Old 03-23-2011, 01:27 AM   #1
precioso777
LQ Newbie
 
Registered: Mar 2011
Posts: 6

Rep: Reputation: 0
openvpn connected to Tap server.. but can't ping or access anything


Hello everyone.. I'm able to connect and get the client tap an IP address, but can't ping or do anything..

My server conf is (server IP is 192.168.0.40):

Code:
port 445
proto udp
dev tap
ca /etc/openvpn/key_server/openvpn_tap/ca.crt
cert /etc/openvpn/key_server/openvpn_tap/server_openvpn_tap.crt
key /etc/openvpn/key_server/openvpn_tap/server_openvpn_tap.key  # This file should be kept secret
dh /etc/openvpn/key_server/openvpn_tap/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.40 255.255.255.0 192.168.0.128 192.168.0.254
push "route 192.0.0.0 255.0.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

The client conf is:

Code:
client
dev tap
proto udp
remote ****** 50006 #port forwarding is set on the server router
resolv-retry infinite
nobind
script-security 2
ca    /etc/openvpn/keys_40_openvpn_tap/ca.crt
cert  /etc/openvpn/keys_40_openvpn_tap/client_40_openvpn_tap.crt
key   /etc/openvpn/keys_40_openvpn_tap/client_40_openvpn_tap.key
tls-client 
comp-lzo
verb 6

After connection the client gets the correct IP but can't ping:

Code:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:18:8b:68:f5:70 
          inet addr:192.168.35.10  Bcast:192.168.35.255  Mask:255.255.255.0
          inet6 addr: fe80::218:8bff:fe68:f570/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41871 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31774 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46451656 (44.2 MiB)  TX bytes:5216966 (4.9 MiB)
          Interrupt:16

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14221 (13.8 KiB)  TX bytes:14221 (13.8 KiB)

tap0      Link encap:Ethernet  HWaddr be:b2:9b:0a:b9:45 
          inet addr:192.168.0.129  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::bcb2:9bff:fe0a:b945/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:74 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:8005 (7.8 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.35.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     192.168.0.40    255.255.255.0   UG    0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
0.0.0.0         192.168.35.1    0.0.0.0         UG    0      0        0 eth0

Am I missing anything in the routing or iptables?

I don't think it's a firewall issue b/c I don't have any firewall enabled on either side.. when I try the similar configuration for tunneling instead of bridging I am able to ping from server to client..
The only thing to mention is that I am behind DSL routers on both sides and port forwarding is enabled and working on the server side.

Many thanks

Last edited by precioso777; 03-24-2011 at 03:07 AM.
 
Old 03-23-2011, 08:10 AM   #2
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
You have the server using TCP and the client using UDP, they will never connect like that. Did you post the wrong config files?

Code:
push "route 192.0.0.0 255.0.0.0"
That's probably wrong, do you really want to route traffic for part of Latin America over the VPN? If the public IP address of the server is in that range, that statement will result in a tunnel loop.

The default permit everything iptables policy is OK, but some distributions change that.

Try using tcpdump or Wireshark to see where the packets disappear.

Please provide the output of iptables-save, ifconfig, and route on both the client and server.
 
Old 03-23-2011, 01:08 PM   #3
precioso777
LQ Newbie
 
Registered: Mar 2011
Posts: 6

Original Poster
Rep: Reputation: 0
Sorry.. I have corrected that earlier but didn't update here.. now it says

push "route 192.168.0.0 255.255.255.0"

and the issue is still the same.

On the server.. this is the ifconfig and route:
Code:
# ifconfig
br0       Link encap:Ethernet  HWaddr 00:0b:db:ce:10:b1  
          inet addr:192.168.0.40  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20b:dbff:fece:10b1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1528425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1194058 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:801408736 (764.2 MiB)  TX bytes:1098242503 (1.0 GiB)

eth0      Link encap:Ethernet  HWaddr 00:0b:db:ce:10:b1  
          inet6 addr: fe80::20b:dbff:fece:10b1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4097590 errors:0 dropped:654 overruns:0 frame:0
          TX packets:3722922 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2594101651 (2.4 GiB)  TX bytes:2488096708 (2.3 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:204049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:204049 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:17084294 (16.2 MiB)  TX bytes:17084294 (16.2 MiB)

tap0      Link encap:Ethernet  HWaddr fe:e9:0e:5d:76:ef  
          inet6 addr: fe80::fce9:eff:fe5d:76ef/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:110026 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0

# iptables-save
# Generated by iptables-save v1.4.8 on Wed Mar 23 22:08:03 2011
*filter
:INPUT ACCEPT [134:48202]
:FORWARD ACCEPT [3:285]
:OUTPUT ACCEPT [128:19608]
-A INPUT -i tap+ -j ACCEPT 
-A FORWARD -i tap+ -j ACCEPT 
COMMIT
# Completed on Wed Mar 23 22:08:03 2011

And on the client:
Code:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:18:8b:68:f5:70  
          inet addr:192.168.35.10  Bcast:192.168.35.255  Mask:255.255.255.0
          inet6 addr: fe80::218:8bff:fe68:f570/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7396 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3069442 (2.9 MiB)  TX bytes:1425589 (1.3 MiB)
          Interrupt:16 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:128854 (125.8 KiB)  TX bytes:128854 (125.8 KiB)

tap0      Link encap:Ethernet  HWaddr 0a:30:8d:2c:d0:8e  
          inet addr:192.168.0.151  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::830:8dff:fe2c:d08e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:6437 (6.2 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.35.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     192.168.0.40    255.255.255.0   UG    0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
0.0.0.0         192.168.35.1    0.0.0.0         UG    0      0        0 eth0

# iptables-save
(no entries)

Will try the tcpdump and see if that gives any hints.

Many thanks
 
Old 03-23-2011, 06:54 PM   #4
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
Quote:
Originally Posted by precioso777
Sorry.. I have corrected that earlier but didn't update here.. now it says

push "route 192.168.0.0 255.255.255.0"

Get rid of that, it's at best redundant to route to a directly connected subnet.

Is tap0 really part of the bridge br0? What is the output of "brctl show" on the server?
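
The checks suggested in the replies so far (both ends on the same transport, and a pushed route that is neither broader than nor identical to the bridged subnet) written as a small script. This is an added example, not something posted in the thread: the config strings are constructed from the directives shown in post #1, `vpn.example.invalid` is a placeholder for the masked remote, and `parse`, `transport` and `check` are hypothetical helper names.

```python
import ipaddress

# Constructed from the thread's directives; vpn.example.invalid is a placeholder.
SERVER_CONF = '''port 445
proto udp
dev tap
server-bridge 192.168.0.40 255.255.255.0 192.168.0.128 192.168.0.254
push "route 192.0.0.0 255.0.0.0"
comp-lzo
'''
CLIENT_CONF = '''client
dev tap
proto udp
remote vpn.example.invalid 50006
comp-lzo
'''

def parse(conf):
    """Map each directive to the list of its argument lists."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(";"):
            continue
        name, *args = line.replace('"', " ").split()  # push "route a b" -> push route a b
        out.setdefault(name, []).append(args)
    return out

def transport(conf):
    """udp or tcp, ignoring -server/-client/6 suffixes (OpenVPN defaults to udp)."""
    return conf.get("proto", [["udp"]])[0][0][:3]

def check(server_conf, client_conf):
    s, c = parse(server_conf), parse(client_conf)
    findings = []
    if transport(s) != transport(c):
        findings.append(f"mismatch: proto server={transport(s)} client={transport(c)}")
    for key in ("dev", "comp-lzo"):
        if s.get(key) != c.get(key):
            findings.append(f"mismatch: {key} server={s.get(key)} client={c.get(key)}")
    port = s.get("port", [["1194"]])[0][0]
    for remote in c.get("remote", []):
        if len(remote) > 1 and remote[1] != port:
            findings.append(f"note: client dials port {remote[1]}, server listens on "
                            f"{port}; a port-forward has to map one to the other")
    bridge = s.get("server-bridge", [[]])[0]
    if len(bridge) == 4:
        gw, mask, start, end = bridge
        lan = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        for ip in (start, end):
            if ipaddress.ip_address(ip) not in lan:
                findings.append(f"pool address {ip} is outside bridged subnet {lan}")
        for args in s.get("push", []):
            if len(args) < 3 or args[0] != "route":
                continue
            route = ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False)
            if route == lan:
                findings.append(f"redundant: push route {route} is the bridged subnet")
            elif lan.subnet_of(route):
                findings.append(f"broader: push route {route} covers far more than {lan}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SERVER_CONF, CLIENT_CONF)))
```
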
 
Old 03-24-2011, 05:17 AM   #5
precioso777
LQ Newbie
 
Registered: Mar 2011
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Get rid of that, it's at best redundant to route to a directly connected subnet.

Removed already.. my routing table (as you mentioned, only one entry now for tap0) now looks like this:
Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.35.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
0.0.0.0         192.168.35.1    0.0.0.0         UG    0      0        0 eth0

And "brctl show" outputs the following:
Code:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000bdbce10b1       no              eth0
                                                        tap0
pan0            8000.000000000000       no

I tried running some tcpdump commands on eth0, br0 and tap0 but I'm not sure I know what I'm looking for anyways.. here they are.. while pinging from the client:

Code:
# tcpdump -n -i br0 host 208.109.104.205
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:06:01.773454 IP 208.109.104.205.54803 > 192.168.0.40.1194: UDP, length 77
15:06:02.772374 IP 208.109.104.205.54803 > 192.168.0.40.1194: UDP, length 77
15:06:03.769947 IP 208.109.104.205.22 > 192.168.0.40.42724: Flags [P.], seq 2541636656:2541636816, ack 4121844117, win 112, options [nop,nop,TS val 111101744 ecr 2780336], length 160
15:06:03.769971 IP 192.168.0.40.42724 > 208.109.104.205.22: Flags [.], ack 160, win 1002, options [nop,nop,TS val 2781336 ecr 111101744], length 0
15:06:03.771522 IP 208.109.104.205.22 > 192.168.0.40.42724: Flags [P.], seq 160:256, ack 1, win 112, options [nop,nop,TS val 111101744 ecr 2780336], length 96
15:06:03.771529 IP 192.168.0.40.42724 > 208.109.104.205.22: Flags [.], ack 256, win 1002, options [nop,nop,TS val 2781336 ecr 111101744], length 0
15:06:04.772206 IP 208.109.104.205.54803 > 192.168.0.40.1194: UDP, length 77
15:06:05.771922 IP 208.109.104.205.54803 > 192.168.0.40.1194: UDP, length 77
15:06:06.771393 IP 208.109.104.205.54803 > 192.168.0.40.1194: UDP, length 77
15:06:07.768562 IP 208.109.104.205.22 > 192.168.0.40.42724: Flags [P.], seq 256:480, ack 1, win 112, options [nop,nop,TS val 111102144 ecr 2781336], length 224
15:06:07.768589 IP 192.168.0.40.42724 > 208.109.104.205.22: Flags [.], ack 480, win 1002, options [nop,nop,TS val 2782335 ecr 111102144], length 0
15:06:07.773556 IP 192.168.0.40.42724 > 208.109.104.205.22: Flags [P.], seq 1:49, ack 480, win 1002, options [nop,nop,TS val 2782337 ecr 111102144], length 48
15:06:08.035412 IP 208.109.104.205.22 > 192.168.0.40.42724: Flags [P.], seq 480:528, ack 49, win 112, options [nop,nop,TS val 111102170 ecr 2782337], length 48
15:06:08.042044 IP 208.109.104.205.22 > 192.168.0.40.42724: Flags [P.], seq 528:608, ack 49, win 112, options [nop,nop,TS val 111102170 ecr 2782337], length 80
15:06:08.042058 IP 208.109.104.205.22 > 192.168.0.40.42724: Flags [P.], seq 608:736, ack 49, win 112, options [nop,nop,TS val 111102170 ecr 2782337], length 128
15:06:08.042151 IP 192.168.0.40.42724 > 208.109.104.205.22: Flags [.], ack 736, win 1002, options [nop,nop,TS val 2782404 ecr 111102170], length 0
15:06:08.304710 IP 208.109.104.205.22 > 192.168.0.40.42724: Flags [P.], seq 736:928, ack 49, win 112, options [nop,nop,TS val 111102197 ecr 2782404], length 192
15:06:08.341484 IP 192.168.0.40.42724 > 208.109.104.205.22: Flags [.], ack 928, win 1002, options [nop,nop,TS val 2782479 ecr 111102197], length 0
15:06:09.814608 IP 192.168.0.40.1194 > 208.109.104.205.54803: UDP, length 53

I'm seriously clueless at this stage.. saw many posts that instruct for iptables maneuvering.. not sure if that is the way out at this stage.

Many thanks

Last edited by precioso777; 03-24-2011 at 06:05 AM.
 
Old 03-24-2011, 10:22 AM   #6
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
Your ping packets are arriving encrypted at br0 on the server but do not arrive back there after being decrypted. Your SSH session is also visible.

Do you see traffic on tap0 on the server?
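
The reading of the capture given in this reply can be applied mechanically to `tcpdump -n` output from the bridge: count the encrypted tunnel packets, then look for any decrypted frame that mentions a VPN pool address. This is an added example, not code from the thread; port 1194 is the port visible in the posted capture, the pool range comes from the `server-bridge` line in post #1, the `WORKING` lines are constructed, and `classify` and `verdict` are hypothetical names.

```python
import ipaddress
import re

IP4 = r"\d+(?:\.\d+){3}"
# tcpdump -n IPv4 line: "<time> IP src[.port] > dst[.port]: <rest>"
LINE = re.compile(rf"^\S+ IP ({IP4})(?:\.(\d+))? > ({IP4})(?:\.(\d+))?: (.*)$")

# Three lines from the br0 capture in post #5 (the SSH line is abridged).
POSTED = [
    "15:06:01.773454 IP 208.109.104.205.54803 > 192.168.0.40.1194: UDP, length 77",
    "15:06:03.769971 IP 192.168.0.40.42724 > 208.109.104.205.22: Flags [.], ack 160, win 1002, length 0",
    "15:06:09.814608 IP 192.168.0.40.1194 > 208.109.104.205.54803: UDP, length 53",
]
# Constructed lines: what a working bridge would additionally show for a client address.
WORKING = POSTED + [
    "15:06:01.774101 ARP, Request who-has 192.168.0.40 tell 192.168.0.151, length 28",
    "15:06:01.774530 IP 192.168.0.151 > 192.168.0.40: ICMP echo request, id 1, seq 1, length 64",
]

def classify(lines, server_ip, vpn_port, pool_start, pool_end):
    """Count encrypted tunnel packets versus decrypted frames for VPN pool addresses."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in (pool_start, pool_end))

    def in_pool(text):
        try:
            return lo <= int(ipaddress.ip_address(text)) <= hi
        except ValueError:            # four dotted numbers that are not a valid address
            return False

    counts = {"tunnel_in": 0, "tunnel_out": 0, "inner": 0, "other": 0}
    for line in lines:
        m = LINE.match(line.strip())
        src, sport, dst, dport, rest = m.groups() if m else (None, None, None, None, "")
        udp = rest.startswith("UDP")
        if udp and dst == server_ip and dport == str(vpn_port):
            counts["tunnel_in"] += 1
        elif udp and src == server_ip and sport == str(vpn_port):
            counts["tunnel_out"] += 1
        elif any(in_pool(ip) for ip in re.findall(IP4, line)):
            counts["inner"] += 1      # ARP, ICMP, etc. to or from a VPN client address
        else:
            counts["other"] += 1
    return counts

def verdict(c):
    if c["inner"]:
        return "decrypted client frames are on the bridge"
    if c["tunnel_in"]:
        return "tunnel packets arrive, but no decrypted frames for pool addresses appear"
    return "no tunnel traffic seen on this interface"

if __name__ == "__main__":
    for name, cap in (("posted", POSTED), ("working", WORKING)):
        print(name, verdict(classify(cap, "192.168.0.40", 1194, "192.168.0.128", "192.168.0.254")))
```
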
 
Old 03-24-2011, 03:51 PM   #7
precioso777
LQ Newbie
 
Registered: Mar 2011
Posts: 6

Original Poster
Rep: Reputation: 0
Thx for your help Timothy.. by the way, what is the difference between "ns-cert-type server" & "tls-client"?

I found some interesting entries in the log that might help:
Code:
tls_server = ENABLED
tls_client = DISABLED

Thu Mar 24 23:54:41 2011 us=707351 92.97.4.40:55327 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Mar 24 23:54:41 2011 us=707377 92.97.4.40:55327 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Mar 24 23:54:41 2011 us=707437 92.97.4.40:55327 

Fri Mar 25 00:04:39 2011 us=121209 client_40_openvpn_tap/92.97.4.40:49762 UDPv4 READ [53] from [AF_INET]92.97.4.40:49762: P_DATA_V1 kid=0 DATA len=52
Fri Mar 25 00:04:39 2011 us=121237 client_40_openvpn_tap/92.97.4.40:49762 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]92.97.4.40:49762
Fri Mar 25 00:04:39 2011 us=121281 client_40_openvpn_tap/92.97.4.40:49762 RECEIVED PING PACKET
Fri Mar 25 00:04:39 2011 us=121308 client_40_openvpn_tap/92.97.4.40:49762 TLS: tls_pre_encrypt: key_id=0
Fri Mar 25 00:04:39 2011 us=121346 client_40_openvpn_tap/92.97.4.40:49762 SENT PING
Fri Mar 25 00:04:39 2011 us=121387 client_40_openvpn_tap/92.97.4.40:49762 UDPv4 WRITE [53] to [AF_INET]92.97.4.40:49762: P_DATA_V1 kid=0 DATA len=52

Fri Mar 25 00:05:40 2011 us=617199 GET INST BY REAL: :49762 [failed]

And tap0 had the following output:
Code:
# tcpdump -n -i tap0
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:45:14.691609 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1e:c1:91:e9:e0.8028, length 43
00:45:14.775455 IP 192.168.0.25.5353 > 224.0.0.251.5353: 0 [3q] A (QM)? NASC6A58A.local. SRV (QM)? NASC6A58A(FTP)._ftp._tcp.local. SRV (QM)? NASC6A58A._http._tcp.local. (86)
00:45:14.775651 IP 192.168.0.50.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/3 (Cache flush) A 192.168.0.50, (Cache flush) SRV NASC6A58A.local.:8080 0 0, (Cache flush) SRV NASC6A58A.local.:21 0 0 (183)
00:45:16.681555 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1e:c1:91:e9:e0.8028, length 43
00:45:17.162745 IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:17.837320 IP 192.168.0.1 > 224.0.0.1: igmp query v2
00:45:17.874880 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:17.877723 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:18.162897 (NOV-ETHII) IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:18.573482 IP 192.168.0.40 > 224.0.0.251: igmp v2 report 224.0.0.251
00:45:18.624875 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:18.626712 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:18.678036 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1e:c1:91:e9:e0.8028, length 43
00:45:19.162928 (NOV-ETHII) IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:19.277372 IP 192.168.0.1 > 224.0.0.1: igmp query v2
00:45:19.374823 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:19.376700 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:20.129857 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:20.162778 IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:20.672238 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1e:c1:91:e9:e0.8028, length 43
00:45:20.879624 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:21.163062 IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:21.629680 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:22.162975 (NOV-ETHII) IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:22.383700 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:22.667564 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1e:c1:91:e9:e0.8028, length 43
00:45:23.133551 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:23.162930 (NOV-ETHII) IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:23.883539 IP 192.168.0.82.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:45:24.163107 IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:24.655278 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1e:c1:91:e9:e0.8028, length 43
00:45:25.163126 IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:26.162991 (NOV-ETHII) IPX 00000000.00:00:74:b5:80:14.4100 > 00000000.ff:ff:ff:ff:ff:ff.0452: ipx-sap-nearest-req 0004
00:45:26.325479 IP 192.168.0.40 > 224.0.0.251: igmp v2 report 224.0.0.251

Should I be using "ns-cert-type server" or "tls-client"?

I tried all the combinations.. removing all tls-client & tls-server from both client and server and ns-cert-type, or adding ns-cert-type only, and also tried having only tls-client and tls-server in their respective places..

I have attached some excerpts of the server and client log with verb 9.

Many thanks
Attached Files
File Type: txt server_openvpn_tap.txt (253.8 KB, 119 views)
File Type: txt client_40_openvpn.txt (234.8 KB, 58 views)

Last edited by precioso777; 03-25-2011 at 03:22 AM.
 
Old 03-26-2011, 03:13 AM   #8
precioso777
LQ Newbie
 
Registered: Mar 2011
Posts: 6

Original Poster
Rep: Reputation: 0
Timothy.. many thanks for your help. I figured out that the issue was related to TLS or certificates, so I must have done something wrong somewhere..

I re-did the certificates from scratch and followed the example in this tutorial http://www.cryptolife.org/index.php/...ged_mode_howto
and managed to get it working..

One thing to point out is that server-bridge in that example points to the router and not the VPN server.. anyways.. it works

Regards
 
  

