ovpn nodes cannot ping each other

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
ivaat
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 14, 2018 1:59 pm

ovpn nodes cannot ping each other

Post by ivaat » Thu Jun 14, 2018 3:04 pm

ovpn nodes cannot ping each other or see each other (telnet port 80 for example). what i'm missing?

here is all conf, logs and routing outputs

server conf:

Code: Select all

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto tcp4-server
cipher aes-128-cbc
auth md5
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
duplicate-cn
client-to-client
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 192.168.1.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
route push "192.168.1.1 255.255.255.0"
--log /var/log/openvpn.log
--duplicate-cn
client configure:

Code: Select all

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto tcp4-client
cipher aes-256-cbc
auth md5
remote 155.186.xxx.xxx 1194
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
ns-cert-type server
tls-auth /tmp/openvpncl/ta.key 1
route push "192.168.1.3 255.255.255.0 192.168.1.1"
--log /var/log/openvpn.log
ns-cert-type server
log server:

Code: Select all

Thu Jun 14 13:56:03 2018 155.186.168.170:34803 [client1] Peer Connection Initiated with [AF_INET]155.186.168.170:34803
Thu Jun 14 13:56:03 2018 client1/155.186.168.170:34803 MULTI_sva: pool returned IPv4=192.168.1.2, IPv6=(Not enabled)
Thu Jun 14 13:56:03 2018 client1/155.186.168.170:34803 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4ad811b00cd1b007.tmp
Thu Jun 14 13:56:03 2018 client1/155.186.168.170:34803 MULTI: Learn: 192.168.1.2 -> client1/155.186.xxx.xxx:34803
Thu Jun 14 13:56:03 2018 client1/155.186.168.170:34803 MULTI: primary virtual IP for client1/155.186.168.xxx.xxx:34803: 192.168.1.2
Thu Jun 14 13:56:04 2018 client1/155.186.168.170:34803 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jun 14 13:56:04 2018 client1/155.186.168.170:34803 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 192.168.1.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 192.168.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Jun 14 13:56:04 2018 client1/155.186.168.170:34803 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jun 14 13:56:04 2018 client1/155.186.168.170:34803 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun 14 13:56:04 2018 client1/155.186.168.170:34803 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
log client:

Code: Select all

Thu Jun 14 07:56:01 2018 Attempting to establish TCP connection with [AF_INET]155.186.168.161:1194 [nonblock]
Thu Jun 14 07:56:02 2018 TCP connection established with [AF_INET]155.186.168.161:1194
Thu Jun 14 07:56:02 2018 TCPv4_CLIENT link local: (not bound)
Thu Jun 14 07:56:02 2018 TCPv4_CLIENT link remote: [AF_INET]155.186.168.161:1194
Thu Jun 14 07:56:02 2018 TLS: Initial packet from [AF_INET]155.186.168.161:1194, sid=09b3e315 e57b6355
Thu Jun 14 07:56:03 2018 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=Community, CN=server.example.com, name=server, emailAddress=admin@example.com
Thu Jun 14 07:56:03 2018 VERIFY OK: nsCertType=SERVER
Thu Jun 14 07:56:03 2018 NOTE: --mute triggered...
Thu Jun 14 07:56:03 2018 1 variation(s) on previous 3 message(s) suppressed by --mute
Thu Jun 14 07:56:03 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-CBC'
Thu Jun 14 07:56:03 2018 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Thu Jun 14 07:56:03 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Jun 14 07:56:03 2018 [server.example.com] Peer Connection Initiated with [AF_INET]155.186.xxx.xx:1194
Thu Jun 14 07:56:04 2018 SENT CONTROL [server.example.com]: 'PUSH_REQUEST' (status=1)
Thu Jun 14 07:56:04 2018 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 192.168.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Jun 14 07:56:04 2018 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 14 07:56:04 2018 NOTE: --mute triggered...
Thu Jun 14 07:56:04 2018 6 variation(s) on previous 3 message(s) suppressed by --mute
Thu Jun 14 07:56:04 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jun 14 07:56:04 2018 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun 14 07:56:04 2018 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun 14 07:56:04 2018 RESOLVE: Cannot resolve host address: push: (Name does not resolve)
Thu Jun 14 07:56:04 2018 OpenVPN ROUTE: failed to parse/resolve route for host/network: push
Thu Jun 14 07:56:04 2018 TUN/TAP device tun1 opened
Thu Jun 14 07:56:04 2018 TUN/TAP TX queue length set to 100
Thu Jun 14 07:56:04 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jun 14 07:56:04 2018 /sbin/ifconfig tun1 192.168.1.2 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
Thu Jun 14 07:56:04 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jun 14 07:56:04 2018 Initialization Sequence Completed
openvpn server route:

