OpenVPN: Clients can connect to each other but not the server

Issues related to configuring your network
Post Reply
albuquerque
Posts: 3
Joined: 2018/10/24 10:07:54

OpenVPN: Clients can connect to each other but not the server

Post by albuquerque » 2018/10/24 10:10:39

I am trying to build a VPN on a remote VM. I have to use the tap interface because one of the application that we need to use ignores broadcasting over tun0 tunnels but is happy to broadcast over tap0. All the clients can connect to the vpn and are able to see each other, but they can't see the server and hence can't use the application that is running on the server. Before using the plan B approach of having to run the application on one of the VPN clients I'ld like to check here first if there is anything I am doing wrong.

This server has 2 eth interfaces. We can only access eth1 from our end. I created a eth1:1 alias and gave it the local IP manually

Server Config

Code: Select all

local 192.168.122.1
port 1194
proto udp
dev tap0
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/icevpn.crt
dh /etc/openvpn/ssl/dh.pem
topology subnet
ifconfig-pool-persist ipp.txt
server-bridge 192.168.122.1 255.255.255.0 192.168.122.105 192.168.122.200
push "route 192.168.122.0 255.255.255.0"
push "dhcp-option DNS 192.168.122.1"
client-to-client
keepalive 10 120
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
comp-lzo adaptive
persist-key
persist-tun
status openvpn-status.log
verb 3
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
management localhost 7505
crl-verify /etc/openvpn/ssl/crl.pe
Client Config

Code: Select all

client
dev tap
proto udp 
port 1194
remote ServerAddress 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
#---Embedded certificates removed---
I had to NAT the UDP port from the eth1 interface to eth1:1 for the clients to be able to connect and authenticate with openvpn.

The up and down scripts are used to add the tap0 to the bridge and remove it from the bridge on startup and shutdown.

Can anyone point me to where I am going wrong please? Why are my clients not able to ping the server or vice versa?

jscarville
Posts: 113
Joined: 2014/06/17 21:50:37

Re: OpenVPN: Clients can connect to each other but not the server

Post by jscarville » 2018/10/26 21:06:25

Why are my clients not able to ping the server or vice versa?
That looks more like a routing issue than a vpn issue. Have you done a traceroute from a client to your server? Also try mtr since it is faster and uses icmp.

What is the address(es) on your outside interface?

$ ip addr

What interface does OpvnVPN listen on?

$ ss -nau | grep 1194

Did you open port 1194 on your firewall?

$ sudo iptables -L -n | grep 1194

User avatar
fdisk
Posts: 39
Joined: 2017/11/04 00:59:56

Re: OpenVPN: Clients can connect to each other but not the server

Post by fdisk » 2018/11/01 14:52:56

Have a look at iptables default policy and check if there are firewall rules preventing connections through tun-interface.

Code: Select all

iptables -L -v  |grep -i 'tun\|policy'

albuquerque
Posts: 3
Joined: 2018/10/24 10:07:54

Re: OpenVPN: Clients can connect to each other but not the server

Post by albuquerque » 2018/11/01 16:05:17

jscarville wrote:
2018/10/26 21:06:25
What is the address(es) on your outside interface?

$ ip addr
10.64.xxx.xx
jscarville wrote:
2018/10/26 21:06:25
What interface does OpvnVPN listen on?
After having experimented a lot. It is now listening on a virbr0 interface that is hardcoded to 192.168.122.1. This has been set for port forwarding via eth1

Code: Select all

-A INPUT -i eth1 -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -i eth1 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.122.1:1194
-A POSTROUTING -o eth1 -j MASQUERADE
jscarville wrote:
2018/10/26 21:06:25
$ ss -nau | grep 1194

Code: Select all

UNCONN     0      0      192.168.122.1:1194                     *:*
jscarville wrote:
2018/10/26 21:06:25
Did you open port 1194 on your firewall?
$ sudo iptables -L -n | grep 1194

Code: Select all

ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194

albuquerque
Posts: 3
Joined: 2018/10/24 10:07:54

Re: OpenVPN: Clients can connect to each other but not the server

Post by albuquerque » 2018/11/01 16:10:19

fdisk wrote:
2018/11/01 14:52:56
Have a look at iptables default policy and check if there are firewall rules preventing connections through tun-interface.

Code: Select all

iptables -L -v  |grep -i 'tun\|policy'
I am using tap interface as icecc cannot broadcast over tun. However, I seem to have iptables set for tun which I might have set up during the original experimentation.. No tap policies though.

Code: Select all

Chain INPUT (policy ACCEPT 3973K packets, 714M bytes)
    0     0 ACCEPT     all  --  tun0   any     anywhere             anywhere            
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 ACCEPT     all  --  eth1   tun0    anywhere             anywhere            
    0     0 ACCEPT     all  --  tun0   eth1    anywhere             anywhere 

User avatar
fdisk
Posts: 39
Joined: 2017/11/04 00:59:56

Re: OpenVPN: Clients can connect to each other but not the server

Post by fdisk » 2018/11/01 23:23:10

As long as there is no firewall preventing connections it must be an routing issue.
What happens if you traceroute/tracepath to tunnel endpoint?
1) from client to server
2) from server to client

Post Reply