Server receives ping requests but no reply

[chhsiao]

Hi all,

I just followed the HOWTO to set up an OpenVPN server,
and I successfully connect to the server from the client.
However, I cannot ping 10.8.0.1 from client with its firewall turned off.
When I used tcpdump -i tun0 to listen the tun0 interface at server side,
I got only ICMP requests but no ICMP replies.
Furthermore, I sometimes got some "Out ethertype Unknown (0x88a2), length 48"
I had veiwed some articles related to this, but I am not familiar to iptables,
so I am not sure what rules I should add into iptables.
Could you help me resolve this problem please?

The following are my configurations:

server.conf

Code: Select all

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

ipp.txt

Code: Select all

client,10.8.0.4

client.conf

Code: Select all

client
dev tun
proto udp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3

And here is my iptables -L:

Code: Select all

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            ctstate ESTABLISHED 
ACCEPT     all  --  anywhere            !10.9.0.0/16         
ACCEPT     all  --  10.9.8.0/24          10.9.8.0/24         
ACCEPT     all  --  10.9.9.0/24          10.9.9.0/24         
X-default  all  --  anywhere             anywhere            
Y-default  all  --  anywhere             anywhere            
ACCEPT     all  --  10.9.9.0/24          10.9.9.0/24         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain X-default (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  a.b.c.0/24           10.9.8.0/24         tcp dpt:ssh 
ACCEPT     tcp  --  a.b.c.0/24           10.9.8.0/24         tcp dpts:tcpmux:65535 

Chain Y-default (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  a.b.c.0/24           10.9.9.0/24         tcp dpt:ssh 
ACCEPT     tcp  --  a.b.c.0/24           10.9.9.0/24         tcp dpts:tcpmux:65535

Thanks a lot,
chhsiao

[Mimiko]

May be something like this:

Code: Select all

iptables -A FORWARD -i tun0 -d 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -j ACCEPT

[janjust]

try it WITHOUT iptables at first; also post the output of

Code: Select all

iptables -t nat -L -n -v

[chhsiao]

Thanks to Mimiko and janjust,
but both adding rules into FORWARD and turning off iptables don't work.
I still get ICMP requests at server but no replies.

The output of iptables -t nat -L -n -v is:

Code: Select all

  Chain PREROUTING (policy ACCEPT 2895 packets, 256K bytes)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 DNAT       tcp  --  *      *       10.9.0.0/16          169.254.169.254     tcp dpt:80 to:a.b.c.d:8773 

  Chain POSTROUTING (policy ACCEPT 182 packets, 40112 bytes)
   pkts bytes target     prot opt in     out     source               destination         
  39462 2376K MASQUERADE  all  --  *      *      !127.0.0.0/8         !10.9.0.0/16         

  Chain OUTPUT (policy ACCEPT 37398 packets, 2273K bytes)
   pkts bytes target     prot opt in     out     source               destination

Thanks,
chhsiao

[janjust]

hmmm, the NATting tables look weird but should not interfere with the tun0 pings not working...

which IP is assigned to the client? can you comment out the 'ifconfig-pool-persist' line, restart the server, reconnect the client and then verify the IP address assigned to the client (should be 10.8.0.6).

[chhsiao]

Hi,

Sorry for the late reply.
I'd tried the server setting with and without ifconfig-pool-persist.
In both cases, the client always has IP 10.8.0.6 and gateway 10.8.0.5.
BTW, I found that I ignored an error when starting openvpn:

Code: Select all

/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2

I guess it might because that I restarted openvpn so it tries to write the same rule into the routing table.
Here is the output of route:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.9.8.0        *               255.255.255.0   U     0      0        0 eth1
10.8.0.0        *               255.255.255.0   U     0      0        0 eth1
10.9.9.0        *               255.255.255.0   U     0      0        0 eth1
a.b.c.0         *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         a.b.c.254       0.0.0.0         UG    0      0        0 eth0

Not sure if it is normal but i thought there should be a gateway for 10.8.0.0/24?

Thanks,
chhsiao

[janjust]

you are definitely on to something. The output

10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 * 255.255.255.0 U 0 0 0 eth1

shows that the subnet 10.8.0.0/24 is already in use by ethernet adapter eth1! what happens if you switch the VPN subnet to something else, e.g 172.16.0.0/24 ?

[chhsiao]

Hey, I was too careless to ignore it .
I only know that this machine has a subnet of 10.9.0.0/24,
but didn't know that it also uses 10.8.0.0.
And I didn't check the routing table until today.
So stupid lol.

Anyway, very thanks to your help!
I'll change my subnet later and hope it will go smoothly.

Thanks,
chhsiao