LinuxQuestions.org, Linux - Networking forum
Old 07-30-2023, 07:12 AM   #1
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Rep: Reputation: 10
Post Client connected to the OpenVPN server, but can't see the internal network


Hello,
My OpenVPN server NICs are:
Code:
enp0s3 (NAT)
enp0s8 (LAN)
And their IP addresses are:
Code:
# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 21328  bytes 5784129 (5.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14787  bytes 2805600 (2.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe74:6397  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:74:63:97  txqueuelen 1000  (Ethernet)
        RX packets 9853  bytes 1811888 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3657  bytes 1472226 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
My OpenVPN server can ping my internal network:
Code:
# ping 172.20.1.18
PING 172.20.1.18 (172.20.1.18) 56(84) bytes of data.
64 bytes from 172.20.1.18: icmp_seq=1 ttl=63 time=1.10 ms
64 bytes from 172.20.1.18: icmp_seq=2 ttl=63 time=0.954 ms
64 bytes from 172.20.1.18: icmp_seq=3 ttl=63 time=1.21 ms
^C
--- 172.20.1.18 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2054ms
rtt min/avg/max/mdev = 0.954/1.089/1.214/0.106 ms
I want to connect a Windows client to this server so that it can see my internal network. My OpenVPN server configuration file is:
Code:
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key                              
dh dh.pem
server 10.8.0.0 255.255.255.0               
push "route 172.20.1.0  255.255.0.0"
push "dhcp-option DNS 172.20.1.2"          # My internal network DNS server IP
push "redirect-gateway autolocal"
keepalive 10 120
tls-auth ta.key 0                          
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
On the OpenVPN server I added the following iptables rules:
Code:
# IF_MAIN=enp0s3
# IF_TUNNEL=tun0
# YOUR_OPENVPN_SUBNET=10.8.0.0/16
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
Then I disabled IP forwarding:
Code:
# sysctl -p
net.ipv4.ip_forward = 0
And the client.ovpn file is:
Code:
dev tun
proto udp
remote 192.168.1.20 1194
route add 172.20.1.0 255.255.0.0               
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
data-ciphers AES-256-CBC
verb 3
When I connected to the OpenVPN server, I got the following messages:
Code:
Sun Jul 30 16:25:01 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sun Jul 30 16:25:01 2023 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
Sun Jul 30 16:25:01 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Sun Jul 30 16:25:01 2023 Windows version 6.1 (Windows 7), amd64 executable
Sun Jul 30 16:25:01 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Sun Jul 30 16:25:01 2023 DCO version: v0
Sun Jul 30 16:25:01 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Jul 30 16:25:01 2023 Need hold release from management interface, waiting...
Sun Jul 30 16:25:01 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1095
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'state on'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'log on all'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'echo on all'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'bytecount 5'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'state'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'hold off'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'hold release'
Sun Jul 30 16:25:02 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jul 30 16:25:02 2023 UDPv4 link local: (not bound)
Sun Jul 30 16:25:02 2023 UDPv4 link remote: [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,WAIT,,,,,,
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,AUTH,,,,,,
Sun Jul 30 16:25:02 2023 TLS: Initial packet from [AF_INET]192.168.1.20:1194, sid=859b58ea 7fe7a961
Sun Jul 30 16:25:02 2023 VERIFY OK: depth=1, CN=Server
Sun Jul 30 16:25:02 2023 VERIFY KU OK
Sun Jul 30 16:25:02 2023 Validating certificate extended key usage
Sun Jul 30 16:25:02 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 30 16:25:02 2023 VERIFY EKU OK
Sun Jul 30 16:25:02 2023 VERIFY OK: depth=0, CN=server
Sun Jul 30 16:25:02 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jul 30 16:25:02 2023 [server] Peer Connection Initiated with [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Jul 30 16:25:02 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Jul 30 16:25:02 2023 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 172.20.1.0  255.255.0.0,dhcp-option DNS 172.20.1.2,dhcp-option DNS 172.20.1.7,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: route options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: tun-mtu set to 1500
Sun Jul 30 16:25:02 2023 interactive service msg_channel=312
Sun Jul 30 16:25:02 2023 open_tun
Sun Jul 30 16:25:02 2023 tap-windows6 device [OpenVPN TAP-Windows6] opened
Sun Jul 30 16:25:02 2023 TAP-Windows Driver Version 9.24 
Sun Jul 30 16:25:02 2023 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {6A2BF0FA-B68E-4062-9447-B078773E36FD} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Jul 30 16:25:02 2023 Successful ARP Flush on interface [15] {6A2BF0FA-B68E-4062-9447-B078773E36FD}
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,ASSIGN_IP,,10.8.0.6,,,,
Sun Jul 30 16:25:02 2023 IPv4 MTU set to 1500 on interface 15 using service
Sun Jul 30 16:25:02 2023 Data Channel: cipher 'AES-256-CBC', auth 'SHA1', peer-id: 1
Sun Jul 30 16:25:02 2023 Timers: ping 10, ping-restart 120
Sun Jul 30 16:25:02 2023 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Sun Jul 30 16:25:07 2023 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 192.168.1.20 MASK 255.255.255.255 192.168.1.20 IF 11
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 MANAGEMENT: >STATE:1690718107,ADD_ROUTES,,,,,,
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 172.20.1.0 MASK 255.255.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 ERROR: route addition failed using service: The parameter is incorrect.   [status=87 if_index=15]
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 172.20.1.0 MASK 255.255.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 ERROR: route addition failed using service: The parameter is incorrect.   [status=87 if_index=15]
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 Initialization Sequence Completed
Sun Jul 30 16:25:07 2023 MANAGEMENT: >STATE:1690718107,CONNECTED,ROUTE_ERROR,10.8.0.6,192.168.1.20,1194,,
Sun Jul 30 16:25:07 2023 ERROR: Some routes were not successfully added. The connection may not function correctly
The client connected to the server:
Code:
Unknown adapter OpenVPN TAP-Windows6:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-6A-2B-F0-FA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b404:5a8b:df0e:52c3%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Sunday, July 30, 2023 4:25:02 PM
   Lease Expires . . . . . . . . . . : Monday, July 29, 2024 4:25:02 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.5
   DHCPv6 IAID . . . . . . . . . . . : 335609706
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-E4-62-78-08-00-27-43-77-E3

   DNS Servers . . . . . . . . . . . : 172.20.1.2
                                       172.20.1.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter OpenVPN Wintun:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Wintun Userspace Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 08-00-27-43-77-E3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6ca6:a423:e55d:a449%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.20
   DHCPv6 IAID . . . . . . . . . . . : 235405351
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-E4-62-78-08-00-27-43-77-E3

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
...
But, I can't ping the internal network:
Code:
C:\>ping 172.20.1.18

Pinging 172.20.1.18 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.20.1.18:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>
What is the problem?


Thank you.

Last edited by Jason.nix; 07-31-2023 at 05:26 AM.
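The client log above fails on "route ADD 172.20.1.0 MASK 255.255.0.0" with status 87, and the config shows why: 172.20.1.0 has host bits set under a 255.255.0.0 mask, so the pair is not a valid network. The following is an added example (not code from the post or from OpenVPN) of a small linter that checks every route directive, local or pushed, for that mistake, reports a pushed redirect-gateway as a full-tunnel setting, and reads net.ipv4.ip_forward from sysctl output. The config and sysctl samples are constructed from the lines quoted in the post; the hint text is the linter's own.

```python
import ipaddress
import re
import shlex

# Constructed sample: the directives from the server.conf in the post
# (unrelated lines are left out; the linter ignores them anyway).
SERVER_CONF = """\
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
push "route 172.20.1.0  255.255.0.0"
push "dhcp-option DNS 172.20.1.2"          # My internal network DNS server IP
push "redirect-gateway autolocal"
keepalive 10 120
"""

# Constructed sample: the route line from the client.ovpn in the post.
CLIENT_CONF = """\
dev tun
remote 192.168.1.20 1194
route add 172.20.1.0 255.255.0.0
"""

# Constructed sample of the `sysctl -p` output shown in the post.
SYSCTL_OUT = "net.ipv4.ip_forward = 0\n"


def parse_route(network, netmask=None):
    """Return the IPv4 network a 'route <network> [<netmask>]' pair describes.
    Raises ValueError when <network> has host bits set for that mask, which is
    what Windows rejects with 'The parameter is incorrect' (status 87)."""
    cidr = network if netmask is None else f"{network}/{netmask}"
    return ipaddress.ip_network(cidr, strict=True)


def lint_openvpn_conf(conf_text):
    """Check route directives (local or pushed) in an OpenVPN config.
    Returns a list of (severity, message). A pushed redirect-gateway is
    reported as info because it sends *all* client traffic through the tunnel."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        words = shlex.split(line)               # unquotes push "..." arguments
        origin = "local"
        if words[0] == "push" and len(words) > 1:
            words = words[1].split()            # the directive inside the quotes
            origin = "pushed"
        if words[0] == "route" and len(words) > 1:
            net = words[1]
            # OpenVPN defaults a missing netmask to 255.255.255.255 (host route)
            mask = None if "/" in net else (words[2] if len(words) > 2 else "255.255.255.255")
            try:
                parse_route(net, mask)
            except ValueError as exc:
                try:
                    cidr = net if mask is None else f"{net}/{mask}"
                    fixed = ipaddress.ip_network(cidr, strict=False)
                    hint = (f"did you mean {fixed.with_prefixlen} (network fixed) "
                            f"or {net} 255.255.255.0 (mask fixed)?")
                except ValueError:
                    hint = "route takes <network> <netmask>; there is no 'add' keyword in OpenVPN syntax"
                findings.append(("error", f"{origin} route {' '.join(words[1:])}: {exc}; {hint}"))
        elif words[0] == "redirect-gateway":
            findings.append(("info",
                f"{origin} redirect-gateway {' '.join(words[1:])}: full tunnel, "
                "the client will reach the Internet through the VPN too"))
    return findings


def ip_forward_enabled(sysctl_text):
    """True when sysctl output reports net.ipv4.ip_forward = 1; without it the
    server accepts tunnel packets but never forwards them towards the LAN."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    return m is not None and m.group(1) == "1"


if __name__ == "__main__":
    for name, conf in (("server.conf", SERVER_CONF), ("client.ovpn", CLIENT_CONF)):
        for severity, msg in lint_openvpn_conf(conf):
            print(f"{name}: {severity}: {msg}")
    print("ip_forward enabled:", ip_forward_enabled(SYSCTL_OUT))
```

Run against the two samples it reports the bad pushed mask on the server side, the stray "add" word on the client side, and ip_forward = 0, which are the three things the client log and the later replies turn on.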
 
Old 07-31-2023, 04:20 AM   #2
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Original Poster
Rep: Reputation: 10
Hello,
When I enabled IP forwarding, it worked, but I have Internet access too.
What is the problem?


Thank you.
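Why the client reaches both the LAN and the Internet once forwarding is on can be read straight from the routes in the first post's log: "redirect-gateway def1" installs 0.0.0.0/1 and 128.0.0.0/1 via 10.8.0.5, which beat the LAN default route by prefix length and already cover 172.20.1.18, so the failed /16 route was never the blocker. The following is an added example (not from the post) that replays the Windows client's routing decision as a longest-prefix match; the first table is constructed from the log and ipconfig output above, the split-tunnel table is an assumed alternative configuration, and metrics are ignored for simplicity.

```python
import ipaddress

# Constructed from the client log and ipconfig output in the first post: the
# routes OpenVPN added successfully plus the LAN routes Windows already had.
# Each entry is (destination network, gateway); gateway None means on-link.
# The pushed "172.20.1.0 MASK 255.255.0.0" route failed (status 87) and is
# therefore absent.
ROUTES_FULL_TUNNEL = [
    ("0.0.0.0/0", "192.168.1.20"),        # LAN default gateway (ipconfig)
    ("192.168.1.0/24", None),             # on-link LAN
    ("192.168.1.20/32", "192.168.1.20"),  # host route to the VPN server
    ("0.0.0.0/1", "10.8.0.5"),            # redirect-gateway def1, lower half
    ("128.0.0.0/1", "10.8.0.5"),          # redirect-gateway def1, upper half
    ("10.8.0.1/32", "10.8.0.5"),          # pushed "route 10.8.0.1"
]

# Assumed split-tunnel variant (not from the post): no redirect-gateway, and a
# correctly masked /24 route for the internal network.
ROUTES_SPLIT_TUNNEL = [
    ("0.0.0.0/0", "192.168.1.20"),
    ("192.168.1.0/24", None),
    ("172.20.1.0/24", "10.8.0.5"),
    ("10.8.0.1/32", "10.8.0.5"),
]

VPN_GATEWAY = "10.8.0.5"   # the server end of the net30 point-to-point link


def next_hop(routes, destination):
    """Longest-prefix match over a (network, gateway) table.
    Returns the gateway address, 'on-link' for directly connected networks,
    or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    best_net, best_gw = None, None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_gw = n, gw
    if best_net is None:
        return None
    return best_gw if best_gw is not None else "on-link"


def via_tunnel(routes, destination):
    """True when the destination would be sent into the OpenVPN tunnel."""
    return next_hop(routes, destination) == VPN_GATEWAY


if __name__ == "__main__":
    for label, table in (("full tunnel", ROUTES_FULL_TUNNEL),
                         ("split tunnel", ROUTES_SPLIT_TUNNEL)):
        for dst in ("172.20.1.18", "8.8.8.8", "192.168.1.20", "192.168.1.50"):
            print(f"{label}: {dst} -> {next_hop(table, dst)}")
```

With the full-tunnel table both 172.20.1.18 and 8.8.8.8 go to 10.8.0.5, so the server needs ip_forward = 1 to deliver either, and the MASQUERADE rule on enp0s3 then also carries the Internet traffic; dropping redirect-gateway and pushing only the correctly masked LAN route keeps the Internet on the client's own gateway.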
 
Old 07-31-2023, 05:24 AM   #3
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Original Poster
Rep: Reputation: 10
Hello,
I think it's because my OpenVPN server has two NICs. I can ping the targets with their IP addresses, but not their names. I added the following lines to the client file and I can ping the targets by their names too:
Code:
route 172.20.1.0 255.255.255.0
push "dhcp-option dns Your_DNS_Server_IP"
dhcp-option DOMAIN Your_Domain
 
Old 07-31-2023, 07:02 AM   #4
Rawcous
Member
 
Registered: Jan 2014
Location: Farnborough, Hampshire - UK
Distribution: SCO UNIX -> Fedora (Core) -> CentOS -> RedHat
Posts: 128

Rep: Reputation: 48
Hello Jason.nix again,

Based on your last update I'm assuming that all is well!?

I'm curious if you also browse each of the clients via Windows Explorer when connected to the VPN (are you still seeing any errors at all?) - see the following - it's a cut-down version of the contents of my /etc/sysconfig/iptables file, with simply the bits applicable to you remaining:
Code:
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun  3 08:17:36 2023
*mangle
:PREROUTING ACCEPT [25625:604582999]
:INPUT ACCEPT [25625:604582999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22186:620942369]
:POSTROUTING ACCEPT [22186:620942369]
COMMIT
# Completed on Sat Jun  3 08:17:36 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun  3 08:17:36 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Jun  3 08:17:36 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun  3 08:17:36 2023
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -p tcp -m tcp -s 192.168.1.0/28 --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.60.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.50.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/28 --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp -s 10.60.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp -s 10.50.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/28 --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.60.0.0/29 --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.50.0.0/29 --dport 445 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/28 --dport 445 -j ACCEPT
-A INPUT -p udp -m udp -s 10.60.0.0/29 --dport 445 -j ACCEPT
-A INPUT -p udp -m udp -s 10.50.0.0/29 --dport 445 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i tun0 -j ACCEPT

-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i enp3s0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i enp3s0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jun  3 08:17:36 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun  3 08:17:36 2023
*nat
:PREROUTING ACCEPT [5:260]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [338:21675]
:POSTROUTING ACCEPT [338:21675]
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
# Completed on Sat Jun  3 08:17:36 2023
In relation to the above:

- I have added my routes to my router
- Port 1194 is the OpenVPN port
- I only have 1 NIC installed - enp3s0
- My VPN Network range is 10.60.0.0/29
- My Internal Network is 192.168.1.0
- The above allows me to ping all clients on the network when connected AND, more importantly for me, browse them all via Windows Explorer - by default I could initially only browse the server itself (as you can see, I enabled the SMB ports and installed Samba on the server as well)

Make of the above what you will.

Regards,

Rawcous
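A point worth checking in a rule set like the one above is how broad the FORWARD accepts are: "-A FORWARD -i tun0 -j ACCEPT" forwards anything a VPN client sends to any destination, and with "-A POSTROUTING -o enp3s0 -j MASQUERADE" that includes the Internet, which is exactly the side effect the thread starter noticed. The following is an added example (not Rawcous's or the thread starter's code) of a parser for iptables-save output that extracts a chain's rules, confirms the chain ends in a catch-all REJECT/DROP so the accepts are an allow-list, and flags interface-only accepts that could be narrowed with -d. The dump is constructed from the FORWARD and nat lines quoted above; the 192.168.1.0/24 in the suggestion is assumed from the "My Internal Network is 192.168.1.0" line.

```python
import shlex

# Constructed sample: the FORWARD chain and nat POSTROUTING rule from the
# iptables-save dump in the post above.
IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i enp3s0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
"""

# Options that take two arguments in iptables-save output.
TWO_ARG_OPTIONS = {"--tcp-flags"}


def parse_chain(dump, chain):
    """Return the rules appended to `chain` (-A lines) as dicts of option -> value.
    Flags without an argument (e.g. --clamp-mss-to-pmtu) map to True."""
    rules = []
    for line in dump.splitlines():
        words = shlex.split(line)
        if len(words) < 2 or words[0] != "-A" or words[1] != chain:
            continue
        rule, i = {}, 2
        while i < len(words):
            opt = words[i]
            if opt in TWO_ARG_OPTIONS:
                rule[opt] = (words[i + 1], words[i + 2])
                i += 3
            elif i + 1 < len(words) and not words[i + 1].startswith("-"):
                rule[opt] = words[i + 1]
                i += 2
            else:
                rule[opt] = True
                i += 1
        rules.append(rule)
    return rules


def ends_with_catch_all_reject(rules):
    """True when the chain's last rule drops or rejects everything else, so the
    ACCEPT rules above it form an allow-list rather than exceptions."""
    if not rules:
        return False
    last = rules[-1]
    selectors = {"-i", "-o", "-s", "-d", "-p", "-m"}
    return last.get("-j") in ("REJECT", "DROP") and not (selectors & set(last))


def broad_forward_rules(rules, in_if="tun0", lan_net="192.168.1.0/24"):
    """Report ACCEPT rules that forward everything arriving on `in_if` without a
    destination (-d) or output interface (-o) restriction. Combined with a
    MASQUERADE on the uplink, such a rule lets VPN clients reach the Internet
    through the server, not only the LAN. `lan_net` is the assumed LAN range
    used in the suggested tightening."""
    findings = []
    for r in rules:
        if (r.get("-j") == "ACCEPT" and r.get("-i") == in_if
                and "-d" not in r and "-o" not in r):
            findings.append(
                f"-A FORWARD -i {in_if} -j ACCEPT matches any destination; "
                f"consider -A FORWARD -i {in_if} -d {lan_net} -j ACCEPT")
    return findings


if __name__ == "__main__":
    fwd = parse_chain(IPTABLES_SAVE, "FORWARD")
    print("catch-all reject at end of FORWARD:", ends_with_catch_all_reject(fwd))
    for note in broad_forward_rules(fwd):
        print("note:", note)
```

The same check with in_if="enp3s0" flags the LAN-side accept too; whether that one should be narrowed depends on whether the server is meant to route for the LAN, which the post does not say.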