Only VPN server not accessible in the network behind VPN client

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
PiotrG
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 25, 2017 8:06 pm

Only VPN server not accessible in the network behind VPN client

Post by PiotrG » Mon Sep 25, 2017 9:27 pm

Hello Everyone,
After spending some time on the tutorials, forums and OpenVPN manual / wiki, I have (almost) successfully configured my OpenVPN network.

The network diagram is below:
[image: network diagram of netA, serverA, netB, clientB and clientC; not reproduced here]

The goal was to be able to communicate from any host in netA to any host in netB and vice versa (without installing OpenVPN on client machines) and, in an emergency, to be able to reach both networks from clientC (an explicit OpenVPN client, connected e.g. via a cellular connection + tethering).

The most important tutorial that helped achieve the goal was this one; afterwards it started working fine... almost.

Summary as of now:
  • From any host in netA it's possible to reach any host from netB
  • From clientC it's possible to reach any host from netA or netB
  • From clientB it's possible to reach any host from netA
  • From a host behind clientB in netB it's not possible to reach 192.168.0.100, but it's possible to reach any other 192.168.0.x address
Most important configuration items are below:
serverA conf:

dev tun
keepalive 10 60
reneg-sec 0
persist-key
persist-tun
duplicate-cn
script-security 3
client-to-client
ca ..
dh ..
key ..
cert ..
tls-auth ta.key 0
port 1194
proto udp
max-clients 10
local 192.168.0.100
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
route 192.168.1.0 255.255.255.0 10.8.0.2

client-config-dir /etc/openvpn/ccd
comp-lzo
cipher AES-256-CBC
tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
topology subnet
ifconfig-pool-persist /etc/openvpn/ipp.txt
txqueuelen 1000
ccd/clientB:

ifconfig-push 10.8.0.2 255.255.255.0
push "route 192.168.0.0 255.255.255.0 10.8.0.1"
iroute 192.168.1.0 255.255.255.0
ccd/clientC:

ifconfig-push 10.8.0.3 255.255.255.0
push "route 192.168.0.0 255.255.255.0 10.8.0.1"
push "route 192.168.1.0 255.255.255.0 10.8.0.2"
clientB conf:

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ..
cert ..
key ..
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
reneg-sec 0
keepalive 10 900
inactive 3600
topology subnet
serverA ifconfig:

serverA # ifconfig  
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3623722 errors:0 dropped:1106 overruns:0 frame:0
          TX packets:3477425 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3128370891 (2.9 GiB)  TX bytes:3345804936 (3.1 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:79319 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79319 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:45864585 (43.7 MiB)  TX bytes:45864585 (43.7 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:866 errors:0 dropped:0 overruns:0 frame:0
          TX packets:875 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:105221 (102.7 KiB)  TX bytes:73883 (72.1 KiB)
serverA ip route show:

serverA # ip route show
default via 192.168.0.1 dev eth0 
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1 
127.0.0.0/8 dev lo  scope link 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.100 
192.168.1.0/24 via 10.8.0.2 dev tun0 
clientB ifconfig -a:

clientB # ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
 inet6 ::1 prefixlen 128 
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
 inet 127.0.0.1 netmask 0xff000000 
 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 options=8<VLAN_MTU>
 ether xx:xx:xx:xx:xx:xx
 inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255 
 nd6 options=9<PERFORMNUD,IFDISABLED>
 media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
 status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
 options=80000<LINKSTATE>
 inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffff00 
 nd6 options=1<PERFORMNUD>
 Opened by PID 75018
clientB netstat -r:

clientB # netstat -r
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
0.0.0.0/1          10.8.0.1           UGS        tun0
default            192.168.0.1        UGS     epair0b
10.8.0.0           10.8.0.1           UGS        tun0
10.8.0.1           link#3             UH         tun0
10.8.0.2           link#3             UHS         lo0
localhost          link#1             UH          lo0
128.0.0.0/1        10.8.0.1           UGS        tun0
192.168.0.0        10.8.0.1           UGS        tun0
192.168.1.0        link#2             U       epair0b
clientB            link#2             UHS         lo0
As the VPN server and client are not the default network gateways (.1), static routes have been configured on both gateways (both are Linksys EA6300):
gwA - 192.168.0.1:
192.168.1.0 / 255.255.255.0 via 192.168.0.100
10.8.0.0 / 255.255.255.0 via 192.168.0.100

gwB - 192.168.1.1:
192.168.0.0 / 255.255.255.0 via 192.168.1.3
10.8.0.0 / 255.255.255.0 via 192.168.1.3


Now when I try to ping 192.168.0.1, e.g. from 192.168.1.100, it responds properly. But when I ping 192.168.0.100, it does not respond.

I was able to run tcpdump on tun1 on clientB and I see ping packets:

clientB # tcpdump -i tun0 -v
tcpdump: listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
23:16:23.245640 IP (tos 0x0, ttl 63, id 46130, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.100 > 192.168.0.100: ICMP echo request, id 61996, seq 0, length 64
23:16:24.271135 IP (tos 0x0, ttl 63, id 46133, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.100 > 192.168.0.100: ICMP echo request, id 61996, seq 1, length 64


23:16:32.609610 IP (tos 0x0, ttl 63, id 46242, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.100 > 192.168.0.1: ICMP echo request, id 63532, seq 0, length 64
23:16:32.647133 IP (tos 0x0, ttl 63, id 32260, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.100: ICMP echo reply, id 63532, seq 0, length 64
23:16:33.612350 IP (tos 0x0, ttl 63, id 46274, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.100 > 192.168.0.1: ICMP echo request, id 63532, seq 1, length 64
23:16:33.670000 IP (tos 0x0, ttl 63, id 32261, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.100: ICMP echo reply, id 63532, seq 1, length 64
Unfortunately, on the QNAP tcpdump is not available.


Any kind of help or hint will be much appreciated. If anything else is necessary, please also let me know.


Thanks a lot in advance for your help :) .

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Only VPN server not accessible in the network behind VPN client

Post by TinCanTech » Mon Sep 25, 2017 11:13 pm

PiotrG wrote:
Mon Sep 25, 2017 9:27 pm
Summary as of now:

From a host behind clientB in netB it's not possible to reach 192.168.0.100, but it's possible to reach any other 192.168.0.x address
PiotrG wrote:
Mon Sep 25, 2017 9:27 pm
serverA # ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
Firewall on your server.

PiotrG
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 25, 2017 8:06 pm

Re: Only VPN server not accessible in the network behind VPN client

Post by PiotrG » Tue Sep 26, 2017 1:41 am

TinCanTech wrote:
Mon Sep 25, 2017 11:13 pm
Firewall on your server.
Thanks for the suggestion.

What I see is:

serverA # iptables -L -v
Chain INPUT (policy ACCEPT 989 packets, 249K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 60 packets, 4804 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 794 packets, 197K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
serverA # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 59 packets, 8698 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 58 packets, 8634 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 142 packets, 30829 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 143 packets, 30893 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    eth0    10.8.0.0/24          anywhere   
As I never added the MASQUERADE rule, it must have been added by the service startup script (custom for OpenVPN @ QNAP).
I have managed to verify it: when starting the openvpn service this rule gets added, and when stopping it, the rule gets removed.

How exactly should the firewall look?

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Only VPN server not accessible in the network behind VPN client

Post by Pippin » Tue Sep 26, 2017 12:19 pm

Since you are using the directive --client-to-client, packets are routed internally by OpenVPN meaning the firewall does not see these packets. Every client can see another client that way but without being able to firewall them.
.....Yes, they pass the firewall on eth0 but at that point they are still encrypted, meaning the "true" destination is unknown to the firewall. --client-to-client can be a security issue.....
Of course, the traffic on eth0 needs to be allowed.
In the above firewall config everything is allowed, it's wide open. All chains have policy ACCEPT and there are no DROP rules.

The need for MASQUERADE depends on the routers/gateways involved.
If routes can be added on them, that would be the way to go because generally routing is seen as the better option.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Only VPN server not accessible in the network behind VPN client

Post by TinCanTech » Tue Sep 26, 2017 1:23 pm

What Pippin says is true .. however ..

This statement:
PiotrG wrote:
Mon Sep 25, 2017 9:27 pm
Summary as of now:

From a host behind clientB in netB it's not possible to reach 192.168.0.100, but it's possible to reach any other 192.168.0.x address
essentially means the entire 192.168.0.0/24 subnet is reachable so packets are flowing to and from that subnet and are correctly routed.

This statement:
PiotrG wrote:
Mon Sep 25, 2017 9:27 pm
serverA # ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
shows that the server is in the 192.168.0.0/24 subnet and is as reachable as all the other host IPs in that subnet.

This statement:
PiotrG wrote:
Mon Sep 25, 2017 9:27 pm
Now when I try to ping 192.168.0.1 eg. from 192.168.1.100, it responds properly. But when I ping 192.168.0.100, it does not respond.
If you cannot ping the server IP from the netB client as you can all the other hosts on the 192.168.0.0/24 subnet then the most likely cause is the server firewall.
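
To make the reasoning above checkable, here is an added example (it is not code from the thread, OpenVPN or QNAP) that replays serverA's "ip route show" table and local addresses from the first post through a longest-prefix lookup and reports which netfilter chain each ping crosses on serverA. A ping from 192.168.1.100 to 192.168.0.1 is forwarded out eth0 (FORWARD chain) and its reply comes back via 10.8.0.2 on tun0, whereas a ping to 192.168.0.100 is delivered locally (INPUT chain) over the very same tun0 route, so the routing is identical and the INPUT side of the server's firewall is the remaining difference.

```python
import ipaddress

# Constructed from serverA's "ip route show" output posted in the thread.
SERVERA_ROUTES = """\
default via 192.168.0.1 dev eth0
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
127.0.0.0/8 dev lo  scope link
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.100
192.168.1.0/24 via 10.8.0.2 dev tun0
"""
# Constructed from serverA's ifconfig output (eth0, tun0, lo).
SERVERA_LOCAL_ADDRS = {"192.168.0.100", "10.8.0.1", "127.0.0.1"}


def parse_routes(text):
    """Parse 'ip route show' lines into (network, gateway-or-None, dev) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append((net, gw, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def classify(routes, local_addrs, src, dst):
    """Which netfilter chain a src->dst packet crosses on this host, and how the reply leaves."""
    chain = "INPUT" if dst in local_addrs else "FORWARD"
    out_dev = None if chain == "INPUT" else lookup(routes, dst)[2]
    reply = lookup(routes, src)  # the return path used for the echo reply
    return {"chain": chain, "out_dev": out_dev, "reply_dev": reply[2], "reply_via": reply[1]}


if __name__ == "__main__":
    routes = parse_routes(SERVERA_ROUTES)
    for target in ("192.168.0.1", "192.168.0.100"):
        print(target, classify(routes, SERVERA_LOCAL_ADDRS, "192.168.1.100", target))
```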
