No Traffic To Internal Lan with iroute

[ClontarfX]

OpenVPN Server: 172.16.2.0/24 255.255.255.0
Internal LAN: 172.16.1.0/24 255.255.255.0
Internal LAN GW: 172.16.1.1
Internal LAN IP of client with iroute: 172.16.1.10
Internal VPN IP of client with iroute: 172.16.2.10

As you can see I am using iroute, expecting client 172.16.2.10 to advertise it's 172.16.1.0 route. However I cannot ping any other hosts on the 172.16.1.0 network, except for the client hosting the iroute. Logs confirm that the iroute is being picked up;

Code: Select all

Sep 27 18:00:55 *** ovpn-server-udp[4374]: vpnclient1/***.***.***.***:60502 MULTI: primary virtual IP for vpnclient1/***.***.***.***:60502: 172.16.2.10
Sep 27 18:00:55 *** ovpn-server-udp[4374]: vpnclient1/***.***.***.***:60502 MULTI: internal route 172.16.1.0/24 -> vpnclient1/***.***.***.***:60502
Sep 27 18:00:55 *** ovpn-server-udp[4374]: vpnclient1/***.***.***.***:60502 MULTI: Learn: 172.16.1.0/24 -> vpnclient1/***.***.***.***:60502
Sep 27 18:00:55 *** ovpn-server-udp[4374]: vpnclient1/***.***.***.***:60502 REMOVE PUSH ROUTE: 'route 172.16.1.0 255.255.255.0'

Example of learn entry showing that an attempt to ping another internal LAN ip is directed to the right host

Code: Select all

Sep 27 18:25:31 *** ovpn-server-udp[4374]: vpnclient3/***.***.***.***:62429 MULTI: Learn: 172.16.1.20 -> vpnclient1/***.***.***.***:60502

Server Configuration (excluding keys e.t.c)

Code: Select all

proto udp
port 443
dev tun
user nobody
group nogroup
persist-key
persist-tun

topology subnet
server 172.16.2.0 255.255.255.0

# Routed lans
route 172.16.1.0 255.255.255.0
push "route 172.16.2.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"

client-to-client
client-config-dir /etc/openvpn/ccd-udp
ifconfig-pool-persist /etc/openvpn/ipp-udp.txt

CCD file used to route via internal router - Has IP forwarding enabled

Code: Select all

iroute 172.16.1.0 255.255.255.0

No routing options are being used in client configuration.

The only way I have been able to have this work is by adding the following lines

Code: Select all

route 172.16.1.0 255.255.255.0

and

Code: Select all

push "route 172.16.1.0 255.255.255.0"

to the server configuration, except then all internal LAN clients route all internal LAN traffic to the openvpn server, which I don't want. Local LAN traffic should be hitting the local LAN router (172.16.1.1).

[ClontarfX]

An image to hopefully illustrate my dramas;

[flint2003]

Hi!
IMHO, first of all I would recommend you to abidy with common accepted rules: internal VPN network has to be 10.8.0.0/24, clients' networks have to be different, e.g. 192.168.x.y/24 where x = 10, 11 and so on (x != 0 or 1). In future, when your VPN will work fine, you can change network ranges as you want without limitations.
The next steps you should change your CCD file's name and check its path (placement):
1) put your CCD file in folder "CCD" directly in "config" folder.
2) give the same name as its client. For example, I've got the client "client9". It means that the file in the folder "CCD" has got the same name
3) Check the content of your file. I usually write as follows:
ifconfig-push 10.8.0.2 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "route-gateway 10.8.0.1"
iroute 192.169.0.0 255.255.255.0
The order of entries (or rows) matters! Pay attention on it.

The last step - try to ping VPN nodes: 10.8.0.1 (VPN Server) and 10.8.0.2 (VPN client) can be pinged in both direction.
So, if it is truth, adjust routing in your PCs and you can ping local addresses.

Any questions - write here

[ClontarfX]

Thanks

1) CCD file is in place and is correct. iroute is correctly advertised and learned by clients.

Code: Select all

ovpn-server-udp[536]: vpnclient3/*.*.*.*:49781 MULTI: Learn: 172.16.1.0/24 -> vpnclient1/*.*.*.*:49781

2) See above
3) No need to ifconfig because addresses are assigned by ipp (topology subnet).

