Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 790
  • Last Modified:

OpenVPN not able to connect to Internal Subnet

Hi Guys,

I'm currently having a problem with an OpenVPN server im trying to setup, We have  10 remote workers who I need to be able to access a webpage on our internal network, no complicated configurations.

I have set-up a Cent OS 6 Server and installed OpevnVPN from the website guide.

We have a dedicated broadband line for this server and we have a Windows SBS network.

External Server IP Example : 123.123.123.123
Internal Server IP : 10.10.8.22 (SBS network 10.10.8.0/255.255.255.0
VPN Client Range: 10.66.4.0

I have setup the following config on the server

 
#OpenVPN Server Config
proto udp
port 1194
dev tun0
server 10.66.4.0 255.255.255.0
push "route 10.10.8.0 255.255.255.0"
local 123.123.123.123
tun-mtu 1500
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
client-to-client
keepalive 10 60
status-version 1
status openvpn-status.log
cipher BF-CBC
max-clients 100
persist-key
persist-tun
verb 3
log-append  openvpn.log

Open in new window


I have then setup the following config on the client.

 
client
dev tun
proto udp

tun-mtu 1500
#Change my.publicdomain.com to your public domain or IP address
remote 123.123.123.123 1194

resolv-retry infinite
nobind
persist-key
persist-tun


ca ca.crt
cert client1.crt
key client1.key

ns-cert-type server



#comp-lzo

verb 3

Open in new window



When i ping 10.66.4.1   i get a reply, and i can ssh into the server and view the default page of the OpenVPN server.
When i ping 10.10.8.64 (the web server) i get no reply and cannot access anything within the subnet


here is the logs from the server.

 
##openvpn.log

Thu Sep 29 12:00:04 2011 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Thu Sep 29 12:00:04 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 29 12:00:04 2011 Diffie-Hellman initialized with 1024 bit key
Thu Sep 29 12:00:04 2011 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 29 12:00:04 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
Thu Sep 29 12:00:04 2011 ROUTE default_gateway=10.10.8.1
Thu Sep 29 12:00:04 2011 TUN/TAP device tun0 opened
Thu Sep 29 12:00:04 2011 TUN/TAP TX queue length set to 100
Thu Sep 29 12:00:04 2011 /sbin/ip link set dev tun0 up mtu 1500
Thu Sep 29 12:00:04 2011 /sbin/ip addr add dev tun0 local 10.66.4.1 peer 10.66.4.2
Thu Sep 29 12:00:04 2011 /sbin/ip route add 10.66.4.0/24 via 10.66.4.2
Thu Sep 29 12:00:04 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Sep 29 12:00:04 2011 UDPv4 link local (bound): 123.123.123.123:1194
Thu Sep 29 12:00:04 2011 UDPv4 link remote: [undef]
Thu Sep 29 12:00:04 2011 MULTI: multi_init called, r=256 v=256
Thu Sep 29 12:00:04 2011 IFCONFIG POOL: base=10.66.4.4 size=62
Thu Sep 29 12:00:04 2011 Initialization Sequence Completed

Open in new window



here are the logs from the client.
 
