Server LAN can ping ovpn client but not connect

Clients connect to my server on the 10.1.0.0/24 subnet, with IP addresses such as 10.1.0.5 or 10.1.0.11.
Recently, however, devices on the server LAN no longer have access to these clients. While the server can SSH and load the webpage at the client IP address, server LAN devices can only ping.
What could be going on here? Was there a new OpenVPN update recently?
The server is running Ubuntu and I confirmed that IP forwarding is enabled (net.ipv4.ip_forward = 1). And of course forwarding is available if server LAN devices can ping.
Re: Server LAN can ping ovpn client but not connect
So, update: the firewalls (iptables) on my client devices are rejecting these accesses, SSH on port 22 and HTTP on port 80. For example,

Code:
iptables input denied: IN=tun0 OUT= MAC= SRC=192.168.1.128 DST=10.1.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=11829 DF PROTO=TCP SPT=55955 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

However, these firewalls haven't been changed in years; the only thing that changed is that I upgraded my OpenVPN server to a new version.

Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i eth1 -p udp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -s 0.0.0.0/32 -i eth+ -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan+ -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -s 0.0.0.0/32 -i wlan+ -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --sport 896 -j ACCEPT
-A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --sport 782 -j ACCEPT
-A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --sport 915 -j ACCEPT
-A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --sport 1020 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 137 -j DROP
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 138 -j DROP
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -d 255.255.255.255/32 -p udp -j DROP
-A INPUT -d 192.168.0.255/255.255.0.255 -p udp -j DROP
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 2054 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/16 -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i wlan+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.0.0/16 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1194 -j ACCEPT
-A INPUT -i wlan+ -p udp -m udp --sport 1194 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i wlan+ -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.1.0.0/16 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth+ -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i wlan+ -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.1.0.0/16 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 10.1.0.0/16 -i tun0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth0 -p udp -m udp --dport 137 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -p udp -m udp --dport 138 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -p udp -j DROP
-A INPUT -s 10.1.0.0/16 -i tun0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 10.1.0.1/32 -i tun0 -p udp -m udp --dport 8090 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i wlan+ -p udp -j DROP
-A INPUT -j LOG --log-prefix "iptables input denied: " --log-level 3
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "iptables forward denied: " --log-level 3
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A OUTPUT -o eth1 -p udp -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth+ -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o wlan+ -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -d 192.168.1.31/32 -o eth0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -d 192.168.1.31/32 -o eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A OUTPUT -d 192.168.1.31/32 -o eth0 -p udp -m udp --dport 111 -j ACCEPT
-A OUTPUT -d 10.1.0.1/32 -o tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o wlan+ -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eth0 -p udp -m udp --sport 5000 -j ACCEPT
-A OUTPUT -d 10.1.0.0/16 -o tun0 -p udp -m udp --sport 5000 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eth0 -p udp -m udp --dport 4997:4999 -j ACCEPT
-A OUTPUT -d 10.1.0.0/16 -o tun0 -p udp -m udp --dport 4997:4999 -j ACCEPT
-A OUTPUT -d 10.0.0.0/16 -o eth0 -j DROP
-A OUTPUT -j LOG --log-prefix "iptables output denied: " --log-level 3
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable

That is a typical firewall on these old OpenVPN clients. The OpenVPN interface is running on tun0.

I assume what happened is that previously the OpenVPN server would transfer requests from the local network, granting them an address on the 10.1.0.0/16 network and thus getting past these firewall rules (i.e. this rule: -A INPUT -s 10.1.0.0/16 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT would allow it through).

Is there anything I can do to the server to make it route LAN requests to remote clients through the 10.1.0.0/16 subnet?

The OpenVPN commands in the server's ccd directory for clients:

Code:
client-in-ccd
ifconfig-push 10.1.0.5 10.1.8.5
iroute 192.168.5.0 255.255.255.0
iroute 192.168.0.0 255.255.255.0
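To make the reply's reasoning concrete, here is an added example (not from the original post) that parses the KEY=VALUE fields of the posted LOG line and evaluates the tun0-relevant INPUT rules from the posted ruleset first-match style, the way iptables would; it reproduces the REJECT for the 192.168.1.128 source and shows that the same packet arriving with a 10.1.0.0/16 source (a constructed comparison value) would hit the port-80 ACCEPT rule. The rule subset and sample line are copied from the post; the evaluation only covers the rules that can match fresh traffic on tun0, not the full chain.

```python
import ipaddress

# Constructed sample: the kernel log line quoted in the reply, as written by
# the client's "-j LOG --log-prefix 'iptables input denied: '" rule.
LOG_LINE = ('iptables input denied: IN=tun0 OUT= MAC= SRC=192.168.1.128 '
            'DST=10.1.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=11829 DF '
            'PROTO=TCP SPT=55955 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0')

# The INPUT rules from the posted dump that can match new packets on tun0,
# reduced to (source CIDR or None, in-interface or None, proto, dport, target).
# Order matters: iptables takes the first match; anything left over reaches
# the chain's trailing LOG + REJECT rules.
TUN0_INPUT_RULES = [
    (None,          None,   'icmp', None, 'ACCEPT'),
    (None,          'tun0', 'udp',  123,  'ACCEPT'),
    ('10.1.0.0/16', 'tun0', 'tcp',  22,   'ACCEPT'),
    ('10.1.0.0/16', 'tun0', 'tcp',  80,   'ACCEPT'),
    ('10.1.0.0/16', 'tun0', 'tcp',  443,  'ACCEPT'),
    ('10.1.0.0/16', 'tun0', 'tcp',  5432, 'ACCEPT'),
    ('10.1.0.0/16', 'tun0', 'tcp',  21,   'ACCEPT'),
    ('10.1.0.1/32', 'tun0', 'udp',  8090, 'ACCEPT'),
]


def parse_log(line):
    """Split the LOG target's KEY=VALUE tokens into a dict; bare flags (DF, SYN) are skipped."""
    tokens = line.split('denied:', 1)[1].split()
    return dict(tok.split('=', 1) for tok in tokens if '=' in tok)


def verdict(pkt):
    """First-match evaluation of TUN0_INPUT_RULES; no match means the trailing REJECT."""
    for src, iface, proto, dport, target in TUN0_INPUT_RULES:
        if src and ipaddress.ip_address(pkt['SRC']) not in ipaddress.ip_network(src):
            continue
        if iface and pkt.get('IN') != iface:
            continue
        if proto != pkt['PROTO'].lower():
            continue
        if dport is not None and int(pkt.get('DPT', -1)) != dport:
            continue
        return target
    return 'REJECT'


def verdict_with_source(line, new_src):
    """Re-evaluate the logged packet as if it had arrived from new_src (constructed what-if)."""
    return verdict(dict(parse_log(line), SRC=new_src))


if __name__ == '__main__':
    print('as logged:', verdict(parse_log(LOG_LINE)))          # REJECT
    print('from 10.1.0.1:', verdict_with_source(LOG_LINE, '10.1.0.1'))  # ACCEPT
```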