Hi Tiago,

Tiago Vasconcelos wrote:
> Hi Gert
>
> On 25-08-2015 13:20, Gert Doering wrote:
>
>> If it pings, it should SSH. If it doesn't, someone is firewalling
>> you (INPUT chain, not FORWARD)
>>
>
> I also thought so. Which makes this case a mystery to me.
> Here's why:
>
>
> # SSH is indeed running on the OpenVPN server
>
> $ netstat -ln | grep 22
> tcp        0      0 0.0.0.0:22      0.0.0.0:*      LISTEN
>
>
> # No firewall rules on the server side...
>
> $ iptables-save
> # Generated by iptables-save v1.4.3.2 on Tue Aug 25 14:34:07 2015
> *nat
> :PREROUTING ACCEPT [9:777]
> :POSTROUTING ACCEPT [19:1364]
> :OUTPUT ACCEPT [19:1364]
> COMMIT
> # Completed on Tue Aug 25 14:34:07 2015
> # Generated by iptables-save v1.4.3.2 on Tue Aug 25 14:34:07 2015
> *mangle
> :PREROUTING ACCEPT [925:77105]
> :INPUT ACCEPT [924:77005]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [599:67933]
> :POSTROUTING ACCEPT [599:67933]
> COMMIT
> # Completed on Tue Aug 25 14:34:07 2015
> # Generated by iptables-save v1.4.3.2 on Tue Aug 25 14:34:07 2015
> *filter
> :INPUT ACCEPT [843:70905]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [599:67933]
> COMMIT
>
>
> # Server capture while running 'telnet 192.168.1.2 22' on the client
> # As can be seen, the SYN is not responded to and the client keeps retrying
>
> $ tcpdump -i tun0 -n
> 14:30:41.389162 IP 172.31.0.6.60902 > 192.168.1.2.22: Flags [S], seq 3893675608, win 4350, options [mss 1130,sackOK,TS val 6434347 ecr 0,nop,wscale 1], length 0
> 14:30:44.338170 IP 172.31.0.6.60902 > 192.168.1.2.22: Flags [S], seq 3893675608, win 4350, options [mss 1130,sackOK,TS val 6437347 ecr 0,nop,wscale 1], length 0
>
>
> # Doing a strace on the SSH daemon (Dropbear) confirms it doesn't
> # receive any connection attempt
>
> $ strace -p 218
> Process 218 attached
> select(8, [4], NULL, NULL, NULL
>
>
> # Strangely, pings from the client do work!
>
> $ ping 192.168.1.2
> PING 192.168.1.2 (192.168.1.2): 56 data bytes
> 64 bytes from 192.168.1.2: seq=0 ttl=64 time=105.582 ms
> 64 bytes from 192.168.1.2: seq=1 ttl=64 time=103.611 m
>
>
> I ran out of ideas...
>

Your VPN IP range seems to be 172.31.0.x? If so, try SSH'ing to the VPN IP of the server (normally 172.31.0.1). Also, what does a traceroute to 192.168.1.2 give?

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
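As an added example (not part of the thread, not Tiago's or JJK's code), a small Python checker that reads `tcpdump -n` lines in the format quoted above and lists the TCP flows whose SYN was sent (and retransmitted) but never answered with a SYN-ACK, which is exactly the symptom in the capture; ICMP lines such as the working pings are ignored. The sample capture is constructed, modelled on the quoted lines, with an extra healthy handshake to the assumed VPN address 172.31.0.1 for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -i tun0 -n format: two unanswered SYN retransmits to
# 192.168.1.2:22 (as in the thread), one ICMP echo (ignored), and one completed
# SYN / SYN-ACK exchange with the VPN endpoint 172.31.0.1 (assumed address).
SAMPLE = """\
14:30:41.389162 IP 172.31.0.6.60902 > 192.168.1.2.22: Flags [S], seq 3893675608, win 4350, options [mss 1130,sackOK,TS val 6434347 ecr 0,nop,wscale 1], length 0
14:30:44.338170 IP 172.31.0.6.60902 > 192.168.1.2.22: Flags [S], seq 3893675608, win 4350, options [mss 1130,sackOK,TS val 6437347 ecr 0,nop,wscale 1], length 0
14:30:45.100000 IP 172.31.0.6 > 192.168.1.2: ICMP echo request, id 1, seq 0, length 64
14:30:46.000000 IP 172.31.0.6.60904 > 172.31.0.1.22: Flags [S], seq 1, win 4350, length 0
14:30:46.001000 IP 172.31.0.1.22 > 172.31.0.6.60904: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Matches the "src.sport > dst.dport: Flags [..]" prefix of a TCP line; ICMP lines
# have no port suffix and therefore do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def unanswered_syns(capture):
    """Return {(src, sport, dst, dport): syn_count} for flows that never saw a SYN-ACK."""
    syns = defaultdict(int)   # SYN count per 4-tuple (retransmits raise the count)
    answered = set()          # 4-tuples for which the reverse SYN-ACK was seen
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # non-TCP traffic (e.g. the pings) is not a handshake
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        flags = m["flags"]
        if flags == "S":
            syns[key] += 1
        elif "S" in flags and "." in flags:   # "S." is SYN+ACK from the server side
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    return {k: n for k, n in syns.items() if k not in answered}


if __name__ == "__main__":
    for (src, sport, dst, dport), n in unanswered_syns(SAMPLE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s), no SYN-ACK seen")
```

Run it on a real capture with `tcpdump -i tun0 -n -l | python3 -c '...'` style piping, or feed a saved text file to `unanswered_syns`.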
