Hi all,
I recently set up an OpenVPN site-to-site configuration between two COS 7.2 machines. The connection is up: both 7.2 machines can ping each other via their local LAN IP addresses, and now that the routes are correct both OpenVPN machines can ping other network devices, e.g. side B can ping the printer at side A. However, the ultimate goal is for everything on Side A & B to be able to ping each other. That seems to be the one part of this that I can't quite get figured out just yet.
I'm not sure if this is something obvious and really no information about my setup is necessary, or if a lot of information about my setup is necessary to be able to provide a solution. Nevertheless, please let me know your thoughts and what needs to be done. I feel like it's something simple, but I haven't been able to figure it out just yet.
Thank you!
Responses (9)
Accepted Answer
Still no luck getting Side A & B to completely ping each other. I played around with routes, but I am still only able to ping the other network from my router. I can ping other devices from my router, but I am not able to ping a server at side B with my Surface. The LANs do not overlap: Side A - 192.168.2.x, Side B - 192.168.1.x.
Output of the route command is below. The only thing I can think of is that the routes are wrong somehow, even though they allow me to connect across the tunnel.
```
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default c-73-35-184-1.h 0.0.0.0 UG 0 0 0 eno50336512
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun2
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun2
10.8.10.0 10.8.10.2 255.255.255.0 UG 0 0 0 tun1
10.8.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.8.222.41 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
wan.ip.address 0.0.0.0 255.255.252.0 U 0 0 0 eno50336512
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno33557248
```
Accepted Answer
It could be routes or the firewall, but you have to look at both ends at the same time. I'd love you to start using code tags, and I'd appreciate it if you would do what I requested in my last post in your IPsec thread.
For this issue, please post the configs, routing tables and the output of "iptables -nvL" from both ends, indicating which is which and putting the results between code tags.
Accepted Answer
Hi Nick,
I've never been asked (other than by you) to use code tags before. I had no idea they existed, or even how to use them. So hopefully, as I use them now, they will display correctly for you. I apologize if they don't.
Side A config file
```
dev tun
port 1195
remote fqdn.wan.ip.address 1195
ifconfig 10.8.222.40 10.8.222.41
route 192.168.1.0 255.255.255.0
# netmask is 255.255.255.0; the post had 225.255.255.0, which is not a valid netmask
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret blinkinglights.key
```
Side A routing table
```
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default c-73-35-184-1.h 0.0.0.0 UG 0 0 0 eno50336512
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun2
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun2
10.8.10.0 10.8.10.2 255.255.255.0 UG 0 0 0 tun1
10.8.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.8.222.41 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
wan.ip.address.0 0.0.0.0 255.255.252.0 U 0 0 0 eno50336512
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno33557248
```
Side A iptables -nvL
```
Chain INPUT (policy DROP 9572 packets, 1210K bytes)
pkts bytes target prot opt in out source destination
593 30713 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
69 7008 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP all -- eno50336512 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eno50336512 * 169.254.0.0/16 0.0.0.0/0
401 33541 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
25 2212 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
48496 5775K ACCEPT all -- eno33557248 * 0.0.0.0/0 0.0.0.0/0
1140 33060 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
9 4680 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
14 610 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
326 109K ACCEPT udp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:4500
0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:8443
136 13696 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1195
240K 21M ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:81
9094 1331K ACCEPT udp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
13404 23M ACCEPT tcp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 40 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.191 tcp dpt:9000
7 360 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.9 tcp dpt:81
0 0 ACCEPT udp -- * eno33557248 0.0.0.0/0 192.168.2.9 udp dpt:1194
70 9506 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.157 tcp dpt:8443
9 360 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.9 tcp dpt:80
4730K 4596M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
30964 3006K ACCEPT all -- eno33557248 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
451 36141 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
46 3864 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
16591 5683K ACCEPT all -- * eno33557248 0.0.0.0/0 0.0.0.0/0
5124 541K ACCEPT icmp -- * eno50336512 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eno50336512 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * eno50336512 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
0 0 ACCEPT udp -- * eno50336512 wan.ip.address 0.0.0.0/0 udp spt:4500
0 0 ACCEPT udp -- * eno50336512 wan.ip.address 0.0.0.0/0 udp spt:1194
0 0 ACCEPT tcp -- * eno50336512 wan.ip.address 0.0.0.0/0 tcp spt:8443
12054 1063K ACCEPT udp -- * eno50336512 wan.ip.address 0.0.0.0/0 udp spt:1195
171K 69M ACCEPT tcp -- * eno50336512 wan.ip.address 0.0.0.0/0 tcp spt:81
18046 1146K ACCEPT all -- * eno50336512 0.0.0.0/0 0.0.0.0/0
Chain DROP-lan (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
```
Side B config file
```
dev tun
port 1195
remote fqdn.of.my.wan.ip 1195
ifconfig 10.8.222.41 10.8.222.40
route 192.168.2.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret blinkinglights.key
push "dhcp-option DNS 192.168.1.3"
push "dhcp-option WINS 192.168.1.3"
push "route 192.168.1.0 255.255.255.0"
```
Side B routing table
```
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 71.227.132.1 0.0.0.0 UG 0 0 0 enp64s0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun2
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun2
10.8.10.0 10.8.10.2 255.255.255.0 UG 0 0 0 tun1
10.8.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.8.222.40 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
wan.ip.address.0 0.0.0.0 255.255.252.0 U 0 0 0 enp64s0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp5s9
192.168.2.0 10.8.222.40 255.255.255.0 UG 0 0 0 tun0
```
Side B iptables -nvL
```
Chain INPUT (policy DROP 16 packets, 692 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
3 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
4 168 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP all -- enp64s0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- enp64s0 * 169.254.0.0/16 0.0.0.0/0
36 3448 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
7 588 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
352 30559 ACCEPT all -- enp5s9 * 0.0.0.0/0 0.0.0.0/0
8 232 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
4 1492 ACCEPT udp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
54 4888 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1195
0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:4500
341 26107 ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1194
12 480 ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:81
0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp spt:500 dpt:500
0 0 ACCEPT esp -- * * 0.0.0.0/0 wan.ip.address
0 0 ACCEPT ah -- * * 0.0.0.0/0 wan.ip.address
0 0 ACCEPT all -- * * 0.0.0.0/0 wan.ip.address mark match 0x64
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.3 mark match 0x64
7 609 ACCEPT udp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x64
207K 208M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
320 17215 ACCEPT all -- enp5s9 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36 3448 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
7 588 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
286 29343 ACCEPT all -- * enp5s9 0.0.0.0/0 0.0.0.0/0
8 232 ACCEPT icmp -- * enp64s0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * enp64s0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * enp64s0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
61 8264 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:1195
0 0 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:4500
193 22819 ACCEPT tcp -- * enp64s0 wan.ip.address 0.0.0.0/0 tcp spt:22
0 0 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:1194
12 480 ACCEPT tcp -- * enp64s0 wan.ip.address 0.0.0.0/0 tcp spt:81
0 0 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT esp -- * enp64s0 wan.ip.address 0.0.0.0/0
0 0 ACCEPT ah -- * enp64s0 wan.ip.address 0.0.0.0/0
7 498 ACCEPT all -- * enp64s0 0.0.0.0/0 0.0.0.0/0
Chain DROP-lan (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
```
As I said, I hope all of this turns out properly; if not, I apologize, as this is my first time trying to use code tags as you described. I did not see your latest update in my IPsec post until you mentioned it in your last post. Basically, if either IPsec or OpenVPN works I am happy with one solution or the other; it doesn't matter which.
Thank you for your help, Nick.
Accepted Answer
I hope you now see the effect of your code tags. They all worked well. Compare one of the routing tables you've just posted to what you posted this morning/last night. It also makes firewall listings much easier to read.
Have you seen this doc for configuring OpenVPN to connect networks together? Can you have a look at it, then remove all the push lines from your configs? I'm pretty certain you don't need the additional firewall rules.
Also, in the example config they only have one side configured with a "remote" line, but I am not sure that matters.
Accepted Answer
That is the guide I followed and derived the config files below from. I've since edited the config files again to match the sections "Create the Headquarters Configuration" & "Create the Remote Office Configuration".
The ClearOS 7 router for side A (192.168.2.10) can ping across the tunnel to side B; anything and everything on side B can be reached by the router at side A (192.168.2.10). The same goes for side B's router: it can ping across the tunnel and reach all network devices on Side A.
I'm reading further into that guide and am not sure it talks about what I'm looking to do. The next thing I'm looking for is for a device on side A (i.e. laptop, Surface, desktop) to be able to ping and reach shares on side B, on a server past the router on side B (192.168.2.184 should be able to access shares on 192.168.1.120). I'm not sure the "Appendix: Alternate implicit site to site" configs are what I'm looking for, for the configuration I described above.
Hopefully that all makes sense. Thanks!
Accepted Answer
You should not need the implicit setup. It should work by IP address (but not by name). What happens when you ping from a LAN device to the remote LAN gateway and to a remote LAN device? If the remote LAN device you are pinging is a Windoze box, can you make sure its firewall is set to respond to pings from outside its own LAN subnet?
Accepted Answer
When pinging from a LAN device on Side A (Windoze Surface using cmd, 192.168.2.184) behind the gateway 192.168.2.10 (which can ping both of the remote devices tested below), these are the results.
```
ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ping 192.168.1.181
Pinging 192.168.1.181 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.181:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```
Device 192.168.1.3 on the remote side (side B) is their ClearOS machine hosting the configuration that connects to side A. 192.168.1.181 is a tablet behind side B's ClearOS router (192.168.1.3).
The above ping results are the same from a LAN device on Side B's network pinging 192.168.2.10 (Side A's gateway/OpenVPN server) and 192.168.2.184 (Windoze Surface with its firewall set to respond to pings from outside its own LAN subnet).
Accepted Answer
Is this problem fixed? I was dealing with the same problem last week. You have to enter a new entry on both sides for MASQUERADE.
```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno33557248 -j MASQUERADE
```
I used the Custom Firewall app from the Marketplace to be able to easily add rules to my iptables.
Also, you have to make sure that both sides have packet forwarding enabled. You can check with this command: cat /proc/sys/net/ipv4/ip_forward. It will return 0 or 1.
If it's currently 0, you have to add these lines to /etc/sysctl.conf and reboot:
```
# Packet forwarding
net.ipv4.ip_forward = 1
# net.inet.ip.fastforwarding is a FreeBSD sysctl; it does not exist on a Linux
# (ClearOS/CentOS) kernel and sysctl will only warn about it, so it is left out:
# net.inet.ip.fastforwarding = 1
```
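The two checks that keep coming up in this thread, "look at routes and firewall at both ends at the same time" and "make sure ip_forward is 1", can be done mechanically. The script below is an added example, not code from the thread, from ClearOS or from OpenVPN: it parses a `route -n`-style table and the FORWARD chain of `iptables -nvL` as posted above and reports, for a fresh ICMP echo from a LAN host, which interface the packet arrives on, which interface and gateway it leaves by, and which FORWARD rule (or the chain policy) decides its fate. The embedded tables are the Side A and Side B dumps from the thread, abridged to the lines that matter for the two LANs; the 198.51.100.7 source in the last check is a made-up WAN host. Only interface, protocol, source and destination matches are modelled; conntrack state, fwmark and port qualifiers cannot match a new echo request and are treated as "no match", and the nat table is not consulted at all, so a MASQUERADE rule is neither required by nor visible to this check.

```python
"""Added example: static path check for a routed OpenVPN site-to-site link.
Parses a `route -n` table and the FORWARD chain of `iptables -nvL` and asks, for a
fresh ICMP echo from SRC to DST: which interfaces does the kernel pick, and which
FORWARD rule fires? The nat table is not consulted."""
import ipaddress

# Sample input: the Side A / Side B tables posted above, abridged to the lines that
# matter for the two LANs (the poster's redacted hostnames are skipped by the parser).
SIDE_A_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default c-73-35-184-1.h 0.0.0.0 UG 0 0 0 eno50336512
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno33557248
"""
SIDE_A_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 40 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.191 tcp dpt:9000
4730K 4596M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
30964 3006K ACCEPT all -- eno33557248 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
"""
SIDE_B_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 71.227.132.1 0.0.0.0 UG 0 0 0 enp64s0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp5s9
192.168.2.0 10.8.222.40 255.255.255.0 UG 0 0 0 tun0
"""
SIDE_B_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x64
207K 208M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
320 17215 ACCEPT all -- enp5s9 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
"""

def parse_routes(text):
    """(network, gateway-or-None, iface) per line; unparsable destinations are skipped."""
    routes = []
    for line in text.splitlines()[2:]:                    # skip the two header lines
        dest, gw, mask, flags, _m, _r, _u, iface = line.split()
        try:
            net = ipaddress.ip_network(("0.0.0.0" if dest == "default" else dest) + "/" + mask, strict=False)
        except ValueError:
            continue
        routes.append((net, gw if "G" in flags else None, iface))
    return routes

def lookup(routes, ip):
    """Longest-prefix match; every metric in the posted tables is 0."""
    hits = [r for r in routes if ipaddress.ip_address(ip) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def parse_chain(text):
    """Return (policy, rules) for the single chain in `text`."""
    policy, rules = None, []
    for line in text.splitlines():
        p = line.split()
        if p[:1] == ["Chain"]:
            policy = p[3]
        elif len(p) >= 9 and p[4] == "--":                # a rule line, not the header
            rules.append((p[2], p[3], p[5], p[6], p[7], p[8], " ".join(p[9:])))
    return policy, rules

def iface_match(pattern, iface):
    """iptables syntax: '*' is any interface, a trailing '+' is a prefix wildcard."""
    return pattern == "*" or (pattern.endswith("+") and iface.startswith(pattern[:-1])) or pattern == iface

def forward_verdict(policy, rules, in_if, out_if, src, dst, proto="icmp"):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for target, prot, rin, rout, rsrc, rdst, extra in rules:
        if prot not in ("all", proto) or not (iface_match(rin, in_if) and iface_match(rout, out_if)):
            continue
        if src not in ipaddress.ip_network(rsrc) or dst not in ipaddress.ip_network(rdst):
            continue
        if any(q in extra for q in ("state ", "mark ", "dpt:", "spt:")):   # cannot match a new echo
            continue
        return target, " ".join((target, prot, "--", rin, rout, rsrc, rdst, extra)).strip()
    return policy, "chain policy " + policy

def check_path(route_text, chain_text, src, dst, ip_forward=1, proto="icmp"):
    """Route a packet on one router and run it through that router's FORWARD chain."""
    if ip_forward != 1:                                   # value of /proc/sys/net/ipv4/ip_forward
        return {"ok": False, "rule": "net.ipv4.ip_forward is 0: nothing is forwarded"}
    routes = parse_routes(route_text)
    r_in, r_out = lookup(routes, src), lookup(routes, dst)  # ingress = reverse-path lookup of src
    if r_in is None or r_out is None:
        return {"ok": False, "rule": "no route"}
    policy, rules = parse_chain(chain_text)
    verdict, rule = forward_verdict(policy, rules, r_in[2], r_out[2], src, dst, proto)
    return {"ok": verdict == "ACCEPT", "in": r_in[2], "out": r_out[2], "via": r_out[1], "rule": rule}

if __name__ == "__main__":
    print(check_path(SIDE_A_ROUTES, SIDE_A_FORWARD, "192.168.2.184", "192.168.1.3"))
    print(check_path(SIDE_B_ROUTES, SIDE_B_FORWARD, "192.168.1.181", "192.168.2.184"))
    print(check_path(SIDE_B_ROUTES, SIDE_B_FORWARD, "198.51.100.7", "192.168.1.181"))  # made-up WAN host
```

Run against the posted tables, both LAN-to-LAN directions resolve to tun0 and hit an unconditional ACCEPT in FORWARD, while a packet arriving from the WAN falls through to the DROP policy, which is what a default-deny router should do. When this check passes on both routers and ip_forward is 1 on both, yet the end hosts still cannot ping, the remaining suspects are outside these two boxes: the LAN host's default gateway (it has to be the ClearOS box, or the host needs a static route for the remote subnet pointing at it) and the host firewall on the target. Feed the script your own `route -n` and `iptables -nvL` output, or extend it with the INPUT chain for pings aimed at the router itself.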