OpenVPN Support Forum

I'v set up a site to site config with 2 FreeBSD 13.0 systems and Openvpn 2.5.6; one is the server and the other the client. Server site: 10.8.0.1 to the client at 10.8.0.2. Lan site of the server is 172.19.3.0/24. Lan site of the client is 192.168.1.0/24. Now i can ping from the client to a LAN adres like 172.19.3.5. But when i ping from the server site to a host on the client site there is no response. I discoverd that the ping from the server site stopped in the tunnel when i ping to 192.168.1.120. But a ping to 10.8.0.2 from the server site is working correct.
Question: what is going wrong with the routing on the client site? Or is it impossible what i want to achieve?
Help would be very welcom!!

netstat -4rn (server site)
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default myip_address UGS em0
10.8.0.0/24 10.8.0.2 UGS tun0
10.8.0.1 link#5 UHS lo0
10.8.0.2 link#5 UH tun0
my_ipaddress/30 link#1 U em0
my_ipaddress.10 link#1 UHS lo0
127.0.0.1 link#3 UH lo0
172.19.3.0/24 link#2 U em1
172.19.3.4 link#2 UHS lo0
192.168.1.0/24 10.8.0.2 UGS tun0

netstat -4rn (client site)
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default my_ipaddress UGS em0
10.8.0.0/24 10.8.0.1 UGS tun0
10.8.0.1 link#5 UH tun0
10.8.0.2 link#5 UHS lo0
127.0.0.1 link#3 UH lo0
172.19.3.0/24 10.8.0.1 UGS tun0
192.168.1.0/24 link#2 U em1
192.168.1.120 link#2 UHS lo0
192.168.178.0/24link#1 U em0
192.168.178.199 link#1 UHS lo0

ping from server to client site: ping 192.168.1.120
on the server site: tcpdump icmp -i tun0: 10:19:20.383638 IP 10.8.0.1 > 192.168.1.120: ICMP echo request, id 62477, seq 3, length 64
on the client site: tcpdump icmp -i tun0: nothing..
So there is no packet to receive?

ping from client to server site: ping 172.19.3.5(= host in the LAN on the server site)
on the server site: tcpdump icmp -i tun0:10:21:30.348076 IP 10.8.0.2 > 172.19.3.5: ICMP echo request, id 42508, seq 1, length 64
10:21:30.348504 IP 172.19.3.5 > 10.8.0.2: ICMP echo reply, id 42508, seq 1, length 64
on the client site: tcpdump icmp -i tun0:10:21:20.462101 IP 10.8.0.2 > 172.19.3.5: ICMP echo request, id 42508, seq 1, length 64
10:21:20.481554 IP 172.19.3.5 > 10.8.0.2: ICMP echo reply, id 42508, seq 1, length 64
so this is ok.

more server.conf
local my_ipaddres
port 1194
proto udp
dev tun
log-append openvpn.log
verb 3
;mute 20
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/server.crt
key /usr/local/etc/openvpn/server/server.key
dh /usr/local/etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
#push "route 172.19.3.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0
#push "redirect-gateway def1"
push "route-gateway 10.8.0.2"
push "route 10.8.0.0 255.255.255.0"
duplicate-cn
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo no
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
ifconfig-pool-persist ipp.txt
explicit-exit-notify 1
topology subnet
client-config-dir /usr/local/etc/openvpn/ccd

/usr/local/etc/openvpn/ccd # more client.cfg
client
dev tun
proto udp
remote my_ipaddress 1194
resolv-retry infinite
#redirect-gateway def1
persist-key
persist-tun
ca /usr/local/etc/openvpn/client/ca.crt
cert /usr/local/etc/openvpn/client/client.crt
key /usr/local/etc/openvpn/client/client.key
remote-cert-tls server
tls-auth /usr/local/etc/openvpn/client/ta.key 1
cipher AES-256-CBC
comp-lzo yes
verb 3
#push "route 172.19.3.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0
client-to-client
#push "route 192.168.1.0 255.255.255.0"

on the client:
more /usr/local/etc/openvpn/client/client.conf
client
dev tun
proto udp
remote my_ipaddress 1194
resolv-retry infinite
#redirect-gateway def1
persist-key
persist-tun
ca /usr/local/etc/openvpn/client/ca.crt
cert /usr/local/etc/openvpn/client/client.crt
key /usr/local/etc/openvpn/client/client.key
remote-cert-tls server
tls-auth /usr/local/etc/openvpn/client/ta.key 1
cipher AES-256-CBC
comp-lzo yes
verb 3
#push "route 172.19.3.0 255.255.255.0"

