As a proof of concept, I'm trying to configure an OpenVPN Access Server (AS) with two clients on respective private networks. The goal of the experiment is for the clients to communicate with each other through a tunnel using multiple protocols, passing through their respective NAT routers transparently (i.e. without the need for port forwarding or static routing on the router).
The setup looks something like this:
Here, I'm using two Windows PCs as clients on different private networks. They're both able to connect and ping the OpenVPN AS at its VPN IP address 10.8.0.1. However, the AS cannot ping either client, nor can the clients ping each other, despite being "virtually" on the same network. (Both clients are assigned dynamic VPN IP addresses on 10.8.0.0/24.)
I suspect the problem is related to routing on the server side, but I'm lacking the understanding to prove it!
On OpenVPN Access Server
openvpnas@openvpnas2:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.30.0.1      0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 as0t0
172.30.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
openvpnas@openvpnas2:~$ ping 10.8.0.59
PING 10.8.0.59 (10.8.0.59) 56(84) bytes of data.
^C
--- 10.8.0.59 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
Where 10.8.0.59 is the VPN IP address of the Windows 8 machine.
But I can telnet to the same client on port 443.
openvpnas@openvpnas2:~$ telnet 10.8.0.59 443
Trying 10.8.0.59...
Connected to 10.8.0.59.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
On Windows clients
The AS is configured through a web interface and so far I've been unable to locate the server.conf on the AS.
I've allowed inbound traffic in Windows firewall for both clients on UDP 1194 and TCP 443.
The client config file looks like this (inline certificates, key and signature removed).
# Ignore options that this client version does not recognise
setenv FORWARD_COMPATIBLE 1
client
proto udp
nobind
remote 54.169.10.97
port 1194
dev tun
dev-type tun
# Require the server certificate to carry the nsCertType=server extension
ns-cert-type server
# Renegotiate the data-channel key once a week (seconds)
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
# Send client version/platform information to the server
setenv PUSH_PEER_INFO
It feels like I've tried every configuration option on the AS and I'm losing the will to live! I really need some help on how to systematically diagnose the problem. Just ask if you need me to post the output of a command up here...
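The question asks for a systematic way to diagnose this. The post's own evidence (ping to 10.8.0.59 fails, a TCP connect to 10.8.0.59:443 succeeds) already separates the two candidate causes: a TCP handshake cannot complete unless packets reach the client and the client's replies are routed back, so the ICMP failure is not a routing failure. The script below is an added example written for this answer; it is not code from the original post or from OpenVPN Access Server. It assumes it is run on the Linux AS (as in the post) with bash, ping and coreutils timeout available, and it uses TCP port 443 as the probe port because the post shows that port open on the client; the client IPs passed on the command line are whatever the AS has assigned (10.8.0.59 in the post).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Probes each VPN client from the
# OpenVPN Access Server with ICMP and with a TCP handshake, then classifies
# the pair of results so that "ping fails" is not mistaken for "route missing".
#
# Assumptions: runs on the Linux AS, bash is present (for /dev/tcp), and the
# TCP port given in TCP_PORT (default 443, as in the post) is listening on the
# client if the client is reachable at all.

# Exit 0 if the host answers one ICMP echo request within 2 seconds.
probe_icmp() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Exit 0 if a TCP three-way handshake to host:port completes within 3 seconds.
# bash's /dev/tcp pseudo-device avoids needing telnet or nc on the AS.
probe_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Map the two probe exit codes (0 = success) to a diagnosis.
# Output format: "<code>: <explanation>", so callers can key on the code.
classify() {
    local icmp=$1 tcp=$2
    if [ "$icmp" -eq 0 ] && [ "$tcp" -eq 0 ]; then
        echo "reachable: routing and host firewall both pass"
    elif [ "$icmp" -ne 0 ] && [ "$tcp" -eq 0 ]; then
        # A completed handshake proves the forward and return paths work,
        # so the only thing dropping ICMP echo is the client's host firewall.
        echo "host-firewall: TCP connects but ICMP echo is dropped; the route is fine, the client firewall is filtering ICMP"
    elif [ "$icmp" -eq 0 ] && [ "$tcp" -ne 0 ]; then
        echo "port-closed: ICMP works so routing is fine; the TCP port is closed or filtered on the client"
    else
        echo "no-path: neither probe answered; check the AS route table, the client's pushed routes and whether the client is still connected"
    fi
}

# Probe every client IP given as an argument and print one line per client.
probe_clients() {
    local ip port=${TCP_PORT:-443} i t
    for ip in "$@"; do
        probe_icmp "$ip"; i=$?
        probe_tcp "$ip" "$port"; t=$?
        printf '%-15s icmp=%s tcp/%s=%s -> %s\n' \
            "$ip" "$i" "$port" "$t" "$(classify "$i" "$t")"
    done
}

# Usage on the AS:  ./probe_clients.sh 10.8.0.59 10.8.0.60
if [ $# -gt 0 ]; then
    probe_clients "$@"
fi
```

Run against the post's figures this prints the "host-firewall" line for 10.8.0.59, which points away from the AS route table (which already has 10.8.0.0/24 on as0t0) and towards the Windows side: Windows Firewall does not answer ICMP echo requests unless the inbound rule "File and Printer Sharing (Echo Request - ICMPv4-In)" is enabled for the active profile, and the rules the post mentions (UDP 1194, TCP 443) do not cover ICMP. The client-to-client case is a separate check: on the Access Server the admin web UI has a VPN Settings option asking whether clients should be able to communicate with each other on the VPN IP network, and that must be set to Yes for the two PCs to reach each other through the tunnel at all, independent of their firewalls. Running the same two probes from one client to the other (from a Windows command prompt: ping, then telnet to a port that is known to be open) distinguishes those two causes in the same way.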