OpenVPN clients can't ping each other

torontob
OpenVpn Newbie
Posts: 14
Joined: Fri Sep 16, 2011 5:51 pm

OpenVPN clients can't ping each other

Post by torontob » Sat Jan 26, 2013 11:50 pm

Hi everyone,

I have trouble with clients not picking static IPs and also not being able to ping each other. Can someone please tell me what is wrong in the settings below?

Server is on CentOS (Redhat)
Clients are on Microsoft Windows 2008 R2 Server

Server
---------------------------------------------------

Code:

port 1194
proto udp
dev tun

server 172.16.1.0 255.255.255.0
management 127.0.0.1 7505

ca ca.crt
cert certificate.crt
key certificate.key
dh dh1024.pem

push "route 172.16.1.0 255.255.255.0"
push "route 172.16.0.1 255.255.255.255"

client-to-client

keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

Client
---------------------------------------------------

Code:

client
dev tun
proto udp
remote mydomain.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert certificate-1.crt
key certificate-1.key
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

I tried "ccd" and "ipp.txt" but it's no help. For static IP ifconfig-push options is it necessary for those IPs to be out of the server range of "172.16.0.0/24"? Also, for static IP for Windows do I have to use specific pairs of IPs and how?

For client to client, I tried inserting client-to-client in server.conf but it didn't help. Is there anything else I have to do to get it running?

Thanks.

torontob
OpenVpn Newbie
Posts: 14
Joined: Fri Sep 16, 2011 5:51 pm

Re: OpenVPN clients can't ping each other

Post by torontob » Sun Jan 27, 2013 12:17 am

***Correction: Both server and client are on Windows machines.

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: OpenVPN clients can't ping each other

Post by mwandelaar » Sun Jan 27, 2013 10:08 am

The first thing I noticed in your config is the line

Code:

push "route 172.16.0.1 255.255.255.255"

Who owns this ip-address? It's out of the server-scope so it's routed via 172.16.1.1 (the server's vpn-ip-address)

On my first impression I can't really find an error in the config files, so let's try to cut things down into pieces:
  • After connection, can you, on the client, ping the local vpn-ip-address?
  • After connection, can you ping the remote server-vpn-ip-address from the client?
  • After connection, can you ping the remote client-vpn-ip-address from the server?
These steps can figure out if you have firewall / routing-issues

Your other question about fixed ip-addresses with ipp/ccd: No, it's easier to have them in the normal range, to prevent routing-problems, although it is possible to configure them outside the dynamic range of the server.

torontob
OpenVpn Newbie
Posts: 14
Joined: Fri Sep 16, 2011 5:51 pm

Re: OpenVPN clients can't ping each other

Post by torontob » Sun Jan 27, 2013 8:35 pm

mwandelaar - Thanks for the input.

The same server has the IP range 172.16.0.1/24 so that's why you see the line below. This line works fine and is not an issue. I have also removed this to test things and still fail:
push "route 172.16.0.1 255.255.255.255"
After connection, can you, on the client, ping the local vpn-ip-address?
YES - I can ping the local IP OpenVPN gives me as a client which is something like 172.16.1.6
After connection, can you ping the remote server-vpn-ip-address from the client?
YES - I can ping 172.16.1.1 which is the OpenVPN server
After connection, can you ping the remote client-vpn-ip-address from the server?
NO - I can't ping the openvpn client of 172.16.1.6 from openvpn server of 172.16.1.1

My other questions:
1- For fixed IP, can you please detail what I need in ccd folder and in server.ovpn for it to assign fixed IPs?
2- Why doesn't my client-to-client option work? Is there something else I am missing?

***All the servers and clients involved are Windows 7, Windows 2008 Server. Client doesn't have firewall other than windows firewall which is set by default.

Thanks

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: OpenVPN clients can't ping each other

Post by mwandelaar » Mon Jan 28, 2013 4:09 pm

NO - I can't ping the openvpn client of 172.16.1.6 from openvpn server of 172.16.1.1
As the other 2 tests were positive (as they are both outbound) it should be something on the client-side; this really looks like a firewall-issue on the client-side.
Today I had a similar issue with one of my Windows 7 clients. Although I'm not a Windows-user, I can quote the solution we found here.
The user had in his firewall several trusted zones, but not the VPN-range. After including this range (which should be 172.16.1.0/24 in your case) and restarting the firewall-application, things went smoothly.

If you want client-to-client traffic, the clients must accept inbound traffic from the VPN-address-space.

For the CCD-options, here's what a CCD for your setup should look like:

Server

Code:

client-config-dir /etc/openvpn/ccd

File /etc/openvpn/ccd/mwandelaar (where mwandelaar is the common name from the client-cert)

Code:

ifconfig-push 172.16.1.24 255.255.255.0
push "route-gateway 172.16.1.1"

Hope that helps

torontob
OpenVpn Newbie
Posts: 14
Joined: Fri Sep 16, 2011 5:51 pm

Re: OpenVPN clients can't ping each other

Post by torontob » Mon Jan 28, 2013 7:31 pm

Thanks again mwandelaar. Turning the Windows Firewall OFF just did it. You were right.
ifconfig-push 172.16.1.24 255.255.255.0
push "route-gateway 172.16.1.1"
1- So, if I understand right, the ifconfig-push would push static IP 172.16.1.24 from the server dynamic DHCP pool to client that is defined by its name in ccd\ folder. Client uses Windows so is the subnet 255.255.255.0 the right thing to use or should that be the gateway like 172.16.1.1? (I think I read something about that somewhere that Windows clients are different from Linux clients - specifically something about IP pairs...)

2- What does push "route-gateway 172.16.1.1" do?

3- The OpenVPN server has a local IP of 192.168.20.10 and I can push that in server.conf by doing:
push "route 192.168.20.0 255.255.255.0". But there are also other servers on the OpenVPN lan side that I want my client to be able to reach but it can't. As you can see I push the whole 192.168.10.0/24 network but client is only able to ping 192.168.10.10 which is the local IP of OpenVPN server. How can I fix that?

Thanks again.

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: OpenVPN clients can't ping each other

Post by mwandelaar » Tue Jan 29, 2013 6:23 am

Oops, I made a small mistake in giving you an answer. I'm sorry to confuse you.
I'm using the:

Code:

topology subnet

directive in my server-conf, where the entire network is a subnet and thus only needing a single ip-address for every connecting client.
In this format you need to push the subnet (172.16.1.0/24) to the client and the gateway to this subnet.

If you do not have this directive and therefore have the point-to-point connections, the ccd-file is a little different:

Code:

ifconfig-push 172.16.1.24 172.16.1.25
push "route-gateway 172.16.1.25"

where in this case your client will still be the 172.16.1.24 and the point-to-point connection on the other side of the tunnel will be 172.16.1.25 (the server in this case)

Depending on the config, you need to choose which config to use. Although I really can advise you to use the directive "topology subnet" as maintaining ip-addresses is easier. And it works on all the OS-es.
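
A check for ccd ifconfig-push lines under the two topologies discussed in this thread, as an added example that is not from the thread; the function name is made up here. For net30 it applies the rule from the OpenVPN documentation that Windows clients need both endpoints to be the two usable hosts of one /30 (last octets 1/2, 5/6, 9/10, ...), which is the "IP pairs" point torontob asks about.

```python
import ipaddress

def check_ifconfig_push(line, server_net, topology):
    """Return a list of problems with one ccd ifconfig-push line ([] = OK)."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["expected: ifconfig-push <local> <netmask-or-remote>"]
    try:
        local = ipaddress.ip_address(parts[1])
        second = ipaddress.ip_address(parts[2])
    except ValueError as exc:
        return [str(exc)]
    net = ipaddress.ip_network(server_net)
    server_ip = net.network_address + 1   # the "server" directive takes the first host
    problems = []
    if local not in net:
        problems.append(f"{local} is outside the VPN network {net}")
    if topology == "subnet":
        # Second argument is a netmask: one address per client.
        if second != net.netmask:
            problems.append(f"{second} is not the server netmask {net.netmask}")
        if local in (net.network_address, net.broadcast_address, server_ip):
            problems.append(f"{local} is reserved in {net}")
    elif topology == "net30":
        # Second argument is the remote endpoint of a point-to-point pair.
        slot = ipaddress.ip_network(f"{local}/30", strict=False)
        hosts = list(slot.hosts())
        if local not in hosts:
            problems.append(f"{local} is the network or broadcast address of {slot}")
        if second == local or second not in hosts:
            problems.append(f"{second} is not the other usable host of {slot}")
        if server_ip in slot:
            problems.append(f"{slot} is the /30 the server uses for itself")
    else:
        problems.append(f"unknown topology {topology!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample lines, using the 172.16.1.0/24 range from this thread.
    for topo, line in [("subnet", "ifconfig-push 172.16.1.24 255.255.255.0"),
                       ("net30", "ifconfig-push 172.16.1.24 172.16.1.25"),
                       ("net30", "ifconfig-push 172.16.1.25 172.16.1.26")]:
        print(topo, line, check_ifconfig_push(line, "172.16.1.0/24", topo))
```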
