[SOLVED] Client connected to the OpenVPN server, but can't see the internal network
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
# ping 172.20.1.18
PING 172.20.1.18 (172.20.1.18) 56(84) bytes of data.
64 bytes from 172.20.1.18: icmp_seq=1 ttl=63 time=1.10 ms
64 bytes from 172.20.1.18: icmp_seq=2 ttl=63 time=0.954 ms
64 bytes from 172.20.1.18: icmp_seq=3 ttl=63 time=1.21 ms
^C
--- 172.20.1.18 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2054ms
rtt min/avg/max/mdev = 0.954/1.089/1.214/0.106 ms
I want to connect a Windows client to this server so that it can see my internal network. My OpenVPN server configuration file is:
Code:
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.20.1.0 255.255.0.0"
push "dhcp-option DNS 172.20.1.2" # My internal network DNS server IP
push "redirect-gateway autolocal"
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
On the OpenVPN server I added iptables rules as well. My client configuration file is:
Code:
dev tun
proto udp
remote 192.168.1.20 1194
route add 172.20.1.0 255.255.0.0
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
data-ciphers AES-256-CBC
verb 3
When I connected to the OpenVPN server, I got the following messages:
Code:
Sun Jul 30 16:25:01 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sun Jul 30 16:25:01 2023 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
Sun Jul 30 16:25:01 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Sun Jul 30 16:25:01 2023 Windows version 6.1 (Windows 7), amd64 executable
Sun Jul 30 16:25:01 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Sun Jul 30 16:25:01 2023 DCO version: v0
Sun Jul 30 16:25:01 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Jul 30 16:25:01 2023 Need hold release from management interface, waiting...
Sun Jul 30 16:25:01 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1095
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'state on'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'log on all'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'echo on all'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'bytecount 5'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'state'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'hold off'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'hold release'
Sun Jul 30 16:25:02 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jul 30 16:25:02 2023 UDPv4 link local: (not bound)
Sun Jul 30 16:25:02 2023 UDPv4 link remote: [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,WAIT,,,,,,
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,AUTH,,,,,,
Sun Jul 30 16:25:02 2023 TLS: Initial packet from [AF_INET]192.168.1.20:1194, sid=859b58ea 7fe7a961
Sun Jul 30 16:25:02 2023 VERIFY OK: depth=1, CN=Server
Sun Jul 30 16:25:02 2023 VERIFY KU OK
Sun Jul 30 16:25:02 2023 Validating certificate extended key usage
Sun Jul 30 16:25:02 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 30 16:25:02 2023 VERIFY EKU OK
Sun Jul 30 16:25:02 2023 VERIFY OK: depth=0, CN=server
Sun Jul 30 16:25:02 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jul 30 16:25:02 2023 [server] Peer Connection Initiated with [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Jul 30 16:25:02 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Jul 30 16:25:02 2023 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 172.20.1.0 255.255.0.0,dhcp-option DNS 172.20.1.2,dhcp-option DNS 172.20.1.7,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: route options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: tun-mtu set to 1500
Sun Jul 30 16:25:02 2023 interactive service msg_channel=312
Sun Jul 30 16:25:02 2023 open_tun
Sun Jul 30 16:25:02 2023 tap-windows6 device [OpenVPN TAP-Windows6] opened
Sun Jul 30 16:25:02 2023 TAP-Windows Driver Version 9.24
Sun Jul 30 16:25:02 2023 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {6A2BF0FA-B68E-4062-9447-B078773E36FD} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Jul 30 16:25:02 2023 Successful ARP Flush on interface [15] {6A2BF0FA-B68E-4062-9447-B078773E36FD}
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,ASSIGN_IP,,10.8.0.6,,,,
Sun Jul 30 16:25:02 2023 IPv4 MTU set to 1500 on interface 15 using service
Sun Jul 30 16:25:02 2023 Data Channel: cipher 'AES-256-CBC', auth 'SHA1', peer-id: 1
Sun Jul 30 16:25:02 2023 Timers: ping 10, ping-restart 120
Sun Jul 30 16:25:02 2023 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Sun Jul 30 16:25:07 2023 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 192.168.1.20 MASK 255.255.255.255 192.168.1.20 IF 11
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 MANAGEMENT: >STATE:1690718107,ADD_ROUTES,,,,,,
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 172.20.1.0 MASK 255.255.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 ERROR: route addition failed using service: The parameter is incorrect. [status=87 if_index=15]
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 172.20.1.0 MASK 255.255.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 ERROR: route addition failed using service: The parameter is incorrect. [status=87 if_index=15]
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 Initialization Sequence Completed
Sun Jul 30 16:25:07 2023 MANAGEMENT: >STATE:1690718107,CONNECTED,ROUTE_ERROR,10.8.0.6,192.168.1.20,1194,,
Sun Jul 30 16:25:07 2023 ERROR: Some routes were not successfully added. The connection may not function correctly
Hello,
I think it's because my OpenVPN server has two NICs. I can ping the targets with their IP addresses, but not their names. I added the following lines in the client file and I can ping the targets by their names too:
Code:
route 172.20.1.0 255.255.255.0
push "dhcp-option dns Your_DNS_Server_IP"
dhcp-option DOMAIN Your_Domain
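The Windows "route addition failed ... The parameter is incorrect. [status=87 ...]" lines in the log above and the /24 mask in the follow-up point at the same thing: 172.20.1.0 with mask 255.255.0.0 is not a network address (the /16 boundary is 172.20.0.0), and Windows refuses such a route where Linux may quietly accept it. The following is an added checker, my own code and not part of this thread or of OpenVPN, that runs that boundary test over every `route` and `push "route"` directive of a config file; the sample config is constructed from the directives in this thread (the pushed /16 route, the client's `route add` line, and the corrected /24 route).

```python
import ipaddress
import shlex

# Constructed sample mirroring the directives discussed in the thread.
SAMPLE_CONFIG = """\
server 10.8.0.0 255.255.255.0
push "route 172.20.1.0 255.255.0.0"
route add 172.20.1.0 255.255.0.0
route 172.20.1.0 255.255.255.0
push "redirect-gateway autolocal"
"""


def _route_args(line):
    """Return the argument list of a route directive (unwrapping push "..."),
    or None when the line is not a route directive at all."""
    line = line.split("#", 1)[0].strip()  # drop comments and blank lines
    tokens = shlex.split(line) if line else []
    if tokens and tokens[0] == "push":  # push "route ..." -> route ...
        tokens = " ".join(tokens[1:]).split()
    if not tokens or tokens[0] != "route":
        return None
    return tokens[1:]


def check_route(args):
    """Validate the network/netmask pair of one route directive.
    Returns a problem description, or None when the route is well formed.
    Offline check: a hostname as network is reported like the stray 'add'."""
    if not args:
        return "route needs at least a network address"
    network, netmask = args[0], (args[1] if len(args) > 1 else "255.255.255.255")
    try:
        addr = ipaddress.IPv4Address(network)
    except ValueError:
        return f"'{network}' is not an IPv4 address (syntax is 'route <net> <mask>')"
    try:
        net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)
    except ValueError:
        return f"'{netmask}' is not a valid netmask"
    if net.network_address != addr:  # host bits set: Windows rejects this route
        return f"{network}/{netmask} has host bits set; boundary is {net.network_address}"
    return None


def check_config(text):
    """Return (line_number, problem) for every malformed route directive."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        args = _route_args(line)
        if args is not None and (problem := check_route(args)):
            problems.append((lineno, problem))
    return problems


if __name__ == "__main__":
    for lineno, problem in check_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {problem}")
```

Run it against a real server.conf or client.ovpn before deploying; a route that fails here is one the Windows client will refuse, regardless of what the Linux side accepted.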
Based on your last update I'm assuming that all is well!?
I'm curious if you also browse each of the clients via Windows Explorer when connected to the VPN (are you still seeing any errors at all?). See the following; it's a cut-down version of the contents of my /etc/sysconfig/iptables file, with only the bits applicable to you remaining:
Code:
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun 3 08:17:36 2023
*mangle
:PREROUTING ACCEPT [25625:604582999]
:INPUT ACCEPT [25625:604582999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22186:620942369]
:POSTROUTING ACCEPT [22186:620942369]
COMMIT
# Completed on Sat Jun 3 08:17:36 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun 3 08:17:36 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Jun 3 08:17:36 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun 3 08:17:36 2023
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -s 192.168.1.0/28 --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.60.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.50.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/28 --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp -s 10.60.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp -s 10.50.0.0/29 --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/28 --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.60.0.0/29 --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.50.0.0/29 --dport 445 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/28 --dport 445 -j ACCEPT
-A INPUT -p udp -m udp -s 10.60.0.0/29 --dport 445 -j ACCEPT
-A INPUT -p udp -m udp -s 10.50.0.0/29 --dport 445 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i enp3s0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i enp3s0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jun 3 08:17:36 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Jun 3 08:17:36 2023
*nat
:PREROUTING ACCEPT [5:260]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [338:21675]
:POSTROUTING ACCEPT [338:21675]
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
# Completed on Sat Jun 3 08:17:36 2023
In relation to the above:
- I have added my routes to my router
- Port 1194 is the OpenVPN port
- I only have 1 NIC installed - enp3s0
- My VPN Network range is 10.60.0.0/29
- My Internal Network is 192.168.1.0
- The above allows me to ping all clients on the network when connected and, more importantly for me, browse them all via Windows Explorer. By default I could initially only browse the server itself (as you can see, I enabled the SMB ports and installed Samba on the server as well).