Can ping in one direction, but not the other

trebordadda
OpenVpn Newbie
Posts: 5
Joined: Thu May 05, 2011 11:27 pm

Can ping in one direction, but not the other

Post by trebordadda » Fri May 06, 2011 12:41 am

Hi there. I have been trying to get my OpenVPN configured for weeks, and I seem to be close, but never quite there. My goal is to route all my web traffic from one client (my laptop when I am travelling) through my VPN server.

My Server (192.168.1.x) is running Vista Ultimate (32-bit)--(OVPN gui in admin mode). The server sits behind an Actiontec router.
My client (192.168.2.x) is running Win 7 (64-bit)-- It sits behind a Linksys E3000 router.

My server config file is:

proto udp
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\static.key"
push "DHCP-option DNS 8.8.8.8"
route 192.168.2.0 255.255.255.0
verb 5

My client config file is:

proto udp
dev tun
remote [my server address] 1194
ifconfig 10.8.0.2 10.8.0.1
redirect-gateway def1
secret "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\static.key"
verb 5

The connection *looks* fine, meaning the right virtual IPs get assigned when I connect. From the client I can ping 10.8.0.1. However, from the server, when I ping 10.8.0.2 I get a time-out error.

On the server, I have Routing and Remote Access service started;
I have the IPEnableRouter registry setting set to 1;

I also have temporarily turned off the firewalls on both ends.
I have port forwarded UDP 1194 to the VPN server.

I am stumped. I had started with a bridged configuration. It didn't work, so I thought I would try a very simple configuration instead. I am still hitting a brick wall. Any help appreciated.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Can ping in one direction, but not the other

Post by maikcat » Fri May 06, 2011 7:36 am

Hi there,

I suggest you set up your scenario step by step:
that means first try to establish VPN connectivity, then try
to solve your internet access.

So:

Disable RAS for a start.

Which OpenVPN version did you use on both systems?
Please post netstat -nr output from both systems.
Where is the 192.168.2.0 subnet located?

cheers,
Michael
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

trebordadda
OpenVpn Newbie
Posts: 5
Joined: Thu May 05, 2011 11:27 pm

Re: Can ping in one direction, but not the other

Post by trebordadda » Fri May 06, 2011 11:59 pm

Michael,

First of all, thank you for responding to my post. I appreciate it a lot.

I think my problem is with the route configuration.

At any rate, I have followed your suggestion and gone back to a basic, bare-bones configuration. For that, I followed the static key mini How-to on this site pretty much verbatim.

I also disabled RAS.
I believe I am using Open VPN 2.2 Beta 3 (11/10/2010) with the 1.0.3 windows gui on both the client and the server. (not sure where to look for the version number--"about" only refers to the gui version.)

I can still ping from the client (10.8.0.2) to the server (10.8.0.1).
I still cannot ping the client from the server.




Here is the output of netstat -nr for the VPN server:


===========================================================================
Interface List
16 ...00 ff bc 34 e5 35 ...... TAP-Win32 Adapter V9
13 ...00 1e 4c cc 65 7e ...... Bluetooth Device (Personal Area Network)
11 ...00 1e c9 50 25 e8 ...... Intel(R) 82566DC-2 Gigabit Network Connection
1 ........................... Software Loopback Interface 1
20 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
27 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
18 ...00 00 00 00 00 00 00 e0 isatap.{BC34E535-3FC6-4701-A1A5-66E3AE072FE8}
19 ...00 00 00 00 00 00 00 e0 isatap.{D0C7E2D4-94F9-4851-8452-4D61260D6CD8}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.9 266
10.8.0.0 255.255.255.252 On-link 10.8.0.1 286
10.8.0.1 255.255.255.255 On-link 10.8.0.1 286
10.8.0.3 255.255.255.255 On-link 10.8.0.1 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 192.168.1.9 30
169.254.255.255 255.255.255.255 On-link 192.168.1.9 266
192.168.1.0 255.255.255.0 On-link 192.168.1.9 266
192.168.1.9 255.255.255.255 On-link 192.168.1.9 266
192.168.1.255 255.255.255.255 On-link 192.168.1.9 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.8.0.1 286
224.0.0.0 240.0.0.0 On-link 192.168.1.9 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.8.0.1 286
255.255.255.255 255.255.255.255 On-link 192.168.1.9 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.1.1 Default
0.0.0.0 0.0.0.0 192.168.1.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
16 286 fe80::/64 On-link
11 266 fe80::/64 On-link
11 266 fe80::8d73:afe6:9f12:3c2a/128
On-link
16 286 fe80::b4a4:1422:853b:f2d/128
On-link
1 306 ff00::/8 On-link
16 286 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None


Here is the output of netstat -nr for the client (subnet 192.168.2.0 is located in the UK):

===========================================================================
Interface List
16...00 ff ad 7e 5f 0e ......TAP-Win32 Adapter V9
11...90 fb a6 df cd 0b ......NVIDIA nForce 10/100/1000 Mbps Ethernet
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.114 10
10.8.0.0 255.255.255.252 On-link 10.8.0.2 286
10.8.0.2 255.255.255.255 On-link 10.8.0.2 286
10.8.0.3 255.255.255.255 On-link 10.8.0.2 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.114 266
192.168.2.114 255.255.255.255 On-link 192.168.2.114 266
192.168.2.255 255.255.255.255 On-link 192.168.2.114 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.114 266
224.0.0.0 240.0.0.0 On-link 10.8.0.2 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.114 266
255.255.255.255 255.255.255.255 On-link 10.8.0.2 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
11 4106 ::/0 fe80::6a7f:74ff:feb9:13dc
1 306 ::1/128 On-link
11 18 2002:5210:985b::/64 On-link
11 266 2002:5210:985b:0:7d9e:822c:c884:9793/128
On-link
11 266 2002:5210:985b:0:bc24:9c83:75de:80f8/128
On-link
11 266 fe80::/64 On-link
16 286 fe80::/64 On-link
16 286 fe80::905:aa78:4c20:94c/128
On-link
11 266 fe80::7d9e:822c:c884:9793/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
16 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

I look forward to your insights.

Robert

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Can ping in one direction, but not the other

Post by janjust » Sat May 07, 2011 9:46 pm

If the client can ping the server, but not vice versa, then you're looking at a firewalling issue; check the network location of the tap-win32 adapter on both client and server; make sure the adapter is in the 'private' network, or disable firewalling on the tap-win32 adapter altogether.
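The firewall diagnosis above holds only if each side's route table already sends the peer's tunnel address into the tunnel. The following added example (not part of any post in this thread) checks that from `netstat -nr` rows; the function names are hypothetical and the sample rows are a constructed, trimmed copy of the IPv4 tables posted earlier.

```python
import ipaddress

# Constructed sample input: IPv4 "Active Routes" rows trimmed from the two
# netstat -nr listings posted in this thread.
SERVER_ROUTES = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.9 266
10.8.0.0 255.255.255.252 On-link 10.8.0.1 286
10.8.0.1 255.255.255.255 On-link 10.8.0.1 286
192.168.1.0 255.255.255.0 On-link 192.168.1.9 266
"""
CLIENT_ROUTES = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.114 10
10.8.0.0 255.255.255.252 On-link 10.8.0.2 286
10.8.0.2 255.255.255.255 On-link 10.8.0.2 286
192.168.2.0 255.255.255.0 On-link 192.168.2.114 266
"""

def parse_routes(text):
    """Parse Windows IPv4 rows: destination, netmask, gateway, interface, metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # headers, separators, IPv6 and persistent-route rows
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # a five-field row that is not an IPv4 route
        routes.append((net, gateway, iface, int(metric)))
    return routes

def best_route(routes, target):
    """Longest-prefix match; ties go to the lowest metric."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def diagnose(route_text, local_tun_ip, peer_tun_ip):
    """Report where this host sends packets addressed to the tunnel peer."""
    route = best_route(parse_routes(route_text), peer_tun_ip)
    if route is None:
        return "no-route"
    return "via-tunnel" if route[2] == local_tun_ip else "outside-tunnel"
```

Both posted tables come back as `via-tunnel`, so routing is symmetric and the one-way ping points at packet filtering on the host that does not answer.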

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Can ping in one direction, but not the other

Post by maikcat » Sun May 08, 2011 5:46 pm

Hi there,

Check the firewall on your client.

Michael

trebordadda
OpenVpn Newbie
Posts: 5
Joined: Thu May 05, 2011 11:27 pm

Re: Can ping in one direction, but not the other

Post by trebordadda » Thu May 12, 2011 3:32 pm

Thank you Michael and Jan for taking the time to review my posts and respond.

The problem is solved: The client-side firewall automatically restarts after 4 hours. So even though I thought I had turned it off, it was actually back on and interfered with my VPN tunnel.

Michael, I appreciate your suggestion to set up the VPN in basic, step-by-step mode. It helped a lot to reduce the number of variables.

Thanks again. I am thrilled with the speed and responsiveness--I had anticipated much slower performance and am happily surprised.

Robert

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Can ping in one direction, but not the other

Post by maikcat » Fri May 13, 2011 10:08 am

Glad to help you out.

Closing topic.

Michael
