Site-to-Multisite traffic issues
-
I have a site-to-multisite setup running. I can ping inside the server LAN from any client, but the server cannot ping any LAN address on the clients. The server can ping the OpenVPN IP address, however. The firewalls on all points have any:any on LAN and OpenVPN. Below are the routing tables and config files. Note: I know Client 1 doesn't have a public IP; it is routing traffic correctly, and the issue is with the Comcast gateway, which will be dealt with later.
Server:
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local *.*.*.193
tls-server
server 172.16.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 172.16.0.2 172.16.0.1
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 10.0.0.0 255.255.255.0"
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
comp-lzo
passtos
Client 1:
dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.10.10
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
comp-lzo
Client 2:
dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 50.197.113.217
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.2.10.1 255.255.255.0
route 10.10.11.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
comp-lzo
Client 3:
dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 50.241.213.25
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote *.*.*.193 1194
ifconfig 172.16.0.2 172.16.0.1
route 10.0.0.0 255.255.255.0
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
comp-lzo
-
What do you have in Client Specific Overrides at the server site? The OpenVPN server needs to know which client (matched on certificate common name) has which LAN reachable across its link. In the advanced box, an "iroute" statement (or several, separated by ";") is needed, this kind of thing, as appropriate:
iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0
Also, client1 mentions 10.1.10.0/24 as well as 10.2.10.0/24, but the server only knows about 10.2.10.0/24. You might intend that 10.1.10.0/24 not be reachable across the VPN, though; that is not a show-stopper.
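A check for the mismatch this answer describes, written as an added example (not from the thread, pfSense or OpenVPN): it compares the server's route directives with the iroute lines from the client-specific override files and reports LANs that are routed to the tunnel but not claimed by any client certificate, and vice versa. The server config text and the override contents below are constructed samples, not the poster's files.

```python
import ipaddress

# Constructed sample: the server config and the client-specific overrides
# (client-config-dir files), keyed by certificate common name.
SERVER_CONF = """
server 172.16.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
route 10.2.10.0 255.255.255.0
route 10.10.10.0 255.255.255.0
route 10.10.11.0 255.255.255.0
"""
CCD = {
    "client1": "iroute 10.1.10.0 255.255.255.0;iroute 10.2.10.0 255.255.255.0",
    "client2": "iroute 10.10.10.0 255.255.255.0",
    # client3 has no override, so the kernel routes 10.10.11.0/24 into the
    # tun interface but OpenVPN has no client session to hand it to.
}


def parse_nets(text, keyword):
    """Return the networks named by every `keyword <net> <mask>` line.

    The pfSense advanced box separates directives with ';', so ';' is
    treated like a newline. strict=False normalises a host address with a
    /24 mask (10.2.10.1 255.255.255.0) to its network, as OpenVPN does.
    """
    nets = []
    for line in text.replace(";", "\n").splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == keyword:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_iroutes(server_conf, ccd):
    """List server routes without an iroute, iroutes without a server route,
    and LANs claimed by more than one client."""
    kernel_routes = set(parse_nets(server_conf, "route"))
    iroutes = {}
    for cn, text in ccd.items():
        for net in parse_nets(text, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    findings = []
    for net in sorted(kernel_routes, key=str):
        if net not in iroutes:
            findings.append(f"route {net} has no iroute in any client override")
    for net, cns in sorted(iroutes.items(), key=lambda kv: str(kv[0])):
        if net not in kernel_routes:
            findings.append(f"iroute {net} ({', '.join(cns)}) has no matching server route")
        if len(cns) > 1:
            findings.append(f"iroute {net} claimed by more than one client: {', '.join(cns)}")
    return findings
```

Run it against the real files by reading each override file in the client-config-dir into the dictionary under its common name; every finding is a LAN that will be routed toward the tunnel but dropped, or never routed at all.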
-
I added the Client Specific Overrides, and now I can't ping anything outside the private tunnel subnet. I removed the overrides and still can't get outside the private tunnel.
As an aside, I noticed that the clients are using a lower IP for the ovpnc1 connection and the next one up for lo0, the server is going the opposite direction. Is this a problem?
I also changed the private tunnel subnet, since I got a rejected packet on a ping from Comcast using the 172.16.0.0/24 tunnel network.
-
I ran a packet capture on a client and the server, and the clients are sending data, but no traffic is showing in the packet capture on the server. Literally none; the box is blank after I stop the packet capture on the OpenVPN server interface.