Ping works - the rest does not
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Fri May 13, 2011 5:28 pm
Ping works - the rest does not
Hello,
I've been having problems with my VPN recently - perhaps I misconfigured something, or I am missing something in my configuration.
I have 2 networks that look the same on both sides:
INTERNET -----> router (say 192.168.1.1) ----> SERVER (192.168.1.120 / 10.8.0.1)
The router gives wireless access to other computers. I installed OpenVPN on the server. On the server side I also enabled port forwarding and added "push 192.168.1.0 255.255.255.0", and I created static routes on my router:
destination: 10.8.0.0 gw: 192.168.1.120
there is also standard entry: dest: 0.0.0.0 gw: MY PUBLIC GW
there are the following routes on the server:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.1.120   0.0.0.0         UG    0      0        0 eth0
When I connect to the VPN - and get an IP address (say 10.8.0.7) - I am able to ping everything in the network. I can get access to the router by typing http://192.168.1.1. I am also able to access my server via http://192.168.1.120. What I can't do is access any services that are on wireless - e.g. the wireless printer on 1.50 is pingable, but I can't access its website via browser. The same applies to any other servers/services that are within my local area network. I can't ssh, can't web, nothing.
What can be wrong?
Thanks in advance for any answer - this problem drives me crazy ...
Peter
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Ping works - the rest does not
If you can ping a host but cannot reach it using TCP/UDP then you're most likely looking at a firewalling issue.
Can you run tcpdump or wireshark on the OpenVPN server to watch the flow of packets?
Is there a firewall/iptables rule blocking things?
-
- OpenVpn Newbie
- Posts: 7
- Joined: Fri May 13, 2011 5:28 pm
Re: Ping works - the rest does not
On the server side - no:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
But once I started my futile attempts to access the web page, my log file grew rapidly with these entries (printer):
13:33:55.505031 IP 192.168.1.50.snmp > 10.8.0.6.55738: C=internal GetResponse(39) E:hp.2.3.9.4.2.1.1.2.55.0=1
13:33:55.567855 IP 10.8.0.6.55739 > 192.168.1.50.snmp: C=internal GetRequest(35) E:hp.2.3.9.4.2.1.1.6.8.2.0
13:33:55.575336 IP 192.168.1.50.snmp > 10.8.0.6.55739: C=internal GetResponse(40) E:hp.2.3.9.4.2.1.1.6.8.2.0=0
13:33:55.638869 IP 10.8.0.6.55740 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.15.0
13:33:55.647241 IP 192.168.1.50.snmp > 10.8.0.6.55740: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.15.0=00_00_00_00
13:33:55.708804 IP 10.8.0.6.55741 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.17.0
13:33:55.717150 IP 192.168.1.50.snmp > 10.8.0.6.55741: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.17.0=00_00_00_00
13:33:55.781028 IP 10.8.0.6.55742 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.16.0
13:33:55.788838 IP 192.168.1.50.snmp > 10.8.0.6.55742: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.16.0=00_00_00_00
13:33:56.778620 IP 10.8.0.6.55742 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.16.0
13:33:56.785874 IP 192.168.1.50.snmp > 10.8.0.6.55742: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.16.0=00_00_00_00
13:33:56.849920 IP 10.8.0.6.55743 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.28.0
13:33:56.859317 IP 192.168.1.50.snmp > 10.8.0.6.55743: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.28.0=00_00_00_00
13:33:56.926617 IP 10.8.0.6.55744 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.29.0
13:33:56.938124 IP 192.168.1.50.snmp > 10.8.0.6.55744: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.29.0=00_00_00_00
13:33:57.000024 IP 10.8.0.6.55745 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.24.0
13:33:57.011430 IP 192.168.1.50.snmp > 10.8.0.6.55745: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.24.0=00_00_00_00
13:33:57.082771 IP 10.8.0.6.55746 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.14.0
What is this all about?
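A way to act on janjust's "watch the flow of packets" advice, added here as an example and not something posted in the thread: a small Python script that reads tcpdump's one-line text output (the format of the SNMP lines above) and lists conversations in which every packet went one way and nothing ever came back. That is exactly what "ping works but TCP does not" looks like on the VPN server's tun0. The sample capture is constructed for the example: two SNMP request/response pairs copied from the post above, three assumed TCP SYNs to the printer's HTTP port that nobody answers, and one assumed SYN to the router that is answered (sequence numbers and window sizes are made up).

```python
"""Find one-way conversations in tcpdump text output: the "ping works, TCP
does not" symptom shows up as SYNs with no reply on the VPN server's capture."""
import re
from collections import defaultdict

# tcpdump's default one-line summary, e.g.
#   13:33:55.567855 IP 10.8.0.6.55739 > 192.168.1.50.snmp: C=internal GetRequest(35) ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<rest>.*)$"
)


def parse(line):
    """Split one tcpdump line into its fields; None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    # tcpdump prints "Flags [...]" for TCP segments; its UDP decoders (snmp, dns) do not.
    pkt["proto"] = "tcp" if pkt["rest"].startswith("Flags [") else "udp"
    return pkt


def one_way_flows(lines):
    """Return [(sender, receiver, proto, packets)] for every endpoint pair that
    sent packets and never saw a single packet in the opposite direction."""
    sent = defaultdict(int)
    for line in lines:
        pkt = parse(line)
        if pkt is None:          # tcpdump banner / continuation lines
            continue
        a = f"{pkt['src']}:{pkt['sport']}"
        b = f"{pkt['dst']}:{pkt['dport']}"
        sent[(a, b, pkt["proto"])] += 1
    return sorted((a, b, proto, n) for (a, b, proto), n in sent.items()
                  if (b, a, proto) not in sent)


# Constructed sample capture (not a real trace): two SNMP exchanges taken from
# the thread, three TCP SYNs to the printer that nobody answers, and one SYN to
# the router that is answered (assumed sequence numbers and window sizes).
SAMPLE = """\
13:33:55.567855 IP 10.8.0.6.55739 > 192.168.1.50.snmp: C=internal GetRequest(35) E:hp.2.3.9.4.2.1.1.6.8.2.0
13:33:55.575336 IP 192.168.1.50.snmp > 10.8.0.6.55739: C=internal GetResponse(40) E:hp.2.3.9.4.2.1.1.6.8.2.0=0
13:33:55.638869 IP 10.8.0.6.55740 > 192.168.1.50.snmp: C=internal GetRequest(36) E:hp.2.3.9.4.2.1.4.1.5.2.15.0
13:33:55.647241 IP 192.168.1.50.snmp > 10.8.0.6.55740: C=internal GetResponse(44) E:hp.2.3.9.4.2.1.4.1.5.2.15.0=00_00_00_00
13:34:01.000000 IP 10.8.0.6.40000 > 192.168.1.50.http: Flags [S], seq 1000, win 64240, length 0
13:34:02.000000 IP 10.8.0.6.40000 > 192.168.1.50.http: Flags [S], seq 1000, win 64240, length 0
13:34:04.000000 IP 10.8.0.6.40000 > 192.168.1.50.http: Flags [S], seq 1000, win 64240, length 0
13:34:05.000000 IP 10.8.0.6.40001 > 192.168.1.1.http: Flags [S], seq 2000, win 64240, length 0
13:34:05.001000 IP 192.168.1.1.http > 10.8.0.6.40001: Flags [S.], seq 3000, ack 2001, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    import sys
    # e.g.  tcpdump -l -n -i tun0 | python3 oneway.py   (falls back to SAMPLE on a terminal)
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    for sender, receiver, proto, n in one_way_flows(lines):
        print(f"{proto} {sender} -> {receiver}: {n} packet(s), no reply seen")
```

On the sample this reports only the three unanswered SYNs to 192.168.1.50:http; the SNMP pairs and the router's answered SYN are two-way and stay quiet. Running the same thing on eth0 as well as tun0 tells you which side is losing the reply: if the SYN leaves eth0 and no SYN-ACK ever arrives there, the problem is on the LAN host's return path, not in the OpenVPN server.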
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Ping works - the rest does not
That's SNMP traffic - apparently when you try to access your printer an SNMP query is used as well.
Does the printer have the right default GW configured, i.e. is return traffic sent to 192.168.1.1?
-
- OpenVpn Newbie
- Posts: 7
- Joined: Fri May 13, 2011 5:28 pm
Re: Ping works - the rest does not
Yes it has.
I found where the issue is.
What I had to do was add this line to my iptables on 192.168.1.120 (the server):
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          192.168.1.0/24       to:192.168.1.120
Say I added the analogous chain on the other side - would it really help me? I would like to access the other side of the network, their servers and their services, from my local network without using an OpenVPN client - is it possible?
Peter
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Ping works - the rest does not
I'm not sure what you're asking... if the GW on the 192.168.1.0/24 LAN has the right route for the 10.8.0.0/24 network back to the VPN server (192.168.1.120) then the SNAT rule would not be necessary.
In this setup you will need an OpenVPN client to access your home LAN - what do you mean by "other side"?
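To see why the SNAT rule "fixed" it and what janjust means by the return route, here is an added example (not from the thread) that walks a packet through the routing tables as the kernel would, with longest-prefix matching. The server's table and the router's static route are the ones posted above; the printer's table, the router's default route, the VPN client's table and the server's default gateway (192.168.1.1 rather than the .120 the posted table shows) are assumptions about a typical setup, and 10.8.0.2 is modelled as a pseudo-hop standing in for the OpenVPN daemon's point-to-point peer in the default "net30" topology.

```python
"""Longest-prefix-match walk through the routing tables in this thread, to show
why a LAN host's reply to a VPN client goes through the router while the request
did not, and why SNAT on the server makes both directions symmetric."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # "0.0.0.0/0" is the default route
    via: Optional[str]     # next-hop address, or None when the prefix is on-link
    dev: str


def lookup(table, dst):
    """Kernel-style longest-prefix match (metrics ignored)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


# name -> (addresses the host owns, routing table). The server table and the
# router's static route are from the thread; the printer, the router's default
# route and the VPN client table are assumptions about a typical setup.
HOSTS = {
    "printer":    ({"192.168.1.50"},
                   [Route("192.168.1.0/24", None, "wlan0"),
                    Route("0.0.0.0/0", "192.168.1.1", "wlan0")]),
    "router":     ({"192.168.1.1"},
                   [Route("192.168.1.0/24", None, "lan"),
                    Route("10.8.0.0/24", "192.168.1.120", "lan"),   # Peter's static route
                    Route("0.0.0.0/0", "203.0.113.1", "wan")]),      # placeholder ISP gateway
    "server":     ({"192.168.1.120", "10.8.0.1"},
                   [Route("10.8.0.2/32", None, "tun0"),
                    Route("10.8.0.0/24", "10.8.0.2", "tun0"),
                    Route("192.168.1.0/24", None, "eth0"),
                    Route("0.0.0.0/0", "192.168.1.1", "eth0")]),     # assumed (thread shows .120)
    # OpenVPN net30 topology: 10.8.0.2 is the server's point-to-point peer,
    # modelled as a pseudo-hop that hands the packet to the real client.
    "tun0-peer":  ({"10.8.0.2"}, [Route("10.8.0.0/24", None, "tun")]),
    "vpn-client": ({"10.8.0.7"},
                   [Route("10.8.0.0/24", "10.8.0.1", "tun0"),
                    Route("192.168.1.0/24", "10.8.0.1", "tun0")]),   # the pushed route
}
PSEUDO = {"tun0-peer"}


def owner(addr):
    """Which host owns an address (None for addresses outside the model)."""
    return next((n for n, (addrs, _) in HOSTS.items() if addr in addrs), None)


def trace(src_host, dst, max_hops=10):
    """Hosts a packet for `dst` passes through, starting at src_host."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        addrs, table = HOSTS[host]
        if dst in addrs:
            return path
        route = lookup(table, dst)
        if route is None:
            return path + ["unreachable"]
        nxt = owner(route.via or dst)
        if nxt is None:
            return path + [f"unknown({route.via or dst})"]
        path.append(nxt)
        host = nxt
    return path + ["loop"]


def reply_path(lan_host, client_ip, snat_ip=None):
    """Hops taken by lan_host's reply. With SNAT the LAN host only ever sees
    snat_ip; the NAT box then rewrites the destination back and forwards it."""
    if snat_ip is None:
        return trace(lan_host, client_ip)
    to_nat = trace(lan_host, snat_ip)
    return to_nat + trace(to_nat[-1], client_ip)[1:]


def symmetric(forward, reply):
    """True when the reply retraces the forward path (tunnel pseudo-hop ignored)."""
    strip = lambda p: [h for h in p if h not in PSEUDO]
    return strip(reply)[::-1] == strip(forward)


if __name__ == "__main__":
    fwd = trace("vpn-client", "192.168.1.50")
    for label, rev in (("no SNAT", reply_path("printer", "10.8.0.7")),
                       ("SNAT to .120", reply_path("printer", "10.8.0.7", "192.168.1.120"))):
        print(f"{label}: {' -> '.join(fwd)} | reply {' -> '.join(rev)} | symmetric={symmetric(fwd, rev)}")
```

Without SNAT the request goes vpn-client -> server -> printer, but the printer's reply goes printer -> router -> server -> vpn-client: the router never saw the SYN and now has to hairpin a SYN-ACK back out the interface it came in on, and a consumer router that tracks connection state commonly drops exactly that (ICMP echo carries no such state, which is why ping kept working). With SNAT the printer answers 192.168.1.120 directly and the path is symmetric, at the cost of every LAN log and ACL seeing VPN users as the server's address. janjust's point stands: a correct route for 10.8.0.0/24 on the gateway, or directly on the LAN hosts, gets the reply to the server without NAT.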
-
- OpenVpn Newbie
- Posts: 7
- Joined: Fri May 13, 2011 5:28 pm
Re: Ping works - the rest does not
I would like to reach communication between 2 networks.
WIRELESS clients A
|
ROUTER A ----- LINUX SERVER A
|
INTERNET
|
ROUTER B ----- LINUX SERVER B
|
WIRELESS clients B
I want wireless clients to be able to ping one another, and OpenVPN clients to be able to do the same.
My Linux servers are in the DMZ - the configuration you know from the previous posts. The only difference on the B side is that their LAN is 2.168.0.0/24 (it's 2 - not 192).
The Linux servers have OpenVPN installed. Are there any special conditions for merging these networks so that clients would be able to ping one another and access shares?
Please note that routers are rather cheap machines but capable of setting static routes.
So far I could not find any manual or "howto" that would describe my case.
P.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Ping works - the rest does not
I'd set up OpenVPN on routers A and B using preshared static keys (see the HOWTO for that); the configs would look something like:
router A:
proto udp
port 1194
dev tun
secret secret.key
# tunnel endpoint addresses were not in the original post; 10.200.0.x is assumed
# (a tun static-key link needs ifconfig, and 'route' uses the peer as its gateway)
ifconfig 10.200.0.1 10.200.0.2
route 2.168.0.0 255.255.255.0      # site B's LAN (the original post had 192.168.0.0 here)
router B:
proto udp
port 1194
dev tun
secret secret.key
ifconfig 10.200.0.2 10.200.0.1     # mirror of router A's endpoints (assumed)
route 192.168.1.0 255.255.255.0    # site A's LAN (the original post had 2.168.0.0 here)
remote <routerA>
(read chapter 1 of my book)

-
- OpenVpn Newbie
- Posts: 7
- Joined: Fri May 13, 2011 5:28 pm
Re: Ping works - the rest does not
Thanks! That was very helpful. I read the whole first chapter, and it seems that I did not add the route on the client side:
"Make sure that on the Windows client on the client-side LAN there is a route back to the OpenVPN server
C:> route add 10.200.0.0 mask 255.255.255.0 192.168.4.5"
(page 18 of your book).
The thing is, I would like to "force" my LAN computers to add an (analogous, but different) route as described above. I am not talking about autoexec.bat or anything like that - I would like to force it somehow so that any computer in my local network would be able to access computers on the other side without any startup scripts (there is something called icmp_redirect, and someone said that allegedly I could force something like route add on Windows...)
Pete
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Ping works - the rest does not
The LAN clients are not aware of the OpenVPN connection; you'd have to add a default route on the LAN GW to point to the OpenVPN client. This would trigger the 'icmp_redirect'.