[Solved] Routing not working, can't connect to lan devices

robster
OpenVpn Newbie
Posts: 8
Joined: Sat Nov 11, 2017 2:30 pm

[Solved] Routing not working, can't connect to lan devices

Post by robster » Sat Nov 11, 2017 2:42 pm

hey there.

I set up my openVPN server and clients are able to connect.

I would like to enable the clients to access the other devices in my lan.

Therefore I enabled IP forwarding and added the push route in my openvpn.conf, which looks like:

Code:

dev tun
proto udp
port 1194

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

user nobody
group nogroup

server 10.8.0.0 255.255.255.0
management 127.0.0.1 1195

persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client

push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"

push "dhcp-option DNS 192.168.0.1"
log-append /var/log/openvpn
comp-lzo
duplicate-cn
keepalive 10 120

tls-auth ta.key 0
mode server
tls-server
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
auth-nocache
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
My goal is that clients will be members of the 192.168.0.0 subnet and access other devices in that subnet.

When my client connects this is the log:

Code:

Sat Nov 11 15:36:14 2017 109.45.0.214:35593 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:XXXXX, sid=1de3208e 8b6c637c
Sat Nov 11 15:36:16 2017 109.45.0.214:35593 VERIFY OK: depth=1, CN=server
Sat Nov 11 15:36:16 2017 109.45.0.214:35593 VERIFY OK: depth=0, CN=mobile
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 [mobile] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:XXXXX
Sat Nov 11 15:36:17 2017 mobile/109.45.0.214:35593 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat Nov 11 15:36:17 2017 mobile/109.45.0.214:35593 MULTI: Learn: 10.8.0.6 -> mobile/XXX.XXX.XXX.XXX:XXXXX
Sat Nov 11 15:36:17 2017 mobile/109.45.0.214:35593 MULTI: primary virtual IP for mobile/XXX.XXX.XXX.XXX:XXXXX: 10.8.0.6
Sat Nov 11 15:36:18 2017 mobile/109.45.0.214:35593 PUSH: Received control message: 'PUSH_REQUEST'
Sat Nov 11 15:36:18 2017 mobile/109.45.0.214:35593 send_push_reply(): safe_cap=940
Sat Nov 11 15:36:18 2017 mobile/109.45.0.214:35593 SENT CONTROL [mobile]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Once connected my client can access the internet and gets the WAN IP of my server, but the client is not able to connect to other lan devices.

What am I missing here? Where can I continue looking?

Any help is very much appreciated!

robster

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing not working, can't connect to lan devices

Post by TinCanTech » Sat Nov 11, 2017 3:04 pm

robster wrote:
Sat Nov 11, 2017 2:42 pm
my client can access the internet and gets the WAN IP of my server, but the client is not able to connect to other lan devices
NOTE:
  • Your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
  → Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN!
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
    For example: 192.168.143.0/24
That could be the reason ..

Please post your client log at --verb 4

robster
OpenVpn Newbie
Posts: 8
Joined: Sat Nov 11, 2017 2:30 pm

Re: Routing not working, can't connect to lan devices

Post by robster » Sat Nov 11, 2017 7:36 pm

Hey TinCanTech.

Thanks for the advice. I will change the subnet at some point. But for now it would be too much effort and I consider it rather a last option before I go crazy :)

This is the server log at verbose 4 when my client connects.

Code:

Sat Nov 11 20:29:44 2017 mobile/xxx.xxx.xxx.xxx:xxx TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:xxx
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx VERIFY OK: depth=1, CN=server
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx VERIFY OK: depth=0, CN=mobile
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx TLS: tls_multi_process: untrusted session promoted to semi-trusted
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
Sat Nov 11 20:29:47 2017 mobile/xxx.xxx.xxx.xxx:xxx PUSH: Received control message: 'PUSH_REQUEST'
Sat Nov 11 20:29:47 2017 mobile/xxx.xxx.xxx.xxx:xxx send_push_reply(): safe_cap=940
Sat Nov 11 20:29:47 2017 mobile/xxx.xxx.xxx.xxx:xxx SENT CONTROL [mobile]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)


robster
OpenVpn Newbie
Posts: 8
Joined: Sat Nov 11, 2017 2:30 pm

Re: Routing not working, can't connect to lan devices

Post by robster » Sun Nov 12, 2017 11:25 am

I followed the instructions and I solved it.

Those two routing directives were missing:
route 192.168.0.0 255.255.255.0
client-config-dir /etc/openvpn

Plus I had to create a file that contains the iroute information for the client.

I can access my lan devices now :)

Thanks TinCanTech
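
An added example, not code from this thread or from the OpenVPN project: a small linter that reads a server config and reports the conditions this thread runs into, namely user/group versus persist-key/persist-tun, duplicate-cn combined with client-config-dir, a pushed LAN route on one of the default 192.168.0.0/24 or 192.168.1.0/24 subnets, and a server-side route for a LAN that is also pushed to clients (a server route steers that prefix into the tunnel, which is the site-to-site pattern used together with iroute). It also flags two caveats the thread does not spell out: LAN hosts need a return route to the 10.8.0.0/24 pool via the VPN server, or the server has to NAT the pool, and comp-lzo should be retired. CONFIG is a constructed copy of the posted server config with the two directives from this post added; the finding codes and message wording are made up here.

```python
"""Lint an OpenVPN 2.x server config for the issues raised in this thread.

Added example for this page: not code from the thread or from the OpenVPN
project. CONFIG is a constructed copy of the posted server config with the
two directives added in the follow-up post. Finding codes are made up here.
"""
import ipaddress
import shlex

# The two subnets OpenVPN's own startup NOTE singles out.
COMMON_SUBNETS = {ipaddress.ip_network("192.168.0.0/24"),
                  ipaddress.ip_network("192.168.1.0/24")}

CONFIG = """\
dev tun
proto udp
port 1194
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
management 127.0.0.1 1195
persist-key
persist-tun
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
comp-lzo
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
# added in the follow-up post
route 192.168.0.0 255.255.255.0
client-config-dir /etc/openvpn
"""


def parse_config(text):
    """Return [(directive, [args])] in file order; a quoted push payload stays one arg."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint(text):
    """Return [(level, code, message)] for one server config."""
    conf = parse_config(text)
    names = {d for d, _ in conf}

    def args(name):
        return [a for d, a in conf if d == name]

    f = []
    # Privilege drop: expected teardown noise vs. a real restart problem.
    if names & {"user", "group"}:
        if {"persist-key", "persist-tun"} <= names:
            f.append(("INFO", "PRIV_DROP", "user/group with persist-key/persist-tun: "
                      "'Operation not permitted' on route/addr deletion at exit is expected"))
        else:
            f.append(("WARN", "PRIV_DROP", "user/group without persist-key and persist-tun: "
                      "keys and tun cannot be reopened on restart after dropping root"))
    if "duplicate-cn" in names and "client-config-dir" in names:
        f.append(("WARN", "DUP_CN_CCD", "duplicate-cn with client-config-dir: ccd files are "
                  "keyed on the CN; OpenVPN warns this is 'probably not what you want'"))
    for a in args("management"):
        if len(a) < 3:
            f.append(("WARN", "MGMT_NOAUTH", f"management {a[0]}:{a[1]} has no pw-file: any "
                      "local user can connect and kill sessions or read state"))
    if names & {"comp-lzo", "compress"}:
        f.append(("WARN", "COMPRESSION", "data-channel compression is deprecated (VORACLE); "
                  "drop comp-lzo on server and clients together"))

    server_net = next((_net(a[0], a[1]) for a in args("server")), None)
    pushed = []
    for a in args("push"):
        inner = a[0].split()
        if len(inner) == 3 and inner[0] == "route":
            pushed.append(_net(inner[1], inner[2]))
    for net in pushed:
        if net in COMMON_SUBNETS:
            f.append(("WARN", "COMMON_SUBNET", f"pushed route {net} is a default home/cafe "
                      "subnet; a client sitting on such a LAN gets a routing conflict"))
        if server_net and server_net.overlaps(net):
            f.append(("ERROR", "OVERLAP", f"pushed route {net} overlaps the VPN pool {server_net}"))
        elif server_net:
            f.append(("INFO", "RETURN_PATH", f"hosts in {net} need a route to {server_net} via "
                      f"the VPN server, or the server must NAT {server_net} onto its LAN interface"))
    for a in args("route"):
        net = _net(a[0], a[1])
        if net in pushed:
            f.append(("WARN", "SERVER_ROUTE", f"route {net} on the server steers {net} into tun "
                      "(for a LAN behind a client, paired with iroute); if it is the server's own "
                      "LAN the kernel already has a direct route and the add fails with 'File exists'"))
    return f


if __name__ == "__main__":
    for level, code, msg in lint(CONFIG):
        print(f"{level:5} {code:14} {msg}")
```

Run it against your own config by replacing CONFIG with the file contents; on the posted config it reports seven findings, one per code. The RETURN_PATH line is the one to act on when clients reach the internet through the server but not the LAN: either add a static route for 10.8.0.0/24 pointing at the VPN server on the LAN gateway (192.168.0.1 here), or masquerade the pool on the server's eth0.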

robster
OpenVpn Newbie
Posts: 8
Joined: Sat Nov 11, 2017 2:30 pm

Re: Routing not working, can't connect to lan devices

Post by robster » Mon Nov 13, 2017 10:18 pm

Can I ask you one more thing? Even though it works, my log throws me errors. Sooner or later this will have side effects I guess, so I better ask now :)

First the log:

Code:

Mon Nov 13 22:53:07 2017 event_wait : Interrupted system call (code=4)
Mon Nov 13 22:53:07 2017 /sbin/ip route del 10.8.0.0/24
Mon Nov 13 22:53:07 2017 ERROR: Linux route delete command failed: external program did not exit normally
Mon Nov 13 22:53:07 2017 Closing TUN/TAP interface
Mon Nov 13 22:53:07 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:07 2017 Linux ip addr del failed: external program exited with error status: 2
Mon Nov 13 22:53:07 2017 SIGTERM[hard,] received, process exiting
Mon Nov 13 22:53:07 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:07 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Mon Nov 13 22:53:07 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Mon Nov 13 22:53:07 2017 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Mon Nov 13 22:53:07 2017 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Mon Nov 13 22:53:07 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Nov 13 22:53:07 2017 Diffie-Hellman initialized with 2048 bit key
Mon Nov 13 22:53:07 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Nov 13 22:53:07 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:07 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:07 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Nov 13 22:53:07 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:df:df:e5
Mon Nov 13 22:53:07 2017 TUN/TAP device tun0 opened
Mon Nov 13 22:53:07 2017 TUN/TAP TX queue length set to 100
Mon Nov 13 22:53:07 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 13 22:53:07 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 13 22:53:07 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Nov 13 22:53:07 2017 /sbin/ip route add 192.168.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Mon Nov 13 22:53:07 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Nov 13 22:53:07 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Nov 13 22:53:07 2017 GID set to nogroup
Mon Nov 13 22:53:07 2017 UID set to nobody
Mon Nov 13 22:53:07 2017 UDPv4 link local (bound): [undef]
Mon Nov 13 22:53:07 2017 UDPv4 link remote: [undef]
Mon Nov 13 22:53:07 2017 MULTI: multi_init called, r=256 v=256
Mon Nov 13 22:53:07 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Nov 13 22:53:07 2017 Initialization Sequence Completed
Mon Nov 13 22:53:08 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:08 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Mon Nov 13 22:53:08 2017 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:08 2017 Exiting due to fatal error
Mon Nov 13 22:53:32 2017 event_wait : Interrupted system call (code=4)
Mon Nov 13 22:53:32 2017 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:32 2017 ERROR: Linux route delete command failed: external program exited with error status: 2
Mon Nov 13 22:53:32 2017 Closing TUN/TAP interface
Mon Nov 13 22:53:32 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:32 2017 Linux ip addr del failed: external program exited with error status: 2
Mon Nov 13 22:53:32 2017 SIGTERM[hard,] received, process exiting
Mon Nov 13 22:53:32 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:32 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Mon Nov 13 22:53:32 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Mon Nov 13 22:53:32 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Nov 13 22:53:32 2017 Diffie-Hellman initialized with 2048 bit key
Mon Nov 13 22:53:32 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Nov 13 22:53:32 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:32 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:32 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Nov 13 22:53:32 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:df:df:e5
Mon Nov 13 22:53:32 2017 TUN/TAP device tun0 opened
Mon Nov 13 22:53:32 2017 TUN/TAP TX queue length set to 100
Mon Nov 13 22:53:32 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 13 22:53:32 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 13 22:53:32 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Nov 13 22:53:33 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Nov 13 22:53:33 2017 GID set to nogroup
Mon Nov 13 22:53:33 2017 UID set to nobody
Mon Nov 13 22:53:33 2017 UDPv4 link local (bound): [undef]
Mon Nov 13 22:53:33 2017 UDPv4 link remote: [undef]
Mon Nov 13 22:53:33 2017 MULTI: multi_init called, r=256 v=256
Mon Nov 13 22:53:33 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Nov 13 22:53:33 2017 Initialization Sequence Completed
Mon Nov 13 22:53:33 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:33 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Mon Nov 13 22:53:33 2017 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
Mon Nov 13 22:55:08 2017 xxx.xxx.xxx.xxx:52548 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:52548, sid=4bc92b8f 775edc7e
Mon Nov 13 22:55:09 2017 xxx.xxx.xxx.xxx:52548 VERIFY OK: depth=1, CN=server
Mon Nov 13 22:55:09 2017 xxx.xxx.xxx.xxx:52548 VERIFY OK: depth=0, CN=mobile
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 [mobile] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:52548
Mon Nov 13 22:55:10 2017 mobile/xxx.xxx.xxx.xxx:52548 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon Nov 13 22:55:10 2017 mobile/xxx.xxx.xxx.xxx:52548 MULTI: Learn: 10.8.0.6 -> mobile/xxx.xxx.xxx.xxx:52548
Mon Nov 13 22:55:10 2017 mobile/xxx.xxx.xxx.xxx:52548 MULTI: primary virtual IP for mobile/xxx.xxx.xxx.xxx:52548: 10.8.0.6
Mon Nov 13 22:55:11 2017 mobile/xxx.xxx.xxx.xxx:52548 PUSH: Received control message: 'PUSH_REQUEST'
Mon Nov 13 22:55:11 2017 mobile/xxx.xxx.xxx.xxx:52548 send_push_reply(): safe_cap=940
Mon Nov 13 22:55:11 2017 mobile/xxx.xxx.xxx.xxx:52548 SENT CONTROL [mobile]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Code:

MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
First of all, I wonder why openvpn wants to bind MANAGEMENT to port 1195, because it is already bound, as you can see here:

Code:

sudo lsof -i TCP:1195
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 5773 nobody    3u  IPv4  25238      0t0  TCP localhost:1195 (LISTEN)

Code:

RTNETLINK answers: Operation not permitted
The second problem is that openvpn is not allowed to add or delete IP addresses. What should or can I do about it?

Could you please give me another hint here?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing not working, can't connect to lan devices

Post by TinCanTech » Tue Nov 14, 2017 12:49 am

robster wrote:
Mon Nov 13, 2017 10:18 pm
MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
Because openvpn is already running and using that port.
robster wrote:
Mon Nov 13, 2017 10:18 pm
RTNETLINK answers: Operation not permitted
Because you are dropping privileges with:

Code:

user nobody
group nogroup
and openvpn cannot make any more changes. (delete those lines and try it)
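
An added example, not code from this thread or from OpenVPN: a log triage that separates the two things discussed in this exchange. "Operation not permitted" that follows an `/sbin/ip ... del` during shutdown is the dropped-privilege case (the process is already running as nobody when it tears down routes), whereas the same error after any other netlink change means OpenVPN never had root for it. The "Address already in use" bind failure is paired with the process start banners: two banners a second apart mean a second openvpn was launched while the first was still alive, which on systemd distributions is commonly a second *.conf in /etc/openvpn being autostarted alongside the one you start by hand (an assumption about the cause, not something the log proves). LOG is a constructed excerpt modelled on the posted log, and the category names are made up here.

```python
"""Triage an OpenVPN server log for the error patterns discussed in this thread.

Added example for this page: not code from the thread or from OpenVPN.
LOG is a constructed excerpt modelled on the posted log; the category
names are made up here.
"""
import re
from datetime import datetime

LOG = """\
Mon Nov 13 22:53:07 2017 event_wait : Interrupted system call (code=4)
Mon Nov 13 22:53:07 2017 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:07 2017 ERROR: Linux route delete command failed: external program exited with error status: 2
Mon Nov 13 22:53:07 2017 Closing TUN/TAP interface
Mon Nov 13 22:53:07 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:07 2017 Linux ip addr del failed: external program exited with error status: 2
Mon Nov 13 22:53:07 2017 SIGTERM[hard,] received, process exiting
Mon Nov 13 22:53:07 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:07 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Mon Nov 13 22:53:07 2017 /sbin/ip route add 192.168.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Mon Nov 13 22:53:07 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Nov 13 22:53:07 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Nov 13 22:53:07 2017 GID set to nogroup
Mon Nov 13 22:53:07 2017 UID set to nobody
Mon Nov 13 22:53:07 2017 Initialization Sequence Completed
Mon Nov 13 22:53:08 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:08 2017 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:08 2017 Exiting due to fatal error
"""

# "Mon Nov 13 22:53:07 2017 <message>"; stderr from ip(8) carries no timestamp.
TS = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
BIND = re.compile(r"Socket bind failed on local address (\S+?):\s")


def split_ts(line):
    """Return (datetime or None, message)."""
    m = TS.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def triage(text):
    """Return [(category, detail)] in log order, then any concurrent-start finding."""
    findings = []
    last_ip_cmd = None        # the /sbin/ip command whose stderr comes next
    banners = []              # start time of every OpenVPN process seen
    for raw in text.splitlines():
        ts, msg = split_ts(raw)
        if msg.startswith("OpenVPN 2."):
            banners.append(ts)
        elif msg.startswith("/sbin/ip "):
            last_ip_cmd = msg
        elif msg.startswith("RTNETLINK answers: Operation not permitted"):
            # EPERM on an 'ip ... del' at exit is the dropped-privilege case;
            # EPERM anywhere else means OpenVPN never had root for that change.
            if last_ip_cmd and " del " in last_ip_cmd:
                findings.append(("teardown_unprivileged", last_ip_cmd))
            else:
                findings.append(("netlink_denied", last_ip_cmd))
        elif msg == "RTNETLINK answers: File exists" and last_ip_cmd:
            findings.append(("route_already_present", last_ip_cmd))
        elif "Address already in use" in msg:
            m = BIND.search(msg)
            findings.append(("second_instance_running", m.group(1) if m else msg))
    # Two process banners seconds apart: something launched openvpn twice.
    for a, b in zip(banners, banners[1:]):
        if a and b and 0 <= (b - a).total_seconds() <= 5:
            findings.append(("concurrent_start", f"{a:%H:%M:%S} and {b:%H:%M:%S}"))
    return findings


if __name__ == "__main__":
    for cat, detail in triage(LOG):
        print(f"{cat:24} {detail}")
```

The teardown_unprivileged findings are the price of keeping user nobody / group nogroup, which is the right trade: the tunnel keeps working, the stale route and address disappear with tun0 anyway, and only a netlink_denied finding would point at a real permission problem. A concurrent_start paired with second_instance_running is worth chasing on the host with `systemctl list-units 'openvpn*'` and `ls /etc/openvpn/*.conf`.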

robster
OpenVpn Newbie
Posts: 8
Joined: Sat Nov 11, 2017 2:30 pm

Re: Routing not working, can't connect to lan devices

Post by robster » Wed Nov 15, 2017 8:03 pm

TinCanTech wrote:
Tue Nov 14, 2017 12:49 am
robster wrote:
Mon Nov 13, 2017 10:18 pm
MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
Because openvpn is already running and using that port.
Mhh, I really do not understand why openvpn is already running, as I am stopping and starting it every time. Well, but then again, maybe it doesn't matter as the server is running well.
robster wrote:
Mon Nov 13, 2017 10:18 pm
RTNETLINK answers: Operation not permitted
Because you are dropping privileges with:

Code:

user nobody
group nogroup
and openvpn cannot make any more changes. (delete those lines and try it)
Ok but it is not bad that I am dropping privileges as far as I understand. So I guess this is an error which I can consider just a warning, right?

So I guess I'm happy :) Thanks again.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing not working, can't connect to lan devices

Post by TinCanTech » Wed Nov 15, 2017 8:08 pm

It is an error not a warning ..

I presume you can connect to your LAN devices ..

robster
OpenVpn Newbie
Posts: 8
Joined: Sat Nov 11, 2017 2:30 pm

Re: Routing not working, can't connect to lan devices

Post by robster » Wed Nov 15, 2017 8:13 pm

Those two routing directives were missing:
route 192.168.0.0 255.255.255.0
client-config-dir /etc/openvpn

Plus I had to create a file that contains the iroute information for the client.
Yes, I worked it out by reading the documentation links you gave me. Three things were missing.
