grabie2
08-29-2013 05:35 PM
[Debian][OpenVPN] Ping only client-to-server (tun interface only)
Hello!
I have a (probably simple) problem with setting up an OpenVPN server and clients.
What am I trying to achieve?
I'm trying to set up a multi-client OpenVPN server with a tun interface, certificate-based authentication, no ping between clients, and access to a few networks behind the OpenVPN server.
What is my problem?
From my client I can ping the server's tun interface, but I can't ping lan0 (10.66.6.12) or wan0 (10.10.10.1), and I can't ping any device on the network behind lan0 (I have a static route set up on my router).
From my server I can ping my local tun0 address (10.0.0.1), but I can't ping the client address (10.0.0.2).
What is my setup?
My testing setup is:
- Server:
Quote:
//
Please note that my server is a virtual machine (on a Debian host with VirtualBox), with the lan0 interface bridged directly to the physical NIC, currently shared only with the host machine.
Interface wan0 is configured as an internal network and is currently not connected to anything (it's from one of my previous tests; I just didn't feel like removing it).
//
ifconfig
Code:
lan0 Link encap:Ethernet HWaddr 08:00:27:77:40:fa
inet addr:10.66.6.12 Bcast:10.66.6.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe77:40fa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:718219 errors:0 dropped:0 overruns:0 frame:0
TX packets:24819 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:67844046 (64.7 MiB) TX bytes:5258206 (5.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12533 errors:0 dropped:0 overruns:0 frame:0
TX packets:12533 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3410440 (3.2 MiB) TX bytes:3410440 (3.2 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:3132 (3.0 KiB)
wan0 Link encap:Ethernet HWaddr 08:00:27:13:13:9c
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe13:139c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
//Additional info:
lan0 is connected to internal network
wan0 is currently not used
route
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default fritz.box 0.0.0.0 UG 0 0 0 lan0
10.0.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.10.10.0 * 255.255.255.0 U 0 0 0 wan0
10.66.6.0 * 255.255.255.0 U 0 0 0 lan0
iptables (it's a temporary config; of course in the production setup I'll have the firewall active):
Code:
*filter
:INPUT ACCEPT [31:3655]
:FORWARD ACCEPT [13:1092]
:OUTPUT ACCEPT [5466:1475173]
COMMIT
//I don't have any other routing, NATing, bridging, etc. software on this machine.
//EDIT: kernel ip_forward is ON (cat /proc/sys/net/ipv4/ip_forward is 1)
OpenVPN conf (/etc/openvpn/bartexvpn.conf):
Code:
local 10.66.6.12
port 23445
proto udp
dev tun
mssfix 1000
fragment 1000
keepalive 10 120
ca /etc/vpnCA/keys/ca.crt
cert /etc/vpnCA/keys/aisak.crt
key /etc/vpnCA/keys/aisak.key
dh /etc/vpnCA/keys/dh2048.pem
tls-auth /etc/vpnCA/ta.key 0
cipher AES-256-CBC
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.66.6.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
client-config-dir bartexvpn
ccd-exclusive
Example client config (ccd):
(BTW, I have 2 client config files, but I have only connected using one client, and now whenever I start openvpn the tun0 interface appears with the IP addresses of the first client; why?)
Code:
ifconfig-push 10.0.0.1 10.0.0.2
In some other thread I've seen that someone wanted these outputs:
ip route show all
Code:
default via 10.66.6.1 dev lan0
10.0.0.0/24 via 10.0.0.2 dev tun0
10.0.0.2 dev tun0 proto kernel scope link src 10.0.0.1
10.10.10.0/24 dev wan0 proto kernel scope link src 10.10.10.1
10.66.6.0/24 dev lan0 proto kernel scope link src 10.66.6.12
ip rule show
Code:
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
uname -a
Code:
Linux aisak.robotronika.pl 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
openvpn --version
Code:
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
- Client:
Quote:
I'm using the Android client, because that's the only handy machine that can connect through a different network than mine.
OpenVPN config:
Code:
cert client.crt
key client.key
remote 94.141.130.176 23445
client
fragment 1000
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Also, I can ping 10.0.0.1 (the server's tun0 interface) from any device in the 10.66.6.0/24 network, but I can't ping 10.0.0.2.
I hope I didn't miss anything, so for your convenience I'll repeat my problem here:
Quote:
What am I trying to achieve?
I'm trying to set up a multi-client OpenVPN server with a tun interface, certificate-based authentication, no ping between clients, and access to a few networks behind the OpenVPN server.
What is my problem?
From my client I can ping the server's tun interface, but I can't ping lan0 (10.66.6.12) or wan0 (10.10.10.1), and I can't ping any device on the network behind lan0 (I have a static route set up on my router).
From my server I can ping my local tun0 address (10.0.0.1), but I can't ping the client address (10.0.0.2).
I also hope to get a reply soon.
Best regards and thanks for your help,
Bartek
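A small validator for ccd `ifconfig-push` lines under the net30 topology that OpenVPN 2.2 uses by default, added here as an example; it is not code from the post. It derives the server's own endpoints from the `server` directive (10.0.0.1 P-t-P 10.0.0.2, as in the poster's ifconfig output), checks that a client pair lies inside the subnet, forms one /30, and does not collide with the server's pair, and lists the pairs the dynamic pool would otherwise hand out. Function names are my own.

```python
# Added example, not from the original post. Checks OpenVPN ccd "ifconfig-push"
# lines against the "server" directive under net30 topology (OpenVPN 2.2 default).
# Addresses below come from the post; function names are assumptions of this example.
import ipaddress


def server_endpoints(server_directive):
    """Return (subnet, server_local, server_remote) for a 'server NET MASK' line.

    'server 10.0.0.0 255.255.255.0' makes the server's tun 10.0.0.1 P-t-P 10.0.0.2,
    i.e. the first /30 of the pool is reserved for the server itself.
    """
    net_str, mask_str = server_directive.split()[1:3]
    net = ipaddress.ip_network(f"{net_str}/{mask_str}", strict=True)
    return net, net[1], net[2]


def check_ifconfig_push(server_directive, push_directive):
    """Return a list of problems for a ccd 'ifconfig-push LOCAL REMOTE' line (empty if OK)."""
    net, srv_local, srv_remote = server_endpoints(server_directive)
    local, remote = (ipaddress.ip_address(a) for a in push_directive.split()[1:3])
    problems = []
    for name, addr in (("local", local), ("remote", remote)):
        if addr not in net:
            problems.append(f"{name} endpoint {addr} is outside the server subnet {net}")
    if {local, remote} & {srv_local, srv_remote}:
        problems.append(
            f"pair collides with the server's own endpoints {srv_local}/{srv_remote}")
    # net30: every client owns one /30, and its two usable hosts are the endpoints.
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    if {local, remote} != {block[1], block[2]}:
        problems.append(f"{local} {remote} is not a valid net30 pair; "
                        f"use both hosts of one /30, e.g. {block[2]} {block[1]}")
    return problems


def client_pairs(server_directive, count):
    """List the (local, remote) pairs the dynamic pool assigns to the first clients.

    The server's own /30 is skipped; clients get the higher host as local.
    """
    net, _, _ = server_endpoints(server_directive)
    blocks = list(net.subnets(new_prefix=30))[1:count + 1]
    return [(str(b[2]), str(b[1])) for b in blocks]


if __name__ == "__main__":
    srv = "server 10.0.0.0 255.255.255.0"
    print(check_ifconfig_push(srv, "ifconfig-push 10.0.0.1 10.0.0.2"))  # collides with server
    print(check_ifconfig_push(srv, "ifconfig-push 10.0.0.6 10.0.0.5"))  # []
    print(client_pairs(srv, 2))
```

Run against the ccd line shown in the post, the check reports a collision with the server's own endpoints; a ccd file is read only when its name matches the client certificate's CN, which is worth confirming alongside this.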