DaemonForums  
#1
26th September 2011
zealer
OpenVPN tunnel problem on OBSD 4.9

Hello dear experts,

I have OpenVPN-2.2.1 configured on two OpenBSD 4.9 machines.
I am able to ping: client -> server and all networks behind it.
I am not able to ping: server -> client at all.

I already checked my FW, you can see the configuration below.
Ping works with pf and OpenVPN stopped. (OK)
Ping does not work with pf enabled and openVPN stopped. (OK)
Ping works in only one direction with pf and OpenVPN enabled (NOT OK)

And a small question: why is there one tunnel from the client's point of view (10.0.1.6 -> 10.0.1.5), but from the server's point of view - there is a different tunnel (10.0.1.1 -> 10.0.1.2)? What am I missing here? In my understanding, there should be only one tunnel (for example 10.0.1.0/30, with .0 being the net, .1 server, .2 the client and .3 the broadcast).


Please help me figure that out... I have a feeling it is something really simple, but I don't know where to go from here...
Uploaded are screenshots with my setup (it won't allow me to post the links, so please remove the leading zero and copy-paste the addresses. Thanks!):

The simple topology:
0http://img651.imageshack.us/img651/7789/topologyg.png

Firewall setup:
0http://img41.imageshack.us/img41/3781/66277080.png

OpenVPN configurations:
0http://img827.imageshack.us/img827/8523/confg.png

Interface IPs + routing tables:
0http://img842.imageshack.us/img842/6941/ifconfigiproutes.png

Ping from client to server succeeds:
0http://img828.imageshack.us/img828/5552/pingclientserver.png

Ping from server to client fails:
0http://img196.imageshack.us/img196/3708/pingserverclient.png

I am also uploading the OpenVPN logs (verb=6). The successful ping (client->server, 5 packets) was initiated exactly at 21:29:30 and the 'unsuccessful' ping (server->client, 6 packets) was initiated at 21:29:45.
OpenVPN Server-side log:
link #1 (w/ 10 sec timer): 0http://www.yourfilelink.com/get.php?fid=714560
link #2 (local file share server): 0http://dox.bg/files/dw?a=5535558a24

OpenVPN Client-side log:
link #1 (w/ 10 sec timer): 0http://www.yourfilelink.com/get.php?fid=714563
link #2 (local file share server): 0http://dox.bg/files/dw?a=2b17aa9164

I hope I haven't missed any important information... one thing worth noting is the "openvpn: writing to routing socket: Protocol not supported" during OpenVPN startup on the server...


Thank you VERY much in advance for your help, it is greatly appreciated!
Kind regards,
Simeonf
#2
26th September 2011
jggimi

It appears to me that you have UDP traffic flowing between client and server, from looking at the OpenVPN logs you provided. I don't think your problem is OpenBSD; it appears to be an OpenVPN configuration issue.

I have not played with OpenVPN in six or seven years; all I can remember is that the UDP or TCP tunnels are easy to set up, but that provisioning OpenVPN properly to actually work with them is much more difficult.

Unfortunately, since I'm not an OpenVPN user and my knowledge of it has faded, all I can do is recommend that you focus on the server and client configurations as the likely root cause.
#3
26th September 2011
zealer

Thanks for your response, jggimi. You are goddamn right about the setup - easy, with several commands - but troubleshooting to actually make it work is a lot more complex...

The last screenshot (ping from server to client) is confusing me a lot - packets just disappear somewhere between tun0 and vic0! Firewalls are 100% identical on server and client...

I forgot to mention that a ping sweep (10.0.1.1 to 10.0.1.10) from the client succeeds only on 10.0.1.1, and from the server - only on 10.0.1.6, i.e. they can only ping their address as shown in ifconfig tun0 (4th screenshot)

I hope somebody sheds some light in here
#4
26th September 2011
jggimi

Looking through the forum, I found several OpenVPN threads which may be of interest to you:

http://www.daemonforums.org/showthread.php?t=5653 -- regarding the use of layer2 vs. layer3 tun(4) devices, ARP packets being ignored, and a script to circumvent the problem.

http://www.daemonforums.org/showthread.php?t=3205 -- it includes an older, but working client configuration from forum member There0 which may provide some insight.

http://www.daemonforums.org/showthread.php?t=5625 -- a long thread discussing routing, PF, tun devices, and more. From February of this year.
#5
27th September 2011
zealer

Okay, I resolved my problem, here is what it was:

On the VPN server, there should be a file "[ccd directory]/[client_OU]". Both are specified in the "vars" file. In my case I had to create a file "/etc/openvpn/ccd/192.168.2.200". This file should contain the "iroute" command to the remote network. In my case it was "iroute 192.168.0.0 255.255.255.0".

Thanks everyone (jggimi) for your help.

Cheers!
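Editor's note with an added configuration example (not zealer's files, which were only posted as screenshots): the fix in post #5 only works because OpenVPN routes in two layers. The server's kernel needs a `route` entry so that packets for 192.168.0.0/24 are handed to tun0 at all, and the OpenVPN daemon needs an `iroute` in the per-client file so it knows which connected client owns that network; with only one of the two, the server-to-client packets are silently dropped, which matches the symptom in the first post. OpenVPN selects the per-client file by the Common Name of the client certificate, so the file name "192.168.2.200" only matches a client whose certificate CN is exactly that string. The 192.168.0.0/24 network, the ccd path and the client name are taken from the thread; the 10.0.1.0/24 tunnel network and the file path /etc/openvpn/server.conf are assumptions.

```conf
# /etc/openvpn/server.conf -- relevant server-side lines only (assumed path)
dev tun0
# Tunnel network (assumed from the 10.0.1.x addresses in the thread).
# OpenVPN 2.2 defaults to "topology net30": every client is handed its own /30
# (e.g. 10.0.1.4/30, client 10.0.1.6 with peer 10.0.1.5), while the server's
# own tun0 end is 10.0.1.1 with peer 10.0.1.2. That is why client and server
# each show a different point-to-point pair in ifconfig tun0.
server 10.0.1.0 255.255.255.0

# Layer 1: kernel route. Tells the server's kernel to send 192.168.0.0/24 into
# the tunnel. Without it the packets never reach tun0, whatever the ccd says.
route 192.168.0.0 255.255.255.0

# Per-client files live here; the file name must equal the client certificate's
# Common Name.
client-config-dir /etc/openvpn/ccd
# Optional hardening: reject any client for which no ccd file exists, so a
# certificate that is not explicitly provisioned cannot connect at all.
ccd-exclusive

# /etc/openvpn/ccd/192.168.2.200 -- file named after the client CN
# Layer 2: OpenVPN-internal route. Tells the daemon that the client with this
# CN is the one behind 192.168.0.0/24, so replies are forwarded to its session.
iroute 192.168.0.0 255.255.255.0
```

A quick consistency check after editing: every `iroute` network in a ccd file should have a matching `route` in server.conf, and no two ccd files should claim the same network, otherwise the server will forward that prefix to whichever client connected last.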
#6
28th September 2011
jggimi

I'm glad you got the problem resolved; sorry I couldn't help much.