> From: Christoph Haas <email@xxxxx>
> Re: ping only ... cannot route telnet, http, smtp etc ...
> 2006-09-25 05:34
>
> On Monday 25 September 2006 12:29, Ian Macnaughtan wrote:
>> I have one openvpn server in our main office with a number of regional
>> offices connecting as client networks. All are OpenVPN 2.0.7 on CentOS
>> 4.3. I used yum to install. All are behind firewall routers. 4 client
>> networks are connected and working well (1 is a windows xp home
>> roadwarrior client). All machines on the client lans can ping all
>> machines on the server lan. So far so good.
>>
>> However, here is my problem. On 2 of my client networks I cannot access
>> any servers (http, smtp etc) on the server network except from the vpn
>> client itself. However, I can ping. The openvpn client machine can
>> access http etc on the server lan.
>>
>> I have also noticed that the openvpn server can only ping the vpn client
>> machine on either its vpn ip or lan ip. It cannot ping any other machine
>> on the client network. I suspect that these 2 problems are related.
>> However, as far as I can see routing is configured correctly.
>
> Sounds like firewall rules.
>
>> The routers at both ends have a static route configured for the vpn
>> subnet and the respective lan subnet. 'IP Forwarding' is enabled on all
>> machines. No firewalls are enabled.
>
> If ping works but other protocols do not there is some kind of security
> mechanism. Perhaps router ACLs, access restrictions on the client,
> client-side firewall or something like that.
>
>> Note that the lan clients are in a workgroup, not a domain.
>
> Not relevant. We are talking about IPs and TCP ports here.
>
>> The only difference that I can see between working and non-working
>> client networks is the router.
>>
> Again... ACLs?
>
>> I have watched 'tcpdump -i tun0' and I can see the traffic going through
>> the interface. So, I am guessing that it is stopping at the openvpn
>> client machine for some reason. Here is a dump from a client machine
>> (xp) trying to connect to a httpd server using IE ...
>
> Windows XP firewall disabled?
>
> Kindly
> Christoph

Thanks Christoph. I have been away for a while so have not been able to
reply.

All firewalls are disabled. As far as I can tell there are no ACLs on the
routers.

I agree that the absence of a domain controller should be irrelevant.
However, this is common to my lans that have trouble routing. On the
non-working lans the internet router is also the dhcp and dns server for
the lan. On the working lans the windows DCs provide dhcp and dns services
for the lan. I don't really understand why this would cause a problem. I
wondered whether it might be worth adding a Samba domain controller to the
lan? However, I haven't had time to experiment yet. This doesn't really
make sense though because on all networks the static routes are defined on
the internet router and not the domain controller. Therefore, the route
packets follow should be totally independent of any domain controller etc.

The other confusing thing is that traffic appears to reach the vpn
interface on the openvpn but does not go any further. For example, when I
ping from a lan pc I can see traffic going out of the vpn interface and
returning on the vpn interface. However, the lan pc does not see the
return traffic. Yet, I can ping the lan pc from the openvpn pc and vice
versa. Perhaps I am not reading the tcpdump output correctly.

Note that since my original post, I did manage to get one of these lans
working by adding persistent static routes to each individual pc (windows
xp) on the lan. I added a route for the vpn subnet and the vpn server lan
subnet. I can now route all traffic in both directions. This is not the
ideal situation but it seems to work.

Regards
Ian Macnaughtan.
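The point Ian raises about reading the tcpdump output (a reply is visible on tun0 but the LAN PC never sees it) is easiest to settle by capturing on both interfaces of the OpenVPN client host at the same time and diffing the reply flows. The following script is an added example, not code from the thread or from the OpenVPN project. It assumes the client's LAN interface is called eth0, that 192.168.10.0/24 is the client-side LAN and 10.0.0.0/24 the server-side LAN, and the two captures are constructed sample lines in `tcpdump -n` format rather than real output from Ian's network.

```python
import ipaddress
import re

# Constructed sample captures in `tcpdump -n` style from the OpenVPN client host.
# Addresses, ports and timestamps are made up for this example; 192.168.10.0/24
# is assumed to be the client-side LAN and 10.0.0.0/24 the server-side LAN.
TUN0_CAPTURE = """\
12:00:01.000100 IP 192.168.10.20 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:01.020100 IP 10.0.0.5 > 192.168.10.20: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000100 IP 192.168.10.20.1025 > 10.0.0.5.80: Flags [S], seq 1, win 65535, length 0
12:00:02.030100 IP 10.0.0.5.80 > 192.168.10.20.1025: Flags [S.], seq 2, ack 2, win 5840, length 0
"""
# Capture on the LAN interface (assumed eth0) of the same host at the same time:
# the requests arrive from the LAN PC, but neither reply is written back to the LAN.
ETH0_CAPTURE = """\
12:00:01.000000 IP 192.168.10.20 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 IP 192.168.10.20.1025 > 10.0.0.5.80: Flags [S], seq 1, win 65535, length 0
"""

# timestamp, "IP", source, ">", destination, ":", rest of the line
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")


def parse_endpoint(text):
    """Split a tcpdump endpoint such as '10.0.0.5.80' or '10.0.0.5' into (host, port)."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None


def parse_capture(text):
    """Yield (proto, src, dst) for each IPv4 line; src and dst are (host, port) pairs."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 and other non-IPv4 lines are ignored
        info = m.group(3)
        proto = "ICMP" if info.startswith("ICMP") else "UDP" if info.startswith("UDP") else "TCP"
        yield proto, parse_endpoint(m.group(1)), parse_endpoint(m.group(2))


def fmt_endpoint(endpoint):
    host, port = endpoint
    return host if port is None else f"{host}:{port}"


def find_unforwarded_replies(tun_capture, lan_capture, lan_subnet):
    """Return replies seen on the tunnel but never forwarded onto the LAN.

    A packet counts as a reply when its destination host is inside the client
    LAN subnet. A reply flow present in the tunnel capture but absent from the
    LAN capture stopped on the OpenVPN client host itself (forwarding setting,
    routing table or a local filter) rather than on the router or server side.
    """
    net = ipaddress.ip_network(lan_subnet)

    def replies(capture):
        return {
            (proto, src, dst)
            for proto, src, dst in parse_capture(capture)
            if ipaddress.ip_address(dst[0]) in net
        }

    missing = replies(tun_capture) - replies(lan_capture)
    return sorted(f"{proto} {fmt_endpoint(src)} -> {fmt_endpoint(dst)}" for proto, src, dst in missing)


if __name__ == "__main__":
    for flow in find_unforwarded_replies(TUN0_CAPTURE, ETH0_CAPTURE, "192.168.10.0/24"):
        print("reply reached tun0 but not the LAN:", flow)
```

In practice you would run `tcpdump -n -i tun0` and `tcpdump -n -i eth0` side by side on the OpenVPN client while a LAN PC pings or opens a TCP connection, save both outputs, and pass them to `find_unforwarded_replies`. An empty result means the client host is forwarding replies correctly and the problem lies further along the path (for example on the LAN router's return route, which is consistent with Ian's workaround of adding static routes on each PC); a non-empty result points at the client host's own forwarding or filtering.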
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users