Access Server not routing past the tunnel

Business solution to host your own OpenVPN server with web management interface and bundled clients.
theVelement
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 08, 2023 2:14 am

Access Server not routing past the tunnel

Post by theVelement » Sun Jan 08, 2023 3:32 am

I've been using OpenVPN AS 2.1.2 for many years without issue running on a CentOS7 host. I'm trying to deploy a new system using Rocky Linux (tried both 8 and 9) and OpenVPN AS 2.11.1, and even though I am using much of the same configuration as my previous setup, I cannot get it to work.

Dynamic IP Address Network - 172.27.224.0/20
Internal Network on the VPN: 10.0.0.0/22
Internal Host used for testing: 10.2.2.1

When connected using the OpenVPN client, if I try to run a 'tracert -d 10.2.2.1', it hits the address of the tunnel interface on the AS (172.27.232.1), and then just stops. If I fire up the old 2.1.2 AS and connect, the second hop will be the gateway I've configured in the routing table on the server for that network (10.0.0.250). I know the host has the routes set up correctly since I can ping that IP (10.2.2.1) when logged into the server running the OpenVPN AS.

I do have SELinux set to 'permissive' and 'net.ipv4.ip_forward' is set to 1. I tried adding the tunnel interfaces to the 'public' zone with 'firewall-cmd', but this did not help. Does anyone have any suggestions as to why traffic out of the tunnels is not getting routed?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Access Server not routing past the tunnel

Post by openvpn_inc » Tue Jan 10, 2023 10:05 pm

Hello theVelement,

Try killing the built-in firewall of CentOS entirely to rule that out as a source of problems. Access Server manages its own firewall rules.

Also another thing to check is, is the traffic being routed or NATted? Try NAT and see if that works. If it's routed it may be that the traffic actually arrives at the destination (you can verify this with tcpdump/wireshark) but it doesn't know how to respond back to it (the VPN subnet doesn't get routed back properly to the VPN server).

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support


Re: Access Server not routing past the tunnel

Post by theVelement » Fri Jan 13, 2023 11:00 am

Thanks for the suggestions. Ultimately, changing to using NAT vs. Routing allowed me to connect to my internal networks as expected, so I'll run with that.

I appreciate the help!


Re: Access Server not routing past the tunnel

Post by openvpn_inc » Sun Jan 15, 2023 1:00 am

Hello theVelement,

That seems to be expected behavior then. With NAT your network doesn't have to do anything special. With routing it MUST be made aware how to return traffic to the VPN server using routing rules. The difference between the two is that with NAT all VPN clients appear on your network as if their traffic is coming from the Access Server's IP in your network. With routing all VPN clients appear on your network with their own individual IP addresses within the VPN subnet. As such to return traffic the machines on your local network need to send it back through the VPN server. Apparently your network isn't doing that or it's blocked somewhere.

If NAT is good enough for you, then great.

Kind regards,
Johan
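The return-path difference described in this thread, modeled as an added example (not part of the original posts and not Access Server code): it does a longest-prefix route lookup on the internal gateway to show where a reply goes in NAT mode versus routed mode. The VPN subnet and the gateway 10.0.0.250 come from the thread; the Access Server LAN address, the client address and the gateway's routing table are constructed assumptions.

```python
import ipaddress

VPN_SUBNET = "172.27.224.0/20"  # from the thread
AS_LAN_IP = "10.0.0.5"          # assumed LAN address of the Access Server
CLIENT_IP = "172.27.232.10"     # constructed client address inside VPN_SUBNET

# Constructed routing table for the internal gateway (10.0.0.250 in the thread).
GATEWAY_ROUTES = [
    ("10.0.0.0/22", "on-link"),
    ("0.0.0.0/0", "203.0.113.1"),  # constructed upstream default route
]


def next_hop(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_path(mode, routes):
    """Return (source address the internal host sees,
    gateway's next hop for the reply, whether the reply reaches the AS)."""
    # NAT: traffic appears to come from the Access Server's own LAN address.
    # Routed: traffic keeps the client's individual address in the VPN subnet.
    src_seen = AS_LAN_IP if mode == "nat" else CLIENT_IP
    hop = next_hop(routes, src_seen)
    delivered = hop == AS_LAN_IP or (hop == "on-link" and src_seen == AS_LAN_IP)
    return src_seen, hop, delivered


if __name__ == "__main__":
    # Same table plus a static route sending the VPN subnet back to the AS.
    with_return_route = GATEWAY_ROUTES + [(VPN_SUBNET, AS_LAN_IP)]
    cases = [
        ("NAT, no extra route", "nat", GATEWAY_ROUTES),
        ("routed, no return route", "routed", GATEWAY_ROUTES),
        ("routed, return route added", "routed", with_return_route),
    ]
    for label, mode, routes in cases:
        src, hop, ok = reply_path(mode, routes)
        print(f"{label}: source seen={src}, reply next hop={hop}, reaches AS={ok}")
```

In the routed case without a return route, the reply follows the gateway's default route and never reaches the tunnel, which matches a traceroute that stops at the Access Server's tunnel address.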
