Hi,

Yep, iptables is set up. Actually, seeing some odd results, and some debugging 
with tcpdump (below). By all means comment if I'm doing something dumb (which 
is entirely likely)!
- if I ping from the OpenVPN client, I see the icmp packet making it to the 
gateway (excellent!). But no reply. Thinking that's a route issue, but ...
- if I ping from the gateway, to the OpenVPN client ... it works! Hmm .. so why 
is the gateway not replying? It does reply to pings on the LAN side.
- if I ssh from the OpenVPN client to the gateway ... it connects. So perhaps 
ping is fooling me (not replying to that subnet?). But,
- if I try to ping or ssh to another machine on the LAN ... ping works, but ssh 
fails (as does http). OK, this one is very odd ... as I do see the ping replies 
back through the gateway machine. And I see traffic (ssh and http) leaving the 
"another machine", but it's not seeming to get back to the OpenVPN client.

Definitely open to suggestions - thanks!

... Russell


From: Jan Just Keijser [mailto:[email protected]]
Sent: Tuesday, July 11, 2017 5:27 PM
To: Morris, Russell <[email protected]>; Selva Nair <[email protected]>
Cc: [email protected]
Subject: Re: [Openvpn-users] Intermittent Connectivity

Hi,

On 11/07/17 23:28, Morris, Russell wrote:
Hi Selva,

Yep, that makes sense - and works, thanks! Now I can ping 172.16.1.1 from the 
gateway machine ... but, I can't ping from the OpenVPN client to machines on 
the subnet (only the OpenVPN machine itself, 192.168.1.10). Thoughts? I did add 
the forward, and the iptables entries.


did you add any forwarding rules in iptables, e.g.

iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

and is IP forwarding itself enabled on the server (see /etc/sysctl.conf).

HTH,

JJK




From: Selva Nair [mailto:[email protected]]
Sent: Tuesday, July 11, 2017 12:54 PM
To: Morris, Russell <[email protected]>
Cc: [email protected]
Subject: Re: [Openvpn-users] Intermittent Connectivity


On Tue, Jul 11, 2017 at 12:51 PM, Morris, Russell <[email protected]> wrote:

OK, a bit more on this (hopefully helping others out!),
- I got the route push working, was a misunderstanding on my part ... sorry! 
Now the link stays up very reliably. And FYI, I still see a (much smaller) 
delay variation, and no drop out. Excellent!
- with iptables in Ubuntu (v1.6.0), --state does not exist, but it's now 
--ctstate. Again, just to help others.
- so now, I can try to ping back from the OpenVPN client to the LAN. I do see 
traffic showing up in the iptables counters (good!), under NEW, but it's not 
going past that. I assume that this is due to the (yet missing) route. But when 
I try to enter that command (my OpenVPN server is on a machine on my LAN, not 
on the GW), I get the following,

sudo ip route add 172.16.1.0/24 via 192.168.1.10
RTNETLINK answers: File exists

Thoughts?

Hi Russell,

Assuming 172.16.1.0/24 is the VPN network and 
129.168.1.0/24 the LAN, make sure that route is added on 
the GW. From the error message, it looks like you are trying to add it on the 
VPN server.

Selva




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users

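The three prerequisites named in the replies above (IP forwarding on the VPN server, FORWARD ACCEPT rules for tun+, and a route to the VPN subnet on the gateway) can be checked against captured command output. This is an added example, not part of the original thread; the function names, the sample output and the gateway's own addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Sample output below is constructed.
VPN_NET="172.16.1.0/24"     # VPN subnet named in the thread
VPN_SERVER="192.168.1.10"   # OpenVPN server's LAN address named in the thread

# $1 = contents of /proc/sys/net/ipv4/ip_forward on the VPN server
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1 = output of `iptables -S FORWARD` on the VPN server.
# Both directions across tun+ must be accepted, as in the suggested rules.
forward_rules_present() {
    printf '%s\n' "$1" | grep -Eq -- '^-A FORWARD .*-i tun\+ .*-j ACCEPT' &&
    printf '%s\n' "$1" | grep -Eq -- '^-A FORWARD .*-o tun\+ .*-j ACCEPT'
}

# $1 = output of `ip route` on the LAN gateway (not on the VPN server).
# Exact field match, so 192.168.1.100 is not mistaken for 192.168.1.10.
return_route_present() {
    printf '%s\n' "$1" | awk -v n="$VPN_NET" -v g="$VPN_SERVER" \
        '$1 == n && $2 == "via" && $3 == g { found = 1 } END { exit !found }'
}

# $1 = ip_forward value, $2 = FORWARD rules, $3 = gateway routes.
# Prints each missing prerequisite; return status is the number missing.
diagnose() {
    _missing=0
    forwarding_enabled "$1" ||
        { echo "VPN server: net.ipv4.ip_forward is not 1"; _missing=$((_missing + 1)); }
    forward_rules_present "$2" ||
        { echo "VPN server: FORWARD lacks ACCEPT for -i tun+ and -o tun+"; _missing=$((_missing + 1)); }
    return_route_present "$3" ||
        { echo "gateway: no route $VPN_NET via $VPN_SERVER"; _missing=$((_missing + 1)); }
    return "$_missing"
}

# Constructed sample captures.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT'
SAMPLE_GW_BAD='default via 192.168.1.254 dev eth1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'
SAMPLE_GW_OK="$SAMPLE_GW_BAD
172.16.1.0/24 via 192.168.1.10 dev eth0"

diagnose "1" "$SAMPLE_RULES" "$SAMPLE_GW_BAD" || echo "$? prerequisite(s) missing"
```

On live hosts, pass in `cat /proc/sys/net/ipv4/ip_forward` and `iptables -S FORWARD` from the VPN server and `ip route` from the gateway.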
