Need help with routes -- copied original set up not working

Posted: Wed Feb 04, 2015 4:32 pm
by Naldinho
With the help of this forum I got my site-to-site VPN working a while back. I upgraded the hardware and am trying to set up the same thing, but it is not working. I have duplicated the configuration files from the previous install, but the route tables are not the same on the server.

I think the issue is that the client-config file is not working properly. I don't really understand why, as I copied it from the previous topic and my old setup worked.

Both machines have tun0 and there seems to be a connection but the problem is with the routing.

The client machine can ping the server machine but none of the other computers on the server side.
The server can not ping the client machine.

server.conf

local 10.1.1.100
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
client-config-dir /etc/openvpn/client-configs
route 192.168.2.0 255.255.255.0
keepalive 10 120
comp-lzo
max-clients 10
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
daemon

client-configs

iroute 192.168.2.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"
ifconfig-push 10.8.0.22 10.8.0.21

client.conf

client
log /var/log/openvpn.log
dev tun
proto tcp
remote xx.xxx.xxx.xxx 1194
resolv-retry infinite
;nobind
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
comp-lzo
verb 3
;user nobody
;group nobody
persist-tun
persist-key
daemon

server route

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ControlPanel.Ho 0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

client route

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0

Re: Need help with routes -- copied original set up not work

Posted: Wed Feb 04, 2015 5:57 pm
by Traffic
Naldinho wrote: The client machine can ping the server machine but none of the other computers on the server side.
IP forwarding & NAT on the server.
Naldinho wrote: The server can not ping the client machine.
Firewall.

Re: Need help with routes -- copied original set up not work

Posted: Wed Feb 04, 2015 6:21 pm
by Naldinho
IP forwarding is on for both machines. I remember that from last time, so I changed it right away.

cat /proc/sys/net/ipv4/ip_forward returns a 1.

I don't know what NAT means.

With respect to a firewall, that was something I considered. Both routers have port 1194 open for both protocols and forward it to the OpenVPN machines.

I considered the possibility of a software firewall, so I googled around and found that I could check that with ufw status, which returns inactive for both machines.

Re: Need help with routes -- copied original set up not work

Posted: Wed Feb 04, 2015 9:33 pm
by Traffic
Naldinho wrote: I don't know what NAT means.
You need to learn what NAT means ...

https://lmddgtfy.net/?q=NAT

Re: Need help with routes -- copied original set up not work

Posted: Wed Feb 04, 2015 11:23 pm
by Naldinho
Sorry, I meant I don't know what you mean by NAT. I know what the acronym means and understand the basics.

My issue is that I don't understand why, using the same configuration files, which result in the same route table as my previous working setup, I am having a negative result.

Re: Need help with routes -- copied original set up not work

Posted: Thu Feb 05, 2015 12:02 am
by Traffic
You could post your full configs and logs ...

Re: Need help with routes -- copied original set up not work

Posted: Thu Feb 05, 2015 9:35 am
by maikcat
Please post the output of:

iptables -L -v
iptables -L -t nat -v

on BOTH OpenVPN server & client.

Also, the PCs on the server side: which router do they use as default gateway?

Michael.

Re: Need help with routes -- copied original set up not work

Posted: Thu Feb 05, 2015 5:03 pm
by Naldinho
Server

iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -t nat -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Client

iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -t nat -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Default Gateway on the server side is 10.1.1.1

Re: Need help with routes -- copied original set up not work

Posted: Thu Feb 05, 2015 5:36 pm
by Naldinho
Something that might be relevant but probably isn't.

In the original configuration I used UDP, but now I have to use TCP. If I try UDP, the handshake fails and the client tun0 never starts.

Both protocols are being forwarded in the router.

Re: Need help with routes -- copied original set up not work

Posted: Thu Feb 05, 2015 6:29 pm
by maikcat
Naldinho wrote: Default Gateway on the server side is 10.1.1.1
Your OpenVPN server has local 10.1.1.100; for testing, use your OpenVPN server as the default gateway.

Michael.

Re: Need help with routes -- copied original set up not work

Posted: Thu Feb 05, 2015 7:05 pm
by Naldinho
Maybe I answered the gateway question incorrectly.

The modem on the server side is 10.1.1.1, which is the default gateway for all the PCs, but they also route all traffic for 192.168.2.x to 10.1.1.100, which is the server.

At the other end the modem is 192.168.2.1 and there is an identical setup, with the client being 192.168.2.100 and the default gateway being the router, unless the traffic is for 10.1.1.x, in which case a rule sends it to the client machine.

If I change local to 10.1.1.1 then tun0 doesn't even start. On my old configuration I definitely had the server machine's IP as local.

As it currently stands:

client can ping server
server can't ping client
PCs can't ping anything except on their own LAN

Client Route

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0

Server Route

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ControlPanel.Ho 0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

Looking at this and the routing table I had before, there are two differences.

link-local      *               255.255.0.0     U     0      0        0 eth0

is missing from the current server table but was in the previous one.

Also, 10.8.0.5 from the client was 10.8.0.21 in the previous setup.

Re: Need help with routes -- copied original set up not work

Posted: Fri Feb 06, 2015 7:36 am
by maikcat
Naldinho wrote: The modem on the server side is 10.1.1.1 which is the default gateway for all the PCs but they also route all traffic for 192.168.2.x to 10.1.1.100 which is the server.
Also add a static route for the VPN network 10.8.0.0/24.
Naldinho wrote:
client can ping server
server can't ping client
Can you write the exact commands used?
There is NO way ping can work one way while having routing issues; usually there is a firewall which drops packets somewhere.
Naldinho wrote: PCs can't ping anything except on their own LAN
Which PCs? Client or server side? Can you try to use tracert and post its results here?
Also try to use the OpenVPN server/client LAN IP as the default gateway for them, in case the client/router does not respond correctly to ICMP redirect messages.

Michael.
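A longest-prefix lookup over the route tables in this thread, as an added example (not code from the thread or from OpenVPN), to show what the static-route advice above changes for a server-side PC. The PC's table is constructed from Naldinho's description, and the server's resolved gateway name ControlPanel.Ho is assumed to be the modem 10.1.1.1.

```python
"""Longest-prefix lookups over the route tables in this thread (added example,
not from the thread): a server-side PC whose only extra route is 192.168.2.0/24
via the OpenVPN server sends 10.8.0.x traffic to the modem until a static route
for the VPN network is added."""
import ipaddress

def parse_route_table(text):
    """Parse `route -n`-style output into [(network, gateway, iface)], most
    specific prefix first; 'default' becomes 0.0.0.0/0, '*' becomes None."""
    entries = []
    for line in text.strip().splitlines():
        cols = line.split()
        if cols[0] == "Destination":                       # header row
            continue
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[-1]
        dest = "0.0.0.0" if dest == "default" else dest
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        entries.append((net, None if gw in ("*", "0.0.0.0") else gw, iface))
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

def next_hop(table, dst):
    """Return (gateway, iface) for dst; gateway None means directly connected."""
    addr = ipaddress.ip_address(dst)
    for net, gw, iface in table:
        if addr in net:
            return gw, iface
    return None, None

# Server table as posted (ControlPanel.Ho assumed to be the modem 10.1.1.1).
SERVER = parse_route_table("""
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.1.1.1        0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
""")
# Constructed table for a server-side PC as described: default via the modem
# plus the single static route for 192.168.2.x via the OpenVPN server.
LAN_PC = parse_route_table("""
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.1.1.1        0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     10.1.1.100      255.255.255.0   UG    0      0        0 eth0
""")
# Same PC with the suggested static route for the VPN network 10.8.0.0/24.
LAN_PC_FIXED = sorted(LAN_PC + parse_route_table(
    "10.8.0.0  10.1.1.100  255.255.255.0  UG  0  0  0 eth0"),
    key=lambda e: e[0].prefixlen, reverse=True)

if __name__ == "__main__":
    print(next_hop(LAN_PC, "10.8.0.6"), next_hop(LAN_PC_FIXED, "10.8.0.6"))
```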

Re: Need help with routes -- copied original set up not work

Posted: Fri Feb 06, 2015 3:13 pm
by Naldinho
maikcat wrote:
Naldinho wrote: The modem on the server side is 10.1.1.1 which is the default gateway for all the PCs but they also route all traffic for 192.168.2.x to 10.1.1.100 which is the server.
Also add a static route for the VPN network 10.8.0.0/24.
Can you be more specific?

maikcat wrote:
Naldinho wrote:
client can ping server
server can't ping client
Can you write the exact commands used?
There is NO way ping can work one way while having routing issues; usually there is a firewall which drops packets somewhere.
I am pinging the machines, so:

Ping 10.1.1.100 works on 192.168.2.100, but ping 192.168.2.100 does not work on 10.1.1.100.

I decided to ping the tun0 IP rather than the machine IP, and that works both ways.

Ping 10.8.0.6 from 10.1.1.100 works, and ping 10.8.0.1 works from 192.168.2.100.

maikcat wrote:
Naldinho wrote: PCs can't ping anything except on their own LAN
Which PCs? Client or server side? Can you try to use tracert and post its results here?
Also try to use the OpenVPN server/client LAN IP as the default gateway for them, in case the client/router does not respond correctly to ICMP redirect messages.
The PCs on either network. There are a half-dozen computers on 192.168.2.x and 10.1.1.x; they can ping each other and the OpenVPN machine on their network, but none of them can ping anything on the other side, including the server/client IP or the tun0 IP.

I tried to change the default gateway and I've lost contact with the remote machine, so I can't test anything until I physically reboot the machine later today.

Re: Need help with routes -- copied original set up not work

Posted: Sun Feb 08, 2015 5:37 am
by Naldinho
Ok, I got it working. The problem was that the client-conf file was not parsing because it was incorrectly named.

As it stands now, all PCs on 192.168.2.x can ping all PCs on 10.1.1.x and vice versa.

There is just one issue left.

The server 10.1.1.100 can ping the client 192.168.2.100 and vice versa, but neither client nor server can ping any of the PCs on the other side. That is to say, 10.1.1.100 can not ping 192.168.2.50 for example, but 192.168.2.50 can ping 100.1.1.100.

I think to fix this I need to add a route to both the server and the client machine, but that is as far as I can get.
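An added example (not code from the thread or from OpenVPN) that checks the route/iroute pairing between the first post's server.conf and its client-config-dir entry, and reports the kind of misnamed ccd file that turned out to be the problem here. The client certificate CN "client" is an assumption taken from the client.crt name in client.conf.

```python
"""Consistency check for the site-to-site pieces in this thread (added example,
not code from the thread): the server's `route` for the remote LAN must be
paired with an `iroute` in a client-config-dir file whose name is exactly the
client certificate's CN (or DEFAULT); a file under any other name is ignored."""

# Constructed copies of the server.conf directives and ccd entry from the thread.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0"
client-config-dir /etc/openvpn/client-configs
route 192.168.2.0 255.255.255.0
"""
CCD_ENTRY = """
iroute 192.168.2.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"
ifconfig-push 10.8.0.22 10.8.0.21
"""

def directives(text, name):
    """Argument lists of every active (not ;/# commented) `name` directive."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and not parts[0].startswith(";") and parts[0] == name:
            found.append(parts[1:])
    return found

def check_site_to_site(server_conf, ccd_files, client_cn):
    """ccd_files maps file name -> contents as found in client-config-dir.
    Returns a list of problems; an empty list means routes and iroutes agree."""
    problems = []
    ccd = ccd_files.get(client_cn)
    if ccd is None:
        problems.append(f"no ccd file named {client_cn!r} (found {sorted(ccd_files)}); "
                        "OpenVPN only reads the file matching the client CN")
        ccd = ""
    routes = {tuple(a[:2]) for a in directives(server_conf, "route")}
    iroutes = {tuple(a[:2]) for a in directives(ccd, "iroute")}
    for net, mask in sorted(routes - iroutes):
        problems.append(f"route {net} {mask} has no iroute in ccd/{client_cn}")
    for net, mask in sorted(iroutes - routes):
        problems.append(f"iroute {net} {mask} has no kernel route in server.conf")
    return problems

if __name__ == "__main__":
    # A misnamed ccd file vs. one named after the assumed CN "client".
    print(check_site_to_site(SERVER_CONF, {"misnamed": CCD_ENTRY}, "client"))
    print(check_site_to_site(SERVER_CONF, {"client": CCD_ENTRY}, "client"))
```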