Need help with routes -- copied original set up not working

Naldinho
OpenVpn Newbie
Posts: 17
Joined: Thu Feb 28, 2013 5:05 pm


Post by Naldinho » Wed Feb 04, 2015 4:32 pm

With the help of this forum I got my site-to-site VPN working a while back. I upgraded the hardware and am trying to set up the same thing, but it is not working. I have duplicated the configuration files from the previous install, but the route tables are not the same on the server.

I think the issue is that the clients-config file is not working properly. I don't really understand why, as I copied it from the previous topic and my old setup worked.

Both machines have tun0 and there seems to be a connection but the problem is with the routing.

The client machine can ping the server machine but none of the other computers on the server side.
The server can not ping the client machine.

server.conf

Code:

local 10.1.1.100
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
client-config-dir /etc/openvpn/client-configs
route 192.168.2.0 255.255.255.0
keepalive 10 120
comp-lzo
max-clients 10
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
daemon

client-configs

Code:

iroute 192.168.2.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"
ifconfig-push 10.8.0.22 10.8.0.21

client.conf

Code:

client
log /var/log/openvpn.log
dev tun
proto tcp
remote xx.xxx.xxx.xxx 1194
resolv-retry infinite
;nobind
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
comp-lzo
verb 3
;user nobody
;group nobody
persist-tun
persist-key
daemon

server route

Code:

default         ControlPanel.Ho 0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

client route

Code:

default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Need help with routes -- copied original set up not work

Post by Traffic » Wed Feb 04, 2015 5:57 pm

Naldinho wrote: The client machine can ping the server machine but none of the other computers on the server side

IP forwarding & NAT on the server ..

Naldinho wrote: The server can not ping the client machine

Firewall ..


Post by Naldinho » Wed Feb 04, 2015 6:21 pm

IP forwarding is on for both machines. I remember that from last time, so I changed it right away.

cat /proc/sys/net/ipv4/ip_forward returns a 1

I don't know what NAT means.

With respect to a firewall, that was something I considered. Both routers have the 1194 port open for both protocols and forwarding to the OpenVPN machines.

I considered the possibility of a software firewall, so I googled around and found that I could check that with ufw status, which returns inactive for both machines.


Post by Traffic » Wed Feb 04, 2015 9:33 pm

Naldinho wrote: I don't know what NAT means.

You need to learn what NAT means ...

https://lmddgtfy.net/?q=NAT


Post by Naldinho » Wed Feb 04, 2015 11:23 pm

Sorry I meant I don't know what you mean by NAT. I know what the acronym means and understand the basics.

My issue is that I don't understand why, using the same configuration files, which results in the same route table as my previous working setup, I am having a negative result.


Post by Traffic » Thu Feb 05, 2015 12:02 am

You could post your full configs and logs ...

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Need help with routes -- copied original set up not work

Post by maikcat » Thu Feb 05, 2015 9:35 am

Please post the output of:

iptables -L -v
iptables -L -t nat -v

on BOTH OpenVPN server & client.

Also, PCs on the server side: which router do they use as default gateway?

Michael.


Post by Naldinho » Thu Feb 05, 2015 5:03 pm

Server

iptables -L -v

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -t nat -v

Code:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Client

iptables -L -v

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -t nat -v

Code:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Default Gateway on the server side is 10.1.1.1


Post by Naldinho » Thu Feb 05, 2015 5:36 pm

Something that might be relevant but probably isn't.

In the original configuration I used I was on udp, but now I have to use tcp. If I try udp, handshaking fails and the client tun0 never starts.

Both protocols are being forwarded in the router.


Post by maikcat » Thu Feb 05, 2015 6:29 pm

Naldinho wrote: Default Gateway on the server side is 10.1.1.1

Your openvpn server has
local 10.1.1.100
For testing, use your openvpn as default gateway.

Michael.


Post by Naldinho » Thu Feb 05, 2015 7:05 pm

Maybe I answered the gateway incorrectly.

The modem on the server side is 10.1.1.1, which is the default gateway for all the PCs, but they also route all traffic for 192.168.2.x to 10.1.1.100, which is the server.

At the other end the modem is 192.168.2.1 and there is an identical setup, with the client being 192.168.2.100; the default gateway is the router unless the traffic is 10.1.1.x, in which case a rule sends it to the client machine.

If I change local to 10.1.1.1 then tun0 doesn't even start. On my old configuration I definitely had the server machine's IP as local.

As it currently stands

client can ping server
server can't ping client
PCs can't ping anything except on their own lan

Client Route

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0

Server Route

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ControlPanel.Ho 0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

Looking at this and the routing table I had before there are two differences.

Code:

link-local      *               255.255.0.0     U     0      0        0 eth0

is missing from the current server table but was in the previous one.

Also 10.8.0.5 from client was 10.8.0.21 in previous set up.


Post by maikcat » Fri Feb 06, 2015 7:36 am

Naldinho wrote: The modem on the server side is 10.1.1.1 which is the default gateway for all the PCs but they also route all traffic for 192.168.2.x to 10.1.1.100 which is the server.

Also add a static route for the VPN network 10.8.0.0/24.

Naldinho wrote: client can ping server
server can't ping client

Can you write the exact commands used?
There is NO way ping can work one way while having routing issues;
usually there is a firewall which drops packets somewhere..

Naldinho wrote: PCs can't ping anything except on their own lan

Which PCs? Client or server side? Can you try to use tracert and post its results here?
Also try to use on them the OpenVPN server/client LAN IP as default gateway, in case
the client/router does not respond correctly to ICMP redirect messages.

Michael.


Post by Naldinho » Fri Feb 06, 2015 3:13 pm

maikcat wrote:
Naldinho wrote: The modem on the server side is 10.1.1.1 which is the default gateway for all the PCs but they also route all traffic for 192.168.2.x to 10.1.1.100 which is the server.
also add a static route for vpn network 10.8.0.0/24

Can you be more specific?

maikcat wrote:
Naldinho wrote: client can ping server
server can't ping client
can you write the exact commands used?
there is NO way ping can work one way while having routing issues,
usually there is a firewall which drops packets somewhere..

I am pinging the machines so

Ping 10.1.1.100 works on 192.168.2.100 but Ping 192.168.2.100 does not work on 10.1.1.100

I decided to ping the tun0 IP rather than the machine IP and that works both ways.

Ping 10.8.0.6 from 10.1.1.100 works and ping 10.8.0.1 works from 192.168.2.100

maikcat wrote:
Naldinho wrote: PCs can't ping anything except on their own lan
which pcs?client or server side?can you try to use tracert and post its results here?
also try to use to them openvpns server/client lan ip for default gateway in case
client/router not respond correctly to icmp redirect messages.

The PCs on either network. There are a half-dozen computers on 192.168.2.x and 10.1.1.x; they can ping each other and the openvpn machine on their network, but none of them can ping anything on the other side, including the server/client IP or the tun0 IP.

I tried to change the default gateway and I've lost contact with the remote machine so can't test anything until I physically reboot the machine later today.


Post by Naldinho » Sun Feb 08, 2015 5:37 am

Ok. I got it working. The problem was the client-conf file was not parsing because it was incorrectly named.

As it stands now all PCs on 192.168.2.x can ping all PCs on 10.1.1.x and vice versa.

There is just one issue left.

The server 10.1.1.100 can ping the client 192.168.2.100 and vice versa but neither client nor server can ping any of the PCs on the other side. That is not say 10.1.1.100 can not ping 192.168.2.50 for example but 192.168.2.50 can ping 100.1.1.100.

I think to fix this I need to add a route to both the server and the client machine but that is as far as I can get.
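
The root cause reported in this thread was a misnamed file in client-config-dir. As an added example (not code from the thread or from the OpenVPN project), the shell function below checks that every route in server.conf is backed by an iroute in a file named after a client certificate Common Name, which is the file name OpenVPN looks up in that directory. The CN site2 and the file name site2.txt are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: ccd_check SERVER_CONF CN...
# CN is the Common Name of each client certificate, as printed by
#   openssl x509 -noout -subject -in client.crt
ccd_check() {
    conf=$1; shift
    ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    if [ -z "$ccd" ] || [ ! -d "$ccd" ]; then
        echo "FAIL: client-config-dir not set or not a directory"; return 2
    fi
    rc=0
    # OpenVPN reads <client-config-dir>/<CN> (or DEFAULT); any other name is ignored.
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}; known=no
        for cn in DEFAULT "$@"; do
            if [ "$name" = "$cn" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then
            echo "WARN: $name matches no client CN and will never be read"; rc=1
        fi
    done
    # Every kernel route in server.conf needs a matching iroute in a CN-named file.
    for r in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        owner=
        for cn in "$@"; do
            if [ -f "$ccd/$cn" ] && awk -v r="$r" \
                '$1 == "iroute" && ($2 "/" $3) == r { hit = 1 } END { exit !hit }' "$ccd/$cn"
            then owner=$cn; fi
        done
        if [ -n "$owner" ]; then
            echo "OK: route $r is claimed by $owner"
        else
            echo "FAIL: route $r has no iroute in a CN-named file"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: same directives as the thread, file named site2.txt instead of site2.
demo=$(mktemp -d) && mkdir "$demo/ccd"
printf 'client-config-dir %s/ccd\nroute 192.168.2.0 255.255.255.0\n' "$demo" > "$demo/server.conf"
printf 'iroute 192.168.2.0 255.255.255.0\nifconfig-push 10.8.0.22 10.8.0.21\n' > "$demo/ccd/site2.txt"
ccd_check "$demo/server.conf" site2 || echo "ccd_check exit status: $?"
rm -rf "$demo"
```

The route tables posted earlier show the same failure from the other side: the client's tun0 peer is 10.8.0.5 rather than the 10.8.0.21 set by ifconfig-push, so the per-client file was not being applied.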