I use pf firewall on both sites:
Server pf.conf:
more /etc/pf.conf
# Interfaces
pptp="tun0"
ext_if_1 = "em2"
ext_if = "em0"
int_if = "em1"
#ext_if1 = "em2"

# --- IP given by the ISP ---
ip_addr = "my_ipaddress"

# --- squid server ip address (usually the localhost) ---
SQUID_SERVER = "127.0.0.1"

# --- squid port ---
SQUID_PORT = "3128"

# --- hosts with internet access from the private network ---
table <allowed> { 10.0.0.0/24, 172.19.3.0/24, 192.168.1.0/24 }

# --- openvpn clients subnet ---
table <openvpn_clients> { 10.8.0.0/24 }
# Ports we want to allow access to from the outside world on our local system (ext_if)
tcp_services = "{ 22, 53, 80, 25, 110, 143, 389, 443, 993, 1194 }"

udp_services = "{ 1194 }"

# ping requests
icmp_types = "echoreq"

# --- OPTIONS section ---
set skip on lo0
set block-policy drop

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr
nat on $ext_if from <openvpn_clients> to any -> $ip_addr

# --- redirect HTTP traffic to the Squid server on the firewall ---

# --- redirect RDP traffic to the inside

# --- redirect HTTPS traffic to the inside

# --- FILTER RULES ---

# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---

pass in quick on $int_if inet from <allowed> to any keep state
pass in quick on $int_if inet from <openvpn_clients> to any keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out quick on $int_if inet from any to any keep state

pass in on $pptp inet from any to any
pass out on $pptp inet from any to any

pass in proto gre all keep state
pass out proto gre all keep state

# --- EXTERNAL interface ---

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services
pass out quick on $ext_if inet from any to any keep state
pass out on $ext_if proto udp to any port 53

Client pf.conf:
more /etc/pf.conf
# Interfaces
pptp="tun0"
ext_if = "em0"
int_if = "em1"

# --- IP given by the ISP ---
ip_addr = "my_ipaddress"

# --- squid server ip address (usually the localhost) ---
SQUID_SERVER = "127.0.0.1"

# --- squid port ---
SQUID_PORT = "3128"

# --- hosts with internet access from the private network ---
table <allowed> { 10.0.0.0/24, 172.19.3.0/24, 192.168.1.0/24 }

# --- openvpn clients subnet ---
table <openvpn_clients> { 10.8.0.0/24 }
# Ports we want to allow access to from the outside world on our local system (ext_if)
tcp_services = "{ 22, 53, 80, 25, 110, 143, 389, 443, 993, 1194 }"

udp_services = "{ 1194 }"

# ping requests
icmp_types = "echoreq"

# --- OPTIONS section ---
set skip on lo0
set block-policy drop

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr
nat on $ext_if from <openvpn_clients> to any -> $ip_addr

# --- redirect HTTP traffic to the Squid server on the firewall ---

# --- redirect RDP traffic to the inside

# --- redirect HTTPS traffic to the inside

# --- FILTER RULES ---

# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---

pass in quick on $int_if inet from <allowed> to any keep state
pass in quick on $int_if inet from <openvpn_clients> to any keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out quick on $int_if inet from any to any keep state

pass in on $pptp inet from any to any
pass out on $pptp inet from any to any

pass in proto gre all keep state
pass out proto gre all keep state

# --- EXTERNAL interface ---

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services
pass out quick on $ext_if inet from any to any keep state
pass out on $ext_if proto udp to any port 53

Is there anybody out there who could help with this problem?

The element which you have not documented is your client CCD file and --iroute.

Yes, my client.cfg in the ccd map is there..
But here it:
/usr/local/etc/openvpn/ccd # more client.cfg
client
dev tun
proto udp
remote my_ipaddress 1194
resolv-retry infinite
#redirect-gateway def1
persist-key
persist-tun
ca /usr/local/etc/openvpn/client/ca.crt
cert /usr/local/etc/openvpn/client/client.crt
key /usr/local/etc/openvpn/client/client.key
remote-cert-tls server
tls-auth /usr/local/etc/openvpn/client/ta.key 1
cipher AES-256-CBC
comp-lzo yes
verb 3
#push "route 172.19.3.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0
client-to-client
#push "route 192.168.1.0 255.255.255.0"

What do you mean by --iroute? I understand that this is an option to route vpn traffic.. But how do I use this?

