[SOLVED] [Debian][OpenVPN] Ping only client-to-server(tun interface only)
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: I prefer Debian, but every distro is OK
Posts: 12
Rep:
[Debian][OpenVPN] Ping only client-to-server(tun interface only)
Hello!
I have a(probably simple) problem with setting up OpenVPN server and clients.
What I'm trying to achieve ?
I'm trying to setup multi-client OpenVPN server with tun interface, certificate-based authentication, no ping between clients, access to few networks behind OpenVPN server.
What is my problem ?
From my client I can ping server's tun interface, I can't ping lan0(10.66.6.12) and wan0(10.10.10.1) and I can't ping any device on network behind lan0(I have a static route setup on my router).
From my server I can ping my local tun0 address(10.0.0.1), but I can't ping client address(10.0.0.2).
What is my setup ?
My testing setup is:
- Server:
Quote:
//
Please take a note that my server is a virtual machine(On debian host with VirtualBox), with lan0 interface directly bridged to physical NIC, currently shared only with host machine.
Interface wan0 is configured as internal network, currently not connected to anything(it's from one of my previous test, I just didn't feel like removing it)
//
ifconfig
Code:
lan0 Link encap:Ethernet HWaddr 08:00:27:77:40:fa
inet addr:10.66.6.12 Bcast:10.66.6.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe77:40fa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:718219 errors:0 dropped:0 overruns:0 frame:0
TX packets:24819 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:67844046 (64.7 MiB) TX bytes:5258206 (5.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12533 errors:0 dropped:0 overruns:0 frame:0
TX packets:12533 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3410440 (3.2 MiB) TX bytes:3410440 (3.2 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:3132 (3.0 KiB)
wan0 Link encap:Ethernet HWaddr 08:00:27:13:13:9c
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe13:139c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
//Additional info:
lan0 is connected to internal network
wan0 is currently not used
route
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default fritz.box 0.0.0.0 UG 0 0 0 lan0
10.0.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.10.10.0 * 255.255.255.0 U 0 0 0 wan0
10.66.6.0 * 255.255.255.0 U 0 0 0 lan0
iptables(It's temporary config, of course in production setup I'll have firewall active):
//I don't have any other routing, NATing, brigding, etc. software on this machine.
//EDIT: kernel ip_forward is ON(cat /proc/sys/net/ipv4/ip_forward is 1)
OpenVPN conf(/etc/openvpn/bartexvpn.conf)
Code:
local 10.66.6.12
port 23445
proto udp
dev tun
mssfix 1000
fragment 1000
keepalive 10 120
ca /etc/vpnCA/keys/ca.crt
cert /etc/vpnCA/keys/aisak.crt
key /etc/vpnCA/keys/aisak.key
dh /etc/vpnCA/keys/dh2048.pem
tls-auth /etc/vpnCA/ta.key 0
cipher AES-256-CBC
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.66.6.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
client-config-dir bartexvpn
ccd-exclusive
Example client config:
(BTW, I have 2 client config files, but I connected only using one client and now whenever I start openvpn tun0 interface appears with ip addresses of first client, why?)
Code:
ifconfig-push 10.0.0.1 10.0.0.2
In some other thread I've seen someone wanted those outputs:
ip route show all
Code:
default via 10.66.6.1 dev lan0
10.0.0.0/24 via 10.0.0.2 dev tun0
10.0.0.2 dev tun0 proto kernel scope link src 10.0.0.1
10.10.10.0/24 dev wan0 proto kernel scope link src 10.10.10.1
10.66.6.0/24 dev lan0 proto kernel scope link src 10.66.6.12
ip rule show
Code:
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
uname -a
Code:
Linux aisak.robotronika.pl 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
openvpn --version
Code:
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
- Client:
Quote:
I'm using Android client, cause that's only handy machine that can connect through different network than mine
OpenVPN config:
Code:
cert client.crt
key client.key
remote 94.141.130.176 23445
client
fragment 1000
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Also I can ping 10.0.0.1(server's tun0 interface) from any device in 10.66.6.0/24 network, but I can't ping 10.0.0.2.
I hope I didn't miss anything, so for your convenience I'll repeat my problem there:
Quote:
What I'm trying to achieve ?
I'm trying to setup multi-client OpenVPN server with tun interface, certificate-based authentication, no ping between clients, access to few networks behind OpenVPN server. What is my problem ?
From my client I can ping server's tun interface, I can't ping lan0(10.66.6.12) and wan0(10.10.10.1) and I can't ping any device on network behind lan0(I have a static route setup on my router).
From my server I can ping my local tun0 address(10.0.0.1), but I can't ping client address(10.0.0.2).
Also I hope to get a reply soon,
Best regards and thanks for your help,
Bartek
Last edited by grabie2; 08-29-2013 at 06:26 PM.
Reason: Added info about ip_forward
Distribution: I prefer Debian, but every distro is OK
Posts: 12
Original Poster
Rep:
Thanks for reply.
Tap interfaces are not supported on non-rooted android devices(mine is rooted, but some other user's might not be), so I have to use tun interface.
Also, tap interface is for bridging, right? I don't want bridge, I want route incoming packets from and to VPN to and from local subnets.
If i get it right, you're saying that with tun interface kernel doesn't change packets coming through and that's exactly what I currently want.
I don't want to bridge all clients, cause I don't want them to 'hear' other clients, that's why I'm putting each client in different subnet.
The tun interface doesn't generate L2 header. That means that they can't communicate with physical interface.
I never try the case. The tun interface mix with tap interface. Using tap interface communicate with physical interface.
Distribution: I prefer Debian, but every distro is OK
Posts: 12
Original Poster
Rep:
okay.... I don't get it ?
Thanks for reply, tho
I don't want it to directly communicate with physical interface, I want Linux kernel to route incoming packets to appropriate interface.
If everyone id like 'use the tap interface instead', then what's the purpose of tun interface? specially in case where every client is in different subnet ?
You can do routed VPNs with a tap interface too, but that complicates the setup (I will say I find tap more reliable though) and as you said you need to use tun, looking over your configuration for the server I don't seethe client-to-client option enabled. From a sample config:
Quote:
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
If this option is not enabled then your server is behaving as should be expected.
Distribution: I prefer Debian, but every distro is OK
Posts: 12
Original Poster
Rep:
Thank you for reply, but I don't want connection between clients:
Quote:
What I'm trying to achieve ?
I'm trying to setup multi-client OpenVPN server with tun interface, certificate-based authentication, no ping between clients, access to few networks behind OpenVPN server.
Still I don't have any clue why server doesn't route the packets as he should.
Again for convenience of those who read thought the whole thread, here is my problem.
Quote:
What is my problem ?
From my client I can ping server's tun interface, I can't ping lan0(10.66.6.12) and wan0(10.10.10.1) and I can't ping any device on network behind lan0(I have a static route setup on my router).
From my server I can ping my local tun0 address(10.0.0.1), but I can't ping client address(10.0.0.2).
`ifconfig` takes "local end IP address" "remote end IP address"
`ifconfig-push` "remote end IP address(it's send to client" "remote client mask"
So, as the final thought, for those who have similar or even totally different problems with anything while learning something - don't ever blindly go through a tutorial and believe that what was in the tutorial has to be perfect(like I've done).
With that, I'm marking the thread as solved, many thanks to everyone who tried to help.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
