Apr 28 14:27:48 2011 C:\WINDOWS\system32\route.exe ADD 192.168.214.1 MASK 255.255.255.255 192.168.214.5
OK!
Thu Apr 28 14:27:48 2011 Initialization Sequence Completed


Port 3366 is open on the server

# iptables -nL |grep 3366
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3366
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3366
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3366
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3366


Server's NICs

# ifconfig
eth0 Link encap:Ethernet HWaddr 00:25:64:3D:15:ED
inet addr:aaa.bbb.ccc.ddd Bcast:aaa.bbb.ccc.ddd+13 Mask:255.255.255.240
inet6 addr: fe80::225:64ff:fe3d:15ed/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70565 errors:0 dropped:0 overruns:0 frame:0
TX packets:69505 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23180558 (22.1 MiB) TX bytes:41116965 (39.2 MiB)
Interrupt:169 Memory:dfdf0000-dfe00000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1682 errors:0 dropped:0 overruns:0 frame:0
TX packets:1682 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:863201 (842.9 KiB) TX bytes:863201 (842.9 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.214.1 P-t-P:192.168.214.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:228 (228.0 b) TX bytes:168 (168.0 b)


Client routes

>route print
===========================================================================
Interface List
18...00 ff fc a7 80 6f ......TAP-Win32 Adapter V9
13...1c 6f 65 83 f3 2a ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.2 266
192.168.1.2 255.255.255.255 On-link 192.168.1.2 266
192.168.1.255 255.255.255.255 On-link 192.168.1.2 266
192.168.214.1 255.255.255.255 192.168.214.5 192.168.214.6 31
192.168.214.4 255.255.255.252 On-link 192.168.214.6 286
192.168.214.6 255.255.255.255 On-link 192.168.214.6 286
192.168.214.7 255.255.255.255 On-link 192.168.214.6 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.2 266
224.0.0.0 240.0.0.0 On-link 192.168.214.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.2 266
255.255.255.255 255.255.255.255 On-link 192.168.214.6 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 58 ::/0 On-link
1 306 ::1/128 On-link
16 58 2001::/32 On-link
16 306 2001:0:5ef5:79fd:2046:2b28:3f57:fefd/128 On-link
13 266 fe80::/64 On-link
18 286 fe80::/64 On-link
16 306 fe80::/64 On-link
15 266 fe80::5efe:192.168.1.2/128 On-link
16 306 fe80::2046:2b28:3f57:fefd/128 On-link
13 266 fe80::9847:f006:9645:b4b6/128 On-link
18 286 fe80::a0f9:b599:1baf:f943/128 On-link
1 306 ff00::/8 On-link
16 306 ff00::/8 On-link
13 266 ff00::/8 On-link
18 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Last edited by zaudo on Thu Apr 28, 2011 2:56 pm, edited 1 time in total.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Connects OK, but cannot ping server from client

Post by janjust » Thu Apr 28, 2011 2:55 pm

Sounds like things are working, mostly; if ping server -> client works, but ping client -> server does not, then check the firewall on the server. Try adding something like

iptables -I INPUT -i tun+ -j ACCEPT

to allow all incoming traffic from the VPN.
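A way to confirm that diagnosis from the server's own rule listing instead of guessing, as an added example that is not from this thread or from the OpenVPN project: the POSIX shell script below replays a saved `iptables -S INPUT` listing against a fresh ICMP echo arriving on the tun interface, in the order the kernel evaluates the chain, and reports whether the packet reaches an ACCEPT or a terminal DROP/REJECT first. The three rule listings are constructed for the example (the thread only shows the grep for port 3366, not the whole chain). BEFORE reproduces the symptom under the usual assumptions: a RELATED,ESTABLISHED rule and an unrestricted OUTPUT chain explain why the server can ping the client (its echo-request leaves freely and the echo-reply matches ESTABLISHED) while the client's echo-request, a NEW packet arriving on tun0, falls through to the REJECT. AFTER is BEFORE with the rule from the reply inserted at position 1. TIGHT is a least-privilege variant for the stated Samba goal that admits only ICMP and the SMB ports from the tunnel.

```sh
#!/bin/sh
# Added example, not the poster's firewall: all three listings are constructed.

# BEFORE: UDP 3366 is open so the tunnel comes up, RELATED,ESTABLISHED lets the
# server's own pings be answered, but nothing admits a NEW packet that arrives
# inside the tunnel on tun0, so it hits the final REJECT.
BEFORE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 3366 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# AFTER: the reply's rule inserted at position 1 with -I. With -A it would sit
# after the REJECT and never be reached.
AFTER='-P INPUT ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 3366 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# TIGHT: only what the Samba use case needs from VPN clients, default DROP.
TIGHT='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 3366 -j ACCEPT
-A INPUT -i tun+ -p icmp -j ACCEPT
-A INPUT -i tun+ -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i tun+ -p tcp -m tcp --dport 139 -j ACCEPT'

# rule_matches RULE IFACE
# True if a NEW ICMP packet entering on IFACE would match RULE. Models the
# matches these listings use: -i (with the trailing-+ prefix wildcard), -p and
# -m state --state. Sets MATCHED_TARGET to the rule's -j target on success.
rule_matches() {
    iface=$2
    set -- $1
    in_if= proto= state= MATCHED_TARGET=
    while [ $# -gt 0 ]; do
        case $1 in
            -i)      in_if=$2;          shift ;;
            -p)      proto=$2;          shift ;;
            --state) state=$2;          shift ;;
            -j)      MATCHED_TARGET=$2; shift ;;
        esac
        shift
    done
    # Interface: "tun+" matches tun0, tun1, ...; "tun0" matches only itself.
    case "$in_if" in
        ''|+) ;;
        *+)   [ "${iface#${in_if%+}}" != "$iface" ] || return 1 ;;
        *)    [ "$in_if" = "$iface" ] || return 1 ;;
    esac
    # Protocol: an ICMP packet matches only an unrestricted, icmp or all rule.
    case "$proto" in
        ''|icmp|all) ;;
        *) return 1 ;;
    esac
    # State: a fresh packet is NEW, so a RELATED,ESTABLISHED-only rule skips it.
    case ",$state," in
        ,,|*,NEW,*) ;;
        *) return 1 ;;
    esac
    return 0
}

# tun_input_verdict RULES IFACE
# Prints "allowed" or "blocked" for a NEW ICMP packet entering on IFACE.
# First terminal match wins, as in the kernel; if nothing matches the chain
# policy decides. Jumps to user-defined chains are not followed.
tun_input_verdict() {
    policy=ACCEPT verdict=
    while IFS= read -r line; do
        [ -z "$verdict" ] || continue
        case $line in
            "-P INPUT "*) policy=${line##* } ;;
            "-A INPUT "*)
                rule_matches "$line" "$2" || continue
                case $MATCHED_TARGET in
                    ACCEPT)      verdict=allowed ;;
                    DROP|REJECT) verdict=blocked ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    if [ -z "$verdict" ]; then
        if [ "$policy" = ACCEPT ]; then verdict=allowed; else verdict=blocked; fi
    fi
    printf '%s\n' "$verdict"
}

# Stand-alone run: BEFORE blocks tun0, AFTER and TIGHT allow tun0, all block eth0.
printf 'BEFORE tun0: %s  eth0: %s\n' "$(tun_input_verdict "$BEFORE" tun0)" "$(tun_input_verdict "$BEFORE" eth0)"
printf 'AFTER  tun0: %s  eth0: %s\n' "$(tun_input_verdict "$AFTER" tun0)"  "$(tun_input_verdict "$AFTER" eth0)"
printf 'TIGHT  tun0: %s  eth0: %s\n' "$(tun_input_verdict "$TIGHT" tun0)"  "$(tun_input_verdict "$TIGHT" eth0)"
```

On the real server, feed it `iptables -S INPUT` (or `iptables-save`, taking the INPUT lines). Two caveats a practitioner would check: the script does not follow jumps, and CentOS 5's stock firewall sends INPUT through the RH-Firewall-1-INPUT chain, so list that chain instead of, or flattened into, INPUT; and `-i tun+ -j ACCEPT` admits every port from every VPN client, which is more than the Samba goal needs, hence the TIGHT listing.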

zaudo
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 28, 2011 1:33 pm

Re: Connects OK, but cannot ping server from client

Post by zaudo » Thu Apr 28, 2011 3:21 pm

janjust wrote: Sounds like things are working, mostly; if ping server -> client works, but ping client -> server does not, then check the firewall on the server. Try adding something like

iptables -I INPUT -i tun+ -j ACCEPT

to allow all incoming traffic from the VPN.
Fantastic. This was indeed the problem.

Thanks so much. Hopefully this helps others who make such a basic mistake with iptables in the future. :)
