Need help about VPN routing

lpsvn
OpenVpn Newbie
Posts: 6
Joined: Mon Jun 18, 2012 11:48 am

Need help about VPN routing

Post by lpsvn » Mon Jun 18, 2012 11:57 am

I have set up an OpenVPN server on a CentOS server with one interface that has a WAN IP address. I have one office LAN with the subnet 192.168.1.0/24. The OpenVPN client on my LAN has IP 192.168.1.8 (Windows Server 2008).

My server.conf

port 1194
proto tcp
dev tun
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key # This file should be kept secret
dh easy-rsa/2.0/keys/dh1024.pem
server 10.199.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status logs/openvpn-status.log
log logs/openvpn.log
verb 3


When OpenVPN starts, the server has IP 10.199.1.1 on dev tun0.
My client ccd:

ifconfig-push 10.199.1.5 10.199.1.6
iroute 192.168.1.0 255.255.255.0



Now my client (192.168.1.8) can ping the server IP 10.199.1.1. But I want every host on my LAN subnet 192.168.1.0/24 to be able to ping 10.199.1.1. So these are my steps:

1. Enable IP forwarding on my Linux server
2. Enable IP forwarding on my OpenVPN client (IPEnableRouter=1)
3. Add a static route on my ADSL router: 10.199.1.0 via 192.168.1.8

But if I use a LAN PC with an IP like 192.168.1.10, I cannot ping the OpenVPN server (10.199.1.1).

So please help me troubleshoot this :( because I have tried several ways without success.

I'm a newbie :D
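The three directives the setup above depends on live in different files and have to agree: `route` in server.conf (so the kernel hands packets for the LAN to tun0), `iroute` in the gateway client's ccd file (so OpenVPN knows which client owns that LAN), and a pushed `route` for every other client that should reach it. The script below is an added example, not from this thread or the OpenVPN project: it parses a server.conf and its ccd directory and reports the mismatches. The sample server.conf and ccd files it creates are constructed to mirror this thread's layout, plus one deliberately broken entry (ccd/branch) that is an assumption for the demo; the file names are assumptions as well.

```sh
#!/bin/sh
# check_openvpn_routing.sh -- cross-check `route` (server.conf), `iroute` (ccd) and
# push "route" (server.conf or ccd) for a routed site-to-site OpenVPN server.
# Added example for this thread, not OpenVPN project code. Assumes OpenVPN 2.x syntax;
# the demo server.conf and ccd files below are constructed, "branch" is a made-up client.

# "net mask" for every `route` line in a server config (comments stripped first).
cfg_routes() {
    awk '{ sub(/[#;].*/, "") } $1 == "route" && NF >= 3 { print $2, $3 }' "$1"
}

# "net mask" for every push "route net mask" line in a file (server.conf or a ccd file).
pushed_routes() {
    awk '{ sub(/[#;].*/, "") }
         $1 == "push" && $2 == "\"route" && NF >= 4 { gsub(/"/, "", $4); print $3, $4 }' "$1"
}

# "client net mask" for every `iroute` in every file of a ccd directory.
ccd_iroutes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v c="$(basename "$f")" '{ sub(/[#;].*/, "") }
            $1 == "iroute" && NF >= 3 { print c, $2, $3 }' "$f"
    done
}

# has_pair "lines" net mask: true if some line ends in "net mask" (exact match, not regex).
has_pair() {
    printf '%s\n' "$1" |
        awk -v n="$2" -v m="$3" 'NF >= 2 && $(NF-1) == n && $NF == m { f = 1 } END { exit !f }'
}

# Print ERROR/WARN findings for server.conf + ccd dir; return 1 if any ERROR, else 0.
check_routing() {
    conf=$1; ccd=$2
    routes=$(cfg_routes "$conf"); iroutes=$(ccd_iroutes "$ccd"); gpush=$(pushed_routes "$conf")
    findings=$( {
        # 1. iroute without route: the kernel never hands those packets to tun0.
        printf '%s\n' "$iroutes" | while read -r client net mask; do
            [ -n "$client" ] || continue
            has_pair "$routes" "$net" "$mask" ||
                echo "ERROR: $client: iroute $net $mask has no matching route in server.conf"
        done
        # 2. route without iroute: OpenVPN receives the packet but has no client to give it to.
        printf '%s\n' "$routes" | while read -r net mask; do
            [ -n "$net" ] || continue
            has_pair "$iroutes" "$net" "$mask" ||
                echo "ERROR: route $net $mask in server.conf is not claimed by any iroute"
        done
        # 3. one subnet iroute-d from two ccd files: only one client can own it.
        printf '%s\n' "$iroutes" | awk 'NF { k = $2 " " $3; who[k] = who[k] " " $1; n[k]++ }
            END { for (k in n) if (n[k] > 1) print "ERROR: subnet " k " claimed by more than one client:" who[k] }'
        # 4. every other client needs the subnet pushed, globally or from its own ccd file.
        #    (OpenVPN 2.x drops a global push "route" for the client whose iroute covers it.)
        printf '%s\n' "$iroutes" | while read -r owner net mask; do
            [ -n "$owner" ] || continue
            for f in "$ccd"/*; do
                c=$(basename "$f")
                [ "$c" != "$owner" ] || continue
                has_pair "$(printf '%s\n' "$gpush"; pushed_routes "$f")" "$net" "$mask" ||
                    echo "WARN: $c: no push \"route $net $mask\" (global or in ccd/$c), so it cannot reach $net"
            done
        done
    } )
    [ -z "$findings" ] || printf '%s\n' "$findings"
    case $findings in *ERROR*) return 1 ;; esac
    return 0
}

# Constructed demo mirroring the thread: ccd/office owns 192.168.1.0/24 via iroute,
# ccd/laptop gets it pushed, and ccd/branch claims a subnet the server has no route for.
make_demo_dir() {
    d=$(mktemp -d); mkdir "$d/ccd"
    cat > "$d/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
server 10.199.1.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0   # office LAN behind the client "office"
#push "route 192.168.1.0 255.255.255.0"
client-to-client
keepalive 10 120
EOF
    printf 'ifconfig-push 10.199.1.9 10.199.1.10\niroute 192.168.1.0 255.255.255.0\n' > "$d/ccd/office"
    printf 'ifconfig-push 10.199.1.5 10.199.1.6\npush "route 192.168.1.0 255.255.255.0"\n' > "$d/ccd/laptop"
    printf 'iroute 192.168.2.0 255.255.255.0\n' > "$d/ccd/branch"
    printf '%s\n' "$d"
}

if [ $# -eq 2 ]; then
    check_routing "$1" "$2"        # e.g. sh check_openvpn_routing.sh /etc/openvpn/server.conf /etc/openvpn/ccd
else
    demo=$(make_demo_dir)
    check_routing "$demo/server.conf" "$demo/ccd" || echo "(fix server.conf/ccd before restarting openvpn)"
    rm -rf "$demo"
fi
```

Run without arguments it checks the constructed demo and reports the broken "branch" entry; with the two real paths it checks the live configuration. None of this replaces `sysctl net.ipv4.ip_forward=1`, the iptables FORWARD rules, or the return route on the LAN side: it only catches the OpenVPN-level mismatches that make packets vanish silently on the server.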

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Need help about VPN routing

Post by janjust » Mon Jun 18, 2012 12:50 pm

this is most likely a routing issue in Win2008 - check the output of

ipconfig /all

and look for 'IP Forwarding'. Also check any firewalls on the tap-win32 adapter.


Re: Need help about VPN routing

Post by lpsvn » Tue Jun 19, 2012 5:27 am

Interface Local Area Connection 2 Parameters
----------------------------------------------
IfLuid : ethernet_9
IfIndex : 19
State : connected
Metric : 30
Link MTU : 1500 bytes
Reachable Time : 26000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 3
Site Prefix Length : 64
Site Id : 1
Forwarding : enabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : dhcp
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled

This is the TAP interface on my Windows 2008 :cry: . I have also turned off the firewall on both servers.


Re: Need help about VPN routing

Post by janjust » Tue Jun 19, 2012 12:15 pm

Looks OK (Forwarding = enabled, so the registry key was picked up).

Install wireshark on the client and have it listen on the tap-win32 adapter; then ping the VPN client from a machine on the server side LAN - is any traffic coming through?


Re: Need help about VPN routing

Post by lpsvn » Wed Jun 20, 2012 5:30 am

lpsvn wrote: (quoting the original post above)
Update: now my LAN network (192.168.1.0/24) can ping the OpenVPN server (10.199.1.1). Sorry, I had made a mistake with the routing on the OpenVPN client on my LAN (192.168.1.8), so it could not route correctly.

But now I have one question: I created a new client named client2 (for my laptop). I created the ccd file for client2 like this:
ifconfig-push 10.199.1.9 10.199.1.10
push "route 192.168.1.0 255.255.255.0"

I connect with this client. From it I can ping the OpenVPN server (10.199.1.1) and the OpenVPN client on my LAN (192.168.1.8), but I cannot ping the PC on my LAN network (192.168.1.10). So what do I need to do next?


Re: Need help about VPN routing

Post by janjust » Wed Jun 20, 2012 7:47 am

run a traceroute (or 'tracert') to 192.168.1.10; run 'tcpdump -nnel -i tun0' on the server to watch the flow of packets going from the laptop to 192.168.1.10.
And finally, this may seem odd, but try *disabling* client-to-client and make sure your iptables is set up to forward tun-to-tun packets, e.g.

iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT


Re: Need help about VPN routing

Post by lpsvn » Tue Jun 26, 2012 2:51 am

Dear janjust,

Thank you very much for helping me troubleshoot. This is my update:

I have tried your suggestion:
And finally, this may seem odd, but try *disabling* client-to-client and make sure your iptables is set up to forward tun-to-tun packets, e.g.
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
but no luck. After a review I have found something strange:

On my OpenVPN server I cannot ping 192.168.1.10 either:

Below is my traceroute:

On my OpenVPN server: ping 192.168.1.10

tcpdump: tcpdump -nnel -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
09:46:02.783696 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 1, length 64
09:46:03.783564 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 2, length 64
09:46:04.783540 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 3, length 64
09:46:05.783467 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 4, length 64
09:46:06.783500 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 5, length 64
09:46:07.783531 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 6, length 64

Wireshark on client1 (192.168.1.8): [screenshot not reproduced here]

On my OpenVPN Server : traceroute 192.168.1.10

traceroute to 192.168.1.10 (192.168.1.10), 30 hops max, 60 byte packets
1 10.199.1.9 (10.199.1.9) 2.613 ms 5.054 ms 46.779 ms
2 * * *
3 192.168.1.10 (192.168.1.10) 46.579 ms 3.366 ms 5.537 ms

On my OpenVPN Server :

tcpdump -nnel -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
09:53:57.188551 ip: 10.199.1.1.36756 > 192.168.1.10.33434: UDP, length 32
09:53:57.188584 ip: 10.199.1.1.37597 > 192.168.1.10.33435: UDP, length 32
09:53:57.188602 ip: 10.199.1.1.42653 > 192.168.1.10.33436: UDP, length 32
09:53:57.188620 ip: 10.199.1.1.51017 > 192.168.1.10.33437: UDP, length 32
09:53:57.188640 ip: 10.199.1.1.39804 > 192.168.1.10.33438: UDP, length 32
09:53:57.188657 ip: 10.199.1.1.46296 > 192.168.1.10.33439: UDP, length 32
09:53:57.188672 ip: 10.199.1.1.44111 > 192.168.1.10.33440: UDP, length 32
09:53:57.188686 ip: 10.199.1.1.49539 > 192.168.1.10.33441: UDP, length 32
09:53:57.188701 ip: 10.199.1.1.33666 > 192.168.1.10.33442: UDP, length 32
09:53:57.188716 ip: 10.199.1.1.33988 > 192.168.1.10.33443: UDP, length 32
09:53:57.188732 ip: 10.199.1.1.37534 > 192.168.1.10.33444: UDP, length 32
09:53:57.188778 ip: 10.199.1.1.55147 > 192.168.1.10.33445: UDP, length 32
09:53:57.188797 ip: 10.199.1.1.50918 > 192.168.1.10.33446: UDP, length 32
09:53:57.188816 ip: 10.199.1.1.43739 > 192.168.1.10.33447: UDP, length 32
09:53:57.188832 ip: 10.199.1.1.36467 > 192.168.1.10.33448: UDP, length 32
09:53:57.188847 ip: 10.199.1.1.38644 > 192.168.1.10.33449: UDP, length 32
09:53:57.191147 ip: 10.199.1.9 > 10.199.1.1: ICMP time exceeded in-transit, length 68
09:53:57.193635 ip: 10.199.1.9 > 10.199.1.1: ICMP time exceeded in-transit, length 68
09:53:57.233896 ip: 10.199.1.1.58802 > 192.168.1.10.33450: UDP, length 32
09:53:57.233976 ip: 10.199.1.1.50121 > 192.168.1.10.33451: UDP, length 32
09:53:57.235378 ip: 10.199.1.9 > 10.199.1.1: ICMP time exceeded in-transit, length 68
09:53:57.235423 ip: 192.168.1.10 > 10.199.1.1: ICMP 192.168.1.10 udp port 33449 unreachable, length 68
09:53:57.237253 ip: 192.168.1.10 > 10.199.1.1: ICMP 192.168.1.10 udp port 33450 unreachable, length 68
09:53:57.239506 ip: 192.168.1.10 > 10.199.1.1: ICMP 192.168.1.10 udp port 33451 unreachable, length 68

Please help me out


Re: Need help about VPN routing

Post by janjust » Tue Jun 26, 2012 9:46 am

hmmm, seems like the packet SRC=10.199.1.1 DST=192.168.1.10 never reaches the client - can you run wireshark on the 192.168.1.10 host to see if packets arrive there? Also, is the return route and/or default GW set up correctly on this client? What happens if you manually add a route on the client

route add 10.199.1.0 mask 255.255.255.0 192.168.1.8

?
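The tcpdump output in the previous post is the one-way pattern described here: echo requests leave tun0 and nothing comes back for them. The script below is an added example, not from this thread or the OpenVPN project. It pairs every ICMP echo request in `tcpdump -nn -i tun0` text output with its reply, keyed on the two addresses plus the ICMP id and sequence number, and lists the requests that were never answered, so a longer capture can be judged at a glance instead of by eye. The capture it feeds itself is constructed: three request lines taken from the post above plus one request/reply pair to 192.168.1.8 that is made up for the demo.

```sh
#!/bin/sh
# unanswered_pings.sh -- list ICMP echo requests in `tcpdump -nn -i tun0` output that
# never got an echo reply. Added example for this thread, not OpenVPN project code.
# Assumes tcpdump's text format as posted above, e.g.
#   09:46:02.783696 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 1, length 64
# ("ip:" comes from -e on a tun interface; the parser locates the ">" token, so captures
# taken without -e parse the same way). Keys are only unique within one capture.

# Reads tcpdump lines on stdin; prints one line per unanswered request.
# Exit status 0 when every request was answered, 1 otherwise.
unanswered_pings() {
    awk '
        /ICMP echo (request|reply)/ {
            src = ""; dst = ""; id = ""; seq = ""
            for (i = 2; i <= NF; i++) {
                if ($i == ">")   { src = $(i-1); dst = $(i+1); sub(/:$/, "", dst) }
                if ($i == "id")  { id  = $(i+1); sub(/,$/, "", id) }
                if ($i == "seq") { seq = $(i+1); sub(/,$/, "", seq) }
            }
            if ($0 ~ /echo request/) {
                key = src " > " dst " id " id " seq " seq
                if (!(key in sent)) order[++n] = key   # report in first-seen order
                sent[key] = $1                         # timestamp the request left tun0
            } else {
                # a reply travels the other way: its src/dst are the request dst/src
                delete sent[dst " > " src " id " id " seq " seq]
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                if (order[i] in sent) { print order[i] " (sent " sent[order[i]] ", no reply)"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: three unanswered requests from the thread plus one answered pair
# (the reply line is made up for the demo).
sample_capture() {
    cat <<'EOF'
09:46:02.783696 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 1, length 64
09:46:03.783564 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 2, length 64
09:46:04.783540 ip: 10.199.1.1 > 192.168.1.10: ICMP echo request, id 51979, seq 3, length 64
09:47:10.100000 ip: 10.199.1.1 > 192.168.1.8: ICMP echo request, id 51980, seq 1, length 64
09:47:10.102500 ip: 192.168.1.8 > 10.199.1.1: ICMP echo reply, id 51980, seq 1, length 64
EOF
}

if [ "$1" = "-" ]; then
    unanswered_pings        # e.g.  tcpdump -nnl -i tun0 -c 40 icmp | sh unanswered_pings.sh -
else
    sample_capture | unanswered_pings || echo "one-way traffic: check the return route on the far side"
fi
```

A request that shows up here but is never seen by Wireshark on the target host has been dropped between tun0 and that host (forwarding or firewall on the gateway client); one that the target does receive but that still shows up here has no working return route, which is what the `route add` above tests.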


Re: Need help about VPN routing

Post by lpsvn » Tue Jun 26, 2012 2:51 pm

Dear janjust,

Thank you very much for helping me troubleshoot. This is my update:

I have run several tests and found that:

On my OpenVPN server, if I ping 192.168.1.10 it does not work at first. But if I am on 192.168.1.10 and ping 10.199.1.1 (the IP of the OpenVPN server), then afterwards my OpenVPN server can ping 192.168.1.10. On my OpenVPN server, traceroute to 192.168.1.10:
traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 30 hops max, 60 byte packets
1 10.199.1.9 (10.199.1.9) 2.369 ms 4.830 ms 43.042 ms
2 192.168.1.10 (192.168.1.10) 43.074 ms 43.094 ms 43.113 ms
But if there is no network activity (for about 5 minutes) the route is lost. I mean that after about 5 minutes the OpenVPN server cannot ping 192.168.1.10 again :o . The same thing happens with my second client :cry:

My server.conf
port 1194
proto tcp
dev tun
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key # This file should be kept secret
dh easy-rsa/2.0/keys/dh1024.pem
server 10.199.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /opt/openvpn/ccd
#push "route 10.199.1.0 255.255.255.0"
#push "route 192.168.1.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
push "dhcp-option DNS 192.168.1.8"
#push "redirect-gateway def1"
client-to-client
keepalive 10 120
tls-auth /opt/openvpn/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status logs/openvpn-status.log
log logs/openvpn.log
verb 3
My first client (client1) config:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto tcp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
;mute-replay-warnings
ca ca.crt
cert office.crt
key office.key
ns-cert-type server
tls-auth ta.key 1
cipher BF-CBC
route-delay 3
comp-lzo
verb 3
;mute 20

My first client ccd file:
ifconfig-push 10.199.1.9 10.199.1.10
iroute 192.168.1.0 255.255.255.0

My second client ccd file:
ifconfig-push 10.199.1.5 10.199.1.6
push "route 192.168.1.0 255.255.255.0"

Now I'm stuck at this.


Re: Need help about VPN routing

Post by janjust » Tue Jun 26, 2012 2:59 pm

this is strange - if the server can reach the client for a couple of minutes after the client pings the server first, then you're looking at an ARP issue; are there any virtual machines involved?
Check the ARP table on the client after the .1.10 machine has reached the VPN server, then wait a few minutes to see if the ARP entry was deleted.


Re: Need help about VPN routing

Post by lpsvn » Tue Jun 26, 2012 3:49 pm

My CentOS server (the OpenVPN server) has a virbr0 interface.

My LAN client server (192.168.1.8) has Hyper-V.

Sorry, this server was not configured by me :(

If the virtual machine is the problem, how do I fix it? Please help me out. Thank you :mrgreen:


Re: Need help about VPN routing

Post by janjust » Wed Jun 27, 2012 12:17 pm

I have no experience using Hyper-V ... I do know that some virtualization products (VPS, OpenVZ, VMware ESXi) need different tweaks to get ARP to work.
I'll leave the question open to see if someone else has an answer.

preid
OpenVpn Newbie
Posts: 4
Joined: Sun Jul 29, 2012 12:49 am

Re: Need help about VPN routing

Post by preid » Sun Jul 29, 2012 2:54 am

You're using TCP for your connection. I'd be willing to bet that the router on one end or the other is timing out the connection. This is a common problem with VoIP phones that open a connection and then let it sit idle for a few minutes: the router will close the connection to keep its NAT state table clean. This could be happening to your idle VPN connection.

Snoop around your router's interface and see if you can find anything to do with "TCP Timeout". You'll likely find the router on one end or the other has it set to 5 minutes.

If this is the problem, you have three options:

1. Increase the timeout value, but be aware that the router may then run out of NAT state table entry slots and start refusing connections if it does.

2. Have something on the VPN send a heartbeat to keep the connection alive. A single background ping every few minutes would do it.

3. Some routers can set the timeout value on a per-firewall-rule basis. If yours is one of these, you can enter an allow firewall rule for the traffic on your VPN port and set the TCP timeout value to some high value, or even disable it, if it offers that option.
