Can't ping beyond internal gateway

uni
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 08, 2013 7:32 pm

Can't ping beyond internal gateway

Post by uni » Fri Feb 08, 2013 8:15 pm

I have an OpenVPN Ubuntu server with two NICs, eth0 (internet) and eth1 (local, 192.168.1.6). When I connect to this server from a Windows 7 OpenVPN client, I can ping eth1 fine (as well as the tun0 interface on the server) and even RDP to an internal box. However, I cannot ping any other hosts in the internal LAN from the Windows 7 machine. I can ping these internal devices from the Ubuntu server.

Server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server1.crt
key /etc/openvpn/server1.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3

Client config:

client
remote x.x.x.x
port 1194
proto udp
script-security 2
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-retry interact
comp-lzo yes
verb 3
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\Js-T520.crt"
key "C:\\Program Files\\OpenVPN\\config\\Js-T520.key"
management 127.0.0.1 1194
management-hold
management-query-passwords
auth-retry interact

Iptables output:

Chain INPUT (policy ACCEPT 17 packets, 1891 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1157  166K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   49  3392 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp spt:https state ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp spt:domain
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp spt:ssh
    2    96 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:imap2 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http limit: avg 25/min burst 100
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:openvpn
   10   658 DROP       udp  --  eth0   any     anywhere             anywhere
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT 13 packets, 1631 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3443  677K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    192.168.0.0/24       anywhere             ctstate NEW
    0     0 ACCEPT     all  --  tun0   eth0    10.8.0.0/24          anywhere             ctstate NEW
    0     0 ACCEPT     all  --  tun0   eth1    10.8.0.0/24          192.168.1.0/24       ctstate NEW

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1411  228K ACCEPT     all  --  any    any     anywhere             anywhere             state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:http state ESTABLISHED
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:https state ESTABLISHED
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:ssh
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:smtp state ESTABLISHED
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:imap2 state ESTABLISHED
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:pop3 state ESTABLISHED
    0     0 ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:openvpn

NAT Rules:
root@server1:~#  iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 49 packets, 5410 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   204 DNAT       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:3389 to:192.168.1.50:3389

Chain INPUT (policy ACCEPT 17 packets, 2474 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 81 packets, 6053 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 58 packets, 3911 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  4161 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    10.8.0.0/24          anywhere
uni
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 08, 2013 7:32 pm

Re: Can't ping beyond internal gateway

Post by uni » Fri Feb 08, 2013 9:28 pm

Here's the issue: no ping replies...

root@server1:~# tcpdump -nnl -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
13:15:21.439987 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 593, length 40
13:15:26.259584 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 594, length 40
13:15:31.259744 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 595, length 40
13:15:36.259195 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 596, length 40

This works if I ping the eth1 internal NIC (notice the word "reply"):

root@server1:~# tcpdump -nnl -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
13:16:50.551290 IP 10.8.0.6 > 192.168.1.6: ICMP echo request, id 1, seq 601, length 40
13:16:50.551368 IP 192.168.1.6 > 10.8.0.6: ICMP echo reply, id 1, seq 601, length 40
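
Added example (not the poster's code): a small Python script that pairs ICMP echo requests with their replies in tcpdump output like the captures above and reports which destinations never answered. The sample capture is constructed from the lines quoted in this post; the server's own addresses are passed in separately, because a request to 192.168.1.6 is answered by the VPN server itself, while a request to 192.168.1.50 has to be forwarded and its reply has to find a route back to 10.8.0.0/24 (or be blocked by the host's own firewall), so a silent forwarded host is the symptom worth separating out.

```python
import re
from collections import defaultdict

# Matches tcpdump's ICMP echo lines, e.g.
# "13:15:21.439987 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 593, length 40"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Sample capture constructed from the lines quoted in the post above.
SAMPLE_CAPTURE = """\
13:15:21.439987 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 593, length 40
13:15:26.259584 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 594, length 40
13:15:31.259744 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 595, length 40
13:15:36.259195 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1, seq 596, length 40
13:16:50.551290 IP 10.8.0.6 > 192.168.1.6: ICMP echo request, id 1, seq 601, length 40
13:16:50.551368 IP 192.168.1.6 > 10.8.0.6: ICMP echo reply, id 1, seq 601, length 40
"""

def pair_echoes(capture):
    """Return {dst: (requests_sent, replies_seen)}, matching each reply to
    the request with the same endpoints, ICMP id and sequence number."""
    requests = {}      # (src, dst, id, seq) -> destination pinged
    answered = set()   # keys of requests that got a reply
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue   # non-ICMP or unparseable line: skip it
        src, dst, kind = m["src"], m["dst"], m["kind"]
        icmp_id, seq = int(m["id"]), int(m["seq"])
        if kind == "request":
            requests[(src, dst, icmp_id, seq)] = dst
        else:
            # A reply travels the reverse direction of its request.
            answered.add((dst, src, icmp_id, seq))
    stats = defaultdict(lambda: [0, 0])
    for key, dst in requests.items():
        stats[dst][0] += 1
        if key in answered:
            stats[dst][1] += 1
    return {dst: tuple(v) for dst, v in stats.items()}

def silent_destinations(capture, gateway_addrs):
    """Destinations pinged but never answered, excluding the VPN server's own
    addresses: those are answered locally, so a silent forwarded host points
    at the return path (routing/NAT) or the host's firewall, not the tunnel."""
    return sorted(dst for dst, (sent, got) in pair_echoes(capture).items()
                  if got == 0 and dst not in gateway_addrs)

if __name__ == "__main__":
    for dst, (sent, got) in pair_echoes(SAMPLE_CAPTURE).items():
        print(f"{dst}: {sent} requests, {got} replies")
    print("silent forwarded hosts:", silent_destinations(SAMPLE_CAPTURE, {"192.168.1.6"}))
```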
