Accessing Client from network behind OpenVPN AS

[mietzekotze0815]

Hi all,

I have a question concerning Routing with OpenVPN AS.

Current setup:
physical Network where the OpenVPN Server resides: 10.0.9.0/24
physical Network where the client resides: 192.168.12.0./24
static network for OpenVPN clients: 192.168.253.0/24
OpenVPN IP if the client is connected: 192.168.253.100
physical IP of the OpenVPN Server: 10.0.9.4
physical IP of a server which should be reached: 10.0.9.5

What I want to do:
I have to reach the server from client side (e.g. 192.168.12.28 -> 10.0.9.5) and I have to reach the client from server side (e.g. 10.0.9.5 -> 192.168.253.100).

What I have done:
I've setup user and enabled routing to 10.0.9.4 on OpenVPN server.

The problem is:
I was able to ping 10.0.9.4 (OpenVPN Server) but am not able to ping 10.0.9.5. It works if I setup NAT instead of Routing, but this will leave me unable to connect from server to client. So i switched back to Routing.
In this setup I am able to ping 192.168.253.100 on Gateway but not on Server (ping from 10.0.9.5 to 192.168.253.100).
Thus, I am not able to connect from server to openvpn client. I think there might be a static route missing, so I added route 192.168.253.0 mask 255.255.255.0 gw 10.0.9.4, but failed.

Is there any chance to get this running? If you need server config please let me know how can I get this and I will post it here.

View OriginalClient config

# Automatically generated OpenVPN client config file
# Generated on Thu Apr 16 07:25:28 2020 by OVPNGateway

# Default Cipher
cipher AES-256-CBC
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=client
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=client@13.81.82.114/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=13.81.82.114:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
SNIP
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote 13.81.82.114 1194 udp
remote 13.81.82.114 1194 udp
remote 13.81.82.114 443 tcp
remote 13.81.82.114 1194 udp
remote 13.81.82.114 1194 udp
remote 13.81.82.114 1194 udp
remote 13.81.82.114 1194 udp
remote 13.81.82.114 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

<ca>
-----BEGIN CERTIFICATE-----
SNIP
-----END CERTIFICATE-----
</ca>

Anybody has some hints for me?

Thanks a lot
Michael

[mietzekotze0815]

Hi all,

I want to add that OpenVPN AS is installed on a Microsoft Azure VM. Maybe there are some security features here? I have tried to add a route table to the specific vnet, but it does not help.

Furthermore, I have checked if a ping request from the client can even reach the server, but no ping request is transmitted to the client. Hence no ping reply will be ever sent to the client.

I think this is an Azure issue.

Does anyone have a clue how to fix it?

Thanks
Michael

[mietzekotze0815]

Hi,

one more thing:
If I run ICMP on the OpenVPN GW I see that there is an incoming ICMP Packet, but no reply from the specific server.

Code: Select all

05:59:53.346940 Out 00:0d:3a:a9:85:96 ethertype IPv4 (0x0800), length 76: 192.168.253.100 > 10.0.9.5: ICMP echo request, id 1, seq 62, length 40
05:59:58.157099  In ethertype IPv4 (0x0800), length 76: 192.168.253.100 > 10.0.9.5: ICMP echo request, id 1, seq 63, length 40
05:59:58.157121 Out 00:0d:3a:a9:85:96 ethertype IPv4 (0x0800), length 76: 192.168.253.100 > 10.0.9.5: ICMP echo request, id 1, seq 63, length 40
06:00:03.158887  In ethertype IPv4 (0x0800), length 76: 192.168.253.100 > 10.0.9.5: ICMP echo request, id 1, seq 64, length 40
06:00:03.158900 Out 00:0d:3a:a9:85:96 ethertype IPv4 (0x0800), length 76: 192.168.253.100 > 10.0.9.5: ICMP echo request, id 1, seq 64, length 40
06:00:08.160855  In ethertype IPv4 (0x0800), length 76: 192.168.253.100 > 10.0.9.5: ICMP echo request, id 1, seq 65, length 40
06:00:08.160875 Out 00:0d:3a:a9:85:96 ethertype IPv4 (0x0800), length 76: 192.168.253.100 > 10.0.9.5: ICMP echo request, id 1, seq 65, length 40

It seems the ICMP request is forwarded, right? But why it is not received at 10.0.9.5?

Thanks
Michael

[mietzekotze0815]

Hi,

another information:

I just noticed that after adding the Route Table to Azure, the server is able to ping the client. But in the other direction the server do not receive the ping request from the client.

Any ideas?

[5toedsloth]

dude same issue with Azure OpenVPN Access Server, hopefully some one can help as i was about to post then found this, unless you figured it out can you let me know. Thanks

[soukh]

i have the same proplem