Site-to-Multisite traffic issues



  • I have a site-to-multisite setup running. I can ping inside the server LAN from any client, but the server cannot ping any LAN address on the clients. The server can, however, ping the OpenVPN IP address. The firewalls on all points have any:any on LAN and OpenVPN. Below are the routing tables and config files. Note: I know Client 1 doesn't have a public IP; it is routing traffic correctly. That is an issue with the Comcast gateway and will be dealt with later.

    Server:

    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local *.*.*.193
    tls-server
    server 172.16.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 172.16.0.2 172.16.0.1
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    push "route 10.0.0.0 255.255.255.0"
    route 10.2.10.0 255.255.255.0
    route 10.10.10.0 255.255.255.0
    route 10.10.11.0 255.255.255.0
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.1024
    comp-lzo
    passtos
    
    

    Client 1:

    dev ovpnc1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.1.10.10
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote *.*.*.193 1194
    ifconfig 172.16.0.2 172.16.0.1
    route 10.0.0.0 255.255.255.0
    route 10.10.10.0 255.255.255.0
    route 10.10.11.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    comp-lzo
    
    

    Client 2:

    dev ovpnc1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 50.197.113.217
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote *.*.*.193 1194
    ifconfig 172.16.0.2 172.16.0.1
    route 10.0.0.0 255.255.255.0
    route 10.2.10.1 255.255.255.0
    route 10.10.11.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    comp-lzo
    
    

    Client 3:

    dev ovpnc1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 50.241.213.25
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote *.*.*.193 1194
    ifconfig 172.16.0.2 172.16.0.1
    route 10.0.0.0 255.255.255.0
    route 10.2.10.0 255.255.255.0
    route 10.10.10.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    comp-lzo
    
    



  • What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, one or more "iroute" statements are needed, separated by ";" - this kind of thing, as appropriate:

    iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0
    

    And client1 mentions 10.1.10.0/24 as well as 10.2.10.0/24, but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 not be reachable across the VPN; that is not a show-stopper.
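To make the answer above concrete, here is an added example (constructed for this page, not code from the thread or from pfSense) of what the server side needs: a `route` per remote LAN in the server config so the kernel sends that traffic into the tun interface, plus a matching `iroute` in the client-config-dir file named after the owning client's certificate CN, so OpenVPN knows which client session to hand the packet to. On pfSense the Client Specific Overrides box is what writes that per-CN file into the client-config-dir the poster's server config points at; the networks, the CNs `client1`/`client2`/`client3` and the temporary paths below are all assumptions for the demo. The script builds the files and then runs a check that lists every server `route` no CCD file claims, which is exactly the condition that leaves the server unable to reach a remote LAN even though the client can reach the server LAN.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): server-side 'route' plus
# per-client 'iroute' for a site-to-multisite OpenVPN server, with a check
# that every remote LAN the server routes into the tunnel is claimed by some
# client's CCD file. All paths, networks and CNs here are constructed.

WORK=$(mktemp -d)
mkdir -p "$WORK/ccd"

# Server config: 'route' puts each remote LAN into the kernel routing table
# via the tun; OpenVPN still needs an 'iroute' to know which client session
# owns that LAN, otherwise packets for it are dropped at the server.
cat > "$WORK/server.conf" <<'EOF'
server 172.16.0.0 255.255.255.0
client-config-dir ccd
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
EOF

# One CCD file per client, named after the certificate common name (CN).
cat > "$WORK/ccd/client1" <<'EOF'
iroute 10.2.10.0 255.255.255.0
EOF
cat > "$WORK/ccd/client2" <<'EOF'
iroute 10.10.10.0 255.255.255.0
EOF
# client3 deliberately has no CCD file, so 10.10.11.0/24 is unclaimed.

# escape_dots IPV4 -> the address as a literal regex fragment
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# check_iroutes SERVER_CONF CCD_DIR
# Prints "no iroute for NET MASK" for each server 'route' that no CCD file
# claims with a matching 'iroute'; returns 1 if any is missing, else 0.
check_iroutes() {
    conf=$1; ccd=$2; rc=0
    for net_mask in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        net=${net_mask%/*}
        mask=${net_mask#*/}
        pat="^iroute[[:space:]]+$(escape_dots "$net")[[:space:]]+$(escape_dots "$mask")([[:space:]]|$)"
        if ! grep -Eqs -- "$pat" "$ccd"/*; then
            echo "no iroute for $net $mask"
            rc=1
        fi
    done
    return $rc
}

# claim_lan CCD_DIR CN NET MASK: give LAN NET/MASK to the client with that CN.
claim_lan() {
    printf 'iroute %s %s\n' "$3" "$4" >> "$1/$2"
}

if check_iroutes "$WORK/server.conf" "$WORK/ccd"; then
    echo "every server route is claimed by a client iroute"
else
    echo "add the missing iroute(s) to the matching CCD file, e.g.:"
    echo "  claim_lan $WORK/ccd client3 10.10.11.0 255.255.255.0"
fi
```

Run as-is it reports `no iroute for 10.10.11.0 255.255.255.0`; after `claim_lan ... client3 10.10.11.0 255.255.255.0` the check passes. Two caveats a practitioner would want: the CN is what binds a LAN to a client, so a client presenting a certificate with another site's CN would receive that site's traffic, which is why the server-side CA and CN hygiene matter here; and if every connecting site should be explicitly listed, OpenVPN's `ccd-exclusive` option refuses clients that have no CCD file at all.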



  • @phil.davis:

    What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, one or more "iroute" statements are needed, separated by ";" - this kind of thing, as appropriate:

    iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0
    

    And client1 mentions 10.1.10.0/24 as well as 10.2.10.0/24, but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 not be reachable across the VPN; that is not a show-stopper.

    I added the Client Specific Overrides, and now I can't ping anything outside the private tunnel subnet. I removed the overrides and still can't get outside the private tunnel.

    As an aside, I noticed that the clients are using the lower IP for the ovpnc1 connection and the next one up for lo0, while the server is going the opposite direction. Is this a problem?

    I also changed the private tunnel subnet, since I got a rejected packet on a ping from Comcast using the 172.16.0.0/24 tunnel network.



  • I ran a packet capture on a client and the server, and the clients are sending data, but no traffic is showing in the packet capture on the server. Literally none; the box is blank after I stop the packet capture on the OpenVPN server interface.

