Can ping openvpn server while connected but not others
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
I'm thinking maybe the openvpn server hasn't pushed the correct routing info to the client? That's the only thing I can think of besides firewalls for why it wouldn't be able to get anywhere. Should I just try to push individual IPs and see if that works maybe?
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
Funny, can't even ping myself as a VPN client. (10.10.0.6 pinging 10.10.0.6 fails). Didn't help to try to individually forward IPs...
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Can ping openvpn server while connected but not others
On Windows XP? Is there some antivirus package causing problems? I'd go for reinstalling openvpn - this is definitely not normal.
"10.10.0.6 pinging 10.10.0.6 fails"
In "default" mode the first VPN client is assigned 10.10.0.6 with remote endpoint 10.10.0.5 - this remote virtual endpoint cannot be reached, however. The server is always found at 10.10.0.1.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
No, from OSX as a client.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Can ping openvpn server while connected but not others
whoops, I got confused with another post, sorry about that...
don't know why a MacOS client would not allow you to ping the tun adapter itself - and I cannot test it on MacOS right now as I don't use Macs regularly... what about the macOS firewall?
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
No firewall to speak of. I've never encountered an issue like this with other VPNs. I can try to set up something else as a client and try that, but I seriously doubt that as the issue. Need some time elsewhere though, will be back to this a little later today. Thanks so much for the help up to this point by the way. I really need this to work by Friday

-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
Also, if it was the client's firewall, I would expect pinging 192.168.5.1 to have the same issue, as well as 10.10.0.1. I think this points even more to the gateway/vpn server just not doing anything with what it receives. Maybe I should try redirecting my gateway through the VPN server to see what happens?
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: Can ping openvpn server while connected but not others
It must be:
server.conf has
port 8787
proto udp
dev tun
server 10.10.0.1 255.255.255.0
route 10.10.0.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"
push "route 10.10.0.0 255.255.255.0"
push "dhcp-option WINS 10.10.0.1"
Code: Select all
server 10.10.0.0 255.255.255.0
as it is added automatically by OpenVPN.
route 10.10.0.0 255.255.255.0
push "route 10.10.0.0 255.255.255.0"
On the OpenVPN server, do you have a WINS service? Why are you pushing that option?
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
Yes, I do, I hope to have samba access working.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
Also, I have fixed that conf issue (server line) but it has made no difference in the important test of ping access.
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: Can ping openvpn server while connected but not others
Just show the iptables rules from the OpenVPN server when the client is connected, including all tables: NAT, POSTROUTING, PREROUTING, FORWARD, INPUT, OUTPUT.
Also from the client do a: tracert 192.168.5.77
to see where it gets stuck.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
How do I show all iptables?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Can ping openvpn server while connected but not others
Code: Select all
iptables -L -n -v
iptables -t nat -L -n -v
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
Sorry for the long post. Hopefully this is what you expected.
I am downloading a linux distro to try openvpn-ing from, but I've never set that up so I might be prone to other difficulties.
Code: Select all
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
78089 17M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1881K 807M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state ESTABLISHED
1132 71991 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED
88861 8478K input_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
35203 3944K input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
634 47679 input_ext all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET
'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
120K 6601K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2784K 670M forward_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
3952K 4643M forward_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
52 5330 forward_ext all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTIN
G '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1243 packets, 49720 bytes)
pkts bytes target prot opt in out source destination
78089 17M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1857K 319M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED
754 30160 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '
Chain forward_ext (2 references)
pkts bytes target prot opt in out source destination
81 4356 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 0
1529 200K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 3
47 4814 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 5
3950K 4643M ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix
`SFW2-FWDext-DROP-DEFLT '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDext-DROP-DEFLT '
22 1848 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DE
FLT '
15 2092 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DE
FLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-
FWDext-DROP-DEFLT-INV '
52 5330 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain forward_int (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 0
408 29825 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED icmp type 5
2782K 670M ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix
`SFW2-FWDint-DROP-DEFLT '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDint-DROP-DEFLT '
55 8307 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DE
FLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DE
FLT '
790 37230 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-
FWDint-DROP-DEFLT-INV '
1430 74193 reject_func all -- * * 0.0.0.0/0 0.0.0.0/0
Chain input_ext (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 4
2502 98274 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 tcp dpt:6666 flags:0x17/0x02 LOG flags 6 level
4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6666
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 tcp dpt:8787 flags:0x17/0x02 LOG flags 6 level
4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8787
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:6666
2 84 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:8787
7 448 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix
`SFW2-INext-DROP-DEFLT '
9 576 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
804 43504 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-INext-DROP-DEFLT '
82 11496 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEF
LT '
1565 204K LOG udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEF
LT '
26 1397 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-
INext-DROP-DEFLT-INV '
33324 3892K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain input_int (1 references)
pkts bytes target prot opt in out source destination
88861 8478K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject_func (1 references)
pkts bytes target prot opt in out source destination
1268 51956 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
162 22237 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-proto-unreachable
Code: Select all
Chain PREROUTING (policy ACCEPT 306K packets, 28M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 13754 packets, 1150K bytes)
pkts bytes target prot opt in out source destination
123K 9320K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * tun0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 54071 packets, 4423K bytes)
pkts bytes target prot opt in out source destination
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Can ping openvpn server while connected but not others
your forwarding iptables rules look complicated; try adding the following iptables rules to see if it helps:
Code: Select all
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
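An added example, not part of the original posts: one way to read the long `iptables -L -n -v` listing above is to follow a single interface through FORWARD and check whether the chain it lands in ends in an unconditional DROP. The function names `vpn_forward_drops` and `sample_listing` are made up for this illustration, and the sample input is a constructed excerpt abridged from the listing posted in the thread.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): trace one interface through FORWARD.

vpn_forward_drops() {   # $1 = inbound interface; listing on stdin
  awk -v ifc="$1" '
    function commit() { if (pend != "") drop[pend] = pendpk; pend = "" }
    NF == 0        { next }
    $1 == "Chain"  { commit(); chain = $2; next }
    $1 == "pkts"   { next }                      # column header
    NF >= 9 && $5 == "--" {                      # a rule line
      commit()
      # Which target does FORWARD hand this interface to?
      if (chain == "FORWARD" && $6 == ifc) jump[$3] = $1
      # DROP with no interface/address match; unconditional only if no
      # match text follows on the same or the next (wrapped) line.
      if ($3 == "DROP" && $4 == "all" && $6 == "*" && $7 == "*" &&
          $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9) {
        pend = chain; pendpk = $1
      }
      next
    }
    { pend = "" }                                # wrapped match text
    END {
      commit()
      for (c in jump) if (c in drop)
        printf "%s -> %s: %s pkts entered, %s pkts at catch-all DROP\n",
               ifc, c, jump[c], drop[c]
    }'
}

# Constructed sample: abridged from the listing posted in the thread.
sample_listing() {
  cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2784K 670M forward_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
52 5330 forward_ext all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain forward_ext (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
52 5330 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
}

sample_listing | vpn_forward_drops tun0
```

The catch-all DROP counter is shared by every interface dispatched into that chain, so matching numbers point at the rule to inspect rather than prove which traffic it dropped.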
-
- OpenVPN User
- Posts: 22
- Joined: Mon Sep 19, 2011 3:06 pm
Re: Can ping openvpn server while connected but not others
So I might have been complicating things a bit here, but I installed a linux distro into a virtual machine and got it connected to the vpn. What I get is the complete opposite of my previous results. From the VM, I get assigned 10.10.0.6, which I can ping, and then I can't ping anything *else* including the 192.168.5.1 / 10.10.0.1, nothing.
...Feels like something really stupid is going on... Trying to arrange for testing from a different machine...