OpenVPN, can connect, can't ping

[croxis]

After a good couple hours I finally managed to set up a bridged openvpn server and client on hardy server. I can connect from inside and outside my network but I can't ping anyone on the network. From what I have read in various tutorials it seems that it is an issue with firewall or iptables. As far as I know there is no firewall and webmin says there are no iptables set up.

Here are the configs

Server:

Code:

;local 192.168.1.5

daemon
port 1194
proto tcp-server
dev tap0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/dh1024.pem

server-bridge 192.168.100.1 255.255.255.0 192.168.100.2 192.168.100.100
ifconfig-pool-persist openvpn.dhcp
;ifconfig 192.168.100.1 255.255.255.0


keepalive 10 120
comp-lzo

user nobody
group nogroup

persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 4
mute 20

;push "route 192.168.100.0 255.255.255.0"
;push "route 192.168.173.0 255.255.255.0"
;push "redirect-gateway def1"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
client-to-client
max-clients 10

# plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
# client-cert-not-required
# username-as-common-name

Client:

Code:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node OpenVPN

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
;proto udp
proto tcp-client

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote server 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization 

(non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert planata.crt
key planata.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

ifconfig

Code:

br0       Link encap:Ethernet  HWaddr 00:10:dc:6a:df:77
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::210:dcff:fe6a:df77/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109417 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4828350 (4.6 MB)  TX bytes:9575432 (9.1 MB)

eth0      Link encap:Ethernet  HWaddr 00:10:dc:6a:df:77
          inet6 addr: fe80::210:dcff:fe6a:df77/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109946 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5674762 (5.4 MB)  TX bytes:9669542 (9.2 MB)
          Interrupt:16 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:42179 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42179 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2340151 (2.2 MB)  TX bytes:2340151 (2.2 MB)

tap0      Link encap:Ethernet  HWaddr 00:ff:0d:ae:7e:d2
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::2ff:dff:feae:7ed2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:595 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7298 errors:0 dropped:360 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:71374 (69.7 KB)  TX bytes:1396301 (1.3 MB)

Please let me know if more info is needed. Thank you for any help!

[samosamo]

I don't have time to look into your problem right now, maybe later, but may I suggest having Webmin's OpenVPN module take care of this for you? I have configured openvpn and ssl keys many times in the past and when I saw how easy it was with webmin I almost cried tears of joy because of how easy it was.

Good luck...

[samosamo]

I took a quick look, don't see anything wrong. I suggest you look at the client for problems. I know that Vista has a problem with the tap driver in OpenVPN GUI client. You need to use the latest beta for it to work.

[croxis]

it isn't a client issue as both windows xp and linux clients can't ping. As far as I can tell it is a serverside iptables issue, a subject I have never delt with before and I have no idea where to start to even diagnose if that is the problem or not. Thanks for your help though, and I did get the openvpn webmin module as well for future use.

edit: for my first entry into iptables I typed in the following as su, but no change, i still can't ping server and clients:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

[Sef]

Moved per OP request.

[croxis]

*polite bump*

Still having the same issue, still would like help figuring out how I am failing

[croxis]

I figured out the problem, and for the sake of those who find this thread via search with similar problems I will post my solution.

I am an idiot.

I was under the assumption that the tap/bridged interface would make its own virtual network with its own ip range (so my physical network is 192.168.1.x while the virtual network is 192.168.100.x). Most of the walkthoughs and tutorials are for the tun (tunnel) which indicate this, so I assumed it wa the case for tap as well. Nope! I adjusted my router settings so that the router assigns 10.0.0.2-99 for physical and wireless connections and openvpn assigns 10.0.0.100-200 for virtual connections. I chose 10.0.0.0 to prevent any conflicts with the popular 192.168 series. Now it works like a charm!

[kacheng]

croxis,
would you be kind enough to post your final configs?

[igpf]

Hey guys, I'm about to call it on this. But here's the deal.
I've installed samba (active as wins) with openvpn. I was able to connect to the machine from a windows pc and connect no problem. I was able to push the wins info out and everything. I can't ping anything. But i cant connect via remote desktop if i enter the ip address.

when i say ping, i'm refering to ping 'hostname'... the old way.

anyway's i've gone crazy with these forums looking for answers and i get the feeling i'm just missing one little thing...

the server ip subnet is 192.168.0.0 and the vpn is 172.16.x.x and my home is 192.168.1.x...

any new ideas, would be greatly appreciated.
thanks...
-ivan

[kacheng]

igpf,

I just solved my similar problems.
Try this instead of the server directive:

Code:

server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.254

My dhcp server/gateway (my linksys router in this case) is 192.168.1.1, and it gives out addresses from .100 to .150. The above directive uses the dhcp server/gateway instead of openvpn to hand out openvpn client addresses in the .200 to .254 range. I was now able to ping and resolve all clients.
With this directive, using tap interface, I did not have to push any route or gateway or DHCP or WINS information. i used no push directives whatsoever.

Oh, don't forget to include the client-to-client directive to enable openvpn clients to connect to other computers on the subnet.

Code:

client-to-client

Also, the only firewall configuration I had to do was to open up the openvpn port (in my case UDP 443).

Code:

iptables -I INPUT -p udp --dport 443 -j ACCEPT

Hope that helps.