[Resolved]Site-to-Site VPN is not working


[Resolved]Site-to-Site VPN is not working

Post by tkmr.akhs » Mon Sep 05, 2022 8:07 am

Hi,

I am now trying to configure a site-to-site VPN.

When I ping from openvpn-client to desktop, I get a response, but from laptop to desktop, no response.

My network environment is as follows:
[network diagram image]

My configuration files are as follows:
server

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0"
client-config-dir ccd
route 192.168.255.0 255.255.255.0
client-to-client
keepalive 10 120
tls-auth ta.key 0
auth SHA512
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher ECDHE+AESGCM:DHE+aRSA+AESGCM:ECDHE+AESCCM:DHE+aRSA+AESCCM:+AES256
tls-cipher ECDHE+CHACHA20:DHE+aRSA+CHACHA20:+DHE:ECDHE+AES128:ECDHE+CAMELLIA128
tls-cipher ECDHE+AES:ECDHE+CAMELLIA:+ECDHE+SHA:DHE+aRSA+AES128
tls-cipher DHE+aRSA+CAMELLIA128:DHE+aRSA+AES:DHE+aRSA+CAMELLIA:+DHE+aRSA+SHA
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

client

client
dev tun
proto udp
remote myvpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
auth SHA512
cipher AES-256-GCM
verb 3
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log


ping from openvpn-client to desktop
result: My laptop can connect to my desktop.
  • tun0 on openvpn-client captures plain packets. (10.8.0.6 -> 192.168.11.11)
  • enp3s0 on openvpn-server captures encrypted packets.
  • tun0 on openvpn-server captures plain packets. (10.8.0.6 -> 192.168.11.11)
  • enp3s0 on openvpn-server captures plain packets. (192.168.11.254 -> 192.168.11.11)
ping from laptop to desktop
result: My laptop can not connect to my desktop.
  • tun0 on openvpn-client captures plain packets. (192.168.255.159 -> 192.168.11.11)
  • enp3s0 on openvpn-server captures encrypted packets.
  • tun0 on openvpn-server does not capture any packets.
Pinging 8.8.8.8 from laptop gets a response, so openvpn-client has forwarding enabled.

And the routing table for each node is correct.


root@openvpn-server:~# ip route
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
192.168.11.0/24 dev enp3s0 proto kernel scope link src 192.168.11.254 metric 100 
192.168.255.0/24 via 10.8.0.2 dev tun0 

root@openvpn-client:~# ip route
default via 172.20.10.1 dev wlan0 proto dhcp metric 600 
10.8.0.0/24 via 10.8.0.5 dev tun0 
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6 
169.254.0.0/16 dev eth0 scope link metric 1000 
172.20.10.0/28 dev wlan0 proto kernel scope link src 172.20.10.2 metric 600 
192.168.11.0/24 via 10.8.0.5 dev tun0 
192.168.255.0/24 dev eth0 proto kernel scope link src 192.168.255.254 metric 100
I assume that the packets are being discarded by OpenVPN. How do I keep them from being discarded?
Last edited by tkmr.akhs on Tue Sep 06, 2022 5:21 am, edited 1 time in total.


Re: Site-to-Site VPN is not working

Post by tkmr.akhs » Tue Sep 06, 2022 5:21 am

Sorry, I was able to solve the issue myself.

The /etc/openvpn/ccd directory and the files in it were owned by the openvpn group. I changed "group nobody" to "group openvpn" in the config file accordingly, and it works as intended.


Re: [Resolved]Site-to-Site VPN is not working

Post by TinCanTech » Tue Sep 06, 2022 12:15 pm

This is another example of how to use CCD files correctly.

This problem could have been more easily diagnosed by the use of --ccd-exclusive,
which can be found in the manual.

Moved to Examples.

* Locked *
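An added check, not from the thread or the OpenVPN project, that would have flagged this misconfiguration before any packet capture: it reads the server config, confirms the client-config-dir and its files are still readable once the daemon has dropped to the configured user/group, and confirms that every server-side "route" has a matching "iroute" in some CCD file. It assumes GNU stat on Linux, considers only classic mode bits (ACLs and supplementary groups are ignored), and resolves a relative client-config-dir against the directory holding the config file.

```shell
#!/bin/sh
# Added example: verify that an OpenVPN server's CCD directory survives the
# "user"/"group" privilege drop and that route/iroute pairs line up.

# Print the rwx octal digit that applies to user $2 / group $3 for path $1.
perm_digit() {
  set -- "$1" "$2" "$3" $(stat -c '%U %G %a' "$1")   # $4 owner, $5 group, $6 mode
  mode=$6; mode=${mode#"${mode%???}"}                 # keep the low three digits
  if   [ "$4" = "$2" ]; then printf '%s' "${mode%??}"
  elif [ "$5" = "$3" ]; then m=${mode#?}; printf '%s' "${m%?}"
  else printf '%s' "${mode#??}"
  fi
}

# Succeed when $2:$3 can read $1 (and also search it, if it is a directory).
readable_by() {
  [ -e "$1" ] || return 1
  d=$(perm_digit "$1" "$2" "$3")
  if [ -d "$1" ]; then [ $((d & 5)) -eq 5 ]; else [ $((d & 4)) -eq 4 ]; fi
}

check_ccd() {
  conf=$1; rc=0
  user=$(awk '$1=="user"{print $2}' "$conf")
  group=$(awk '$1=="group"{print $2}' "$conf")
  ccd=$(awk '$1=="client-config-dir"{print $2}' "$conf")
  [ -n "$ccd" ] || { echo "no client-config-dir in $conf"; return 1; }
  case $ccd in /*) ;; *) ccd=$(dirname "$conf")/$ccd ;; esac
  readable_by "$ccd" "$user" "$group" ||
    { echo "$ccd is not searchable by $user:$group"; rc=1; }
  for f in "$ccd"/*; do
    [ -f "$f" ] || continue
    readable_by "$f" "$user" "$group" ||
      { echo "$f is not readable by $user:$group"; rc=1; }
  done
  # Each "route <net> <mask>" on the server needs "iroute <net> <mask>" in a
  # CCD file; otherwise tunnel packets from that LAN are dropped as a bad source.
  awk '$1=="route"{print $2, $3}' "$conf" | while read -r net mask; do
    grep -qs "^iroute[[:space:]]\{1,\}$net[[:space:]]\{1,\}$mask" "$ccd"/* ||
      { echo "no iroute for $net $mask in $ccd"; exit 1; }
  done || rc=1
  return $rc
}

# Usage: sh ccd_check.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then check_ccd "$1"; fi
```

A non-zero exit with the printed reason points at the same root cause the thread found (a CCD directory the unprivileged daemon cannot open) without having to capture traffic on both ends.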
