Netgate Discussion Forum

    OpenVPN connects, but does not allow clients to access each other.

    OpenVPN
    scilek
    last edited by scilek

      I have been trying to get hosts on both sides of an OpenVPN connection to access each other, with no success. Trust me, I've tried everything, Googled it hard, but failed.

      This is my server configuration:

      dev ovpns3
      verb 1
      dev-type tun
      dev-node /dev/tun3
      writepid /var/run/openvpn_server3.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local **[REDACTED]**
      engine rdrand
      tls-server
      server 10.0.82.0 255.255.255.0
      client-config-dir /var/etc/openvpn/server3/csc
      ifconfig 10.0.82.1 10.0.82.2
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpns' 1"
      lport 1196
      management /var/etc/openvpn/server3/sock unix
      push "route 192.168.1.0 255.255.255.0"
      remote-cert-tls client
      route 192.168.200.0 255.255.255.0
      capath /var/etc/openvpn/server3/ca
      cert /var/etc/openvpn/server3/cert 
      key /var/etc/openvpn/server3/key 
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server3/tls-auth 0
      data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      allow-compression no
      topology subnet
      explicit-exit-notify 1
      inactive 600
      

      And this is my client configuration:

      dev ovpnc1
      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local **[REDACTED]**
      engine rdrand
      tls-client
      lport 0
      management /var/etc/openvpn/client1/sock unix
      remote **[REDACTED]** 1196 udp4
      pull
      remote-cert-tls server
      route 192.168.1.0 255.255.255.0
      capath /var/etc/openvpn/client1/ca
      cert /var/etc/openvpn/client1/cert 
      key /var/etc/openvpn/client1/key 
      tls-auth /var/etc/openvpn/client1/tls-auth 1
      data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      allow-compression no
      resolv-retry infinite
      explicit-exit-notify 1
      

      As you can see, the subnet is 192.168.1.0/24 on the server side and 192.168.200.0/24 on the client.

      When I ping a host on the server side from the client router's shell, it works:

      [2.7.2-RELEASE][root@router.clientside]/root: ping 192.168.1.229
      PING 192.168.1.229 (192.168.1.229): 56 data bytes
      64 bytes from 192.168.1.229: icmp_seq=0 ttl=127 time=4.217 ms
      

      But this does not:

      [2.7.2-RELEASE][root@router.clientside]/root: ping -S 192.168.200.1 192.168.1.229
      PING 192.168.1.229 (192.168.1.229) from 192.168.200.1: 56 data bytes
      

      NB: I cannot try pinging from an actual host on the clients as I do not have access to any on the site. My thinking is that if you can ping from the router's private LAN address, then it should work for the hosts on that end too.

      What am I doing wrong?

      scilek
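One thing worth checking against the configs above: the server's `route 192.168.200.0 255.255.255.0` only adds a kernel route; OpenVPN also needs a matching `iroute` in that client's client-config-dir entry (on pfSense, the "IPv4 Remote Network/s" field of the Client Specific Override) before it will accept packets from 192.168.200.x arriving from that client, otherwise it drops them as a bad source address while the client's own tunnel address keeps working. The script below is an added example, not from the thread: it audits a server config plus its CSC files for `route` subnets that no `iroute` claims; the CSC contents and the common name `vpns` are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed excerpt of the posted server config (only the lines this check reads).
SERVER_CONF = """\
server 10.0.82.0 255.255.255.0
client-config-dir /var/etc/openvpn/server3/csc
push "route 192.168.1.0 255.255.255.0"
route 192.168.200.0 255.255.255.0
topology subnet
"""

# Constructed client-specific override files keyed by common name. "vpns" is the
# CN referenced by the tls-verify line; its file contents are assumed here.
CSC_FILES: Dict[str, str] = {
    "vpns": "ifconfig-push 10.0.82.2 255.255.255.0\n",  # no iroute line: the gap
}

# A corrected override, also constructed, for comparison.
CSC_FILES_FIXED: Dict[str, str] = {
    "vpns": "ifconfig-push 10.0.82.2 255.255.255.0\niroute 192.168.200.0 255.255.255.0\n",
}


def _networks(text: str, directive: str) -> List[ipaddress.IPv4Network]:
    """Return the networks declared by `<directive> <net> <mask>` lines.

    Only lines that start with the directive count, so a `push "route ..."`
    line (which configures the peer, not this side) is ignored.
    """
    nets = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) >= 3 and parts[0] == directive:
            nets.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def missing_iroutes(server_conf: str, csc_files: Dict[str, str]) -> List[str]:
    """Server-side `route` subnets that no CSC file claims with `iroute`.

    For such a subnet the kernel forwards traffic into the tunnel, but the
    OpenVPN server has no client to associate it with and drops packets
    arriving from that subnet, so hosts behind the client stay unreachable.
    """
    claimed = {n for body in csc_files.values() for n in _networks(body, "iroute")}
    return [str(n) for n in _networks(server_conf, "route") if n not in claimed]


if __name__ == "__main__":
    print("unclaimed routes:", missing_iroutes(SERVER_CONF, CSC_FILES))
    print("after adding iroute:", missing_iroutes(SERVER_CONF, CSC_FILES_FIXED))
```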

        Is this a bug or what?

        fholzer @scilek

          @scilek Did you allow ICMP in the firewall rules?
          You didn't show your rules ...

          scilek @fholzer

            @fholzer
            The OpenVPN IF is wide open; allows from any to any, any protocol.
