Solved

OpenVPN not able to connect to Internal Subnet

Posted on 2011-09-29
734 Views
Last Modified: 2013-11-08
Hi Guys,

I'm currently having a problem with an OpenVPN server I'm trying to set up. We have 10 remote workers who need to be able to access a web page on our internal network; no complicated configurations.

I have set up a CentOS 6 server and installed OpenVPN from the website guide.

We have a dedicated broadband line for this server and we have a Windows SBS network.

External Server IP Example : 123.123.123.123
Internal Server IP : 10.10.8.22 (SBS network 10.10.8.0/255.255.255.0)
VPN Client Range: 10.66.4.0

I have setup the following config on the server

#OpenVPN Server Config
proto udp
port 1194
dev tun0
server 10.66.4.0 255.255.255.0
push "route 10.10.8.0 255.255.255.0"
local 123.123.123.123
tun-mtu 1500
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
client-to-client
keepalive 10 60
status-version 1
status openvpn-status.log
cipher BF-CBC
max-clients 100
persist-key
persist-tun
verb 3
log-append  openvpn.log

I have then setup the following config on the client.

client
dev tun
proto udp

tun-mtu 1500
#Change my.publicdomain.com to your public domain or IP address
remote 123.123.123.123 1194

resolv-retry infinite
nobind
persist-key
persist-tun


ca ca.crt
cert client1.crt
key client1.key

ns-cert-type server



#comp-lzo

verb 3


When I ping 10.66.4.1 I get a reply, and I can SSH into the server and view the default page of the OpenVPN server.
When I ping 10.10.8.64 (the web server) I get no reply and cannot access anything within the subnet.


Here are the logs from the server.

##openvpn.log

Thu Sep 29 12:00:04 2011 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Thu Sep 29 12:00:04 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 29 12:00:04 2011 Diffie-Hellman initialized with 1024 bit key
Thu Sep 29 12:00:04 2011 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 29 12:00:04 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
Thu Sep 29 12:00:04 2011 ROUTE default_gateway=10.10.8.1
Thu Sep 29 12:00:04 2011 TUN/TAP device tun0 opened
Thu Sep 29 12:00:04 2011 TUN/TAP TX queue length set to 100
Thu Sep 29 12:00:04 2011 /sbin/ip link set dev tun0 up mtu 1500
Thu Sep 29 12:00:04 2011 /sbin/ip addr add dev tun0 local 10.66.4.1 peer 10.66.4.2
Thu Sep 29 12:00:04 2011 /sbin/ip route add 10.66.4.0/24 via 10.66.4.2
Thu Sep 29 12:00:04 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Sep 29 12:00:04 2011 UDPv4 link local (bound): 123.123.123.123:1194
Thu Sep 29 12:00:04 2011 UDPv4 link remote: [undef]
Thu Sep 29 12:00:04 2011 MULTI: multi_init called, r=256 v=256
Thu Sep 29 12:00:04 2011 IFCONFIG POOL: base=10.66.4.4 size=62
Thu Sep 29 12:00:04 2011 Initialization Sequence Completed


Here are the logs from the client.
Thu Sep 29 12:00:44 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Thu Sep 29 12:00:44 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 29 12:00:44 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 29 12:00:44 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Sep 29 12:00:44 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Sep 29 12:00:44 2011 Local Options hash (VER=V4): '3514370b'
Thu Sep 29 12:00:44 2011 Expected Remote Options hash (VER=V4): '239669a8'
Thu Sep 29 12:00:44 2011 UDPv4 link local: [undef]
Thu Sep 29 12:00:44 2011 UDPv4 link remote: 123.123.123.123:1194
Thu Sep 29 12:00:44 2011 TLS: Initial packet from 123.123.123.123:1194, sid=9b1491fe ebb41df6
Thu Sep 29 12:00:44 2011 VERIFY OK: depth=1, /C=GB/ST=EN/L=Staffordshire/O=Resolveit/OU=Resolveit/CN=Resolveit-VPN-CA/name=Resolveit-VPN/emailAddress=support@resolveit.co.uk
Thu Sep 29 12:00:44 2011 VERIFY OK: nsCertType=SERVER
Thu Sep 29 12:00:44 2011 VERIFY OK: depth=0, /C=GB/ST=EN/L=Staffordshire/O=Resolveit/OU=Resolveit/CN=mviron-ca/name=Resolveit-VPN/emailAddress=support@resolveit.co.uk
Thu Sep 29 12:00:44 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 29 12:00:44 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 29 12:00:44 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 29 12:00:44 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 29 12:00:44 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 29 12:00:44 2011 [mviron-ca] Peer Connection Initiated with 123.123.123.123:1194
Thu Sep 29 12:00:46 2011 SENT CONTROL [mviron-ca]: 'PUSH_REQUEST' (status=1)
Thu Sep 29 12:00:46 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.10.8.0 255.255.255.0,route 10.66.4.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.66.4.6 10.66.4.5'
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 29 12:00:46 2011 OPTIONS IMPORT: route options modified
Thu Sep 29 12:00:46 2011 ROUTE default_gateway=192.168.2.1
Thu Sep 29 12:00:46 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{6D5887F4-51BE-4080-B5B0-F2E5464AEBCB}.tap
Thu Sep 29 12:00:46 2011 TAP-Win32 Driver Version 9.8 
Thu Sep 29 12:00:46 2011 TAP-Win32 MTU=1500
Thu Sep 29 12:00:46 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.66.4.6/255.255.255.252 on interface {6D5887F4-51BE-4080-B5B0-F2E5464AEBCB} [DHCP-serv: 10.66.4.5, lease-time: 31536000]
Thu Sep 29 12:00:46 2011 Successful ARP Flush on interface [4] {6D5887F4-51BE-4080-B5B0-F2E5464AEBCB}
Thu Sep 29 12:00:52 2011 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Sep 29 12:00:52 2011 C:\WINDOWS\system32\route.exe ADD 10.10.8.0 MASK 255.255.255.0 10.66.4.5
Thu Sep 29 12:00:52 2011 Route addition via IPAPI succeeded [adaptive]
Thu Sep 29 12:00:52 2011 C:\WINDOWS\system32\route.exe ADD 10.66.4.0 MASK 255.255.255.0 10.66.4.5
Thu Sep 29 12:00:52 2011 Route addition via IPAPI succeeded [adaptive]
Thu Sep 29 12:00:52 2011 Initialization Sequence Completed

I have been googling for 3 days and cannot come up with an answer; I'm hoping someone could help.

Regards
Ben
Question by:Benji_
Accepted Solution

by: kode99 (earned 350 total points)
The settings look alright, and since the VPN is working it is not likely any kind of firewall issue. Probably double-check that on the web server just to be sure, though.

My guess is you do not have a return route set up, so the web server does not know how to send the packets back through the VPN. So the ping hits the web server, but the reply is sent to the default gateway, which just drops it because it does not know where to send it.

You can put a route on your network's gateway that will send VPN subnet traffic to the VPN server so the packets can get back to the remote clients. It can also be added directly to the route table on the server, but it will only work for that one system, vs. the whole subnet if on the gateway.

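The return-path problem kode99 describes, as an added example that is not part of the thread: a longest-prefix-match route lookup run against a constructed routing table for the web server, showing where its reply to a VPN client goes before and after a route for 10.66.4.0/24 via the OpenVPN server is added. The addresses are the ones given in the question; the web server's route table itself is assumed.

```python
# Added example, not from the thread: a longest-prefix-match route lookup run
# against a constructed routing table for the web server, to show where its
# reply to a VPN client goes with and without a return route for the VPN subnet.
import ipaddress

VPN_CLIENT = "10.66.4.6"        # address the server pushed to the Windows client
VPN_SERVER_LAN = "10.10.8.22"   # OpenVPN server's address on the SBS network
LAN_GATEWAY = "10.10.8.1"       # default gateway of the 10.10.8.0/24 LAN

# Constructed route table for the web server 10.10.8.64: (destination, next hop),
# where a next hop of None means the network is directly connected.
WEB_SERVER_ROUTES = [
    ("10.10.8.0/24", None),
    ("0.0.0.0/0", LAN_GATEWAY),
]


def next_hop(routes, dst):
    """Return the next-hop address for dst, picking the most specific matching route.

    For a directly connected destination the packet is delivered to dst itself.
    Returns None when no route matches (only possible without a default route).
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return None
    return best_gw if best_gw is not None else str(dst)


def with_return_route(routes):
    """The route kode99 describes: send the VPN subnet to the OpenVPN server."""
    return routes + [("10.66.4.0/24", VPN_SERVER_LAN)]


if __name__ == "__main__":
    # Without the route the reply leaves for the LAN gateway, which has no path
    # back into the tunnel; with it the reply goes to the OpenVPN server.
    print("no return route ->", next_hop(WEB_SERVER_ROUTES, VPN_CLIENT))
    print("with return route ->", next_hop(with_return_route(WEB_SERVER_ROUTES), VPN_CLIENT))
```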
Author Comment

by: Benji_
Hi,

Thanks for your reply. I have confirmed that the OpenVPN server can ping back to the client and they can transfer information between each other, just not on the 10.10.8.x subnet.

Regards
Ben
Assisted Solution

by: simplejack (earned 150 total points)
Does

cat /proc/sys/net/ipv4/ip_forward

return 1?

And show your fw rules, if any.
Author Comment

by: Benji_
Hi

The output of the command is 1.

The results below are from iptables -L.

[root@vpnfirewall etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTAB
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:s
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vpnfirewall etc]# iptables -A FORWARD -i eth1 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -o eth1 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -i eth0 -j ACCEPT
[root@vpnfirewall etc]# iptables -A FORWARD -o eth0 -j ACCEPT
[root@vpnfirewall etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTAB
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:s
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Expert Comment

by: simplejack
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho

The problem is here. You are rejecting forwarding of all packets which aren't directed to your VPN gw host.
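The first-match behaviour simplejack points at, as an added example that is not part of the thread: it evaluates a constructed iptables -L FORWARD listing the way the kernel does, showing why the ACCEPT rules appended with -A after the existing REJECT never matched, and what a scoped ACCEPT inserted ahead of the REJECT (a defender's alternative to flushing every rule) would do. The full target name icmp-host-prohibited is assumed where the thread's output is truncated to "icmp-ho".

```python
# Added example, not from the thread: evaluates an iptables -L FORWARD listing
# with the kernel's first-match semantics. Both listings below are constructed;
# the truncated "icmp-ho" in the thread is assumed to be icmp-host-prohibited.
import ipaddress

# The FORWARD chain after the four `iptables -A FORWARD ... -j ACCEPT` commands.
APPENDED_CHAIN = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
"""

# Alternative to flushing everything: ACCEPT rules inserted *before* the REJECT
# (iptables -I FORWARD 1 ...) and limited to VPN <-> LAN traffic.
SCOPED_CHAIN = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.66.4.0/24         10.10.8.0/24
ACCEPT     all  --  10.10.8.0/24         10.66.4.0/24
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

def _to_net(token):
    """'anywhere' in iptables -L output means 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "anywhere" else token)

def parse_chain(listing):
    """Return (policy, [(target, source_net, dest_net), ...]) for one chain."""
    lines = listing.strip().splitlines()
    policy = lines[0].split("(policy ")[1].rstrip(")")
    rules = []
    for line in lines[2:]:  # skip the "Chain" line and the column header
        target, _proto, _opt, src, dst = line.split()[:5]
        rules.append((target, _to_net(src), _to_net(dst)))
    return policy, rules

def verdict(listing, src, dst):
    """First matching rule decides; if none matches, the chain policy applies."""
    policy, rules = parse_chain(listing)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for target, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return target
    return policy
```

verdict(APPENDED_CHAIN, "10.66.4.6", "10.10.8.64") returns REJECT because the REJECT rule is reached first, while the same lookup against SCOPED_CHAIN returns ACCEPT and a source outside the VPN subnet is still rejected.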
Author Comment

by: Benji_
Hi,

How would I resolve this? iptables is a new entity to me.

Regards
Ben
Expert Comment

by: simplejack
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

It will flush all rules and allow everything; setting up iptables is a different topic :)
Author Comment

by: Benji_
Hi,

Thanks for that, I'm not particularly bothered about iptables at all as long as it works!

I have executed that command, and I get the following output. I have even tried rebooting; still the same.

Thanks
Ben

[root@vpnfirewall ~]# iptables -F
[root@vpnfirewall ~]# iptables -X
[root@vpnfirewall ~]# iptables -t nat -F
[root@vpnfirewall ~]# iptables -t nat -X
[root@vpnfirewall ~]# iptables -t mangle -F
[root@vpnfirewall ~]# iptables -t mangle -X
[root@vpnfirewall ~]# iptables -P INPUT ACCEPT
[root@vpnfirewall ~]# iptables -P FORWARD ACCEPT
[root@vpnfirewall ~]# iptables -P OUTPUT ACCEPT
[root@vpnfirewall ~]#
[root@vpnfirewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vpnfirewall ~]# iptables -l
iptables v1.4.7: option `-l' requires an argument
Try `iptables -h' or 'iptables --help' for more information.
[root@vpnfirewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vpnfirewall ~]#
