Good morning everybody,

I have no idea why routing doesn't work - and I think I did everything I have to do to make it work ... When establishing a connection I can only ping the tun device's IP address and the eth0 device's IP address, but I can't ping/traceroute any other device on that network (192.168.178.0/24). The second network (192.168.180.0/24) was only for testing, too, and there's no device at all.

OpenVPN is running on a Raspberry, which is for testing at another site (my wife's apartment), and I try to connect from a Windows system.

What am I doing wrong?
Or what's missing?

Here are the related files ....

/etc/openvpn/server.conf:
local 192.168.178.56
port 1194
proto udp4
dev tun
mode server
script-security 2
#
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/dh2048.pem
status openvpn-status.log
log-append /var/log/openvpn/server.log
verb 3
persist-key
persist-tun
server 10.7.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.7.0.0 255.255.255.0"
push "route 192.168.178.0 255.255.255.0"
push "route 192.168.180.0 255.255.255.0"
user nobody
group nogroup
keepalive 10 60
float
comp-lzo
max-clients 5
client-to-client

openvpn on Windows machine:
client
dev tun
proto udp
remote ABC.myfritz.net 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert torsten.crt
key torsten.key
comp-lzo
verb 3

/etc/sysctl.conf:
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438


routing on Windows machine before starting openvpn:
C:\Windows\system32>route print
===========================================================================
Schnittstellenliste
  8...40 8d 5c 52 57 33 ......Killer E2200 Gigabit Ethernet Controller
 17...........................Wintun Userspace Tunnel
 18...40 8d 5c 52 57 31 ......Intel(R) Ethernet Connection (2) I219-V
 15...00 ff bd 5d 63 07 ......TAP-Windows Adapter V9
  1...........................Software Loopback Interface 1
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0    192.168.199.2   192.168.199.16    281
        127.0.0.0        255.0.0.0   Auf Verbindung        127.0.0.1    331
        127.0.0.1  255.255.255.255   Auf Verbindung        127.0.0.1    331
  127.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    331
    192.168.199.0    255.255.255.0   Auf Verbindung   192.168.199.16    281
   192.168.199.16  255.255.255.255   Auf Verbindung   192.168.199.16    281
  192.168.199.255  255.255.255.255   Auf Verbindung   192.168.199.16    281
        224.0.0.0        240.0.0.0   Auf Verbindung        127.0.0.1    331
        224.0.0.0        240.0.0.0   Auf Verbindung   192.168.199.16    281
  255.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    331
  255.255.255.255  255.255.255.255   Auf Verbindung   192.168.199.16    281
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0    192.168.199.2  Standard
===========================================================================

routing on Windows machine after starting openvpn:
C:\Windows\system32>route print
===========================================================================
Schnittstellenliste
  8...40 8d 5c 52 57 33 ......Killer E2200 Gigabit Ethernet Controller
 17...........................Wintun Userspace Tunnel
 18...40 8d 5c 52 57 31 ......Intel(R) Ethernet Connection (2) I219-V
 15...00 ff bd 5d 63 07 ......TAP-Windows Adapter V9
  1...........................Software Loopback Interface 1
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0    192.168.199.2   192.168.199.16    281
         10.7.0.0    255.255.255.0         10.7.0.5         10.7.0.6    281
         10.7.0.4  255.255.255.252   Auf Verbindung         10.7.0.6    281
         10.7.0.6  255.255.255.255   Auf Verbindung         10.7.0.6    281
         10.7.0.7  255.255.255.255   Auf Verbindung         10.7.0.6    281
        127.0.0.0        255.0.0.0   Auf Verbindung        127.0.0.1    331
        127.0.0.1  255.255.255.255   Auf Verbindung        127.0.0.1    331
  127.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    331
   134.147.166.32  255.255.255.255         10.8.0.5         10.7.0.6     26
    192.168.178.0    255.255.255.0         10.7.0.5         10.7.0.6    281
    192.168.180.0    255.255.255.0         10.7.0.5         10.7.0.6    281
    192.168.199.0    255.255.255.0   Auf Verbindung   192.168.199.16    281
   192.168.199.16  255.255.255.255   Auf Verbindung   192.168.199.16    281
  192.168.199.255  255.255.255.255   Auf Verbindung   192.168.199.16    281
        224.0.0.0        240.0.0.0   Auf Verbindung        127.0.0.1    331
        224.0.0.0        240.0.0.0   Auf Verbindung         10.7.0.6    281
        224.0.0.0        240.0.0.0   Auf Verbindung   192.168.199.16    281
  255.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    331
  255.255.255.255  255.255.255.255   Auf Verbindung         10.7.0.6    281
  255.255.255.255  255.255.255.255   Auf Verbindung   192.168.199.16    281
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0    192.168.199.2  Standard
===========================================================================

/var/log/openvpn/server.log:
Mon Dec 28 08:20:29 2020 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Mon Dec 28 08:20:29 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Mon Dec 28 08:20:29 2020 Diffie-Hellman initialized with 2048 bit key
Mon Dec 28 08:20:29 2020 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=eth0 HWADDR=dc:a6:32:8b:6d:9e
Mon Dec 28 08:20:29 2020 TUN/TAP device tun0 opened
Mon Dec 28 08:20:29 2020 TUN/TAP TX queue length set to 100
Mon Dec 28 08:20:29 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Dec 28 08:20:29 2020 /sbin/ip addr add dev tun0 local 10.7.0.1 peer 10.7.0.2
Mon Dec 28 08:20:29 2020 /sbin/ip route add 192.168.178.0/24 via 10.7.0.2
Mon Dec 28 08:20:29 2020 /sbin/ip route add 192.168.180.0/24 via 10.7.0.2
Mon Dec 28 08:20:29 2020 /sbin/ip route add 10.7.0.0/24 via 10.7.0.2
Mon Dec 28 08:20:29 2020 Socket Buffers: R=[180224->180224] S=[180224->180224]
Mon Dec 28 08:20:29 2020 UDPv4 link local (bound): [AF_INET]192.168.178.56:1194
Mon Dec 28 08:20:29 2020 UDPv4 link remote: [AF_UNSPEC]
Mon Dec 28 08:20:29 2020 GID set to nogroup
Mon Dec 28 08:20:29 2020 UID set to nobody
Mon Dec 28 08:20:29 2020 MULTI: multi_init called, r=256 v=256
Mon Dec 28 08:20:29 2020 IFCONFIG POOL: base=10.7.0.4 size=62, ipv6=0
Mon Dec 28 08:20:29 2020 ifconfig_pool_read(), in='torsten,10.7.0.4', TODO: IPv6
Mon Dec 28 08:20:29 2020 succeeded -> ifconfig_pool_set()
Mon Dec 28 08:20:29 2020 IFCONFIG POOL LIST
Mon Dec 28 08:20:29 2020 torsten,10.7.0.4
Mon Dec 28 08:20:29 2020 Initialization Sequence Completed
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 TLS: Initial packet from [AF_INET]AAA.BBB.CCC.DDD:61471, sid=ca48818d 802af7d8
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 VERIFY OK: depth=1, CN=Easy-RSA CA
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 VERIFY OK: depth=0, CN=torsten
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_VER=2.5.0
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_PLAT=win
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_PROTO=6
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_NCP=2
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_LZ4=1
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_LZ4v2=1
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_LZO=1
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_COMP_STUB=1
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_COMP_STUBv2=1
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_TCPNL=1
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 peer info: IV_GUI_VER=OpenVPN_GUI_11
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Mon Dec 28 08:20:46 2020 AAA.BBB.CCC.DDD:61471 [torsten] Peer Connection Initiated with [AF_INET]AAA.BBB.CCC.DDD:61471
Mon Dec 28 08:20:46 2020 torsten/AAA.BBB.CCC.DDD:61471 MULTI_sva: pool returned IPv4=10.7.0.6, IPv6=(Not enabled)
Mon Dec 28 08:20:46 2020 torsten/AAA.BBB.CCC.DDD:61471 MULTI: Learn: 10.7.0.6 -> torsten/AAA.BBB.CCC.DDD:61471
Mon Dec 28 08:20:46 2020 torsten/AAA.BBB.CCC.DDD:61471 MULTI: primary virtual IP for torsten/AAA.BBB.CCC.DDD:61471: 10.7.0.6
Mon Dec 28 08:20:47 2020 torsten/AAA.BBB.CCC.DDD:61471 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec 28 08:20:47 2020 torsten/AAA.BBB.CCC.DDD:61471 SENT CONTROL [torsten]: 'PUSH_REPLY,route 10.7.0.0 255.255.255.0,route 192.168.178.0 255.255.255.0,route 192.168.180.0 255.255.255.0,route 10.7.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.7.0.6 10.7.0.5,peer-id 0,cipher AES-256-GCM' (
Mon Dec 28 08:20:47 2020 torsten/AAA.BBB.CCC.DDD:61471 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Dec 28 08:20:47 2020 torsten/AAA.BBB.CCC.DDD:61471 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Dec 28 08:20:47 2020 torsten/AAA.BBB.CCC.DDD:61471 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Some pings:
C:\Windows\system32>ping 10.7.0.6

Ping wird ausgeführt für 10.7.0.6 mit 32 Bytes Daten:
Antwort von 10.7.0.6: Bytes=32 Zeit<1ms TTL=128
Antwort von 10.7.0.6: Bytes=32 Zeit<1ms TTL=128
Antwort von 10.7.0.6: Bytes=32 Zeit<1ms TTL=128
Antwort von 10.7.0.6: Bytes=32 Zeit<1ms TTL=128

Ping-Statistik für 10.7.0.6:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

C:\Windows\system32>ping 10.7.0.1

Ping wird ausgeführt für 10.7.0.1 mit 32 Bytes Daten:
Antwort von 10.7.0.1: Bytes=32 Zeit=9ms TTL=64
Antwort von 10.7.0.1: Bytes=32 Zeit=10ms TTL=64
Antwort von 10.7.0.1: Bytes=32 Zeit=10ms TTL=64
Antwort von 10.7.0.1: Bytes=32 Zeit=10ms TTL=64

Ping-Statistik für 10.7.0.1:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 9ms, Maximum = 10ms, Mittelwert = 9ms

C:\Windows\system32>ping 192.168.178.56

Ping wird ausgeführt für 192.168.178.56 mit 32 Bytes Daten:
Antwort von 192.168.178.56: Bytes=32 Zeit=9ms TTL=64
Antwort von 192.168.178.56: Bytes=32 Zeit=10ms TTL=64
Antwort von 192.168.178.56: Bytes=32 Zeit=10ms TTL=64
Antwort von 192.168.178.56: Bytes=32 Zeit=10ms TTL=64

Ping-Statistik für 192.168.178.56:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 9ms, Maximum = 10ms, Mittelwert = 9ms

C:\Windows\system32>ping 192.168.178.1

Ping wird ausgeführt für 192.168.178.1 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 192.168.178.1:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
    (100% Verlust),

C:\Windows\system32>


Thanks in advance!

Cheers,
Torsten
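
The post above shows a "routed LAN" setup whose pushed routes do reach the client (the `route print` table after connecting lists 192.168.178.0/24 via 10.7.0.5) while LAN hosts behind the server stay unreachable. For a client in the `server` subnet to reach a LAN host, the server must forward (`net.ipv4.ip_forward=1`, present here) and the LAN host must have a way back to the tunnel subnet: either the LAN router routes 10.7.0.0/24 to the OpenVPN server, or the server masquerades tunnel traffic on eth0. The following added diagnostic (not the poster's or the OpenVPN project's code) checks those prerequisites from captured text instead of live system state; the `SERVER_CONF`, `SYSCTL_OUT` and `NAT_RULES` samples are constructed from the post, and `lan_has_return_route` is an assumed flag for what the LAN router does.

```python
import ipaddress
import re

# Constructed sample: the routing-relevant lines of the posted server.conf.
SERVER_CONF = """
local 192.168.178.56
server 10.7.0.0 255.255.255.0
push "route 10.7.0.0 255.255.255.0"
push "route 192.168.178.0 255.255.255.0"
push "route 192.168.180.0 255.255.255.0"
comp-lzo
"""
SYSCTL_OUT = "net.ipv4.ip_forward = 1"  # as in the posted /etc/sysctl.conf
NAT_RULES = "-P POSTROUTING ACCEPT"      # constructed `iptables -t nat -S`: no NAT rule
def vpn_subnet(conf):
    """Tunnel subnet from the 'server <net> <mask>' directive."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")

def pushed_routes(conf):
    """Subnets the server pushes to clients with push "route ..."."""
    pairs = re.findall(r'^push\s+"route\s+(\S+)\s+(\S+)"', conf, re.M)
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in pairs]

def diagnose(conf, sysctl_out, nat_rules, lan_has_return_route=False):
    """Return findings (empty list = prerequisites met). lan_has_return_route
    is True when the LAN router already routes the VPN subnet to the server,
    in which case no NAT on the server is needed (assumed flag)."""
    findings = []
    vpn = vpn_subnet(conf)
    if vpn in pushed_routes(conf):
        findings.append(f"redundant push of the VPN subnet {vpn}; "
                        "the 'server' directive already installs that route")
    if not re.search(r"ip_forward\s*=\s*1", sysctl_out):
        findings.append("net.ipv4.ip_forward is not 1; the server "
                        "will not forward between tun0 and eth0")
    masq = re.search(rf"-A POSTROUTING -s {re.escape(str(vpn))} .*-j MASQUERADE",
                     nat_rules)
    if not masq and not lan_has_return_route:
        findings.append(f"no return path: LAN hosts need a route to {vpn} via "
                        "the server, or the server must MASQUERADE it on eth0")
    if re.search(r"^comp-lzo", conf, re.M):
        findings.append("comp-lzo enabled; compression is deprecated in "
                        "OpenVPN 2.4 and weakens data-channel confidentiality")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SERVER_CONF, SYSCTL_OUT, NAT_RULES):
        print("-", finding)
```

The redundant push is visible in the posted PUSH_REPLY, which lists `route 10.7.0.0 255.255.255.0` twice; the return-path finding is the one to clear first when pings to the server itself succeed but pings to other LAN hosts time out.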


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
