Server cannot ping client and client's network


Post by jpaos » Fri Apr 08, 2016 6:31 pm

Hi,

I want to connect two private networks through a VPN. I just want them to access each other without any NAT.

It seems that the client can ping the server (and, with proper routing, the server's network), but the server cannot ping the client.
(Both can ping the tunnel endpoints.)

I've been playing around with tcpdump, and it seems that the packets from the server go into the tunnel but don't appear at the client's endpoint.

Here is my setup:

LAN Client: 10.0.1.0/24
vpnclient: 10.0.1.5

LAN Server: 192.168.1.0/24
vpnserver: 192.168.1.7

Server config:

port 1194
proto udp
dev tun
ca ca.crt
cert MyVPN.crt
key MyVPN.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0

push "route 192.168.1.0 255.255.255.0"
# Kernel route for the client LAN into tun0. OpenVPN itself also needs a matching
# "iroute 10.0.1.0 255.255.255.0" in ccd/<client CN> to know which client owns it.
route 10.0.1.0 255.255.255.0

client-config-dir ccd
client-to-client

keepalive 10 120
comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

verb 3
Client config:

client
dev tun
proto udp
remote myhostname 1194

resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert rasp.crt
key rasp.key
ns-cert-type server
comp-lzo

verb 3
Server routing table:

/etc/openvpn $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.0.1.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
Client routing table:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    202    0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     202    0        0 eth0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
I have all iptables rules as ACCEPT.

Client pinging Server:

ping -c 2 192.168.1.7
PING 192.168.1.7 (192.168.1.7) 56(84) bytes of data.
64 bytes from 192.168.1.7: icmp_seq=1 ttl=64 time=3.24 ms
64 bytes from 192.168.1.7: icmp_seq=2 ttl=64 time=2.94 ms

--- 192.168.1.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 2.949/3.097/3.245/0.148 ms
tcpdump -i tun0 @ client:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
19:15:35.890820 IP 10.8.0.6 > 192.168.1.7: ICMP echo request, id 727, seq 1, length 64
19:15:35.893897 IP 192.168.1.7 > 10.8.0.6: ICMP echo reply, id 727, seq 1, length 64
19:15:36.892786 IP 10.8.0.6 > 192.168.1.7: ICMP echo request, id 727, seq 2, length 64
19:15:36.895627 IP 192.168.1.7 > 10.8.0.6: ICMP echo reply, id 727, seq 2, length 64
tcpdump -i tun0 @ server:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
19:15:35.890550 IP 10.8.0.6 > 192.168.1.7: ICMP echo request, id 727, seq 1, length 64
19:15:35.890741 IP 192.168.1.7 > 10.8.0.6: ICMP echo reply, id 727, seq 1, length 64
19:15:36.892310 IP 10.8.0.6 > 192.168.1.7: ICMP echo request, id 727, seq 2, length 64
19:15:36.892453 IP 192.168.1.7 > 10.8.0.6: ICMP echo reply, id 727, seq 2, length 64
Server pinging Client:

ping -c 2 10.0.1.5
PING 10.0.1.5 (10.0.1.5) 56(84) bytes of data.

--- 10.0.1.5 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms
tcpdump -i tun0 @ client: nothing appears

tcpdump -i tun0 @ server:

19:18:17.605007 IP 10.8.0.1 > 10.0.1.5: ICMP echo request, id 5086, seq 1, length 64
19:18:18.612822 IP 10.8.0.1 > 10.0.1.5: ICMP echo request, id 5086, seq 2, length 64
From several tests I made with iptables and different hosts, it seems that packets only pass through the tunnel:
- from client to server if the source IP is the client tunnel endpoint, i.e., 10.8.0.6
- from server to client if destination IP is the client tunnel endpoint, i.e., 10.8.0.6

Does anyone have any idea what is happening? Both server and client are running Raspbian on Raspberry Pis and are up to date...
OpenVPN version: OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015

Thanks,
Best, João


Re: Server cannot ping client and client's network

Post by Traffic » Fri Apr 08, 2016 6:39 pm



Re: Server cannot ping client and client's network

Post by jpaos » Fri Apr 08, 2016 7:29 pm

I have read that HOWTO and many other docs and forums before my post.
It seems that most people struggle with firewall rules and improper routing, but this is not the case... (I think :| )


Re: Server cannot ping client and client's network

Post by Traffic » Fri Apr 08, 2016 8:16 pm

jpaos wrote: I have read that HOWTO
Did you see the Forum rules (top of this page)?


Re: Server cannot ping client and client's network

Post by jpaos » Fri Apr 08, 2016 9:01 pm

When I was generating a log file (with verb 4), I noticed that I had wrongly typed the IP address in the "iroute x.x.x.x x.x.x.x" line of the client's ccd file.
Problem solved! Thank you very much!
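The root cause in the last post is the pairing that site-to-site OpenVPN depends on: the server's `route` directive tells the kernel to send the client LAN into tun0, and the `iroute` in `ccd/<client CN>` tells OpenVPN which connected client owns that network. If the two disagree, packets reach tun0 on the server and go nowhere, which is exactly the tcpdump picture in the first post. As an added example, not code from the thread, the POSIX shell script below builds a `server.conf` and `ccd/` directory with the thread's addresses, plants an invented typo (10.0.10.0 instead of 10.0.1.0) in the ccd file, and runs a `check_iroutes` function that reports every `route` without a matching `iroute` and vice versa. The ccd file name `rasp` is an assumption taken from the client's certificate file name; the real file must be named after the certificate's common name.

```shell
#!/bin/sh
# Added example (not from the thread): the route/iroute pairing behind the fix,
# plus a checker for the mismatch that caused it.
#
# For a client LAN behind a "dev tun" server, two directives must agree:
#   route  <net> <mask>   in server.conf  -> kernel routes the LAN into tun0
#   iroute <net> <mask>   in ccd/<CN>     -> OpenVPN learns which client owns it
# If the iroute is missing or has a typo, packets enter tun0 on the server
# and are dropped there: the tcpdump picture in the first post.
set -eu
LC_ALL=C; export LC_ALL

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed server.conf fragment using the thread's addresses.
cat > "$WORK/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 10.0.1.0 255.255.255.0
client-config-dir ccd
EOF

# Constructed ccd file. Its name must be the client certificate's CN; "rasp"
# is assumed from the client's cert file name. The typo (10.0.10.0 instead of
# 10.0.1.0) is invented to show the failure class from the thread.
mkdir "$WORK/ccd"
printf 'iroute 10.0.10.0 255.255.255.0\n' > "$WORK/ccd/rasp"

# check_iroutes SERVER_CONF CCD_DIR
# Prints each "route" with no matching "iroute" in any ccd file, and each
# "iroute" with no matching "route". Returns 1 if anything was printed.
check_iroutes() {
    conf=$1; ccd=$2; rc=0
    # 'push "route ..."' has $1 == "push", so only real kernel routes match
    awk '$1 == "route" { print $2, $3 }' "$conf" | sort -u > "$WORK/routes"
    cat "$ccd"/* 2>/dev/null | awk '$1 == "iroute" { print $2, $3 }' \
        | sort -u > "$WORK/iroutes"
    missing=$(comm -23 "$WORK/routes" "$WORK/iroutes")   # route, no iroute
    orphan=$(comm -13 "$WORK/routes" "$WORK/iroutes")    # iroute, no route
    if [ -n "$missing" ]; then
        printf 'route without iroute: %s\n' "$missing"; rc=1
    fi
    if [ -n "$orphan" ]; then
        printf 'iroute without route: %s\n' "$orphan"; rc=1
    fi
    return $rc
}

# Demonstration: the typo is reported, corrected, and the check then passes.
if check_iroutes "$WORK/server.conf" "$WORK/ccd"; then
    echo "server.conf and ccd/ agree"
else
    echo "mismatch found, correcting ccd/rasp"
    printf 'iroute 10.0.1.0 255.255.255.0\n' > "$WORK/ccd/rasp"
    check_iroutes "$WORK/server.conf" "$WORK/ccd" && echo "server.conf and ccd/ now agree"
fi
```

To use it on a real box, call `check_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd` instead of the constructed files. Two things the checker cannot see: `client-config-dir ccd` is resolved relative to OpenVPN's working directory, and the file inside it must be named exactly after the client's certificate CN (`openssl x509 -noout -subject -in rasp.crt` shows it); a wrong name or path fails silently just like the typo did, and `verb 4` on the server is what made it visible in the thread.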
