I've set up a bridged VPN with OpenVPN. I have a private network (192.168.224.0/21).

The server.conf file is as follows:

port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.224.29 255.255.248.0 192.168.224.46 192.168.224.47 # VPN client address pool
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

The server log ended with:

Sat Oct 2 23:43:43 2010 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Sat Oct 2 23:43:43 2010 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sat Oct 2 23:43:43 2010 Diffie-Hellman initialized with 1024 bit key
Sat Oct 2 23:43:43 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Sat Oct 2 23:43:43 2010 TLS-Auth MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Oct 2 23:43:43 2010 TUN/TAP device tap1 opened
Sat Oct 2 23:43:43 2010 TUN/TAP TX queue length set to 100
Sat Oct 2 23:43:43 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Oct 2 23:43:43 2010 GID set to openvpn
Sat Oct 2 23:43:43 2010 UID set to openvpn
Sat Oct 2 23:43:43 2010 Listening for incoming TCP connection on [undef]:1194
Sat Oct 2 23:43:43 2010 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sat Oct 2 23:43:43 2010 TCPv4_SERVER link local (bound): [undef]:1194
Sat Oct 2 23:43:43 2010 TCPv4_SERVER link remote: [undef]
Sat Oct 2 23:43:43 2010 MULTI: multi_init called, r=256 v=256
Sat Oct 2 23:43:43 2010 IFCONFIG POOL: base=192.168.224.46 size=2
Sat Oct 2 23:43:43 2010 IFCONFIG POOL LIST
Sat Oct 2 23:43:43 2010 client,192.168.224.46
Sat Oct 2 23:43:43 2010 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Oct 2 23:43:43 2010 Initialization Sequence Completed

The client log ended with:

Sat Oct 2 23:48:31 2010 OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Sat Oct 2 23:48:31 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 2 23:48:31 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Sat Oct 2 23:48:31 2010 LZO compression initialized
Sat Oct 2 23:48:31 2010 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Oct 2 23:48:31 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Oct 2 23:48:31 2010 Local Options hash (VER=V4): '31fdf004'
Sat Oct 2 23:48:31 2010 Expected Remote Options hash (VER=V4): '3e6d1056'
Sat Oct 2 23:48:31 2010 Attempting to establish TCP connection with [AF_INET]XX.XX.XX.XX:1194 [nonblock]
Sat Oct 2 23:48:32 2010 TCP connection established with [AF_INET]XX.XX.XX.XX:1194
Sat Oct 2 23:48:32 2010 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sat Oct 2 23:48:32 2010 TCPv4_CLIENT link local: [undef]
Sat Oct 2 23:48:32 2010 TCPv4_CLIENT link remote: [AF_INET]XX.XX.XX.XX:1194
Sat Oct 2 23:48:33 2010 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:1194, sid=c61b420b 9e920589
Sat Oct 2 23:48:33 2010 VERIFY OK: depth=1, /C=FR/ST=FR/L=Test/O=Test-One/CN=Test-One_CA/emailAddress=test@test-one.com
Sat Oct 2 23:48:33 2010 VERIFY OK: nsCertType=SERVER
Sat Oct 2 23:48:33 2010 VERIFY OK: depth=0, /C=FR/ST=FR/L=Test/O=Test-One/CN=server/emailAddress=test@test-one.com
Sat Oct 2 23:48:35 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Oct 2 23:48:35 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Oct 2 23:48:35 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Oct 2 23:48:35 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Oct 2 23:48:35 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Oct 2 23:48:35 2010 [server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194
Sat Oct 2 23:48:37 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Oct 2 23:48:38 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.224.29,ping 10,ping-restart 120,ifconfig 192.168.224.46 255.255.248.0'
Sat Oct 2 23:48:38 2010 OPTIONS IMPORT: timers and/or timeouts modified
Sat Oct 2 23:48:38 2010 OPTIONS IMPORT: --ifconfig/up options modified
Sat Oct 2 23:48:38 2010 OPTIONS IMPORT: route-related options modified
Sat Oct 2 23:48:38 2010 TUN/TAP device tap0 opened
Sat Oct 2 23:48:38 2010 TUN/TAP TX queue length set to 100
Sat Oct 2 23:48:38 2010 /sbin/ifconfig tap0 192.168.224.46 netmask 255.255.248.0 mtu 1500 broadcast 192.168.231.255
Sat Oct 2 23:48:38 2010 Initialization Sequence Completed

ifconfig / route [server side]:

# ifconfig
br0       Link encap:Ethernet HWaddr 22:d7:3e:76:7a:0c
          inet addr:192.168.224.29 Bcast:192.168.231.255 Mask:255.255.248.0
          inet6 addr: fe80::20d7:3eff:fe76:7a0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:728 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:56800 (55.4 KiB) TX bytes:936 (936.0 B)

eth0      Link encap:Ethernet HWaddr a6:e4:0e:4c:3c:1b
          inet6 addr: fe80::a4e4:eff:fe4c:3c1b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:1859203 errors:0 dropped:0 overruns:0 frame:0
          TX packets:636573 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2271575001 (2.1 GiB) TX bytes:2349803350 (2.1 GiB)
          Interrupt:15

eth0:0    Link encap:Ethernet HWaddr a6:e4:0e:4c:3c:1b
          inet addr:10.168.201.134 Bcast:10.168.255.255 Mask:255.255.0.0
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          Interrupt:15

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:9254 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:119207189 (113.6 MiB) TX bytes:119207189 (113.6 MiB)

tap0      Link encap:Ethernet HWaddr 22:d7:3e:76:7a:0c
          inet6 addr: fe80::20d7:3eff:fe76:7a0c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:540 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
--------------------------------------------------------------------------
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.224.0 0.0.0.0 255.255.248.0 U 0 0 0 br0
10.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.168.201.12 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.224.1 0.0.0.0 UG 0 0 0 eth0

ifconfig / route [client side]:

# ifconfig
eth0      Link encap:Ethernet HWaddr 00:18:f3:0a:53:30
          inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: fe80::218:f3ff:fe0a:5330/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:3610120 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3998802 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:651640795 (651.6 MB) TX bytes:606439274 (606.4 MB)
          Interrupt:28 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:305973 errors:0 dropped:0 overruns:0 frame:0
          TX packets:305973 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:45409166 (45.4 MB) TX bytes:45409166 (45.4 MB)

tap0      Link encap:Ethernet HWaddr 9e:e3:01:4b:de:a4
          inet addr:192.168.224.46 Bcast:192.168.231.255 Mask:255.255.248.0
          inet6 addr: fe80::9ce3:1ff:fe4b:dea4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B) TX bytes:6749 (6.7 KB)
--------------------------------------------------------------------------------
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
192.168.224.0 0.0.0.0 255.255.248.0 U 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

Port Forwarding settings for IPCop (FW):

On the server, I configured a virtual interface (eth0:0) with a virtual IP (10.168.201.134) for port forwarding. This enables an external host to access the OpenVPN service behind the firewall.
On the LAN, my firewall IP address is 10.168.201.12.

root@ipcop:~ # iptables --list PORTFWACCESS | grep openvpn
ACCEPT tcp -- 551-1-58-125.w86-192.abo.free.fr 10.168.201.134 tcp dpt:openvpn

server:/etc/openvpn# ping 192.168.224.21
PING 192.168.224.21 (192.168.224.21) 56(84) bytes of data.
64 bytes from 192.168.224.21: icmp_seq=1 ttl=128 time=0.188 ms
64 bytes from 192.168.224.21: icmp_seq=2 ttl=128 time=0.204 ms

The problem is that I can't reach anyone. Ping says Destination Host Unreachable.

# ping 192.168.224.29
PING 192.168.224.29 (192.168.224.29) 56(84) bytes of data.
From 192.168.224.46 icmp_seq=1 Destination Host Unreachable
From 192.168.224.46 icmp_seq=2 Destination Host Unreachable
From 192.168.224.46 icmp_seq=3 Destination Host Unreachable

Any ideas?

Best regards,
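Added example, not part of the post above and not OpenVPN's own tooling: a POSIX shell script that runs the two checks a reader of this thread would want to make on the server. First, it extracts the tap device that OpenVPN reports opening from the server log (the log above says "TUN/TAP device tap1 opened", while the server's ifconfig lists tap0 as the tap interface sharing br0's MAC address) and tests whether that device is a member of the bridge; with a bare "dev tap" in server.conf, OpenVPN creates the next free tapN instead of attaching to a pre-created, bridged device. Second, it flags the weak settings visible in the logs: 1024-bit Diffie-Hellman parameters, the OpenVPN 2.1 default data-channel cipher BF-CBC (Blowfish, a 64-bit block cipher), no tls-auth on the control channel, and comp-lzo. The config excerpt, log lines and bridge membership list embedded in the script are constructed from the post (the membership list, eth0 plus tap0 on br0, is an assumption); the hardened server.conf beside them is a hypothetical alternative whose "tls-auth ta.key 0" line presumes a key generated with "openvpn --genkey --secret ta.key". On a live server, replace the embedded inputs with the real files and the output of "ls /sys/class/net/br0/brif".

```shell
#!/bin/sh
# Added example (not OpenVPN's own tooling): sanity checks for a bridged
# "dev tap" OpenVPN server. The inputs below are constructed from the
# config and log excerpts in the post; on a real server read the files
# and take bridge membership from: ls /sys/class/net/br0/brif

# Constructed: the post's server.conf, lines irrelevant to the checks omitted.
SERVER_CONF='port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 192.168.224.29 255.255.248.0 192.168.224.46 192.168.224.47
comp-lzo
user openvpn
group openvpn'

# Constructed: the two server log lines the checks rely on.
SERVER_LOG='Sat Oct 2 23:43:43 2010 Diffie-Hellman initialized with 1024 bit key
Sat Oct 2 23:43:43 2010 TUN/TAP device tap1 opened'

# Assumption: br0 on the server holds eth0 and the pre-created tap0.
BRIDGE_MEMBERS='eth0
tap0'

# Hypothetical hardened counterpart (assumes ta.key was made with
# "openvpn --genkey --secret ta.key" and dh2048.pem holds 2048-bit params).
FIXED_CONF='port 1194
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server-bridge 192.168.224.29 255.255.248.0 192.168.224.46 192.168.224.47
user openvpn
group openvpn'
FIXED_LOG='Diffie-Hellman initialized with 2048 bit key
TUN/TAP device tap0 opened'

# Name of the TUN/TAP device OpenVPN reported opening (last match wins).
opened_tap_dev() {
    printf '%s\n' "$1" | sed -n 's/.*TUN\/TAP device \([a-z0-9]*\) opened.*/\1/p' | tail -n 1
}

# Bit length from the "Diffie-Hellman initialized with N bit key" line.
dh_bits() {
    printf '%s\n' "$1" | sed -n 's/.*Diffie-Hellman initialized with \([0-9]*\) bit key.*/\1/p' | tail -n 1
}

# True when device $1 is in the newline-separated member list $2.
is_bridge_member() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Value of option $2 in config text $1 (first match), empty if absent.
conf_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^ /, ""); print; exit }'
}

# True when option $2 is set anywhere in config text $1.
conf_has() {
    printf '%s\n' "$1" | awk -v opt="$2" '$1 == opt { f = 1 } END { exit !f }'
}

# Audit config $1, log $2 and bridge members $3; prints one line per
# finding and returns the number of findings (0 = nothing to fix).
audit_bridged_server() {
    n=0
    if [ "$(conf_value "$1" dev)" = tap ]; then
        echo "dev tap has no unit number: OpenVPN creates the next free tapN instead of attaching to a pre-created bridged device"; n=$((n + 1))
    fi
    dev=$(opened_tap_dev "$2")
    if [ -n "$dev" ] && ! is_bridge_member "$dev" "$3"; then
        echo "log shows $dev opened, but $dev is not a bridge member"; n=$((n + 1))
    fi
    bits=$(dh_bits "$2")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "Diffie-Hellman parameters are only $bits bits"; n=$((n + 1))
    fi
    if ! conf_has "$1" cipher; then
        echo "no cipher line: OpenVPN 2.1 defaults to BF-CBC, a 64-bit block cipher"; n=$((n + 1))
    fi
    if ! conf_has "$1" tls-auth; then
        echo "no tls-auth: anyone reaching port 1194 can start a TLS handshake"; n=$((n + 1))
    fi
    if conf_has "$1" comp-lzo; then
        echo "comp-lzo enabled: compression of attacker-influenced data leaks plaintext"; n=$((n + 1))
    fi
    return $n
}

audit_bridged_server "$SERVER_CONF" "$SERVER_LOG" "$BRIDGE_MEMBERS" || echo "findings: $?"
audit_bridged_server "$FIXED_CONF" "$FIXED_LOG" "$BRIDGE_MEMBERS" || echo "findings: $?"
```

Run as-is, the script reports six findings for the configuration in the post and none for the hardened one. The hardened lines stay within what OpenVPN 2.1 supports; on OpenVPN 2.4 and later, tls-crypt (which also encrypts the control channel) and cipher AES-256-GCM are the stronger replacements for tls-auth and AES-256-CBC.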