OpenVPN routing suddenly doesn't work! - not sure what to check to fix
Posted: Wed Mar 09, 2022 3:49 am
Been using OpenVPN to access services housed in a remote LAN for years. In the past week, the remote LAN (192.168.100.0/24 network) did some revisions in its network setup and suddenly my OpenVPN setup (particularly the routing) doesn't work properly.
The actual link is working... When I'm at the server running the VPN link on the server side (192.168.100.0/24) with IP 192.168.100.253 (VPN IP of 10.8.0.1), my ping to other machines on the 100.x network comes out okay. From this machine, I also ping the remote VPN box and it returns fine. But when I'm on the server running the VPN link on the client side (192.168.254.0/24) with IP of 192.168.254.1 (VPN IP of 10.8.0.245), I can't ping the 100.x machines. But ping to the VPN IP (10.8.0.1) works.
The default gateway on the 100.x network is 100.2, and it has the proper route statements set up. I asked the remote LAN to do some pings on my 254.x network, and they came out okay. This tells me that the routing setup on 100.x towards the client VPN network (254.x) is set up okay.
OpenVPN config at VPNSERVER (UBUNTUVPN):
```text
management localhost 7505
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/BULVPNSERVER.crt
key /etc/openvpn/BULVPNSERVER.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.100.0 255.255.255.0"
client-config-dir ccd
route 192.168.254.0 255.255.255.0
route 192.168.111.0 255.255.255.0
client-config-dir ccd
route 10.8.0.245 255.255.255.0
route 10.8.0.249 255.255.255.0
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.BULVPN.log
verb 3
```
ifconfig on UBUNTUVPN (Note: tun0 is another VPN setup, seldom used. Not the issue here):
```text
kss1x@UBUNTUVPN:~$ ifconfig
eno1 Link encap:Ethernet HWaddr 94:c6:91:13:63:d8
inet addr:192.168.100.253 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::96c6:91ff:fe13:63d8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:334 errors:0 dropped:93 overruns:0 frame:0
TX packets:151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40900 (40.9 KB) TX bytes:19186 (19.1 KB)
Interrupt:16 Memory:dc100000-dc120000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:168 errors:0 dropped:0 overruns:0 frame:0
TX packets:168 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:12152 (12.1 KB) TX bytes:12152 (12.1 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.1.1 P-t-P:10.8.1.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
```
Routing table on UBUNTUVPN:
```text
kss1x@UBUNTUVPN:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.100.2 0.0.0.0 UG 0 0 0 eno1
10.8.0.0 * 255.255.255.0 U 0 0 0 tun1
10.8.1.0 * 255.255.255.0 U 0 0 0 tun0
link-local * 255.255.0.0 U 1000 0 0 eno1
192.168.100.0 * 255.255.255.0 U 0 0 0 eno1
192.168.111.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun1
192.168.254.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun1
kss1x@UBUNTUVPN:~$ ip route show
default via 192.168.100.2 dev eno1 onlink
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.1
10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.1
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.100.0/24 dev eno1 proto kernel scope link src 192.168.100.253
192.168.111.0/24 via 10.8.0.2 dev tun1
192.168.254.0/24 via 10.8.0.2 dev tun1
```
From the UBUNTUVPN box, ping to the 254.x network:
```text
kss1x@UBUNTUVPN:~$ ping -c 5 192.168.254.198
PING 192.168.254.198 (192.168.254.198) 56(84) bytes of data.
64 bytes from 192.168.254.198: icmp_seq=1 ttl=63 time=117 ms
64 bytes from 192.168.254.198: icmp_seq=2 ttl=63 time=133 ms
64 bytes from 192.168.254.198: icmp_seq=3 ttl=63 time=62.4 ms
64 bytes from 192.168.254.198: icmp_seq=4 ttl=63 time=78.9 ms
64 bytes from 192.168.254.198: icmp_seq=5 ttl=63 time=105 ms
--- 192.168.254.198 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 62.401/99.628/133.305/25.711 ms
```
On the client side (U1010ROUTER, 192.168.254.1), ifconfig (Note: tun0 and tun1 are for a different VPN purpose, no relation to this issue):
```text
kss1x@U1010ROUTER:~$ ifconfig
enp1s0 Link encap:Ethernet HWaddr 18:d6:c7:03:23:5e
inet addr:192.168.254.1 Bcast:192.168.254.255 Mask:255.255.255.0
inet6 addr: fe80::1ad6:c7ff:fe03:235e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:199030458 errors:0 dropped:1707 overruns:0 frame:0
TX packets:367982786 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:49937625629 (49.9 GB) TX bytes:366924536429 (366.9 GB)
enp2s0 Link encap:Ethernet HWaddr 88:d7:f6:3d:78:a2
inet addr:192.168.1.103 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::8ad7:f6ff:fe3d:78a2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:372444775 errors:0 dropped:0 overruns:0 frame:0
TX packets:212034950 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:363766771328 (363.7 GB) TX bytes:70171730923 (70.1 GB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:198468 errors:0 dropped:0 overruns:0 frame:0
TX packets:198468 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:14220585 (14.2 MB) TX bytes:14220585 (14.2 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.6.1.1 P-t-P:10.6.1.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:1610 (1.6 KB)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.6.0.1 P-t-P:10.6.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1173 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:82864 (82.8 KB)
tun2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.245 P-t-P:10.8.0.245 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:118534 errors:0 dropped:0 overruns:0 frame:0
TX packets:72470 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:11230028 (11.2 MB) TX bytes:7311324 (7.3 MB)
```
Route table:
```text
kss1x@U1010ROUTER:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 enp2s0
10.6.0.0 * 255.255.255.0 U 0 0 0 tun1
10.6.1.0 * 255.255.255.0 U 0 0 0 tun0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun2
link-local * 255.255.0.0 U 1000 0 0 tun1
192.168.1.0 * 255.255.255.0 U 0 0 0 enp2s0
192.168.100.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun2
192.168.254.0 * 255.255.255.0 U 0 0 0 enp1s0
```
Ping to 100.x from 254.x:
```text
kss1x@U1010ROUTER:~$ ping -c 5 192.168.100.245
PING 192.168.100.245 (192.168.100.245) 56(84) bytes of data.
--- 192.168.100.245 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
```
I suspected it has something to do with the route table setting 10.8.0.2 as the VPN IP to go to for the 10.8.0.x network, when in fact there is no 10.8.0.2 machine (the VPN box has 10.8.0.1). But even if I manually change these entries to 10.8.0.1, it still won't work. And besides, as it is, ping from the 100.x network to the 254.x network works; only pinging from the 254.x network to 100.x doesn't.
Not sure how to proceed. Help appreciated =)
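The check below is an added example, not code from the post: it rebuilds the client router's route table from the output above, computes the source address that a `ping 192.168.100.245` run on U1010ROUTER itself carries (the tun2 address 10.8.0.245, because the route has no explicit `src`), and tests whether a given 100.x gateway table would hand the reply back to UBUNTUVPN. The 100.x gateway's table is not in the post, so the two versions in the code are constructed for illustration, and the 203.0.113.1 WAN hop and the `wan`/`lan` interface names are placeholders.

```python
import ipaddress

# Constructed from the post: U1010ROUTER's kernel routes and interface addresses.
CLIENT_ROUTES = """\
default via 192.168.1.1 dev enp2s0
10.6.0.0/24 dev tun1
10.6.1.0/24 dev tun0
10.8.0.0/24 dev tun2
192.168.1.0/24 dev enp2s0
192.168.100.0/24 via 10.8.0.1 dev tun2
192.168.254.0/24 dev enp1s0
"""
CLIENT_IFACE_ADDR = {"enp1s0": "192.168.254.1", "enp2s0": "192.168.1.103",
                     "tun0": "10.6.1.1", "tun1": "10.6.0.1", "tun2": "10.8.0.245"}

# Hypothetical tables for the 100.x gateway (192.168.100.2), which the post does not
# show: only the 192.168.254.0/24 route the poster describes, then that plus a
# route for the tunnel subnet itself back to UBUNTUVPN (192.168.100.253).
GW_ROUTES_AS_DESCRIBED = """\
default via 203.0.113.1 dev wan
192.168.100.0/24 dev lan
192.168.254.0/24 via 192.168.100.253 dev lan
"""
GW_ROUTES_WITH_TUNNEL_NET = GW_ROUTES_AS_DESCRIBED + "10.8.0.0/24 via 192.168.100.253 dev lan\n"

def parse_routes(text):
    """Parse `ip route show` style lines into (network, next_hop, dev) tuples."""
    routes = []
    for fields in (line.split() for line in text.splitlines()):
        if not fields:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0])
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, via, fields[fields.index("dev") + 1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, the way the kernel selects a route."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)

def source_address(routes, iface_addr, dst, lan_host=None):
    """Forwarded LAN traffic keeps the host's address; router-originated traffic uses the egress interface's."""
    return lan_host or iface_addr[lookup(routes, dst)[2]]

def reply_check(gw_text, lan_host=None, dst="192.168.100.245"):
    """Return (ping source address, whether the 100.x gateway routes the reply to UBUNTUVPN)."""
    src = source_address(parse_routes(CLIENT_ROUTES), CLIENT_IFACE_ADDR, dst, lan_host)
    return src, lookup(parse_routes(gw_text), src)[1] == "192.168.100.253"
```

A ping from a host behind the router (`reply_check(gw, "192.168.254.198")`) is answered with either gateway table, while a ping run on the router itself needs the far side to route 10.8.0.0/24 as well, so the two tests exercise different return routes. The `via 10.8.0.2` entries on the server are by design: with `topology subnet` OpenVPN installs the server's own `route` entries via the second address of the tunnel subnet, and on a tun device that next hop is never resolved, the packet simply enters the tunnel.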