Unfortunately with your changes, vpnclient3 (172.16.2.30) still cannot contact clients behind vpnclient1 (172.16.2.10 -> 172.16.1.0/24).
Additionally, with the above configuration, clients connected to the VPN on the 172.16.1.0/24 network are routing their traffic over the VPN to other LAN clients.

e.g PING 172.16.1.10 from 172.16.1.20 is going over the VPN (172.16.2.1), instead of being routed locally. This is bad.

172.16.1.10/172.16.2.10 Routing Table (iroute client advertising 172.16.1.0/24)

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 enp4s0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 enp4s0
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0

172.16.1.20/172.16.2.20 Routing Table

Code: Select all

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.1.1      172.16.1.20     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.16.1.0    255.255.255.0         On-link       172.16.1.20    281
       172.16.1.0    255.255.255.0       172.16.2.1      172.16.2.20     35
      172.16.1.20  255.255.255.255         On-link       172.16.1.20    281
     172.16.1.255  255.255.255.255         On-link       172.16.1.20    281
       172.16.2.0    255.255.255.0         On-link       172.16.2.20    291
       172.16.2.0    255.255.255.0       172.16.2.1      172.16.2.20     35
      172.16.2.20  255.255.255.255         On-link       172.16.2.20    291
     172.16.2.255  255.255.255.255         On-link       172.16.2.20    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       172.16.1.20    281
        224.0.0.0        240.0.0.0         On-link       172.16.2.20    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       172.16.1.20    281
  255.255.255.255  255.255.255.255         On-link       172.16.2.20    291
===========================================================================

[ClontarfX]

Removing the following from server.conf allows my local LAN clients to route properly over LAN and not over VPN

Code: Select all

push "route 172.16.1.0 255.255.255.0"

Makes sense, I don't want to advertise that 172.16.1.0/24 goes over the VPN. That's just wrong.

So, how *do* I tell VPN clients (that are not also on the LAN), that 172.16.1.0/24 *is* accessible over VPN via 172.16.1.10?

VPN Server Routing Table

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         45.76.114.1     0.0.0.0         UG    0      0        0 ens3
45.76.114.0     0.0.0.0         255.255.254.0   U     0      0        0 ens3
169.254.169.254 45.76.114.1     255.255.255.255 UGH   0      0        0 ens3
172.16.1.0      172.16.2.2      255.255.255.0   UG    0      0        0 tun0
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0

Notice the wrong "gateway" for the 172.16.1.0 route. There is no VPN client with 172.16.2.2. The client hosting the iroute is 172.16.2.10.

[ClontarfX]

This is my current configuration;

View Originalserver.conf

topology subnet
server 172.16.2.0 255.255.255.0
route 172.16.1.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"

iroute client (172.16.2.10)

Code: Select all

iroute 172.16.1.0 255.255.255.0

VPN Server routes

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         45.76.114.1     0.0.0.0         UG    0      0        0 ens3
45.76.114.0     0.0.0.0         255.255.254.0   U     0      0        0 ens3
169.254.169.254 45.76.114.1     255.255.255.255 UGH   0      0        0 ens3
172.16.1.0      172.16.2.2      255.255.255.0   UG    0      0        0 tun0
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0

I got ping to work by adding the following to the iroute client IPTables

Code: Select all

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o enp4s0 -s 172.16.2.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp4s0 -s 172.16.2.0/255.255.255.0 -j MASQUERADE

However: LAN ping is still going over VPN for LAN clients connected to VPN. LAN ping should be going over LAN!

[TinCanTech]

As you can see I am using iroute, expecting client 172.16.2.10 to advertise it's 172.16.1.0 route. However I cannot ping any other hosts on the 172.16.1.0 network, except for the client hosting the iroute. Logs confirm that the iroute is being picked up;

Which means openvpn is working normally.

Notice the wrong "gateway" for the 172.16.1.0 route. There is no VPN client with 172.16.2.2. The client hosting the iroute is 172.16.2.10.

You need a fixed VPN IP for this client. Add --ifconfig details to this client CCD file.