Code: Select all

# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 155-186-168-129 0.0.0.0 UG 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
155.186.168.128 * 255.255.255.128 U 0 0 0 vlan2
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.1.0 * 255.255.255.0 U 0 0 0 tun2
openvpn client route:

Code: Select all

# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 155-186-168-129 0.0.0.0 UG 0 0 0 vlan1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
155.186.168.128 * 255.255.255.128 U 0 0 0 vlan1
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
192.168.1.0 192.168.1.1 255.255.255.0 UG 0 0 0 tun1
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.1.0 * 255.255.255.0 U 0 0 0 tun1
iptables openvpn server:

Code: Select all

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination 
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn 
ACCEPT udp -- anywhere anywhere udp dpt:openvpn 
DROP tcp -- anywhere anywhere tcp dpt:telnet 

Chain FORWARD (policy ACCEPT)
target prot opt source destination 
ACCEPT 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere 
ACCEPT 0 -- 192.168.1.0/24 anywhere 
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED 
lan2wan 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere 
ACCEPT udp -- anywhere base-address.mcast.net/4 
ACCEPT tcp -- anywhere 192.168.1.59 tcp dpt:telnet 
ACCEPT udp -- anywhere 192.168.1.59 udp dpt:23 
ACCEPT tcp -- anywhere 192.168.1.200 tcp dpt:5160 
ACCEPT udp -- anywhere 192.168.1.200 udp dpt:5160 
ACCEPT tcp -- anywhere 192.168.1.200 tcp dpt:webmin 
ACCEPT udp -- anywhere 192.168.1.200 udp dpt:10000 
ACCEPT tcp -- anywhere 192.168.1.59 tcp dpt:1972 
ACCEPT udp -- anywhere 192.168.1.59 udp dpt:1972 
ACCEPT tcp -- anywhere 192.168.1.200 tcp dpts:20000:20050 
ACCEPT udp -- anywhere 192.168.1.200 udp dpts:20000:20050 
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0 
trigger_out 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere state NEW 
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED 
ACCEPT 0 -- 192.168.1.0/24 anywhere 
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable 
REJECT tcp -- anywhere anywhere reject-with tcp-reset
iptables openvpn client:

Code: Select all

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination 
ACCEPT 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED 
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc 
DROP udp -- anywhere anywhere udp dpt:route 
DROP udp -- anywhere anywhere udp dpt:route 
ACCEPT udp -- anywhere anywhere udp dpt:route 
ACCEPT tcp -- anywhere building3.lan tcp dpt:www 
ACCEPT tcp -- anywhere building3.lan tcp dpt:ssh 
DROP icmp -- anywhere anywhere 
DROP igmp -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere state NEW 
ACCEPT 0 -- anywhere anywhere state NEW 
DROP 0 -- anywhere anywhere 

Chain FORWARD (policy ACCEPT)
target prot opt source destination 
ACCEPT 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED 
ACCEPT gre -- 192.168.1.0/24 anywhere 
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723 
lan2wan 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere 
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0 
trigger_out 0 -- anywhere anywhere 
ACCEPT 0 -- anywhere anywhere state NEW 
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination 
REJECT tcp -- anywhere anywhere reject-with tcp-reset
Top
ivaat
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 14, 2018 1:59 pm

Re: ovpn nodes cannot ping each other

Post by ivaat » Sat Jun 16, 2018 4:48 pm

I got it working by reconf to bridge mode and removing not needed routes
Top
Post Reply

Return to “Configuration”