connection seems made but ping (and traffic) not working
Posted: Sat Mar 19, 2011 7:47 pm
by sirex99
Having trouble setting up a site-to-site VPN. New to this, so it may well be something dumb. The connection is apparently made, but I can't ping across it. The interfaces at each end get the IPs and the routing tables look OK; perhaps I've missed something in the config files?
mode server
proto tcp-server
port 2000
dev tap0
keepalive 15 60
daemon
verb 3
comp-lzo
tls-server
ca /etc/openvpn/keys/ca.crt
dh /etc/openvpn/keys/dh1024.pem
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
server 192.168.101.0 255.255.255.0
ifconfig 192.168.101.1 255.255.255.0
up up.sh
----------------------------------------------------------------
client
proto tcp-client
dev tap0
ifconfig 192.168.101.2 255.255.255.0
remote <srv ip> 2000
resolv-retry infinite
persist-key
persist-tun
ns-cert-type server
comp-lzo
daemon
writepid /var/run/openvpn.pid
verb 3
mute 20
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
up up.sh
Re: connection seems made but ping (and traffic) not working
Posted: Sat Mar 19, 2011 10:07 pm
by janjust
Without knowing what is in the 'up.sh' file it is hard to tell. However, looking at your client and server config files, I'd recommend removing the lines
ifconfig 192.168.101.1 255.255.255.0
and
ifconfig 192.168.101.2 255.255.255.0
They are screwing up your otherwise clean-looking client/server config.
Re: connection seems made but ping (and traffic) not working
Posted: Sun Mar 20, 2011 2:03 am
by sirex99
I removed the ifconfig lines. Same behavior, can't ping after the connection is made.
Here are the (adjusted) log files from the server, and the contents of up.sh.
edit: no firewalls at play
edit2: after some testing, if you ping immediately after running openvpn on the client it works right up until around the "PUSH: Received control message: 'PUSH_REQUEST'" line, then the pings go dead.
Mar 20 01:53:47 server openvpn[5140]: MULTI: multi_create_instance called
Mar 20 01:53:47 server openvpn[5140]: Re-using SSL/TLS context
Mar 20 01:53:47 server openvpn[5140]: LZO compression initialized
Mar 20 01:53:47 server openvpn[5140]: Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mar 20 01:53:47 server openvpn[5140]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Mar 20 01:53:47 server openvpn[5140]: Local Options hash (VER=V4): '<hash>'
Mar 20 01:53:47 server openvpn[5140]: Expected Remote Options hash (VER=V4): '<hash>'
Mar 20 01:53:47 server openvpn[5140]: TCP connection established with <client ip>:49090
Mar 20 01:53:47 server openvpn[5140]: Socket Buffers: R=[131072->131072] S=[131072->131072]
Mar 20 01:53:47 server openvpn[5140]: TCPv4_SERVER link local: [undef]
Mar 20 01:53:47 server openvpn[5140]: TCPv4_SERVER link remote: <client ip>:49090
Mar 20 01:53:48 server openvpn[5140]: <client ip>:49090 TLS: Initial packet from <client ip>:49090, sid=cd25afaf b54cb106
Mar 20 01:53:51 server openvpn[5140]: <client ip>:49090 VERIFY OK: depth=1, <snipped>
Mar 20 01:53:51 server openvpn[5140]: <client ip>:49090 VERIFY OK: depth=0, <snipped>
Mar 20 01:53:52 server kernel: [30772.064013] br0: topclient change detected, propagating
Mar 20 01:53:52 server kernel: [30772.079431] br0: port 2(tap0) entering forwarding state
Mar 20 01:53:52 server openvpn[5140]: <client ip>:49090 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar 20 01:53:52 server openvpn[5140]: <client ip>:49090 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 20 01:53:52 server openvpn[5140]: <client ip>:49090 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar 20 01:53:52 server openvpn[5140]: <client ip>:49090 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 20 01:53:52 server openvpn[5140]: <client ip>:49090 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mar 20 01:53:52 server openvpn[5140]: <client ip>:49090 [client] Peer Connection Initiated with <client ip>:49090
Mar 20 01:53:54 server openvpn[5140]: client/<client ip>:49090 PUSH: Received control message: 'PUSH_REQUEST'
Mar 20 01:53:54 server openvpn[5140]: client/<client ip>:49090 SENT CONTROL [client]: 'PUSH_REPLY,route-gateway 192.168.101.1,ping 15,ping-restart 60,ifconfig 192.168.101.2 255.255.255.0' (status=1)
Mar 20 01:53:55 server openvpn[5140]: client/<client ip>:49090 MULTI: Learn: f2:10:3e:cc:57:01 -> client/<client ip>:49090
Mar 20 01:54:11 server openvpn[5140]: client/<client ip>:49090 MULTI: Learn: fe:fd:6d:4a:cc:f0 -> client/<client ip>:49090
---------------------------------------------------------------------------------------
$ cat up.sh
#!/bin/bash
# OpenVPN 'up' script: $1 is the tun/tap device name OpenVPN passes in.
# Add that device as a port of the existing bridge.
bridge=br0
/usr/sbin/brctl addif "$bridge" "$1"
---------------------------------------------------------------------------------------
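Added example (not code from the thread, from OpenVPN, or from either poster): a small lint that reads the two configs quoted in the first post and flags the combination janjust points at in the reply above (a manual 'ifconfig' next to the 'server' directive, and on the client a manual 'ifconfig' that a pushed 'ifconfig' will replace, since 'client' implies 'pull'), plus a parser for the PUSH_REPLY line in the server log just posted, so the options the client actually receives can be compared with what its own config says. The config text is abridged from the thread's configs and the log line is copied from the post above (IPs masked as the poster masked them); the conflict rules and the function names are this example's own, not OpenVPN's.

```python
# Added example: lint for the thread's OpenVPN configs and a PUSH_REPLY parser.
import re

# Directives copied from the thread's server config, abridged to the relevant ones.
SERVER_CONF = """\
mode server
proto tcp-server
port 2000
dev tap0
tls-server
server 192.168.101.0 255.255.255.0
ifconfig 192.168.101.1 255.255.255.0
up up.sh
"""

# Directives copied from the thread's client config, abridged likewise.
CLIENT_CONF = """\
client
proto tcp-client
dev tap0
ifconfig 192.168.101.2 255.255.255.0
remote <srv ip> 2000
up up.sh
"""

# One line from the server log in the thread (IPs already masked by the poster).
SERVER_LOG = (
    "Mar 20 01:53:54 server openvpn[5140]: client/<client ip>:49090 SENT CONTROL "
    "[client]: 'PUSH_REPLY,route-gateway 192.168.101.1,ping 15,ping-restart 60,"
    "ifconfig 192.168.101.2 255.255.255.0' (status=1)"
)


def parse_config(text):
    """Split an OpenVPN config into (directive, args) tuples.

    Each line is a directive followed by whitespace-separated arguments;
    blank lines and lines starting with '#' or ';' are comments.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def has(directives, name):
    return any(d == name for d, _ in directives)


def lint(directives):
    """Warnings for the directive combinations this thread runs into (rules are
    this example's own)."""
    warnings = []
    if has(directives, "server") and has(directives, "ifconfig"):
        warnings.append("'server' already assigns the tunnel address; "
                        "drop the manual 'ifconfig'")
    if has(directives, "client") and has(directives, "ifconfig"):
        warnings.append("'client' implies 'pull', so an 'ifconfig' pushed by "
                        "the server replaces the manual one; drop it")
    return warnings


PUSH_RE = re.compile(r"SENT CONTROL \[[^\]]*\]: '(PUSH_REPLY,[^']*)'")


def pushed_options(log_text):
    """Options carried by the first PUSH_REPLY in a server log, as
    (directive, args) tuples in the order the server sent them."""
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            items = m.group(1).split(",")[1:]  # skip the PUSH_REPLY token itself
            return [(i.split()[0], i.split()[1:]) for i in items]
    return []


def effective_ifconfig(client_directives, pushed):
    """The 'ifconfig' the client ends up with: the pushed one when the client
    pulls options and the server pushed one, otherwise the manual one."""
    pushed_ifconfig = [a for d, a in pushed if d == "ifconfig"]
    pulls = has(client_directives, "client") or has(client_directives, "pull")
    if pulls and pushed_ifconfig:
        return pushed_ifconfig[0]
    manual = [a for d, a in client_directives if d == "ifconfig"]
    return manual[0] if manual else None


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for w in lint(parse_config(conf)):
            print(f"{name}: {w}")
    print("pushed:", pushed_options(SERVER_LOG))
    print("client ifconfig:", effective_ifconfig(parse_config(CLIENT_CONF),
                                                  pushed_options(SERVER_LOG)))
```

Run against the configs as first posted, the lint warns on both sides; with the two 'ifconfig' lines removed, as janjust advised, it is silent. The PUSH_REPLY parser shows that the server still hands the client 'ifconfig 192.168.101.2 255.255.255.0' and 'route-gateway 192.168.101.1' on its own, which is why the manual lines were redundant in the first place.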
Re: connection seems made but ping (and traffic) not working
Posted: Mon Mar 21, 2011 7:20 am
by janjust
It seems you're adding an interface to a bridge interface on both the client and the server side - that is advanced black magic that you're attempting here. Have you tried it without using the 'up' scripts?
Why do you need bridging on both ends in the first place?
Re: connection seems made but ping (and traffic) not working
Posted: Mon Mar 21, 2011 8:14 am
by sirex99
The server has one interface, eth0, on a 192.168.11.0 address.
The client has one interface, eth0, which has a public address.
I was going to make a subnet between the nodes on 192.168.101.0 between the tap interfaces.
I've done this before and it worked fine. I didn't think it was that much black magic, and it seems to work right up until that push line appears in the logs a few seconds after the connection is made.
How would a site-to-site VPN link be done normally?