    Site-to-Multisite traffic issues

    OpenVPN
    techresources

      I have a site to multisite setup running. I can ping inside the server LAN from any client, but the server cannot ping any LAN address on the clients. The server can ping the OpenVPN IP address however. The firewalls on all points have any:any on LAN and OpenVPN. Below are the routing tables and config files. Note: I know Client 1 doesn't have a public IP; it is routing traffic correctly, it's an issue with the Comcast gateway, it will be dealt with later.

      Server:

      dev ovpns2
      dev-type tun
      tun-ipv6
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local *.*.*.193
      tls-server
      server 172.16.0.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      ifconfig 172.16.0.2 172.16.0.1
      tls-verify /var/etc/openvpn/server2.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server2.sock unix
      push "route 10.0.0.0 255.255.255.0"
      route 10.2.10.0 255.255.255.0
      route 10.10.10.0 255.255.255.0
      route 10.10.11.0 255.255.255.0
      ca /var/etc/openvpn/server2.ca 
      cert /var/etc/openvpn/server2.cert 
      key /var/etc/openvpn/server2.key 
      dh /etc/dh-parameters.1024
      comp-lzo
      passtos
      
      

      Client 1:

      dev ovpnc1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 10.1.10.10
      tls-client
      client
      lport 0
      management /var/etc/openvpn/client1.sock unix
      remote *.*.*.193 1194
      ifconfig 172.16.0.2 172.16.0.1
      route 10.0.0.0 255.255.255.0
      route 10.10.10.0 255.255.255.0
      route 10.10.11.0 255.255.255.0
      ca /var/etc/openvpn/client1.ca 
      cert /var/etc/openvpn/client1.cert 
      key /var/etc/openvpn/client1.key 
      comp-lzo
      
      

      Client 2:

      dev ovpnc1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 50.197.113.217
      tls-client
      client
      lport 0
      management /var/etc/openvpn/client1.sock unix
      remote *.*.*.193 1194
      ifconfig 172.16.0.2 172.16.0.1
      route 10.0.0.0 255.255.255.0
      route 10.2.10.1 255.255.255.0
      route 10.10.11.0 255.255.255.0
      ca /var/etc/openvpn/client1.ca 
      cert /var/etc/openvpn/client1.cert 
      key /var/etc/openvpn/client1.key 
      comp-lzo
      
      

      Client 3:

      dev ovpnc1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 50.241.213.25
      tls-client
      client
      lport 0
      management /var/etc/openvpn/client1.sock unix
      remote *.*.*.193 1194
      ifconfig 172.16.0.2 172.16.0.1
      route 10.0.0.0 255.255.255.0
      route 10.2.10.0 255.255.255.0
      route 10.10.10.0 255.255.255.0
      ca /var/etc/openvpn/client1.ca 
      cert /var/etc/openvpn/client1.cert 
      key /var/etc/openvpn/client1.key 
      comp-lzo
      
      

      phil.davis

        What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, one or more "iroute" statements are needed, separated by ";" - this kind of thing, as appropriate:

        iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0
        

        and client1 has mention of 10.1.10.0/24 as well as 10.2.10.0/24 but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 is not to be reachable across the VPN, that is not a show-stopper.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          techresources
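The consistency check phil.davis describes, applied to a configuration set like the one in the opening post, can be automated. The script below is an added example written for this thread; it is not code from the original posts, from pfSense or from OpenVPN. It parses `route`, `push "route ..."` and `iroute` directives, reports server `route` networks that no override claims with an `iroute` (the server sends those packets into the tun device but cannot pick a client for them), `iroute` networks the server has no kernel `route` for (packets never enter the tunnel), and route entries whose address is not on a network boundary, such as the `route 10.2.10.1 255.255.255.0` line in the Client 2 config. The sample server config, override text and the common names `client1`/`client2` are constructed from the networks quoted in the thread and are assumptions, not the poster's actual overrides.

```python
"""Audit an OpenVPN site-to-multisite layout for route/iroute mismatches.

Added example for this thread (not pfSense/OpenVPN code).  Every LAN behind
a client needs BOTH a kernel route on the server (`route NET MASK`) and an
OpenVPN-internal route in that client's client-specific override
(`iroute NET MASK`, matched on certificate common name).
"""
import ipaddress
import re
import shlex

DIRECTIVE_RE = re.compile(r"^(route|iroute)\s+(\S+)\s+(\S+)")


def parse_directives(text):
    """Return (directive, address, mask) tuples for `route`, `iroute` and
    `push "route ..."` lines.  `;`-separated override text (the pfSense
    advanced box format) is accepted; `#` comments are ignored."""
    found = []
    for raw in text.replace(";", "\n").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix = ""
        if line.startswith("push"):
            # push "route 10.0.0.0 255.255.255.0" -> unwrap the quoted part
            parts = shlex.split(line)
            line = parts[1].strip() if len(parts) > 1 else ""
            prefix = "push-"
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((prefix + m.group(1), m.group(2), m.group(3)))
    return found


def to_network(addr, mask):
    """Strict network construction: a host address combined with a network
    mask (e.g. 10.2.10.1 255.255.255.0) raises ValueError."""
    return ipaddress.IPv4Network((addr, mask), strict=True)


def audit(server_cfg, overrides, client_cfgs):
    """overrides: {common_name: override_text}; client_cfgs: {name: text}.
    Returns {"missing_iroute", "missing_server_route", "misaligned"}."""
    findings = {"missing_iroute": [], "missing_server_route": [], "misaligned": []}

    def collect(label, text, wanted):
        nets = set()
        for directive, addr, mask in parse_directives(text):
            if directive != wanted:
                continue
            try:
                nets.add(str(to_network(addr, mask)))
            except ValueError:
                findings["misaligned"].append(f"{label}: {directive} {addr} {mask}")
        return nets

    server_routes = collect("server", server_cfg, "route")
    iroutes = {}
    for cn, text in overrides.items():
        for net in collect(cn, text, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    for name, text in client_cfgs.items():
        collect(name, text, "route")  # client routes are only checked for alignment

    findings["missing_iroute"] = sorted(server_routes - set(iroutes))
    findings["missing_server_route"] = [
        f"{net} (iroute for {', '.join(iroutes[net])})"
        for net in sorted(set(iroutes) - server_routes)
    ]
    return findings


# Constructed sample: the route lines of the server config in the thread.
SERVER_CFG = """
server 172.16.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
"""

# Constructed override, keyed by an assumed certificate CN, using the
# iroute text phil.davis gave as an example.
OVERRIDES = {
    "client1": "iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0",
}

# Constructed client config carrying the misaligned route seen in Client 2.
CLIENT_CFGS = {
    "client2": "route 10.0.0.0 255.255.255.0\nroute 10.2.10.1 255.255.255.0\n",
}

if __name__ == "__main__":
    for kind, items in audit(SERVER_CFG, OVERRIDES, CLIENT_CFGS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

With the constructed input the script reports 10.10.10.0/24 and 10.10.11.0/24 as server routes with no iroute, 10.1.10.0/24 as an iroute the server has no route for, and the client2 entry as misaligned; on a real box, feed it the contents of the server config, each file under the client-config-dir and each client config.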

          @phil.davis:

          What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, one or more "iroute" statements are needed, separated by ";" - this kind of thing, as appropriate:

          iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0
          

          and client1 has mention of 10.1.10.0/24 as well as 10.2.10.0/24 but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 is not to be reachable across the VPN, that is not a show-stopper.

          I added the Client Specific Overrides, and now I can't ping anything outside the private tunnel subnet. I removed the overrides and still can't get outside the private tunnel.

          As an aside, I noticed that the clients are using a lower IP for the ovpnc1 connection and the next one up for lo0, the server is going the opposite direction. Is this a problem?

          I also changed the private tunnel subnet, since I got a rejected packet on a ping from Comcast using the 172.16.0.0/24 tunnel network.

            techresources

            I ran a packet capture on a client and the server, and the clients are sending data, but no traffic is showing in the packet capture on the server. Literally none; the box is blank after I stop the packet capture on the OpenVPN server interface.