This is explained in the OpenVPN Howto.

Ok thank you! I found this: https://community.openvpn.net/openvpn/w ... edLans#no1




unfortunately my routing problem is still the same: I can ping from the client to the server LAN but it is impossible to ping from server side to the client ip 192.168.1.118
Can you please help me a little?

You need to NAT and ipforward at client as you do at server so in server side can ping client side .when site to site connection each openvpn instance become a node .

@300000 Did you read the code which was posted as a CCD file, with --iroute ?

@300000: in my firewall script is this covered with this part.
# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr
nat on $ext_if from <openvpn_clients> to any -> $ip_addr

you can use tracert fron one client on server side and tracert one client on client side , if tracert stop at ip client openvpn so it mean at you client openvpn stil not NAT and ipforward.


this is wrong as you dont understand route and push route. only need route as it is subnet of client side . you dont need push that subnet to that client.
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

@ 300000: you are so right! I don't understand the routing of openvpn. So i found some documents that makes it more clear. Now I configured this config files:






unfortunately the result is still the same.
I can ping from the client to the server LAN side to a client
ping 172.19.3.5 this on the server LAN:
tcpdump icmp -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
14:33:26.770142 IP 10.8.0.3 > 172.19.3.5: ICMP echo request, id 48905, seq 0, length 64
14:33:26.790106 IP 172.19.3.5 > 10.8.0.3: ICMP echo reply, id 48905, seq 0, length 64
this correct!

ping 192.168.1.120 on openvpn server (to the LAN side of the client, its own interface)
tcpdump icmp -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
14:28:57.064598 IP 10.8.0.1 > 192.168.1.120: ICMP echo request, id 11529, seq 10, length 64
14:28:58.094596 IP 10.8.0.1 > 192.168.1.120: ICMP echo request, id 11529, seq 11, length 64
14:28:59.156856 IP 10.8.0.1 > 192.168.1.120: ICMP echo request, id 11529, seq 12, length 64
nothing comes back..
[oconf=netstat -4rn (server)]
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default my_ip_address UGS em0
10.8.0.0/24 10.8.0.2 UGS tun0
10.8.0.1 link#5 UHS lo0
10.8.0.2 link#5 UH tun0
my_ip_address/30 link#1 U em0
My-ipaddress link#1 UHS lo0
127.0.0.1 link#3 UH lo0
172.19.3.0/24 link#2 U em1
172.19.3.4 link#2 UHS lo0
192.168.1.0/24 10.8.0.2 UGS tun0
[/oconf]
[oconf=netstat -4rn (client)}
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default 192.168.178.1 UGS em0
10.0.0.5 link#2 UH em1
10.8.0.0/24 10.8.0.1 UGS tun0
10.8.0.1 link#5 UH tun0
10.8.0.3 link#5 UHS lo0
127.0.0.1 link#3 UH lo0
172.19.3.0/24 10.8.0.1 UGS tun0
192.168.1.0/24 link#2 U em1
192.168.1.120 link#2 UHS lo0
192.168.178.0/24 link#1 U em0
192.168.178.199 link#1 UHS lo0
[/oconf]

It is possible to ping to the other end of the tunnel: 10.8.0.3 of the client side.

What is wrong with this config?
Any help would appreciated!

192.168.1.0/24 10.8.0.2 UGS tun0 it show that your clien openvpn subnet is correct into openvpn server routing table. the stop here is at client openvpn as you dont have NAT and IPforward at all . let try this one to find out.

using tracert command from server and try to trace to one client behind openvpn client so if tracert stop at 10.8.0.3 it mean at openvpn client you need to make NAT and IPforward.

@300000:
On the server side I use this pf.conf:


in the file /etc/rc.conf I'v this added:
gateway_enable="YES"

So this means that ipforwarding is active.

This is exactly the same for the Openvpn server and the client.
For the Openvpn server this working just fine; for the client it is not..

Is there anybody for help available?

Problem is solved:

filename in the ccd map is not correct:

client.cfg must be renamed to client

Otherwise it is not parsed.

In future, to diagnose this problem, use the Openvpn directive --ccd-exclusive, which can be found in the manual.

To me2 posters, please see: viewtopic.php?t=22603

* Locked *