No LAN, Quirky Firewall Access, IPv6
-
This has left me rather stumped so here's my end goal:
- Have OpenVPN set up so I and someone else can get on the home network remotely
- Be able to access it either IPv4 through the native IPv4 connection or IPv6 through the GIF connection by HE's tunnel broker.
- Access LAN devices either by it's IPv4 or IPv6 address routed through the OpenVPN tunnel
What I've set up initially:
- UDP Multihome which is letting me connect either by IPv4 or IPv6 since the tunnel broker gives us a separate WANV6
- 192.168.7.0/24 as the VPN IPv4 subnet
- AAAA:BBBB:CCCC:DDDD:7::/80 as the VPN IPv6 subnet (omitting our assigned prefix)
- 192.168.1.0/24 as the LAN IPv4 subnet
- AAAA:BBBB:CCCC:DDDD::/80 as the LAN IPv6 subnet (again, omitting our assigned prefix)
- Double-checked that we have IPv4 and v6 allow rules in the firewall for OpenVPN
What's happening:
- VPN Client can not complete a connection to any LAN device but can ping the firewall and SSH into it, but not visit the GUI
What I've tried:
- Add floating rules to allow any connection from the OpenVPN interface to the LAN net
- Thanks to a suggestion from friends from strange places, tcpdump the tunnel firewall side and tcpdump the LAN device side
- The host sees a packet addressed from the VPN client but doesn't make a response, either with ICMP or SSH. This host doesn't have any special firewall configurations and uses ufw so this is unusual.
What's perplexing is that I have a working IPv4 solution elsewhere with near similar settings that achieves the same end goal and works perfectly fine. And before the IPv6 transition this setup used to work. Returning back to IPv4 doesn't fix the issue either.
-
Edit: Fixed some wording
-
I guess I did forget one other thing. I tried to ping from the LAN host to the VPN client and got a
Destination Host Unreachable
. So that might explain why I wasn't seeing a response so now it's now a matter of why.root@my_host:/XXX/ZZZ# ip r g 192.168.7.2 192.168.7.2 via 192.168.1.1 dev enp3s0 src 192.168.1.20 uid 0 cache
And this looks fine which adds to the confusion.
-
Oh and routes look okay on the firewall side too.
IPv4 +----------------+-------------+-------+-----+------+--------+ | Destination | Gateway | Flags | Use | Mtu | Netif | +----------------+-------------+-------+-----+------+--------+ | 192.168.7.0/24 | 192.168.7.2 | UGS | 101 | 1500 | ovpns1 | | 192.168.7.2 | link#14 | UH | 111 | 1500 | ovpns1 | +----------------+-------------+-------+-----+------+--------+ IPv6 +----------------------------+---------+-------+-----+------+--------+ | Destination | Gateway | Flags | Use | Mtu | Netif | +----------------------------+---------+-------+-----+------+--------+ | AAAA:BBBB:CCCC:DDDD:7::/80 | link#14 | U | 0 | 1500 | ovpns1 | +----------------------------+---------+-------+-----+------+--------+
-
I did more testing and found that the host I was working with had a bad route. After a reboot it was able to start responding to ICMP and handle a SSH connection, but for some reason a simple HTTP connection cannot be established yet picking a arbitary port like
5001
fornetcat
was able to establish. I can see the host trying to send a reply both on the host's interface and in the OpenVPN interface, but the client doesn't receive it.Still need to do more testing.
-
Solution Found
It was a MTU issue and most frustratingly it came to me at random. There was no particular reason to it other than me going, "Huh. I've never thought of MTU." and did some Googling to find the right MTU for OpenVPN and found that the default 1500 was too much for my network and had to step it down to around 1160 which fixed all the issues I've had before. I'm sure the routing quirk on the host was a one-off, but finally the VPN works just like how I want it.TL;DR: Check if the MTU is too high.