[Solved] client-to-client problem

[supm0667]

Hi,

My linux server of OpenVPN released version is 2.2.1.
And I use the "client-to-client" option.
But may be some problem occured.
I ping the client to client each other,
it is not work.

Could you help me, please.

Thanks a lot.

Peter Lai

ps : My server config :
==>
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/myserver.crt
key /etc/openvpn/keys/myserver.key
auth-user-pass-verify /usr/sbin/vpn_check_account via-env
client-cert-not-required
username-as-common-name
no-name-remapping
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
duplicate-cn
keepalive 10 60
reneg-sec 0
cipher AES-128-CBC
comp-lzo
max-clients 5
client-connect /etc/openvpn/connect.sh
client-disconnect /etc/openvpn/disconnect.sh
management localhost 7505
persist-key
persist-tun
status /var/log/openvpn-status.log
log /tmp/openvpn.log
verb 9

[janjust]

what happens if you do the ping from VPN client to VPN client?
with

log /tmp/openvpn.log
verb 9

you should see tons of output in the VPN server log during this (I'd use 'verb 5' personally).

[supm0667]

Hi,

Thaks a lot.

I use the "verb 5" in server config.
And ==>
1. If I ping 10.8.0.1
then /tmp/openvpn.log
==>
WWRRWWRRWWRRWWRwrWRwrWRwrWRRwrWWRWRW

2. If I ping 10.8.0.6 (in the other client 10.8.0.10)
then /tmp/openvpn.log
==>
RRRWWRWRRWWRWRWRWRWRWRWRWRW

Could you help me, Please.

Thanks,

Peter Lai

[janjust]

the server log shows R's and W's which means data is coming in and is written out ; perhaps the client you're trying to reach is blocking pings? (windows 7 clients are known to do this).

when pinging in 10.8.0.1 you also see lowercase r's and w's which means data is read from and written to the tun device; as you're using client-to-client you won't see the lowercase r's and w's when pinging one client from another

[supm0667]

Hi,

Thanks first !

Could you tell me how can I use the "client-to-client" option.
And If it is some thing wrong (in local domain)(ex: 192.168.0.0/24),
how can I check it which is wrong.

Thanks a lot.

Peter Lai

[Mimiko]

supm0667, please read the manual.

[supm0667]

Hi,

Thanks a lot first !

"
--client-to-client
Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.

When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
"

Now, I cannot ping the other clients which are currently connected. So, how could I do or check these ?! Could you help me, please ! Thanks !

Peter Lai

[janjust]

what exactly do you mean by

Now, I cannot ping the other clients which are currently connected.

does it mean you could do so before?
what's inside the client-connect/client-disconnect scripts? perhaps something is blocking traffic there. Also, are you sure the clients themselves are not firewalled/not accepting connections via the VPN?

[supm0667]

Hi,

Thanks a lot, first !

I try this case and
If enable "redirect-gateway def1"
and use "iptables" in linux OpenVPN server
(==> MASQUERADE all -- 10.12.0.0/24 anywhere)
then
I use ssh service from OpenVPN client to another OpenVPN client,
it is work. But ping the OpenVPN each other not work.

Could you help me, please !
Thanks

PeterLai

[janjust]

you can SSH from one client to another? and ping is not working? then you're definitely looking at a firewalling issue (which is , strictly speaking, off-scope for this forum).

[supm0667]

Hi,

Thanks a lot, first !!

Now I understand that is my win7 firewall problems(OpenVPN clients in win7).
When I stopped my win7 firewall and it is work very nice.
Off-scope for this forum, please.
I felt very embarrassed.

And
Thank you very much !!

Peter Lai