
I have a setup pretty similar to this except the LAN clients are behind a DHCP relaying router. The outermost router forwards traffic to the OpenVPN server on port 1194 and I can connect clients successfully, routing traffic going into the VPN server, out through its own NAT. My VPN virtual IP range is 172.31.0.0/24

                          +-------------------------+
               (public IP)|                         |
  {INTERNET}=============={     Router              |
                          |                         |
                          |         LAN switch      |
                          +------------+------------+
                                       | (192.168.5.1)
                                       |
                                       |              +-----------------------+
                                       |              |                       |
                                       |              |        OpenVPN        |  eth0: 192.168.5.96/24
                                       +--------------{eth0    server         |  tun0: 172.31.0.0/24
                                       |              |                       |
                                       |              |           {tun0}      |
                                       |              +-----------------------+
                                       |
                              +--------+-----------+
                              |     Router B       |
                              |  Other LAN clients |
                              |                    |
                              |   192.168.1.0/24   |
                              |   (internal net)   |
                              +--------------------+

Connecting as a VPN client outside the network, I am therefore able to get traffic on the internet, as well as to all the other clients connected to the first router hosting its own DHCP (192.168.5.0/24). But when I try to access the second router's inner LAN I get the following response to pings:

PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
From 172.31.0.1 icmp_seq=1 Destination Host Unreachable

The OpenVPN server is hosted on a box with restricted access so I can only retrieve the .conf files through the web ui, of which it only displays a limited amount of information. Connecting from the client gives me the following information:

Thu Dec 29 13:36:30 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 29 13:36:30 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Dec 29 13:36:30 2016 Attempting to establish TCP connection with [AF_INET]<public ip>:1194 [nonblock]
Thu Dec 29 13:36:31 2016 TCP connection established with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link local: [undef]
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link remote: [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TLS: Initial packet from [AF_INET]<public ip>:1194, sid=1081d793 4873f1e6
Thu Dec 29 13:36:31 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=1, CN=*, OU=RV320, O=*., L=*, C=*, ST=*
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=0, C=*, OU=*, CN=*
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 29 13:36:32 2016 [com] Peer Connection Initiated with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:35 2016 SENT CONTROL [com]: 'PUSH_REQUEST' (status=1)
Thu Dec 29 13:36:35 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.3,dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN <company>.LOCAL,route 172.31.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 172.31.0.6 172.31.0.5'
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: route options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 29 13:36:35 2016 ROUTE_GATEWAY <client ip>/255.255.255.240 IFACE=eth1 HWADDR=*
Thu Dec 29 13:36:35 2016 TUN/TAP device tun0 opened
Thu Dec 29 13:36:35 2016 TUN/TAP TX queue length set to 100
Thu Dec 29 13:36:35 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Dec 29 13:36:35 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 29 13:36:35 2016 /sbin/ip addr add dev tun0 local 172.31.0.6 peer 172.31.0.5
Thu Dec 29 13:36:35 2016 /etc/openvpn/update-resolv-conf.sh tun0 1500 1559 172.31.0.6 172.31.0.5 init
dhcp-option DNS 192.168.1.3
dhcp-option DNS 192.168.1.10
dhcp-option DOMAIN <company>.LOCAL
Illegal option -x
Thu Dec 29 13:36:35 2016 /sbin/ip route add <public ip>/32 via <client ip>
Thu Dec 29 13:36:35 2016 /sbin/ip route add 0.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 128.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 172.31.0.0/24 via 172.31.0.5
Thu Dec 29 13:36:35 2016 Initialization Sequence Completed

My clients (Linux boxes) have IP forwarding enabled and their routing tables look like this, connected from the outside:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.0.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         <client ip>     0.0.0.0         UG    0      0        0 eth1
<public ip>  <client ip>     255.255.255.255 UGH   0      0        0 eth1
128.0.0.0       172.31.0.5      128.0.0.0       UG    0      0        0 tun0
<client ip>     0.0.0.0         255.255.255.240 U     1      0        0 eth1
172.31.0.0      172.31.0.5      255.255.255.0   UG    0      0        0 tun0
172.31.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0

I've also tried setting up a static route as suggested here https://community.openvpn.net/openvpn/wiki/BridgingAndRouting but without any luck.

Syncretic
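As an added example (not part of the question or the asker's setup): a longest-prefix-match lookup over the posted client routing table, beside a constructed guess at the VPN server's own table, to show that 192.168.1.3 does leave the client through tun0 and that the "Destination Host Unreachable" reply from 172.31.0.1 points at the next hop, the server's routing. The 203.0.113.x and 198.51.100.7 addresses stand in for the redacted <client ip> and <public ip>; the server-side table and its static route are assumptions built from the diagram and the comments.

```python
import ipaddress

# Client table as posted in the question (`route -n` style); the redacted
# <client ip>/<public ip> are replaced by constructed placeholders:
# client 203.0.113.18/28 (gateway .17), VPN server public IP 198.51.100.7.
CLIENT_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.0.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         203.0.113.17    0.0.0.0         UG    0      0        0 eth1
198.51.100.7    203.0.113.17    255.255.255.255 UGH   0      0        0 eth1
128.0.0.0       172.31.0.5      128.0.0.0       UG    0      0        0 tun0
203.0.113.16    0.0.0.0         255.255.255.240 U     1      0        0 eth1
172.31.0.0      172.31.0.5      255.255.255.0   UG    0      0        0 tun0
172.31.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""

# Constructed guess at the VPN server's table (the question cannot show it):
# LAN 192.168.5.0/24 plus a default via Router A, but no route to
# 192.168.1.0/24 behind Router B (WAN side 192.168.5.2 per the comments).
SERVER_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.31.0.0      172.31.0.2      255.255.255.0   UG    0      0        0 tun0
"""
# The static route the server would need (hypothetical, for comparison).
SERVER_FIX = "192.168.1.0     192.168.5.2     255.255.255.0   UG    0      0        0 eth0\n"

def parse_routes(table):
    """Parse `route -n` output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in table.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], int(f[4]), f[7]))
    return routes

def lookup(table, dst):
    """Longest-prefix match (lower metric breaks ties) -> (iface, gateway, prefix)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, metric, iface in parse_routes(table):
        key = (net.prefixlen, -metric)
        if addr in net and (best is None or key > best[0]):
            best = (key, iface, None if gw == "0.0.0.0" else gw, str(net))
    return None if best is None else best[1:]
```

`lookup(CLIENT_ROUTES, "192.168.1.3")` resolves to tun0 via 172.31.0.5 through the 128.0.0.0/1 half of `redirect-gateway def1`, while `lookup(SERVER_ROUTES, "192.168.1.3")` falls to the default via Router A until the 192.168.1.0/24 route via 192.168.5.2 is present.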
  • What are the IP addresses of the router, and VPN server in the private network space? – Tero Kilkanen Dec 29 '16 at 19:54
  • run `traceroute 192.168.1.x` on client, and print – xl0shk Dec 29 '16 at 14:30
  • This does not provide an answer to the question. Once you have sufficient [reputation](http://serverfault.com/help/whats-reputation) you will be able to [comment on any post](http://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](http://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/low-quality-posts/301674) – kasperd Dec 29 '16 at 15:01
  • traceroute to 192.168.1.3 (192.168.1.3), 30 hops max, 60 byte packets 1 172.31.0.1 (172.31.0.1) 109.040 ms 188.994 ms 219.714 ms 2 * * * 3 * * * .... – Syncretic Dec 30 '16 at 08:58
  • @tero -> router A: 192.168.5.1 (lan) router B: 192.168.5.2 (wan), 192.168.1.1 (lan). VPN server: 192.168.5.96 – Syncretic Dec 31 '16 at 18:50
  • What are the `172.31.0.5` etc. IP addresses in the routing table in the question? – Tero Kilkanen Jan 01 '17 at 07:55
  • 172.31.0.0/24 subnet are virtual IPs from the VPN – Syncretic Jan 01 '17 at 11:54

0 Answers