[SOLVED] Troubles with Site-to-Site
Posted: Mon Aug 01, 2022 6:31 pm
Been bashing my head against the wall for a few days now trying to get this figured out; I'm sure it's something simple I'm overlooking, so any outside input would be greatly appreciated.
End goal is to be able to easily access the LAN on either side of a Server-Client/Gateway setup.
[Network diagram: Network Notepad Free Ed.]
Currently, I'm having what I think are routing or iptables/UFW issues.
From Desktop:
Can ping the Cisco and SSH the R-Pi, nothing else
From OVPN Server:
Can freely ping and access anything on both LAN
From Work LAN:
Can ping & access either LAN freely (it wouldn't earlier, not sure what I changed to get it working)
From phone on 4G+VPN:
Can ping and access either LAN freely
I've mostly been messing about with iptables/UFW, thinking that's where the issue seems to lie, but no clue. Seeing as the OVPN server has free access & responds to Work LAN, I'm assuming at least the routing on the Cisco is good? I have no custom routing on the Desktop/S9 either, so the ER-X routes seem to work as well, given they can ping the R-Pi & Cisco.
server.conf
server 192.168.191.0 255.255.255.0
port 110
proto udp
dev tun
topology subnet
route 192.168.0.0 255.255.255.0 192.168.191.1
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 60
cipher AES-128-CBC
user nobody
group nogroup
persist-key
persist-tun
push "dhcp-option DNS 192.168.192.99"
push "dhcp-option WINS 192.168.192.99"
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
status openvpn-status.log
verb 4
CCD for R-Pi:
iroute 192.168.0.0 255.255.255.0
ifconfig-push 192.168.191.6 255.255.255.0
push "route 192.168.192.0 255.255.255.0"
Server iptables-save dump:
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p tcp -m tcp --dport 110 -j ACCEPT
Client config for the R-Pi:
client
dev tun
proto udp
remote DDNS_HERE 110 udp
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert workpi.crt
key workpi.key
remote-cert-tls server
cipher AES-128-CBC
verb 4
auth-nocache
R-Pi iptables-save dump:
*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]
# Acceptable UDP traffic
-A UDP -p udp --dport 110 -j ACCEPT
#-A UDP -p udp --dport 53 -j ACCEPT
# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
#-A TCP -p tcp --dport 53 -j ACCEPT
# Acceptable ICMP traffic
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
# User added whatever
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A INPUT -s 192.168.192.0/24 -j ACCEPT
-A INPUT -s 192.168.191.0/24 -j ACCEPT
#-A INPUT -s 192.168.0.0/24 -j ACCEPT
# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Commit the changes
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
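The server's firewall rules are easier to check mechanically than by eye. What follows is an added example, not code from the post: a small Python evaluator that walks one packet through the posted server `iptables -S` INPUT rules (trimmed to the lines that matter for tcp/udp) and reports which rule decides its fate. The interface name eth0 and the packet details are assumed.

```python
# Added example (not code from the post): walks one packet through an `iptables -S` INPUT chain the
# way netfilter does (first match wins; a user chain that falls through returns to its caller). Only
# -i, -p, --dport and --ctstate are modelled; --syn/--tcp-flags are taken as met by a NEW SYN.
import shlex
# The server dump from the post, minus its ICMP, INVALID, FORWARD/OUTPUT and -N lines (unused here).
SERVER_DUMP = """
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p tcp -m tcp --dport 110 -j ACCEPT
"""

def parse(dump):
    policy, chains = {}, {}                      # {built-in chain: policy}, {chain: [(matches, target, text)]}
    for line in dump.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] != "-A":                       # -P sets a built-in policy; -N needs no state
            if tok[0] == "-P": policy[tok[1]] = tok[2]
            continue
        matches, target, i = {}, None, 2
        while i < len(tok):
            if tok[i] == "-j":
                target = tok[i + 1]
            elif tok[i] in ("-i", "-p", "--dport", "--ctstate"):
                matches[tok[i]] = tok[i + 1]
            i += {"--tcp-flags": 3, "--syn": 1}.get(tok[i], 2)  # everything else takes one value
        chains.setdefault(tok[1], []).append((matches, target, line))
    return policy, chains

def rule_matches(m, pkt):
    return (m.get("-i", pkt["iif"]) == pkt["iif"]
            and m.get("-p", pkt["proto"]) == pkt["proto"]
            and str(m.get("--dport", pkt["dport"])) == str(pkt["dport"])
            and pkt["state"] in m.get("--ctstate", pkt["state"]).split(","))

def verdict(policy, chains, chain, pkt):
    for m, target, line in chains.get(chain, []):
        if rule_matches(m, pkt):
            hit = (target, line) if target in ("ACCEPT", "DROP", "REJECT") else verdict(policy, chains, target, pkt)
            if hit:                              # a user chain returning None means "fall through"
                return hit
    return (policy[chain], "chain policy") if chain in policy else None

def check_input(dump, proto, dport, state="NEW", iif="eth0"):
    # (verdict, deciding rule) for a packet to the host itself; defaults model a new flow from the WAN
    return verdict(*parse(dump), "INPUT", dict(proto=proto, dport=dport, state=state, iif=iif))
```

Run on the dump as posted, a new UDP/110 packet falls through to the `-p udp -j REJECT` rule, because the only port-110 rule sits in the UDP chain but matches `-p tcp`; rewriting that rule as `-p udp -m udp --dport 110` makes it ACCEPT. Since the clients evidently do connect, whatever is admitting their tunnel traffic is not among the posted lines.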