[Openvpn-users] can ping one way but not the other?


  • Subject: [Openvpn-users] can ping one way but not the other?
  • From: "Andrew Hall" <andyjohnhall@xxxxxxxxx>
  • Date: Tue, 22 May 2007 17:57:58 +0100

Hi.

I have set up a site-to-site OpenVPN connection that is behaving in a
very strange way. I cannot work out what is wrong and would like some
help please!

One of the networks has an OpenVPN server connecting as a client to an
OpenVPN server at the other network.

I have done this following the instructions here...

http://openvpn.net/howto.html#scope

...so I am including multiple machines on the client side and the server side.

Here's the odd bit.

I can ping from machines on the client side LAN to machines on the
server side LAN, but I cannot ping from machines on the server side
LAN to machines on the client side LAN.

I actually thought this was impossible, but no - it's true.

And to make it even stranger, I can ping from machines on the server
side LAN all the way to the IP address of the client side OpenVPN
server, but it will not travel any further.

Please let me explain this with an example.

The client LAN machine is 172.18.140.48
The client LAN VPN server is 172.18.140.200

The server LAN VPN server is 172.17.140.115
The server LAN machine is 172.17.140.61

Both networks have a mask of 255.255.252.0

Here is a traceroute from the client side to the server side. Please
note that packets hit the gateways first, which then direct them to
the OpenVPN servers.

traceroute 172.17.140.61
traceroute to 172.17.140.61 (172.17.140.61), 30 hops max, 40 byte packets
 1  172.18.140.100 (172.18.140.100)  4.780 ms  4.838 ms  4.974 ms
 2  172.18.140.200 (172.18.140.200)  1.294 ms  1.307 ms  1.458 ms
 3  10.8.0.1 (10.8.0.1)  59.252 ms  59.338 ms  60.567 ms
 4  172.17.140.61 (172.17.140.61)  60.662 ms  62.088 ms  62.173 ms

As you can see, this is fine.

But here's a traceroute going the other way, from the server side to
the client side...

traceroute 172.18.140.48
traceroute to 172.18.140.48 (172.18.140.48), 30 hops max, 38 byte packets
 1  fw1 (172.17.140.98)  0.243 ms  0.237 ms  0.253 ms
 2  openvpn (172.17.140.115)  0.362 ms  0.305 ms  0.293 ms
 3  10.8.0.86 (10.8.0.86)  48.636 ms  57.712 ms  55.865 ms
 4  * * *

As you can see, it gets as far as the client side TUN interface, but
won't route any further.

However, I can trace a route to the client side VPN server ethernet interface...

traceroute 172.18.140.200
traceroute to 172.18.140.200 (172.18.140.200), 30 hops max, 38 byte packets
 1  fw1 (172.17.140.98)  0.214 ms  0.274 ms  0.284 ms
 2  openvpn (172.17.140.115)  0.310 ms  0.345 ms  0.281 ms
 3  172.18.140.200 (172.18.140.200)  47.390 ms  49.065 ms  52.224 ms

The initial question would be "well, do you have a route from your
client side VPN server interface to your client side machines", but
yes, I do...

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.18.140.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0

traceroute 172.18.140.48
traceroute to 172.18.140.48 (172.18.140.48), 30 hops max, 38 byte packets
 1  172.18.140.48 (172.18.140.48)  0.280 ms  1.477 ms  0.230 ms

The problem by the way is that I cannot access any services on the
server side LAN from the client side LAN - all I can do is ping them!
Even simple telnet connections are failing.

Can anyone explain what the problem might be?

Please note that I have enabled ip forwarding on both VPN servers.
This can be confirmed if I cat /proc/sys/net/ipv4/ip_forward (the
value is 1).
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
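The traceroutes above only show where a packet stops, not whether the reply has a way back, and a one-way ping result like this one usually means one of the two directions has no route at some hop. The following is an added example (not the poster's configuration or OpenVPN's own code) that walks both directions of the 172.18.140.48 <-> 172.17.140.61 path hop by hop with longest-prefix matching; only the single route the post shows (172.18.140.0/22 on eth0 of the client-side VPN server) is taken from the mail, and every other route table is a constructed assumption.

```python
import ipaddress

# Constructed topology for the site-to-site setup in the post. Only one route is from
# the mail (172.18.140.0/22 on eth0 of the client-side VPN server); every other table
# here is an assumption to illustrate the check, not the poster's real configuration.
# Node -> (its addresses, [(prefix, next hop)]); next hop None = directly attached.
NODES = {
    "srv-host": ({"172.17.140.61"},
                 [("172.17.140.0/22", None), ("0.0.0.0/0", "172.17.140.98")]),
    "fw1":      ({"172.17.140.98"},
                 [("172.17.140.0/22", None), ("172.18.140.0/22", "172.17.140.115")]),
    "srv-vpn":  ({"172.17.140.115", "10.8.0.1"},
                 [("172.17.140.0/22", None), ("10.8.0.0/24", None),
                  ("172.18.140.0/22", "10.8.0.86")]),
    "cli-vpn":  ({"172.18.140.200", "10.8.0.86"},
                 [("172.18.140.0/22", None), ("10.8.0.0/24", None),
                  ("172.17.140.0/22", "10.8.0.1")]),
    "cli-gw":   ({"172.18.140.100"},
                 [("172.18.140.0/22", None), ("172.17.140.0/22", "172.18.140.200")]),
    "cli-host": ({"172.18.140.48"},
                 [("172.18.140.0/22", None), ("0.0.0.0/0", "172.18.140.100")]),
}

def owner(nodes, addr):
    """Name of the node holding this address, or None if nobody does."""
    return next((n for n, (addrs, _) in nodes.items() if addr in addrs), None)

def next_hop(nodes, node, dst):
    """Longest-prefix match in the node's table. Returns the next-hop address,
    dst itself for a directly attached prefix, or None when no route matches."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in nodes[node][1]
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, nh = max(matches, key=lambda m: m[0].prefixlen)
    return dst if nh is None else nh

def trace(nodes, src, dst, max_hops=16):
    """Walk src -> dst one routing decision at a time, like traceroute does.
    Returns (path, ok); when ok is False the path ends at the node that dropped it."""
    node, path = owner(nodes, src), []
    while node is not None and len(path) < max_hops:
        path.append(node)
        if dst in nodes[node][0]:
            return path, True
        node = owner(nodes, next_hop(nodes, node, dst) or "")
    return path, False

def check_both_ways(nodes, a, b):
    """A conversation needs a complete path in BOTH directions; report each walk."""
    return {f"{a}->{b}": trace(nodes, a, b), f"{b}->{a}": trace(nodes, b, a)}
```

Run `check_both_ways(NODES, "172.17.140.61", "172.18.140.48")` with the real tables of each box substituted in; the direction that comes back with `ok == False` names the hop whose table needs fixing.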