Help - VPN tunnel up but unable to ping remote machines on LAN

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
brianbelden
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 12, 2020 1:51 pm

Help - VPN tunnel up but unable to ping remote machines on LAN

Post by brianbelden » Wed Feb 12, 2020 2:09 pm

All,

I want to preface this topic that I have never set up an OpenVPN client before, so I apologize if I missed something or my terminology is incorrect. In our environment we currently have an OpenVPN Server and an OpenVPN Client. The tunnel is up and running, and this tunnel is used so two machines on each side of the VPN Tunnel have the ability to communicate through the tunnel. I have recently set up a secondary client to accomplish the same task of having a remote machine called PC-B communicate with a machine behind the OpenVPN Server called PC-A. The tunnel for the secondary Client is up and running, and I am able to ping both sides of the tunnel. From the OpenVPN server I can ping the client machine(192.168.1.29) and I can ping both sides of the tunnel. From the OpenVPN client (192.168.1.29) I can ping the OpenVPN server(172.21.7.13) and both sides of the the tunnel (172.17.0.1 & 172.17.0.10)

The following information is related to the setup:

NetworkA - 172.21.0.0/16
NetworkB - 192.168.1.0/24

PC-A (172.21.0.101) is behind the OpenVPN Server (172.21.7.13) and can ping the OpenVPN Server and the OpenVPN client (192.168.1.29). But it cannot ping the PC-B (192.168.1.240)

PC-B (192.168.1.240) is behind OpenVPN Client, and it can ping the OpenVPN client (192.168.1.29). PC-B cannot ping the OpenVPN Server or PC-A.

Ideally I need these machines to be able to talk, but I seem to be missing something.

Below is the config for the client.conf file on NetworkB OpenVPN client (192.168.1.29)

Code: Select all

client
dev tun
proto udp
remote 209.10.146.126 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-aws.crt
key /etc/openvpn/client-aws.key
ns-cert-type server
comp-lzo
verb 3
Below is the config for the server.conf file on NetworkA OpenVPN Server (172.21.7.13)

Code: Select all

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  
dh /etc/openvpn/dh2048.pem
server 172.17.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.21.0.0 255.255.0.0"
client-config-dir /etc/openvpn/ccd
route 10.0.0.0 255.0.0.0
route 192.168.1.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Below is the output of the Openvpn-status.log

Code: Select all

OpenVPN CLIENT LIST
Updated,Wed Feb 12 09:06:37 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,96.87.228.33:48122,74048621,84472650,Tue Feb 11 02:15:45 2020
client-aws,107.20.191.123:60210,9984,9642,Wed Feb 12 08:41:56 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.2.2.26C,client,96.87.228.33:48122,Wed Feb 12 09:06:36 2020
10.2.2.25C,client,96.87.228.33:48122,Wed Feb 12 09:06:29 2020
10.2.2.35C,client,96.87.228.33:48122,Wed Feb 12 09:06:03 2020
10.0.0.0/8,client,96.87.228.33:48122,Tue Feb 11 02:15:45 2020
10.2.2.36C,client,96.87.228.33:48122,Wed Feb 12 09:06:33 2020
172.17.0.6,client,96.87.228.33:48122,Tue Feb 11 14:34:02 2020
172.17.0.10,client-aws,107.20.191.123:60210,Wed Feb 12 08:41:56 2020
192.168.1.0/24,client-aws,107.20.191.123:60210,Wed Feb 12 08:41:56 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
Below is the route table from PC-A:

Code: Select all

 IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.21.0.1     172.21.0.101    266
         10.0.0.0        255.0.0.0      172.21.7.13     172.21.0.101     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.21.0.0      255.255.0.0         On-link      172.21.0.101    266
     172.21.0.101  255.255.255.255         On-link      172.21.0.101    266
   172.21.255.255  255.255.255.255         On-link      172.21.0.101    266
      192.168.1.0    255.255.255.0      172.21.7.13     172.21.0.101     11
    192.168.1.240  255.255.255.255      172.21.7.13     172.21.0.101     11
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      172.21.0.101    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      172.21.0.101    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0      172.21.7.13       1
          0.0.0.0          0.0.0.0       172.21.0.1  Default 
      192.168.1.0    255.255.255.0      172.21.7.13       1
===========================================================================
Below is the Route Table from PC-B:

Code: Select all

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.240     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  169.254.169.123  255.255.255.255      192.168.1.1    192.168.1.240     50
  169.254.169.249  255.255.255.255      192.168.1.1    192.168.1.240     50
  169.254.169.250  255.255.255.255      192.168.1.1    192.168.1.240     50
  169.254.169.251  255.255.255.255      192.168.1.1    192.168.1.240     50
  169.254.169.253  255.255.255.255      192.168.1.1    192.168.1.240     50
  169.254.169.254  255.255.255.255      192.168.1.1    192.168.1.240     50
       172.21.0.0      255.255.0.0     192.168.1.29    192.168.1.240     26
      192.168.1.0    255.255.255.0         On-link     192.168.1.240    281
    192.168.1.240  255.255.255.255         On-link     192.168.1.240    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.240    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.240    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.240    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
  169.254.169.254  255.255.255.255      192.168.1.1      25
  169.254.169.250  255.255.255.255      192.168.1.1      25
  169.254.169.251  255.255.255.255      192.168.1.1      25
  169.254.169.249  255.255.255.255      192.168.1.1      25
  169.254.169.123  255.255.255.255      192.168.1.1      25
  169.254.169.253  255.255.255.255      192.168.1.1      25
       172.21.0.0      255.255.0.0     192.168.1.29       1
===========================================================================
I have the firewalls on both remote PC's turned off at this time. PC-B is an EC2 instance in AWS, but I have allowed ICMP from any location at this time. I am kind of confused to why this would not be working, so any advice is much appreciated.

Thank you

User avatar
Pippin
Forum Team
Posts: 830
Joined: Wed Jul 01, 2015 8:03 am

Re: Help - VPN tunnel up but unable to ping remote machines on LAN

Post by Pippin » Wed Feb 12, 2020 5:41 pm

ip_forward is enabled on client 192.168.1.29?

brianbelden
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 12, 2020 1:51 pm

Re: Help - VPN tunnel up but unable to ping remote machines on LAN

Post by brianbelden » Wed Feb 12, 2020 6:09 pm

Yup this is the setting on the client.

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

User avatar
Pippin
Forum Team
Posts: 830
Joined: Wed Jul 01, 2015 8:03 am

Re: Help - VPN tunnel up but unable to ping remote machines on LAN

Post by Pippin » Wed Feb 12, 2020 6:27 pm

How does your iroute for client 192.168.1.29 look like?

Edit:
Better post the client ccd file.

brianbelden
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 12, 2020 1:51 pm

Re: Help - VPN tunnel up but unable to ping remote machines on LAN

Post by brianbelden » Wed Feb 12, 2020 9:35 pm

This has been resolved. I believe the issue was not related to OpenVPN, but it was related to AWS and how they handle Routes. I had to make a manual entry to the Route Table that is attached to the VPC to allow traffic going to the remote Subnet to use the OpenVPN client instance.

Thanks

User avatar
Pippin
Forum Team
Posts: 830
Joined: Wed Jul 01, 2015 8:03 am

Re: Help - VPN tunnel up but unable to ping remote machines on LAN

Post by Pippin » Thu Feb 13, 2020 2:50 pm

Thanks for letting us know.

Post Reply