Access Server not routing past the tunnel

Posted: Sun Jan 08, 2023 3:32 am
by theVelement
I've been using OpenVPN AS 2.1.2 for many years without issue running on a CentOS7 host. I'm trying to deploy a new system using Rocky Linux (tried both 8 and 9) and OpenVPN AS 2.11.1, and even though I am using much of the same configuration as my previous setup, I cannot get it to work.

Dynamic IP Address Network - 172.27.224.0/20
Internal Network on the VPN: 10.0.0.0/22
Internal Host used for testing: 10.2.2.1

When connected using the OpenVPN client, if I try to run a 'tracert -d 10.2.2.1', it hits the address of the tunnel interface on the AS (172.27.232.1), and then just stops. If I fire up the old 2.1.2 AS and connect, the second hop will be the gateway I've configured in the routing table on the server for that network (10.0.0.250). I know the host has the routes set up correctly since I can ping that IP (10.2.2.1) when logged into the server running the OpenVPN AS.

I do have SELinux set to 'permissive' and 'net.ipv4.ip_forward' is set to 1. I tried adding the tunnel interfaces to the 'public' zone with 'firewall-cmd', but this did not help. Does anyone have any suggestions as to why traffic out of the tunnels is not getting routed?

Re: Access Server not routing past the tunnel

Posted: Tue Jan 10, 2023 10:05 pm
by openvpn_inc
Hello theVelement,

Try killing the built-in firewall of CentOS entirely to rule that out as a source of problems. Access Server manages its own firewall rules.

Another thing to check is whether the traffic is being routed or NATted. Try NAT and see if that works. If it's routed it may be that the traffic actually arrives at the destination (you can verify this with tcpdump/wireshark) but it doesn't know how to respond back to it (the VPN subnet doesn't get routed back properly to the VPN server).

Kind regards,
Johan

Re: Access Server not routing past the tunnel

Posted: Fri Jan 13, 2023 11:00 am
by theVelement
Thanks for the suggestions. Ultimately, changing to using NAT vs. Routing allowed me to connect to my internal networks as expected, so I'll run with that.

I appreciate the help!

Re: Access Server not routing past the tunnel

Posted: Sun Jan 15, 2023 1:00 am
by openvpn_inc
Hello theVelement,

That seems to be expected behavior then. With NAT your network doesn't have to do anything special. With routing it MUST be made aware how to return traffic to the VPN server using routing rules. The difference between the two is that with NAT all VPN clients appear on your network as if their traffic is coming from the Access Server's IP in your network. With routing all VPN clients appear on your network with their own individual IP addresses within the VPN subnet. As such, to return traffic the machines on your local network need to send it back through the VPN server. Apparently your network isn't doing that or it's blocked somewhere.

If NAT is good enough for you, then great.

Kind regards,
Johan
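The return-path problem described in this thread, as an added example that is not part of the thread or of OpenVPN Access Server's own code: a small longest-prefix-match lookup over the internal host's routing table, showing where the host sends its reply in routed mode (no route for the VPN subnet, with one added) versus NAT mode. The Access Server's LAN address (10.0.0.5), the client address (172.27.232.5) and the host's routing tables are constructed assumptions; the VPN pool, LAN and gateway addresses are the ones from the thread.

```python
import ipaddress

# Addressing from the thread; the Access Server's own LAN address is an assumption.
VPN_SUBNET = "172.27.224.0/20"                      # client pool handed out by the AS
AS_LAN_IP = ipaddress.ip_address("10.0.0.5")        # assumed LAN address of the AS host
DEFAULT_GW = ipaddress.ip_address("10.0.0.250")     # internal gateway from the thread
VPN_CLIENT = ipaddress.ip_address("172.27.232.5")   # constructed client address

# Internal host's routing table as (prefix, next_hop); next_hop None means on-link.
HOST_TABLE_NO_VPN_ROUTE = [
    ("10.0.0.0/22", None),
    ("0.0.0.0/0", DEFAULT_GW),
]
# Same table after the fix for routed mode: send the VPN subnet back via the AS.
HOST_TABLE_WITH_VPN_ROUTE = HOST_TABLE_NO_VPN_ROUTE + [(VPN_SUBNET, AS_LAN_IP)]


def next_hop(table, dst):
    """Longest-prefix match; returns the next-hop address, or dst itself when on-link."""
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_net is None:
        return None                                 # no matching route at all
    return best_hop if best_hop is not None else dst


def reply_next_hop(table, mode):
    """Where the internal host sends its reply, depending on how the AS forwards clients."""
    if mode == "nat":
        src = AS_LAN_IP          # NAT: the host only ever sees the AS's own LAN address
    elif mode == "routed":
        src = VPN_CLIENT         # routed: the host sees the client's VPN-subnet address
    else:
        raise ValueError(mode)
    return next_hop(table, src)


def reply_reaches_access_server(table, mode):
    """Assumption (as in the thread): the default gateway has no route for the VPN
    subnet, so only a reply whose next hop is the AS host itself re-enters the tunnel."""
    return reply_next_hop(table, mode) == AS_LAN_IP
```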