[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Can ping across to LAN, but no http, mail, etc.

  • Subject: Re: [Openvpn-users] Can ping across to LAN, but no http, mail, etc.
  • From: Jefferson Wagener <jefferson@xxxxxxxxxxx>
  • Date: Sat, 1 Jan 2005 11:19:56 -0500

Running openvpn2.0rc1

Have a link up in server-client ala the sample files.

Can ping both the remote gateway (e.g. and other machines
on the remote lan (e.g. from the client (e.g.
Can resolve DNS from remote gateway.
Can see the webserver on the gateway (e.g.

Can't see the webserver on other machines (e.g., even tho'
ping works.

I don't have ethernet bridging on, but didn't think I needed it for
I have run both udp and tcp connections
The gateway is running iptables with outbound permissive

Suggestions? This is probably something simple...

Can't reach via IP address or name?

Traceroute tp the IP then to the name if you are trying this.

Can you telnet to the port and get a response?

Leonard Isham, CISSP
Ostendo non ostento.

Right. Let me try an give some more detailed info here:

Client (NATed to, OpenVPN Assigns LAN IP of
Router/Home Gateway (Dynamic IP)
Methuselah (my.real.ip.addr on eth0, on eth1, OpenVPN assigns
Prometheus (

Access web server on prometheus from client

Can ping prometheus, but no http.

Output snippets, with OpenVPN up:
client> ifconfig
tap0: flags=843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500
        inet netmask 0xffffff00 broadcast
        ether 74:61:70:00:00:00
        open (pid 602)

methuselah> ifconfig
tap0      Link encap:Ethernet  HWaddr 00:FF:87:00:90:BE
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::2ff:87ff:fe00:90be/64 Scope:Link
          RX packets:6936 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4428 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:539684 (527.0 KiB)  TX bytes:812674 (793.6 KiB)

client> ping #ping the OpenVPN interface of the server
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=98.543 ms

client> ping #ping the eth1 interface of the server, on LAN
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=45.978 ms

client> ping #ping prometheus, on LAN
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=63 time=59.167 ms

client> traceroute #trace to the eth1 of methuselah, the OpenVPN server
traceroute to (, 30 hops max, 40 byte packets
1 methuselah.mydomain.com ( 42.677 ms 49.906 ms 136.441 ms

client> traceroute #trace to prometheus
traceroute to (, 30 hops max, 40 byte packets
 1 (  88.071 ms  42.745 ms  64.88 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  *^C

methuselah> traceroute #trace back to client from server
traceroute to (, 30 hops max, 38 byte packets
 1 (  156.715 ms  134.620 ms  31.698 ms

methuselah> traceroute #trace to prometheus from methuselah
traceroute to (, 30 hops max, 38 byte packets
 1  prometheus.mydomain.com (  0.767 ms  0.659 ms  0.480 ms

client> netstat -rt #the routes on the client, which look fine...
Destination Gateway Flags Refs Use Netif Expire
default UGSc 20 1 en1
10.0.1/24 link#5 UCS 2 0 en1 0:3:93:e2:68:9e UHLW 19 4954 en1 1079 localhost UHS 0 1 lo0 link#5 UHLWb 1 6 en1
127 localhost UCS 0 0 lo0
localhost localhost UH 50 125721 lo0
169.254 link#5 UCS 0 0 en1
172.16.1/24 UGSc 2 8 tap0
172.16.2/24 link#7 UC 3 0 tap0 0:ff:87:0:90:be UHLW 2 3 tap0 1006 link#7 UHLWb 1 8 tap0

methuselah> netstat -rt #the routes on the server, these also look fine to me...
Destination Gateway Genmask Flags MSS Window irtt Iface
my.real.ip.0 * U 0 0 0 eth0 * U 0 0 0 tap0 * U 0 0 0 eth1 * U 0 0 0 eth1
default my.real.ip.gateway UG 0 0 0 eth0

methuselah> iptables-save #I've only put a couple lines of iptables here, not all...
#OpenVPN stuff
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o tap+ -j ACCEPT
#We are NATing (are THESE lines the issue?, are we somehow remapping ports, from tap0?)
-A FORWARD -d -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d -p udp -m udp --dport 1023:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

The web server running on methuselah (gateway & VPN server, can be seen by the client.
The web server running on can not be seen by the client.

OK, hopefully that was a lot more detailed info, and we can shed some light on this now...
Happy new year!

The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
Openvpn-users mailing list