Discussion:
[Openvpn-users] PING works, TCP/UDP doesn't, please help
Bald0z
2007-03-28 14:23:56 UTC
Hi, I have OpenVPN configured on a Linux server and on a Windows client.

The Linux server has this configuration:
eth0 WAN public_ip/24
eth1 LAN 192.168.0.60/24
tun0 VPN 172.16.0.1/24

The client has this configuration:
eth0 WAN public_ip/24
tun0 VPN 172.16.0.10/30

The LAN network on the server is routed on the client with a PUSH route command in the server.conf .
On the LAN gateway (192.169.0.254) there's a static route for 172.16.0.0/24 network to 192.168.0.60 gateway (the VPN server).

So, the problem is:
PING 192.168.0.1 from the client WORKS (notice that .1 is another machine on the LAN than the actual VPN server which is .60)
any other kind of connection doesn't work.

I've run properly edited ./firewall.sh on the server so iptables should be setup. I've enabled IP_FORWARDING on the server.

Notice tcpdump output:
linux:/openvpn # tcpdump -i tun0
tcpdump: listening on tun0
16:10:54.281974 172.16.0.10 > 192.168.0.1: icmp: echo request
16:10:54.698735 192.168.0.1 > 172.16.0.10: icmp: echo reply
16:11:16.438531 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
16:11:19.469585 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
16:11:25.485613 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)

The first two lines log a successful PING from the VPN client to a machine in the server's LAN.
The last three lines log retries of a TCP connection for Windows Remote Desktop. That's just an example. Also NetBIOS shares aren't working, and much other stuff.

On the LAN gateway, a message like this is present on the log every time a TCP connection is tried:
rule="internal policy" src=192.168.0.1 dst=172.16.0.10 proto=1826/tcp sport=3389 dport=1826 indev=0 inport=0(PRIVATE) rc=104 msg="TCP SYN checking: connection not established yet [-A--S-], firewall drop"

What I can't understand is why ICMP traffic works (so IP is okay, and routing should be okay too) but TCP isn't. It looks like a firewall issue, but the firewall is disabled on the TAP interface on the XP client and the iptables firewall on Linux is configured properly (I suppose; suggestions might help).

Thanks a lot for helping,
I'm really lost, already tried to reinstall and reconfigure OpenVPN from scratch on two different servers, and there's always the same problem.
Bill Ries-Knight
2007-03-28 15:04:23 UTC
A very short answer for the below: Firewall rules deserve a look.

Just drop the firewall and see what happens.
Post by Bald0z
The first two lines log a successful PING from the VPN client to a machine
in the server's LAN.
The last three lines log retries of a TCP connection for Windows Remote
Desktop. That's just an example. Also NetBIOS shares aren't working, and
much other stuff.
And this is intentional top posting.

Bill
Post by Bald0z
Hi, I have OpenVPN configured on a Linux server and on a Windows client.
eth0 WAN public_ip/24
eth1 LAN 192.168.0.60/24
tun0 VPN 172.16.0.1/24
eth0 WAN public_ip/24
tun0 VPN 172.16.0.10/30
The LAN network on the server is routed on the client with a PUSH route
command in the server.conf .
On the LAN gateway (192.169.0.254) there's a static route for 172.16.0.0/24
network to 192.168.0.60 gateway (the VPN server).
PING 192.168.0.1 from the client WORKS (notice that .1 is another machine on
the LAN than the actual VPN server which is .60)
any other kind of connection doesn't work.
I've run properly edited ./firewall.sh on the server so iptables should be
setup. I've enabled IP_FORWARDING on the server.
linux:/openvpn # tcpdump -i tun0
tcpdump: listening on tun0
16:10:54.281974 172.16.0.10 > 192.168.0.1: icmp: echo request
16:10:54.698735 192.168.0.1 > 172.16.0.10: icmp: echo reply
16:11:16.438531 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
16:11:19.469585 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
16:11:25.485613 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
The first two lines log a successful PING from the VPN client to a machine
in the server's LAN.
The last three lines log retries of a TCP connection for Windows Remote
Desktop. That's just an example. Also NetBIOS shares aren't working, and
much other stuff.
On the LAN gateway, a message like this is present on the log every time a
TCP connection is tried:
rule="internal policy" src=192.168.0.1 dst=172.16.0.10 proto=1826/tcp sport=3389 dport=1826 indev=0 inport=0(PRIVATE) rc=104 msg="TCP SYN checking: connection not established yet [-A--S-], firewall drop"
What I can't understand is why ICMP traffic works (so IP is okay, and
routing should be okay too) but TCP isn't. It looks like a firewall issue,
but the firewall is disabled on the TAP interface on the XP client and the
iptables firewall on Linux is configured properly (I suppose; suggestions
might help).
Thanks a lot for helping,
I'm really lost, already tried to reinstall and reconfigure OpenVPN from
scratch on two different servers, and there's always the same problem.
--
Bill Ries-Knight
Stockton, CA

Respect the process, Vote.
Bald0z
2007-03-28 23:57:44 UTC
Post by Bill Ries-Knight
A very short answer for the below: Firewall rules deserve a look.
Just drop the firewall and see what happens.
I have been looking very deeply in the firewall and nothing is getting
blocked.
There are explicit allow rules for both:
source lan address -> any
source vpn address -> any

Though what I can't quite understand is this line in the WatchGuard log:
Post by Bill Ries-Knight
Post by Bald0z
rule="internal policy" src=192.168.0.1 dst=172.16.0.10 proto=1826/tcp sport=3389 dport=1826 indev=0 inport=0(PRIVATE) rc=104 msg="TCP SYN checking: connection not established yet [-A--S-], firewall drop"
That "firewall drop" looks more like the firewall being unable to route a packet
than rejecting it ...
That "internal policy" is not listed in my rules list.

What else could it be? Any options?
Maybe some static routes on the linux vpn server that are missing?
Currently it is like this:

linux:/openvpn # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.2 * 255.255.255.255 UH 0 0 0 tun0
172.16.0.0 172.16.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
83.136.248.0 * 255.255.255.0 U 0 0 0 eth0
default 83.136.248.1 0.0.0.0 UG 0 0 0 eth0

The first two lines are added by "openvpn" when launched.

I also need to do this for PING to work ...
echo 1 > /proc/sys/net/ipv4/ip_forward

Maybe there's something else to enable for full TCP/IP forwarding?
Post by Bill Ries-Knight
And this is intentional top posting.
Bill
Me too ;)

Marco
Post by Bill Ries-Knight
Post by Bald0z
Hi, I have OpenVPN configured on a Linux server and on a Windows client.
eth0 WAN public_ip/24
eth1 LAN 192.168.0.60/24
tun0 VPN 172.16.0.1/24
eth0 WAN public_ip/24
tun0 VPN 172.16.0.10/30
The LAN network on the server is routed on the client with a PUSH route
command in the server.conf .
On the LAN gateway (192.169.0.254) there's a static route for 172.16.0.0/24
network to 192.168.0.60 gateway (the VPN server).
PING 192.168.0.1 from the client WORKS (notice that .1 is another machine on
the LAN than the actual VPN server which is .60)
any other kind of connection doesn't work.
I've run properly edited ./firewall.sh on the server so iptables should be
setup. I've enabled IP_FORWARDING on the server.
linux:/openvpn # tcpdump -i tun0
tcpdump: listening on tun0
16:10:54.281974 172.16.0.10 > 192.168.0.1: icmp: echo request
16:10:54.698735 192.168.0.1 > 172.16.0.10: icmp: echo reply
16:11:16.438531 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
16:11:19.469585 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
16:11:25.485613 172.16.0.10.4246 > 192.168.0.1.ms-wbt-server: S 3687217830:3687217830(0) win 65535 <mss 1350,nop,wscale 3,nop,nop,sackOK> (DF)
The first two lines log a successful PING from the VPN client to a machine
in the server's LAN.
The last three lines log retries of a TCP connection for Windows Remote
Desktop. That's just an example. Also NetBIOS shares aren't working, and
much other stuff.
On the LAN gateway, a message like this is present on the log every time a
TCP connection is tried:
rule="internal policy" src=192.168.0.1 dst=172.16.0.10 proto=1826/tcp sport=3389 dport=1826 indev=0 inport=0(PRIVATE) rc=104 msg="TCP SYN checking: connection not established yet [-A--S-], firewall drop"
What I can't understand is why ICMP traffic works (so IP is okay, and
routing should be okay too) but TCP isn't. It looks like a firewall issue,
but the firewall is disabled on the TAP interface on the XP client and the
iptables firewall on Linux is configured properly (I suppose; suggestions
might help).
Thanks a lot for helping,
I'm really lost, already tried to reinstall and reconfigure OpenVPN from
scratch on two different servers, and there's always the same problem.
--
Bill Ries-Knight
Stockton, CA
Respect the process, Vote.
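The gateway message quoted in this thread records the LAN firewall seeing a SYN-ACK (flags [-A--S-]) from 192.168.0.1 back to the VPN client for a connection whose SYN it had not seen. The following is an added example, not code from the thread or from OpenVPN: it parses that log line and models a stateful SYN check, showing the same SYN-ACK is accepted only when the client's SYN also crossed the checker. The key=value field layout and the reading of the bracketed letters as the set TCP flags are assumptions about the WatchGuard format.

```python
import re

# Constructed sample input: the gateway log line quoted in the thread.
GATEWAY_LOG = (
    'rule="internal policy" src=192.168.0.1 dst=172.16.0.10 proto=1826/tcp '
    'sport=3389 dport=1826 indev=0 inport=0(PRIVATE) rc=104 '
    'msg="TCP SYN checking: connection not established yet [-A--S-], firewall drop"'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_gateway_log(line):
    """Split key=value pairs (assumed format); letters inside [...] in the
    message are taken as the set TCP flags, so "[-A--S-]" becomes {"A", "S"}."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r"\[([-A-Z]+)\]", fields.get("msg", ""))
    fields["flags"] = set(m.group(1).replace("-", "")) if m else set()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields

class SynChecker:
    """Minimal stateful SYN check: a SYN-ACK passes only if the SYN for the
    same connection was seen earlier, travelling in the opposite direction."""
    def __init__(self):
        self.pending = set()

    def observe(self, src, sport, dst, dport, flags):
        key = (src, sport, dst, dport)
        if flags == {"S"}:
            self.pending.add(key)
            return "accept"
        if flags == {"S", "A"}:
            return "accept" if (dst, dport, src, sport) in self.pending else "drop"
        return "accept"

def gateway_verdict(log_line, saw_syn):
    """Verdict for the logged SYN-ACK: saw_syn=False means the client's SYN
    reached 192.168.0.1 without passing this checker; True means it did."""
    f = parse_gateway_log(log_line)
    gw = SynChecker()
    if saw_syn:
        gw.observe(f["dst"], f["dport"], f["src"], f["sport"], {"S"})
    return gw.observe(f["src"], f["sport"], f["dst"], f["dport"], f["flags"])

if __name__ == "__main__":
    f = parse_gateway_log(GATEWAY_LOG)
    print(f["src"], f["sport"], "->", f["dst"], f["dport"], sorted(f["flags"]))
    print("SYN bypassed checker:", gateway_verdict(GATEWAY_LOG, saw_syn=False))
    print("SYN crossed checker: ", gateway_verdict(GATEWAY_LOG, saw_syn=True))
```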
Giampaolo Carmagnani
2007-03-28 23:12:42 UTC
Post by Bald0z
Hi, I have OpenVPN configured on a Linux server and on a Windows client.
eth0 WAN public_ip/24
eth1 LAN 192.168.0.60/24
tun0 VPN 172.16.0.1/24
eth0 WAN public_ip/24
tun0 VPN 172.16.0.10/30
The tunnels' subnets don't match:
the network range for 172.16.0.10/30 is from 172.16.0.8 to
172.16.0.11, so the server's IP is outside that network.

Regards

Giampaolo Carmagnani


(...)
Bald0z
2007-03-29 00:07:28 UTC
Post by Giampaolo Carmagnani
Post by Bald0z
eth0 WAN public_ip/24
eth1 LAN 192.168.0.60/24
tun0 VPN 172.16.0.1/24
eth0 WAN public_ip/24
tun0 VPN 172.16.0.10/30
The tunnels' subnets don't match:
the network range for 172.16.0.10/30 is from 172.16.0.8 to
172.16.0.11, so the server's IP is outside that network.
First of all thanks for the answer.

I think what you describe is "by design" in OpenVPN: the IPs are assigned by the
DHCP server built into the OpenVPN server, and I can reach 172.16.0.1 from the
clients.
Every client has the following in its route list to make all that stuff
work (all of it added automatically by OpenVPN):

C:\Documents and Settings\Marco>route PRINT
Indirizzo rete Mask Gateway Interfac. Metric
172.16.0.0 255.255.255.0 172.16.0.9 172.16.0.10 1
172.16.0.8 255.255.255.252 172.16.0.10 172.16.0.10 30
172.16.0.10 255.255.255.255 127.0.0.1 127.0.0.1 30
172.16.255.255 255.255.255.255 172.16.0.10 172.16.0.10 30
192.168.0.0 255.255.255.0 172.16.0.9 172.16.0.10 1

After what you said, though, I made a few tests like:
ping 172.16.0.9 <--- no reply
ping 172.16.0.1 <--- 5ms

Again, I think it's by design, and shouldn't break anything. Quite
interesting to set up, though :)

Please keep it up,
thanks again !
Post by Giampaolo Carmagnani
Regards
Giampaolo Carmagnani
Ciao !!! ;-)

Marco
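As an added example (not code from the thread or from OpenVPN), the following computes the /30 pairs this layout produces from the server's 172.16.0.0/24 pool and reproduces the client's route lookups: 172.16.0.1 lies outside the client's 172.16.0.8/30, as Giampaolo notes, yet it is reached through the /24 route via 172.16.0.9. The slot layout (server pair .1/.2 first, then one /30 per client with the client on the higher address) is inferred from the route tables posted above, not taken from OpenVPN's code.

```python
import ipaddress

# From the post: server tun0 is 172.16.0.1/24, and server.conf pushes the LAN route.
POOL = ipaddress.ip_network("172.16.0.0/24")
LAN = ipaddress.ip_network("192.168.0.0/24")

def net30_endpoints(slot):
    """Carve POOL into /30 blocks. Assumed layout (inferred from the thread's
    route tables): slot 0 is the server's own .1/.2 pair; each later slot is
    one client, which takes the higher host address while the server-side
    peer keeps the lower one. Returns (block, client, peer) as strings."""
    block = list(POOL.subnets(new_prefix=30))[slot]
    peer, client = block.hosts()          # a /30 has exactly two usable hosts
    return str(block), str(client), str(peer)

def client_routes(slot):
    """Routes the client ends up with in this layout, mirroring the Windows
    'route PRINT' in the post: the /24 and the LAN via the peer, the /30 on-link."""
    block, _, peer = net30_endpoints(slot)
    gw = ipaddress.ip_address(peer)
    return [(POOL, gw), (ipaddress.ip_network(block), None), (LAN, gw)]

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None means on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    return "on-link" if gw is None else str(gw)

def server_in_client_block(slot):
    """Giampaolo's point: the server's .1 is not inside the client's /30."""
    block, _, _ = net30_endpoints(slot)
    return POOL[1] in ipaddress.ip_network(block)

if __name__ == "__main__":
    block, client, peer = net30_endpoints(2)   # the thread's client, 172.16.0.10
    print(block, client, peer, "server in block:", server_in_client_block(2))
    for dst in ("172.16.0.1", "172.16.0.9", "192.168.0.1"):
        print(dst, "->", next_hop(client_routes(2), dst))
```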
Giampaolo Carmagnani
2007-03-29 01:21:35 UTC
Post by Bald0z
Post by Giampaolo Carmagnani
Post by Bald0z
eth0 WAN public_ip/24
eth1 LAN 192.168.0.60/24
tun0 VPN 172.16.0.1/24
eth0 WAN public_ip/24
tun0 VPN 172.16.0.10/30
The tunnels' subnets don't match:
the network range for 172.16.0.10/30 is from 172.16.0.8 to
172.16.0.11, so the server's IP is outside that network.
First of all thanks for the answer.
I think what you describe is "by design" in OpenVPN: the IPs are assigned by the
DHCP server built into the OpenVPN server, and I can reach 172.16.0.1 from the
clients.
Every client has the following in its route list to make all that stuff
work (all of it added automatically by OpenVPN):
C:\Documents and Settings\Marco>route PRINT
Indirizzo rete Mask Gateway Interfac. Metric
172.16.0.0 255.255.255.0 172.16.0.9 172.16.0.10 1
172.16.0.8 255.255.255.252 172.16.0.10 172.16.0.10 30
172.16.0.10 255.255.255.255 127.0.0.1 127.0.0.1 30
172.16.255.255 255.255.255.255 172.16.0.10 172.16.0.10 30
192.168.0.0 255.255.255.0 172.16.0.9 172.16.0.10 1
What is the route table on the LAN gateway?
Post by Bald0z
Post by Giampaolo Carmagnani
rule="internal policy" src=192.168.0.1 dst=172.16.0.10 proto=1826/tcp sport=3389 dport=1826 indev=0 inport=0(PRIVATE) rc=104 msg="TCP SYN checking: connection not established yet [-A--S-], firewall drop"
That "firewall drop" looks more like the firewall being unable to route a packet
than rejecting it ...
That "internal policy" is not listed in my rules list.

Check anything like this:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

or do:

echo 0 > /proc/sys/net/ipv4/tcp_syncookies

at the command prompt.
As the name says, it affects only TCP packets.

If it works, the next step is to see why these packets were dropped.
Post by Bald0z
ping 172.16.0.9 <--- no reply
ping 172.16.0.1 <--- 5ms
Again, I think it's by design, and shouldn't break anything. Quite
interesting to set up, though :)
I understood this 'by design' but don't agree with it :-)


Good luck,

Ciao!!


Giampaolo Carmagnani
