client-to-client ping works but ssh does not work

Post by DV9V » Sat Sep 15, 2018 3:42 am

First of all, I want to compliment the OpenVPN team on the work they are doing. OpenVPN is amazing. I have it running in one deployment where we have site-to-site and road warrior connections all working together and the users love it compared to what we were previously using. We used pfSense to set that up so while it had some challenges, it didn't turn out to be as challenging as this new project, which we are manually setting up. I feel success nearly in my grasp but I keep falling just short of my goal.

All the machines are Ubuntu 18.04 running OpenVPN 2.4.4 (I don't think this is related to versions of the software, just some config detail I have wrong).

We got all the basic config in place and the clients are connecting with the server. They seem to kind of work how we want them to, but not 100%.

Our goal is to connect cloud machines from various clouds back to a cloud-based VPN server so that in the end the clients can also see other clients. This is so we can get licenses to them from a network license server on Hub Cloud A. The clients also need to be able to see each other so they can pass little commands back and forth:

                                 CLOUD B
                               +----------+
                               | Client 1 | 10.80.51.47   ( 10.80.48.0/20 )
                               +----------+
                             /              
      CLOUD A               /   10.83.240.5  (10.83.240.0/20)
    +----------------------+     Client 1 and Client 2 need to be able to route to each other 
    | Hub (OpenVPN Server) |     but that's all. We don't need to see the rest of their network.
    +----------------------+     Client 1 and Client 2 need to see the Hub network also.         
                            \ 
                             \
                              \   CLOUD C
                               +----------+
                               | Client 2 |  10.80.6.153   ( 10.80.0.0/20 )
                               +----------+

I have my server configured according to the documentation with client-to-client, push routes and routes. ip_forward is enabled on the server. As I mentioned earlier, the clients connect to the server VPN fine and can even ssh to the server via the VPN. I can ping from client to client over the VPN, however I can't ssh from client to client.

Here is the output of ping when I ping client to client. I think there are some clues in this since this is not the typical response. Redirect Host?:

$ ping 10.80.6.153
PING 10.80.6.153 (10.80.6.153) 56(84) bytes of data.
From 10.32.0.1: icmp_seq=2 Redirect Host(New nexthop: 10.32.0.2)
From 10.32.0.1: icmp_seq=3 Redirect Host(New nexthop: 10.32.0.2)
From 10.32.0.1: icmp_seq=4 Redirect Host(New nexthop: 10.32.0.2)

Here is our server config:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.32.0.0 255.255.0.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "route 10.83.240.0 255.255.240.0"
push "route 10.80.0.0 255.255.240.0"
push "route 10.80.48.0 255.255.240.0"

client-config-dir ccd

route 10.80.0.0 255.255.240.0
route 10.80.48.0 255.255.240.0
route 10.83.240.0 255.255.240.0

client-to-client

# clients reuse the same cert and cn
duplicate-cn

keepalive 10 120

tls-auth ta.key 0 # This file is secret
key-direction 0
auth SHA256
cipher AES-128-CBC

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

verb 4

explicit-exit-notify 1

Here is the client config:

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
auth SHA256
key-direction 1
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3

### inline certs and keys
<ca>
# redacted
</ca>
<cert>
# redacted
</cert>
<key>
# redacted
</key>
<tls-auth>
# redacted
</tls-auth>
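
Two things a reader comparing this hub-and-spoke config against the OpenVPN docs would cross-check are that every server-side `route` for a client LAN is claimed by an `iroute` in a ccd file (that is how OpenVPN learns which connected client owns a subnet; the kernel `route` alone only sends the packets into the tun device) and that `duplicate-cn` does not collapse the per-CN ccd lookup that `iroute` depends on. The script below is an added example, not code from the post or from the OpenVPN project; the ccd contents and the set of hub-local networks are assumptions, since the post does not show them.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the route-related lines of the server config from the
# post. The ccd directory is hypothetical, since the post does not show it.
SERVER_CONF = """\
server 10.32.0.0 255.255.0.0
client-config-dir ccd
client-to-client
duplicate-cn
push "route 10.83.240.0 255.255.240.0"
push "route 10.80.0.0 255.255.240.0"
push "route 10.80.48.0 255.255.240.0"
route 10.80.0.0 255.255.240.0
route 10.80.48.0 255.255.240.0
route 10.83.240.0 255.255.240.0
"""
CCD_FILES = {"client1": "iroute 10.80.48.0 255.255.240.0\n"}  # hypothetical
# Assumed from the post's diagram: the hub's own LAN needs no iroute.
HUB_LANS = {"10.83.240.0 255.255.240.0"}

RE_ROUTE = re.compile(r"^route\s+(\S+)\s+(\S+)", re.M)
RE_IROUTE = re.compile(r"^iroute\s+(\S+)\s+(\S+)", re.M)

def has(conf: str, directive: str) -> bool:
    # True if the bare directive appears at the start of a line.
    return re.search(r"^%s\b" % re.escape(directive), conf, re.M) is not None

def lint_hub(server_conf: str, ccd_files: Dict[str, str], hub_lans: Set[str]) -> List[str]:
    """Cross-check server 'route' lines against ccd 'iroute' lines; return findings."""
    kernel = {f"{n} {m}" for n, m in RE_ROUTE.findall(server_conf)}
    iroutes: Dict[str, str] = {}  # "NET MASK" -> ccd file (client CN) that claims it
    for cn, body in ccd_files.items():
        for n, m in RE_IROUTE.findall(body):
            iroutes[f"{n} {m}"] = cn
    client_lans = kernel - hub_lans
    findings: List[str] = []
    for net in sorted(client_lans - set(iroutes)):
        findings.append(f"route {net}: no ccd file claims it with iroute, so packets for it "
                        "reach the tun device but OpenVPN knows no client to deliver them to")
    for net in sorted(set(iroutes) - kernel):
        findings.append(f"iroute {net} in ccd/{iroutes[net]} has no matching server route, "
                        "so the kernel never sends that subnet into the tunnel")
    if has(server_conf, "duplicate-cn") and len(client_lans) > 1:
        findings.append("duplicate-cn with several client LANs: ccd files are chosen by CN, "
                        "so clients sharing one CN cannot each receive their own iroute")
    return findings
```

Running `lint_hub(SERVER_CONF, CCD_FILES, HUB_LANS)` on the constructed input reports the unclaimed 10.80.0.0/20 route and the duplicate-cn conflict; a config with one ccd file per client CN and no duplicate-cn produces no findings.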