[ClontarfX]

Notice the wrong "gateway" for the 172.16.1.0 route. There is no VPN client with 172.16.2.2. The client hosting the iroute is 172.16.2.10.

You need a fixed VPN IP for this client. Add --ifconfig details to this client CCD file.

Thanks TinCanTech for the reply, not sure why I need ifconfig in the CCD file. Does this tell OpenVPN to use this IP as a reference to the client? The reason I ask this is because the client is correctly allocated an IP address from the ipp pool. Adding the ifconfig statement to the CCD did not change anything regarding the advertised routes or the IP assigned to the host

In either case, as I posted above, adding NAT rules to my iptables seems to have resolved the routing issue on the iroute gateway. Why does the routing work only when I configure the NAT on the iroute gateway? Am I fundamentally misunderstanding the purpose of iroute and it's internal routing capabilities (OpenVPN)?

Final (working) configuration (except VPN clients on LAN still route via VPN for LAN route);

server.conf routing configuration

Code: Select all

topology subnet
server 172.16.2.0 255.255.255.0
route 172.16.1.0 255.255.255.0

push "route 172.16.1.0 255.255.255.0"

ccd file for iroute client

Code: Select all

ifconfig 172.16.2.10 255.255.255.0
iroute 172.16.1.0 255.255.255.0

OpenVPN routing table

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.1.0      172.16.2.2      255.255.255.0   UG    0      0        0 tun0
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0

iroute client routing table

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 enp4s0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 enp4s0
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0

IPTables on iroute client to allow cross-network (172.16.1.0 <-> 172.16.2.0)

Code: Select all

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o enp4s0 -s 172.16.2.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp4s0 -s 172.16.2.0/255.255.255.0 -j MASQUERADE

[TinCanTech]

the client is correctly allocated an IP address from the ipp pool

But this is not a fixed IP. Only CCD --ifconfig gives a fixed IP.

Am I fundamentally misunderstanding the purpose of iroute and it's internal routing capabilities (OpenVPN)?

Yes .. Openvpn sets up a VPN and routing for the end points. It does not configure your network, you must do that yourself.

Final (working) configuration (except VPN clients on LAN still route via VPN for LAN route);

This does not make sense .. perhaps you can elaborate.

[ClontarfX]

the client is correctly allocated an IP address from the ipp pool

But this is not a fixed IP. Only CCD --ifconfig gives a fixed IP.

Are you meaning fixed IP as in the IP stays allocated to the interface when the VPN is offline? When a VPN client connects, OpenVPN server allocates the IP assigned to the host via ipp. This is why I asked whether ifconfig has something to do with internal routing or OpenVPN server behaviour, because putting ifconfig into the CCD file did nothing (IP already allocated via OpenVPN server IPP).

/etc/openvpn/ipp-udp.txt

Code: Select all

vpnclient1,172.16.2.10
vpnclient2,172.16.2.20
vpnclient3,172.16.2.30

Am I fundamentally misunderstanding the purpose of iroute and it's internal routing capabilities (OpenVPN)?

Yes .. Openvpn sets up a VPN and routing for the end points. It does not configure your network, you must do that yourself.

So what I probably need then is some instruction on correctly setting up the routing (docs suggest the reason my NAT fix works is because routing is not right).

Final (working) configuration (except VPN clients on LAN still route via VPN for LAN route);

This does not make sense .. perhaps you can elaborate.

With the above config, I can ping LAN clients from an external VPN client.
However, with the above config, VPN clients which sit on the LAN (so have both routes), route all LAN traffic via the VPN.

So client2 has 172.16.1.20 (LAN) and 172.16.2.20 (VPN). It sits on the 172.16.1.0/24 network.
When client2 pings lanclient1 (172.16.1.10), the traffic goes to the VPN server first (172.16.2.1), then back to lanclient1 (172.16.1.10).

This obviously isn't desired. LAN clients should prefer the LAN route and not use the VPN route when the traffic is destined for the same network.

[TinCanTech]

LAN clients should prefer the LAN route and not use the VPN route when the traffic is destined for the same network

You are pushing that route to the clients and so they use it ..

See --pull-filter in The Manual v24x