
Hi guys, I am having a problem with my OpenVPN connection. I hope the following information is all you need. I think the VPNConfig should be irrelevant because it works in one direction.

My Setup:

Network A (192.168.10.0/24) 
   * 192.168.10.110 Zentyal Server (OpenVPN Server is running here)

Network B (192.168.1.0/24)
   * 192.168.1.10 RaspberryPI (OpenVPN Client is running here)
   * 192.168.1.1  Router (routes correctly to 192.168.1.1 for 192.168.10.0/24)
   * 192.168.1.x  let's call this IP ClientB

These two networks are connected side-to-side via a tunnel on 192.168.2.2.

ifconfig

192.168.10.110 ZentyalServer

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255

192.168.1.10 (RaspberryPI)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.2.10  P-t-P:192.168.2.9  Mask:255.255.255.255

Routing Table

192.168.10.110 ZentyalServer

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
192.168.2.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
192.168.2.2     *               255.255.255.255 UH    0      0        0 tun0

192.168.1.10 (RaspberryPI)

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.10.0    192.168.2.9     255.255.255.0   UG    0      0        0 tun0
192.168.2.0     192.168.2.9     255.255.255.0   UG    0      0        0 tun0
192.168.2.9     *               255.255.255.255 UH    0      0        0 tun0

iptables

On both computers (192.168.10.110 and 192.168.1.1) I have set iptables with

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

What works

192.168.1.x can ping 192.168.10.110 without any problems

What doesn't work

192.168.10.110 cannot ping any computer of Network B using a 192.168.1.0/24 address

ping 192.168.1.10

tcpdump at 192.168.10.110 on tun0: 
08:42:37.588653 IP (tos 0x0, ttl 64, id 13218, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.1 > 192.168.1.10: ICMP echo request, id 392, seq 8, length 64

In my opinion this looks correct, doesn't it? But the tcpdump at 192.168.1.10 doesn't show any incoming packages.

Do you guys have an idea?

Thank you very much!!

1 Answer


You have mentioned that on both computers, you have added iptables as below:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

I think on the server side it should be (if your interface on the OpenVPN server 192.168.10.110 is eth0):

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Make sure to make this rule persistent.

  • Thank you but this didn't help. I think I found the problem but I don't know how to solve it. If I send a package to 192.168.2.10 (Raspberry tun0-IP) I can see it on tcpdump. If I send a package to any other IP it doesn't get transmitted over the vpn tunnel. (I can see it on tun0 on the openvpn server pc but not on the client tun0 interface). Do you have an idea? – MisterPresident May 11 '17 at 13:20
  • OK, did you enable ipv4 forwarding (in sysctl.conf) and masquerading on 192.168.1.10? Because, when OpenVPN Server tries to ping Client side LAN (192.168.1.x), OpenVPN client should forward packets from tun0 (192.168.2.x) interface to eth0 (192.168.1.x) – Samudrala Prasad May 11 '17 at 13:54
  • I enabled ipv4 forwarding on both computers. Regarding forwarding the packages from tun0 to eth0 - when the Server is pinging the client with the 192.168.1. address (eth0) - the packages never appear at the tun0 interface (client side) but they leave the tun0 interface (server side) – MisterPresident May 12 '17 at 06:14
  • Please add `topology subnet` to both _server.conf_ and _client.conf_ if it is missing in your conf files. This should allow OpenServer to talk to its client. – Samudrala Prasad May 12 '17 at 07:17
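
An added example, not part of the original question or answer: a Python sketch that parses the `route` output quoted in the question and applies the kernel's longest-prefix-match rule to show which interface and gateway each host picks for the addresses discussed in the thread. The function names `parse_routes` and `lookup` are hypothetical; the tables are copied from the question as posted.

```python
import ipaddress

# Routing tables copied from the question (output of `route`, not `route -n`).
SERVER_ROUTES = """\
192.168.1.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
192.168.2.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
192.168.2.2     *               255.255.255.255 UH    0      0        0 tun0
"""
PI_ROUTES = """\
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.10.0    192.168.2.9     255.255.255.0   UG    0      0        0 tun0
192.168.2.0     192.168.2.9     255.255.255.0   UG    0      0        0 tun0
192.168.2.9     *               255.255.255.255 UH    0      0        0 tun0
"""

def parse_routes(text):
    """Parse `route` rows into (network, gateway_or_None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip headers and malformed rows
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}")
        gw = None if f[1] in ("*", "0.0.0.0") else f[1]  # "*" = on-link
        routes.append((net, gw, f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None means no route."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return {"iface": iface, "gateway": gw, "matched": str(net)}

if __name__ == "__main__":
    server, pi = parse_routes(SERVER_ROUTES), parse_routes(PI_ROUTES)
    print("server -> 192.168.1.10  :", lookup(server, "192.168.1.10"))
    print("server -> 192.168.2.10  :", lookup(server, "192.168.2.10"))
    print("pi     -> 192.168.2.1   :", lookup(pi, "192.168.2.1"))
    print("pi     -> 192.168.10.110:", lookup(pi, "192.168.10.110"))
```

Both kernel tables send the traffic in question into tun0, which matches the echo request seen in the server-side tcpdump. The kernel tables only decide that a packet enters tun0; they say nothing about what the OpenVPN process does with it afterwards.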