OpenVPN tunnel problem on BSD 4.9

zealer · 09-25-2011, 07:56 AM

Hello dear experts,

I have OpenVPN-2.2.1 configured on two OpenBSD 4.9
I am able to ping: client -> server and all networks behind
I am not able to ping: server -> client at all

I already checked my FW, you can see the configuration below.
Ping works with pf and OpenVPN stopped. (OK)
Ping does not work with pf enabled and openVPN stopped. (OK)
Ping works in only one direction with pf and OpenVPN enabled (NOT OK)

And a small question: why is there one tunnel from the client's point of view (10.0.1.6 -> 10.0.1.5), but from the server's point of view - there is a different tunnel (10.0.1.1 -> 10.0.1.2)? What am I missing here? In my understanding, there should be only one tunnel (for example 10.0.1.0/30, with .0 being the net, .1 server, .2 the client and .3 the broadcast).

Please help me figure that out... i have a feeling it is something really simple, but I dont know where to go from here...
Uploaded are screenshots with my setup:

The Topology

Firewall setup
OpenVPN configurations
Interface IPs + routing tables

Ping from client to server succeeds
Ping from server to client fails

Thank you VERY much in advance for your help, it is greatly appreciated!
Kind regards,
Simeon

Lexus45 · 09-26-2011, 04:14 AM

If you have to connect only 2 computers, try to use this simple "quick'n dirty" HOWTO. I think it's very good for point-to-point connection and will serve well in most cases.
It's designed to 2 computers only. Maybe this can be a good start point for solving your problem?

You've already mentioned that:

Quote:

Ping works with pf and OpenVPN stopped. (OK)
Ping does not work with pf enabled and openVPN stopped. (OK)
Ping works in only one direction with pf and OpenVPN enabled (NOT OK)

What about the 4th situation: pf is disabled (or it passes from any to any , on any interface) and the tunnel is activated? At this step you will see if the problem is in OpenVPN configuration or not.

As I see, you use NAT in your PF config files. So, after disabling PF (in fact, removing all rules from the memory) it's obvious that NAT will not work. So, try to ping between the server and the client only, not the subnet behind. Or add extra routes, to use routing instead of NAT. But I hope you know all this without my advice. :-)

zealer · 09-26-2011, 02:28 PM

Hi, thanks for your reply.

Already tried it:
pf disabled/enabled: a ping sweep (10.0.1.1 to 10.0.1.10) from the client succeeds only on 10.0.1.1, and from the server - only on 10.0.1.6
Strange

zealer · 09-27-2011, 04:23 PM

Okay, I resolved my problem, here is what it:

On the VPN server, there should be a file "[ccd directory]/[client_OU]". Both are specified in the "vars" file. In my case i had to create a file "/etc/openvpn/ccd/192.168.2.200". This file should contain the "iroute" command to the remote network. In my case it was "iroute 192.168.0.0 255.255.255.0"