Post #1, 12-27-2011, Just Joined! (Join Date: May 2011, Posts: 16)
OpenVPN: Can ping server, but cannot see files or other machines
I am setting up an OpenVPN server on a Debian distribution behind a router at my office. I am connecting from a Windows 7 client. I have configured the OpenVPN server as posted below, and am able to connect remotely to the server over the virtual network. However, I am unable to see files on the server or ping other machines on the local network (LAN). All I really would like to do is be able to connect to a Drobo file server on the LAN. I recognize that all of the information that I need is probably very available on the internet, and suspect that I have read through it all, also (between the OpenVPN HOWTO and other forum posts), but I am not very well versed with networking, and I have difficulty understanding and applying a lot of what I have read. Below is some of the code that may be useful in understanding the current setup. Thank you for your help.
server.conf:
Code:
port 1194
proto udp
dev tun
push "route 192.168.3.0 255.255.255.0"
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4

'route' command returns:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
default         Leppert.Leppert 0.0.0.0         UG    0      0        0 eth0

'ifconfig' command returns:
Code:
eth0      Link encap:Ethernet  HWaddr 00:17:31:08:1f:e2
          inet addr:192.168.3.199  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::217:31ff:fe08:1fe2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:158897 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24960 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53596784 (51.1 MiB)  TX bytes:3525918 (3.3 MiB)
          Interrupt:20 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:340 errors:0 dropped:0 overruns:0 frame:0
          TX packets:340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:35364 (34.5 KiB)  TX bytes:35364 (34.5 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:95 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6542 (6.3 KiB)  TX bytes:6738 (6.5 KiB)

Last edited by oranisme; 12-27-2011 at 05:53 PM.
Post #2, 12-27-2011, Linux Newbie (Join Date: Dec 2009, Posts: 241)
Hi,
Your configuration is set up with two devices, without bridge, so you will need to enable forwarding on your OpenVPN server:
Here you find a little howto:
How to enable IP Forwarding in Linux | MDLog:/sysadmin
That done you may also check your iptables (firewall) settings.
You should have three tables or more:
INPUT (All traffic that is transported to a local process)
FORWARD (All traffic that is destined to be forwarded into a different network)
OUTPUT (All traffic that is sent from a local process)
Interesting for you is the forward chain.
There should be a standard policy like ACCEPT.
Or even better a rule that ACCEPTS forwards from your VPN to specific servers / services on your LAN.
Hope that helps!
Post #3, 12-27-2011, Just Joined! (Join Date: May 2011, Posts: 16)
New Issue with OpenVPN Setup
Thank you, zombykillah, for the IP forwarding suggestion. I had set this, but didn't understand it, nor had I made it permanent, so it was not still forwarding. I have a new issue, though. I had tried several configuration options and then moved the machine to the server room, and thought that I reset everything to its previous state, but I think that I have changed something and I don't know what. The log on the client machine is listed below.
Code:
Tue Dec 27 14:09:39 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Tue Dec 27 14:09:39 2011 WARNING: No server certificate verification method has been enabled. See http...openvpn...#mitm for more info.
Tue Dec 27 14:09:39 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 27 14:09:39 2011 LZO compression initialized
Tue Dec 27 14:09:39 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 27 14:09:39 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 27 14:09:39 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 27 14:09:39 2011 Local Options hash (VER=V4): '41690919'
Tue Dec 27 14:09:39 2011 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 27 14:09:39 2011 UDPv4 link local: [undef]
Tue Dec 27 14:09:39 2011 UDPv4 link remote: x.x.x.x:1194
Tue Dec 27 14:09:39 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 27 14:09:41 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 27 14:09:45 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 27 14:09:53 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 27 14:10:10 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 27 14:10:39 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 27 14:10:39 2011 TLS Error: TLS handshake failed
Tue Dec 27 14:10:39 2011 TCP/UDP: Closing socket
Tue Dec 27 14:10:39 2011 SIGUSR1[soft,tls-error] received, process restarting

My iptables is below. I figured that this basically accepts anything:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Again, thanks for the help.
Post #4, 12-27-2011, Just Joined! (Join Date: May 2011, Posts: 16)
Fixed the new issue, still have the old issue
I realized where my configuration change was. I selected the wrong port when making a firewall change on my router, and told port 1194 to only accept TCP. It is changed back to UDP, and I am in the same place as before. I suspect that zombykillah's advice about iptables should be looked into, but I am not sure where to start. The iptables configuration is as is quoted above, and I have ensured that IP forwarding is set in /etc/sysctl.conf.
Thanks!
Post #5, 12-28-2011, Just Joined! (Join Date: Feb 2011, Posts: 4)
I set up an OpenVPN-AS server which took care of all the local iptables for me, so I can't provide specific advice in that regard. However, your problem sounds very similar to a problem I experienced:
Is your computer in the LAN receiving the ping request? If the server does not receive any ICMP request then it is an iptables setting on the OpenVPN server.
In my situation my computers on the LAN were receiving ICMP requests. The ping request was from my VPN-connected computer with an IP address of 10.8.0.X. The response to the ping request was going to the LAN's gateway. My gateway, unfortunately, didn't know where the 10.8.0.0/16 network was.
My solution was to add a route to the 10.8.0.0/16 network through the LAN's OpenVPN server. Routing was one of those things I learned many times over the years, but never fully understood until this exercise.
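The forwarding and firewall steps from post #2, together with the return-route problem from post #5, as one worked script. This is an added example, not code posted in the thread: the interface names (tun0, eth0), the 10.8.0.0/24 tunnel subnet and the 192.168.3.0/24 LAN come from the posted server.conf and route output, while the Drobo address 192.168.3.50 and the SMB ports 139/445 are assumptions standing in for the real file server. It prints the commands by default and only applies them when run as root with the argument apply.

```shell
#!/bin/sh
# Added example (not from the thread): turn a Debian OpenVPN box into a
# deliberately narrow router between the tunnel and the office LAN.
# From the posted config: tun0, eth0, 10.8.0.0/24, 192.168.3.0/24.
# Assumptions, not from the thread: the Drobo sits at 192.168.3.50 and is
# reached over SMB (tcp/139,445).  Run as root with "apply"; otherwise prints.

VPN_IF=tun0
LAN_IF=eth0
VPN_NET=10.8.0.0/24
DROBO=192.168.3.50          # hypothetical file-server address
SMB_PORTS=139,445           # assumed share protocol
DRY_RUN=${DRY_RUN:-1}       # 1 = print only, 0 = execute

run() {
    # Echo every command so the resulting ruleset can be reviewed; execute
    # only when DRY_RUN=0.  Always returns 0 so a dry run never aborts.
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 0 ] && "$@"
    return 0
}

enable_forwarding() {
    # sysctl -w takes effect now; the drop-in file makes it survive a reboot
    # (Debian reads /etc/sysctl.conf and /etc/sysctl.d/*.conf at boot).
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = 0 ]; then
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/30-openvpn-forward.conf
    else
        printf 'write /etc/sysctl.d/30-openvpn-forward.conf: net.ipv4.ip_forward = 1\n'
    fi
}

forward_rules() {
    # "policy ACCEPT" on FORWARD (what the thread's iptables -L shows) lets any
    # VPN client reach any LAN host on any port.  Default-deny instead, then
    # allow replies plus exactly the VPN -> Drobo traffic that is wanted.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$DROBO" \
        -p tcp -m multiport --dports "$SMB_PORTS" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$DROBO" \
        -p icmp --icmp-type echo-request -j ACCEPT
}

masquerade_vpn() {
    # Return path, option B.  Option A is a static route on the LAN gateway
    # ("10.8.0.0/24 via 192.168.3.199"), which keeps client addresses visible
    # on the LAN.  Option B rewrites the source to the server's LAN address so
    # no other device needs a route; the cost is that the Drobo's logs show
    # 192.168.3.199 for every VPN user.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

# Persisting the rules is outside iptables itself; on current Debian:
#   apt-get install iptables-persistent && iptables-save > /etc/iptables/rules.v4
case "${1:-show}" in
    apply) DRY_RUN=0; enable_forwarding; forward_rules; masquerade_vpn ;;
    show)  enable_forwarding; forward_rules; masquerade_vpn ;;
esac
```

With FORWARD left at policy ACCEPT, as in the iptables output quoted above, every VPN client can reach every LAN host on every port; default-deny plus the two explicit rules is the "rule that ACCEPTS forwards from your VPN to specific servers" described in post #2. For the return path, pick one of the two options, either the static route for 10.8.0.0/24 via 192.168.3.199 on the LAN gateway (post #5's fix) or the MASQUERADE rule; both together are redundant.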
Post #6, 01-12-2012, Just Joined! (Join Date: May 2011, Posts: 16)
Still troubleshooting
I took a couple of weeks off to move across the country, but am now back to setting up this server. Only now I'm setting it up remotely, using SSH. Anyways...
My situation is:
- I can connect to the server from the client, and receive an IP address 10.8.0.X
- I can ping the server
- I do not see any folders or other machines on the server's network
- I cannot, or do not understand how to, ping any other machines on the server's network
When connecting, I get the following log from the OpenVPN client:
Code:
Thu Jan 12 12:10:29 2012 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Thu Jan 12 12:10:29 2012 WARNING: No server certificate verification method has been enabled. See url#mitm for more info.
Thu Jan 12 12:10:29 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jan 12 12:10:29 2012 LZO compression initialized
Thu Jan 12 12:10:29 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 12 12:10:29 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jan 12 12:10:29 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jan 12 12:10:29 2012 Local Options hash (VER=V4): '41690919'
Thu Jan 12 12:10:29 2012 Expected Remote Options hash (VER=V4): '530fdded'
Thu Jan 12 12:10:29 2012 UDPv4 link local: [undef]
Thu Jan 12 12:10:29 2012 UDPv4 link remote: X.X.X.X:1194
Thu Jan 12 12:10:29 2012 TLS: Initial packet from X.X.X.X:1194, sid=9124f222 0cd7dc5f
Thu Jan 12 12:10:29 2012 VERIFY OK: depth=1, /C=US/ST=CO/L=Golden/O=LeppertAssociates/OU=Operations/CN=Leppert/emailAddress=me@myurl.com
Thu Jan 12 12:10:29 2012 VERIFY OK: depth=0, /C=US/ST=CO/L=Golden/O=LeppertAssociates/OU=Operations/CN=server/emailAddress=me@myurl.com
Thu Jan 12 12:10:30 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 12 12:10:30 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 12 12:10:30 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 12 12:10:30 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 12 12:10:30 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 12 12:10:30 2012 [server] Peer Connection Initiated with X.X.X.X:1194
Thu Jan 12 12:10:33 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 12 12:10:33 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.3.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Jan 12 12:10:33 2012 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 12 12:10:33 2012 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 12 12:10:33 2012 OPTIONS IMPORT: route options modified
Thu Jan 12 12:10:33 2012 ROUTE default_gateway=192.168.0.1
Thu Jan 12 12:10:33 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{75BAA28C-4DCE-4E93-83BD-F42797272EF9}.tap
Thu Jan 12 12:10:33 2012 TAP-Win32 Driver Version 9.8
Thu Jan 12 12:10:33 2012 TAP-Win32 MTU=1500
Thu Jan 12 12:10:33 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {75BAA28C-4DCE-4E93-83BD-F42797272EF9} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Jan 12 12:10:33 2012 Successful ARP Flush on interface [21] {75BAA28C-4DCE-4E93-83BD-F42797272EF9}
Thu Jan 12 12:10:38 2012 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Jan 12 12:10:38 2012 C:\WINDOWS\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.8.0.5
Thu Jan 12 12:10:38 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Jan 12 12:10:38 2012 Route addition via IPAPI succeeded [adaptive]
Thu Jan 12 12:10:38 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Jan 12 12:10:38 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Jan 12 12:10:38 2012 Route addition via IPAPI succeeded [adaptive]
Thu Jan 12 12:10:38 2012 Initialization Sequence Completed

As always, thanks for the help. Please let me know if I can provide any more information.
Post #7, 01-13-2012, Linux Newbie (Join Date: Dec 2009, Posts: 241)
Hi there,
Sorry I didn't answer you yet; for some reason the report that I got an answer was shifted into the spam folder.
You may have a problem with the route config on the client.
Your client gets the address 10.8.0.6/255.255.255.252:
Code:
Thu Jan 12 12:10:33 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {75BAA28C-4DCE-4E93-83BD-F42797272EF9} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
In that network (10.8.0.4/31) you can only have two IPs
Your client is told that the network 192.168.3.0/24 can be found behind PC 10.8.0.5:
Code:
Thu Jan 12 12:10:38 2012 C:\WINDOWS\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.8.0.5

Also the PC with the IP 10.8.0.1 can be found behind 10.8.0.5:
Code:
Thu Jan 12 12:10:38 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Since you wrote you can ping the Server itself 10.8.0.5 seems to exist.
What addresses of your Server can you ping?
10.8.0.1
10.8.0.5
192.168.3.199
What's the IP configuration of the client after connecting?
Post #8, 01-13-2012, Linux Newbie (Join Date: Dec 2009, Posts: 241)
Another common problem is the firewall of the share server.
Most firewalls will only allow access to shares and other services if the requesting computer is in the same network.
Post #9, 01-13-2012, Just Joined! (Join Date: May 2011, Posts: 16)
I can ping 10.8.0.1 and 192.168.3.199, but not 10.8.0.5. Is that because, as you said, in the network 10.8.0.4/31 there can only be two IPs, and they have already been assigned (being the server at 10.8.0.1 and the client at 10.8.0.6)?
The client contains the following ipconfig (note "Ethernet adapter Local Area Connection 2"):
Code:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : APOLLO
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-75-BA-A2-8C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9980:8fda:694:9a7%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Friday, January 13, 2012 4:32:55 PM
   Lease Expires . . . . . . . . . . : Saturday, January 12, 2013 4:32:54 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.5
   DHCPv6 IAID . . . . . . . . . . . : 251723637
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-6E-50-7D-00-24-2B-DE-5C-4E
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-22-68-4C-17-58
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::159a:ed7a:db66:832e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 12, 2012 9:53:03 AM
   Lease Expires . . . . . . . . . . : Friday, January 20, 2012 8:03:22 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 268444264
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-6E-50-7D-00-24-2B-DE-5C-4E
   DNS Servers . . . . . . . . . . . : 209.18.47.61
                                       209.18.47.62
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:38ef:3028:cda5:6d9e(Preferred)
   Link-local IPv6 Address . . . . . : fe80::38ef:3028:cda5:6d9e%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{75BAA28C-4DCE-4E93-83BD-F42797272EF9}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{98B3C345-8700-4253-A167-D968DF5E411F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
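The /30 arithmetic behind the client log in post #6 and the question left open in posts #7 and #9, as an added shell example that is not part of the thread. It takes the tunnel address a client was given and derives its block, the endpoint OpenVPN pushes as the next hop, and the usable addresses; the only inputs are addresses already visible above, and it generalises to any client address in a net30 server subnet.

```shell
#!/bin/sh
# Added example (not from the thread): the address arithmetic behind OpenVPN's
# default "topology net30", which explains the 10.8.0.6/255.255.255.252 lease,
# the routes via 10.8.0.5, and why 10.8.0.5 does not answer ping.
# Facts from the thread: server tun0 is 10.8.0.1 P-t-P 10.8.0.2 (the first /30
# of 10.8.0.0/24); the client was pushed "ifconfig 10.8.0.6 10.8.0.5".

ip2int() {
    # dotted quad -> integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

net30_base() {
    # Lowest address of the /30 containing $1 (round down to a multiple of 4).
    n=$(ip2int "$1")
    echo $(( n - n % 4 ))
}

net30_peer() {
    # The "remote" endpoint OpenVPN pushes for a client at $1: base+1.  It is
    # the gateway in "route ADD 192.168.3.0 MASK 255.255.255.0 10.8.0.5" and
    # the fake DHCP server, but no interface on the server carries it, so an
    # ICMP echo to it gets no reply.  Packets routed *through* it still work.
    int2ip $(( $(net30_base "$1") + 1 ))
}

net30_block() {
    # Full picture of one client's /30: network, endpoint, client, broadcast.
    base=$(net30_base "$1")
    printf 'block=%s/30 endpoint=%s client=%s unusable=%s,%s\n' \
        "$(int2ip "$base")" "$(int2ip $((base + 1)))" "$(int2ip $((base + 2)))" \
        "$(int2ip "$base")" "$(int2ip $((base + 3)))"
}

check_pushed_ifconfig() {
    # Sanity-check a PUSH_REPLY "ifconfig <local> <remote>" pair: <remote>
    # must be the peer of <local>'s /30 or the client's routes point nowhere.
    [ "$(net30_peer "$1")" = "$2" ]
}

clients_per_prefix() {
    # How many clients a server subnet of the given prefix length holds under
    # net30: one /30 per client, minus the first /30 the server keeps.
    echo $(( (1 << (32 - $1)) / 4 - 1 ))
}

# Stand-alone demo on the thread's addresses.
net30_block 10.8.0.6
printf 'clients possible in 10.8.0.0/24: %s\n' "$(clients_per_prefix 24)"
```

The 255.255.255.252 mask is a /30, so 10.8.0.4/30 holds 10.8.0.5 and 10.8.0.6; the server's own tun0 sits in the first /30 as 10.8.0.1 (P-t-P 10.8.0.2), which is why 10.8.0.1 answers ping and 10.8.0.5, configured on no interface, does not. Separately, both posted client logs carry "WARNING: No server certificate verification method has been enabled"; until the client config has remote-cert-tls server (or ns-cert-type server for certificates made with easy-rsa 2's build-key-server), any certificate signed by the same CA, including another client's, is accepted as the server.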