Thu Sep 29 12:00:44 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Thu Sep 29 12:00:44 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 29 12:00:44 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 29 12:00:44 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Sep 29 12:00:44 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Sep 29 12:00:44 2011 Local Options hash (VER=V4): '3514370b'
Thu Sep 29 12:00:44 2011 Expected Remote Options hash (VER=V4): '239669a8'
Thu Sep 29 12:00:44 2011 UDPv4 link local: [undef]
Thu Sep 29 12:00:44 2011 UDPv4 link remote: 123.123.123.123:1194
Thu Sep 29 12:00:44 2011 TLS: Initial packet from 123.123.123.123:1194, sid=9b1491fe ebb41df6
Thu Sep 29 12:00:44 2011 VERIFY OK: depth=1, /C=GB/ST=EN/L=Staffordshire/O=Resolveit/OU=Resolveit/CN=Resolveit-VPN-CA/name=Resolveit-VPN/emailAddress=support@resolveit.co.uk
Thu Sep 29 12:00:44 2011 VERIFY OK: nsCertType=SERVER
Thu Sep 29 12:00:44 2011 VERIFY OK: depth=0, /C=GB/ST=EN/L=Staffordshire/O=Resolveit/OU=Resolveit/CN=mviron-ca/name=Resolveit-VPN/emailAddress=support@resolveit.co.uk
Thu Sep 29 12:00:44 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 29 12:00:44 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 29 12:00:44 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 29 12:00:44 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 29 12:00:44 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 29 12:00:44 2011 [mviron-ca] Peer Connection Initiated with 123.123.123.123:1194
Thu Sep 29 12:00:46 2011 SENT CONTROL [mviron-ca]: 'PUSH_REQUEST' (status=1)
Thu Sep 29 12:00:46 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.10.8.0 255.255.255.0,route 10.66.4.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.66.4.6 10.66.4.5'
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: route options modified
Thu Sep 29 12:00:46 2011 ROUTE default_gateway=192.168.2.1
Thu Sep 29 12:00:46 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{6D5887F4-51BE-4080-B5B0-F2E5464AEBCB}.tap
Thu Sep 29 12:00:46 2011 TAP-Win32 Driver Version 9.8 
Thu Sep 29 12:00:46 2011 TAP-Win32 MTU=1500
Thu Sep 29 12:00:46 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.66.4.6/255.255.255.252 on interface {6D5887F4-51BE-4080-B5B0-F2E5464AEBCB} [DHCP-serv: 10.66.4.5, lease-time: 31536000]
Thu Sep 29 12:00:46 2011 Successful ARP Flush on interface [4] {6D5887F4-51BE-4080-B5B0-F2E5464AEBCB}
Thu Sep 29 12:00:52 2011 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Sep 29 12:00:52 2011 C:\WINDOWS\system32\route.exe ADD 10.10.8.0 MASK 255.255.255.0 10.66.4.5
Thu Sep 29 12:00:52 2011 Route addition via IPAPI succeeded [adaptive]
Thu Sep 29 12:00:52 2011 C:\WINDOWS\system32\route.exe ADD 10.66.4.0 MASK 255.255.255.0 10.66.4.5
Thu Sep 29 12:00:52 2011 Route addition via IPAPI succeeded [adaptive]
Thu Sep 29 12:00:52 2011 Initialization Sequence Completed

Open in new window


I have been googling for 3 days and cannot come up with an answer,im hoping someone could help.

Regards
Ben
0
Benji_
Asked:
Benji_
  • 4
  • 3
2 Solutions
 
kode99Commented:
The settings look alright and since the VPN is working it is not likely any kind of firewall issue.  Probably double check that on the web server just to be sure though.

My guess is you do not have a return route setup so the web server does not know how to send the packets back through the vpn.  So the ping hits the web server but the reply is sent to the default gateway which just drops it cause it does not know where to send it.

You can put a route on your networks gateway that will send vpn subnet traffic to the vpn server so the packets can get back to the remote clients.  It can also be added directly to the route table on the server but will only work for that one system vs the whole subnet if on the gateway.

0
 
Benji_Author Commented:
Hi,

Thanks for your reply, I have confirmed that the OpenVPN server can ping back to the client and they can transfer information between each other, just not on the 10.10.8.x subnet.

Regards
Ben
0
 
simplejackCommented:
is

cat /proc/sys/net/ipv4/ip_forward 

Open in new window


return 1?

and show your fw rules if any
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
Benji_Author Commented:
Hi

The output on the command is 1

the results below from iptables -L

 
[root@vpnfirewall etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTAB
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:s
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vpnfirewall etc]# iptables -A FORWARD -i eth1 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -o eth1 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -i eth0 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -o eth0 -j ACCEPT
[root@vpnfirewall etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTAB
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:s
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Open in new window

0
 
simplejackCommented:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

Open in new window


the problem is here. You are rejecting forwarding of all packets which aren't directed to your vpn gw host.
0
 
Benji_Author Commented:
Hi,

How would i resolve this, iptables is a new entity to me?

Regards
Ben
0
 
simplejackCommented:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Open in new window


it will flush all rules and allow everything, setting up iptables is a different topic :)
0
 
Benji_Author Commented:
Hi,

Thanks for that, i'm not particully bothered about iptables at all as long as it works!.

I have executed that command, and i get the following output, i have even tried rebooting still the same.

Thanks
Ben

 
[root@vpnfirewall ~]# iptables -F
[root@vpnfirewall ~]# iptables -X
[root@vpnfirewall ~]# iptables -t nat -F
[root@vpnfirewall ~]# iptables -t nat -X
[root@vpnfirewall ~]# iptables -t mangle -F
[root@vpnfirewall ~]# iptables -t mangle -X
[root@vpnfirewall ~]# iptables -P INPUT ACCEPT
[root@vpnfirewall ~]# iptables -P FORWARD ACCEPT
[root@vpnfirewall ~]# iptables -P OUTPUT ACCEPT
[root@vpnfirewall ~]#
[root@vpnfirewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vpnfirewall ~]# iptables -l
iptables v1.4.7: option `-l' requires an argument
Try `iptables -h' or 'iptables --help' for more information.
[root@vpnfirewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vpnfirewall ~]#

Open in new window

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now