Site-to-Multisite traffic issues

techresources

I have a site to multisite setup running. I can ping inside the server LAN from any client, but the server cannot ping any LAN address on the clients. The server can ping the OpenVPN IP address however. The firewalls on all points have any:any on LAN and OpenVPN. Below are the routing tables and config files. Note: I know Client 1 doesn't have a public IP; it is routing traffic correctly, it's an issue with the Comcast gateway, it will be dealt with later.

Server:

dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local *.*.*.193
tls-server
server 172.16.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 172.16.0.2 172.16.0.1
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 10.0.0.0 255.255.255.0"
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/server2.ca 
cert /var/etc/openvpn/server2.cert 
key /var/etc/openvpn/server2.key 
dh /etc/dh-parameters.1024
comp-lzo
passtos

Client 1:

dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.10.10
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
comp-lzo

Client 2:

dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 50.197.113.217
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.2.10.1 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
comp-lzo

Client 3:

dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 50.241.213.25
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
comp-lzo

phil.davis

What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, an "iroute" statement(s) are needed separated by ";" - this kind of thing, as appropriate:

iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0

and client1 has mention of 10.1.10.0/24 as well as 10.2.10.0/24 but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 is not to be reachable across the VPN, that is not a show-stopper.

techresources

@phil.davis:

What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, an "iroute" statement(s) are needed separated by ";" - this kind of thing, as appropriate:

iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0

and client1 has mention of 10.1.10.0/24 as well as 10.2.10.0/24 but the server only knows about 10.2.10.0/24 - but you might intend that 10.1.10.0/24 is not to be reachable across the VPN, that is not a show-stopper.

I added the Client Specific Overrides, and now I can't ping anything outside the private tunnel subnet. I removed the overrides and still can't get outside the private tunnel.

As an aside, I noticed that the clients are using a lower IP for the ovpnc1 connection and the next one up for lo0, the server is going the opposite direction. Is this a problem?

I also changed the private tunnel subnet, since I got a rejected packet on a ping from Comcast using the 172.16.0.0/24 tunnel network.

techresources

I ran a packet capture on a client and the server, and the clients are sending data, but no traffic is showing in the packet capture on the server. Literally none; the box is blank after I stop the packet capture on the OpenVPN server interface.