
I have two servers in the same datacentre, running Ubuntu 16

Server A: 10.12.96.5
Server B: 10.12.96.4

Server A is running OpenVPN server.

When I connect to server A using SSH, I can PING server B.

When I connect from my client PC to server A using OpenVPN, I can ping server A using both its OpenVPN IP (10.8.0.1) and its private IP (10.12.96.5).

The problem is: I can't ping server B (10.12.96.4) from my client PC.

Client-to-client communication is enabled, on OpenVPN.

Ian Arman
  • It sounds like you don't have a 10.12.96.0/24 route over the client's tun device. You can manually add it on the client side: "user@client:~$sudo ip route add 10.12.96.0/24 via (presumably 10.8.0.5 if you have the defaults) dev tun0". Or you can push a route from the server's config: push "route 10.12.96.0 255.255.255.0" – cburn11 Jul 27 '18 at 23:36
  • The other possibility is the ping request is reaching server B, but server B doesn't know how to route the response back to the client. If that's the case, you can add a route on Server B to route whatever the client's local subnet is back over Server A's tun device. Or you could SNAT the client's VPN traffic to Server A when it leaves server A. – cburn11 Jul 27 '18 at 23:44
  • Here's the routing: Server A: https://prnt.sc/kbyilr Server B: https://prnt.sc/kbyi9b – Ian Arman Jul 27 '18 at 23:55
  • So does server B have a route back to client? Edit: If you are just pinging Server B from the client with ping -c 2 10.12.96.4 then the source address is probably not the client's tun address. – cburn11 Jul 28 '18 at 00:01
  • You could force the client to use its tun address "ping -c 2 -I 10.8.0.6 10.12.96.4" and replace 10.8.0.6 with whatever the address of client's tun device happens to be. – cburn11 Jul 28 '18 at 00:04
  • Server B has a route back to Server A. From Server B, I can't ping the client. From Server A, I can ping the client. From Server B, I can ping Server A using the OpenVPN IP (10.8.0.1). – Ian Arman Jul 28 '18 at 00:05
  • What happens when you "ping -c 2 -I (address of client's tun device) 10.12.96.4" from the client machine? – cburn11 Jul 28 '18 at 00:10
  • ping -c 2 10.12.96.4 works on Server B, and Server A. The client pc is running Windows – Ian Arman Jul 28 '18 at 00:22
  • You ran "ping -c 2 10.12.96.4" on Server B? That's server B's own address, of course that works. What happens when you run: "ping -c 2 -I (address of client's tun device) 10.12.96.4" from the client machine? – cburn11 Jul 28 '18 at 00:25
  • I ran "ping -S 10.8.0.2 10.12.96.5" from the client machine (Windows, pinging server A), and I received a response. When I ran "ping -S 10.8.0.2 10.12.96.4" from the client machine (Windows, pinging server B), the request timed out. – Ian Arman Jul 28 '18 at 00:46
  • Do you have "ip forwarding" enabled on Server A? In /etc/sysctl.conf, is "net.ipv4.ip_forward=1" commented? – cburn11 Jul 28 '18 at 00:56
  • IP forwarding is enabled on both Server A and Server B: net.ipv4.ip_forward=1 – Ian Arman Jul 28 '18 at 02:05
  • Can you ping Server B from your client machine while running tcpdump on Server B to see if the request is even reaching Server B? – cburn11 Jul 28 '18 at 02:32
  • @cburn11 that was great advice! I learned a lot! I had to tcpdump 'tun0'. I ran the following command: `tcpdump -i 'tun0' | grep 'ICMP'`. The error is: UDP port SNMP unreachable https://imgur.com/a/8eX7qJv – Ian Arman Jul 28 '18 at 02:54
  • Server B also has a tun device? You mean server B is also connected to Server A's OpenVPN instance? – cburn11 Jul 28 '18 at 03:38
  • Server B has no tun device. Server A has a tun device. Server B has a tun route to Server A because it responds to pings through the tun. When pinging from the client, Server A (OpenVPN server) dropped the frame: 'udp port snmp unreachable' – Ian Arman Jul 28 '18 at 03:44

1 Answer

If you want to be able to ping another device (or have any sort of communication between them) you need a route from your PC to Server B and a route from Server B to your PC.

In this case that means:

  • PC to Server B:
    • route on your PC to Server B points to Server A
    • route on Server A to Server B points to Server B
  • Server B to PC
    • route on Server B to your PC points to Server A
    • route on Server A to your PC points to your PC

Each of these steps must be correct, otherwise your packets will be lost somewhere.

The program tcpdump can show you at each step whether your packets arrive or not.

RalfFriedl
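To make the answer's four-hop rule and the two hypotheses from the comment thread (a missing pushed route on the client; a missing return route on Server B, or SNAT on Server A instead) concrete, here is an added route-table walk. It is example code written for this page, not anything the poster or the answerer ran. The hosts, addresses and tables are a constructed model: the PC on the VPN at 10.8.0.2, Server A with tun0 10.8.0.1 and eth0 10.12.96.5, Server B at 10.12.96.4 with a default route to a datacentre gateway at 10.12.96.1 (assumed), and a /24 on tun0 (OpenVPN "topology subnet", assumed for simplicity). Each scenario replays the request and the reply hop by hop with a longest-prefix lookup per host, so the point where the packet dies is named, which is exactly what tcpdump on each hop would show you.

```python
"""Hop-by-hop route walk for the OpenVPN scenario above (constructed model)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str            # destination in CIDR form, "0.0.0.0/0" for default
    via: Optional[str]     # next-hop address, None for an on-link route
    dev: str


@dataclass
class Host:
    name: str
    addrs: dict            # interface -> "address/prefixlen"
    routes: list
    forwarding: bool = True                    # net.ipv4.ip_forward
    snat: dict = field(default_factory=dict)   # out interface -> rewritten source

    def ips(self):
        return {str(ipaddress.ip_interface(c).ip) for c in self.addrs.values()}

    def lookup(self, dst):
        """Longest-prefix match over the table, as the kernel FIB does."""
        best = None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen
            ):
                best = r
        return best


@dataclass
class Result:
    delivered: bool
    path: list
    reason: Optional[str]
    src_seen: str          # source as the last hop saw it (after any SNAT)
    last: Host


def trace(net, start, src, dst):
    """Forward one packet until a host owns dst or some hop cannot handle it."""
    host, cur_src, path = start, src, [start.name]
    for _ in range(8):                          # hop limit guards against loops
        if dst in host.ips():
            return Result(True, path, None, cur_src, host)
        if host is not start and not host.forwarding:
            return Result(False, path, f"{host.name}: ip_forward=0, packet dropped", cur_src, host)
        r = host.lookup(dst)
        if r is None:
            return Result(False, path, f"{host.name}: no route to {dst}", cur_src, host)
        nexthop = r.via or dst
        link = ipaddress.ip_interface(host.addrs[r.dev]).network
        if ipaddress.ip_address(nexthop) not in link:
            return Result(False, path, f"{host.name}: next hop {nexthop} not on {r.dev}", cur_src, host)
        if r.dev in host.snat:                  # MASQUERADE/SNAT on the way out
            cur_src = host.snat[r.dev]
        if nexthop not in net:
            return Result(False, path, f"{host.name}: {nexthop} unreachable on {r.dev}", cur_src, host)
        host = net[nexthop]
        path.append(host.name)
    return Result(False, path, "hop limit exceeded", cur_src, host)


def ping(net, client, client_ip, target_ip):
    """Request and reply must both get through; returns (ok, explanation)."""
    req = trace(net, client, client_ip, target_ip)
    if not req.delivered:
        return False, "request lost: " + req.reason
    rep = trace(net, req.last, target_ip, req.src_seen)
    if not rep.delivered:
        return False, "reply lost: " + rep.reason
    if req.src_seen != client_ip:               # reply hit the NAT box; it un-NATs and forwards
        back = trace(net, rep.last, target_ip, client_ip)
        if not back.delivered:
            return False, "reply lost after de-NAT: " + back.reason
    return True, "round trip ok via " + " -> ".join(req.path)


def build(push_route=True, a_forwarding=True, b_return_route=False, snat_on_a=False):
    """Constructed scenario; the flags toggle the fixes discussed in the thread."""
    pc = Host("pc", {"tun0": "10.8.0.2/24"},
              [Route("10.8.0.0/24", None, "tun0")]
              + ([Route("10.12.96.0/24", "10.8.0.1", "tun0")] if push_route else []))
    a = Host("serverA", {"tun0": "10.8.0.1/24", "eth0": "10.12.96.5/24"},
             [Route("10.8.0.0/24", None, "tun0"), Route("10.12.96.0/24", None, "eth0")],
             forwarding=a_forwarding, snat={"eth0": "10.12.96.5"} if snat_on_a else {})
    b = Host("serverB", {"eth0": "10.12.96.4/24"},
             [Route("10.12.96.0/24", None, "eth0"), Route("0.0.0.0/0", "10.12.96.1", "eth0")]
             + ([Route("10.8.0.0/24", "10.12.96.5", "eth0")] if b_return_route else []))
    gw = Host("gateway", {"eth0": "10.12.96.1/24"}, [Route("10.12.96.0/24", None, "eth0")])
    net = {ip: h for h in (pc, a, b, gw) for ip in h.ips()}
    return net, pc


if __name__ == "__main__":
    for kw in ({"push_route": False}, {}, {"b_return_route": True}, {"snat_on_a": True}):
        net, pc = build(**kw)
        print(kw, ping(net, pc, "10.8.0.2", "10.12.96.4"))
```

With the defaults (route pushed, forwarding on, nothing done on Server B) the request reaches Server B but the reply is lost at the gateway, which matches the symptom in the thread: the request shows up in tcpdump on the far side, yet the client sees a timeout. Adding the return route on Server B (the `b_return_route` flag, i.e. `ip route add 10.8.0.0/24 via 10.12.96.5` there) or masquerading VPN traffic out of Server A's eth0 (the `snat_on_a` flag) both close the loop; the model also reproduces the `ip_forward=0` case cburn11 asked about.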