Hi,
I've set up a TLS enabled OpenVPN server according to
https://wiki.debian.org/OpenVPN
Connection to the VPN seems fine.
I can ping external websites from the VPN server but can't ping from the client when connected to the VPN server.
I've googled all I can and see plenty of other people with a similar issue, but the answers just don't work for me. Any help would be greatly appreciated and would save me yet more hair loss, which I really can't afford.
Server is Debian 7.
Here's the config:
Server (IP: XX.XXX.XX.90)
=============================
Code:
server_name:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.9.8.2 * 255.255.255.255 UH 0 0 0 tun0
XX.XXX.XX.88 * 255.255.255.248 U 0 0 0 eth0
10.9.8.0 10.9.8.2 255.255.255.0 UG 0 0 0 tun0
default XX.XXX.XX.89 0.0.0.0 UG 0 0 0 eth0
server_name:~#
Code:
server_name:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:73:2b:bc
inet addr:XX.XXX.XX.90 Bcast:XX.XXX.XX.95 Mask:255.255.255.248
inet6 addr: fe80::216:3eff:fe73:2bbc/64 Scope:Link
inet6 addr: 2a01:7b8:2011:dc3b::7a9:adab/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1149 errors:0 dropped:0 overruns:0 frame:0
TX packets:707 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:108363 (105.8 KiB) TX bytes:120686 (117.8 KiB)
Interrupt:8
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.9.8.1 P-t-P:10.9.8.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Code:
server_name:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.9.8.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Code:
server_name:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.9.8.0/24 anywhere
Code:
server_name:~# sysctl -a | grep ip_forw
net.ipv4.ip_forward = 1
Code:
server_name:~# cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # keep secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.9.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo # Compression - must be turned on at both end
persist-key
persist-tun
status log/openvpn-status.log
verb 3 # verbose mode
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 10.9.8.1"
Client
===================
Code:
pollypock@hairymachine:~/.ssh$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.9.8.5 0.0.0.0 UG 0 0 0 tun0
10.9.8.0 10.9.8.5 255.255.255.0 UG 0 0 0 tun0
10.9.8.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
XX.XXX.XX.90 192.168.55.1 255.255.255.255 UGH 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.55.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
pollypock@hairymachine:~/.ssh$
Code:
pollypock@hairymachine:~/.ssh$ ifconfig
eth0 Link encap:Ethernet HWaddr 1c:6f:65:32:98:ac
inet addr:192.168.55.10 Bcast:192.168.55.255 Mask:255.255.255.0
inet6 addr: fe80::1e6f:65ff:fe32:98ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3974105 errors:0 dropped:0 overruns:0 frame:0
TX packets:3259731 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3306742028 (3.3 GB) TX bytes:545087419 (545.0 MB)
Interrupt:48
eth1 Link encap:Ethernet HWaddr 1c:6f:65:32:98:bc
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:49 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
TX packets:5108 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:471103 (471.1 KB) TX bytes:471103 (471.1 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.9.8.6 P-t-P:10.9.8.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:2 overruns:0 frame:0
TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:3603 (3.6 KB)
virbr0 Link encap:Ethernet HWaddr aa:fc:e5:5e:e4:1b
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Code:
pollypock@hairymachine:~/.ssh$ sudo iptables -L
[sudo] password for pollypock:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
pollypock@hairymachine:~/.ssh$
Code:
cat /etc/NetworkManager/system-connections/MyVPN
[connection]
id=VPNServer VPN
uuid=b7a443d7-9a13-46c8-a022-ae13fb2313a2
type=vpn
permissions=user:pollypock:;
autoconnect=false
timestamp=1385938024
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=XX.XXX.XX.90
comp-lzo=yes
proto-tcp=no
tap-dev=no
cert-pass-flags=2
mssfix=no
ca=/etc/openvpn/easy-rsa/keys/ca.crt
cert=/etc/openvpn/easy-rsa/keys/pollypock.crt
key=/etc/openvpn/easy-rsa/keys/pollypock.key
redirect-gateway def1
[ipv6]
method=ignore
[ipv4]
method=auto
Code:
pollypock@hairymachine:~/.ssh$ ping 10.9.8.6
PING 10.9.8.6 (10.9.8.6) 56(84) bytes of data.
64 bytes from 10.9.8.6: icmp_req=1 ttl=64 time=0.052 ms
64 bytes from 10.9.8.6: icmp_req=2 ttl=64 time=0.034 ms
^C
--- 10.9.8.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.034/0.043/0.052/0.009 ms
pollypock@hairymachine:~/.ssh$
Code:
pollypock@hairymachine:~/.ssh$ ping XX.XXX.XX.90
PING tagadab (XX.XXX.XX.90) 56(84) bytes of data.
64 bytes from tagadab (XX.XXX.XX.90): icmp_req=1 ttl=49 time=20.4 ms
64 bytes from tagadab (XX.XXX.XX.90): icmp_req=2 ttl=49 time=21.3 ms
64 bytes from tagadab (XX.XXX.XX.90): icmp_req=3 ttl=49 time=21.7 ms
^C
--- tagadab ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 20.426/21.161/21.704/0.552 ms
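An added check, not part of the original post, that parses the server-side `iptables -L`, `iptables -L -t nat` and `sysctl` output quoted above and reports whether the prerequisites for a server that pushes `redirect-gateway` are in place (ip_forward on, FORWARD admitting the VPN subnet and its return traffic, MASQUERADE for the subnet). The sample inputs are constructed copies of the posted output and the 10.9.8.0/24 subnet is taken from the posted server.conf.

```python
import re

# Constructed copies of the server-side outputs quoted in the post above,
# embedded here as sample input so the check runs offline.
IPTABLES_FILTER = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.9.8.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""
IPTABLES_NAT = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.9.8.0/24 anywhere
"""
SYSCTL = "net.ipv4.ip_forward = 1\n"

def chain_rules(listing, chain):
    """Return (policy, rules) for one chain of `iptables -L` output; rules are token lists."""
    policy, rules, current = None, [], None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            if current == chain:
                policy = m.group(2)
            continue
        if current == chain and line and not line.startswith("target"):
            rules.append(line.split())  # [target, prot, opt, source, destination, ...]
    return policy, rules

def check_vpn_gateway(filter_out, nat_out, sysctl_out, vpn_net="10.9.8.0/24"):
    """Check the server-side prerequisites for clients that were pushed redirect-gateway."""
    fwd_policy, fwd = chain_rules(filter_out, "FORWARD")
    _, post = chain_rules(nat_out, "POSTROUTING")
    # Forwarding out of the tunnel passes if the chain policy is ACCEPT or a rule admits the subnet.
    forward_ok = fwd_policy == "ACCEPT" or any(r[0] == "ACCEPT" and r[3] == vpn_net for r in fwd)
    # Replies coming back need the ACCEPT policy or a RELATED,ESTABLISHED rule.
    back_ok = fwd_policy == "ACCEPT" or any(r[0] == "ACCEPT" and "RELATED,ESTABLISHED" in r for r in fwd)
    masq_ok = any(r[0] == "MASQUERADE" and r[3] == vpn_net for r in post)
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out)
    return {"ip_forward": bool(m and m.group(1) == "1"),
            "forward_from_vpn": forward_ok, "forward_return": back_ok,
            "masquerade": masq_ok}
```

On the posted output every check passes, which narrows the problem to something the server's forwarding and NAT setup does not explain.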