Yep, that works. Thanks for all the help and suggestions - very much
appreciated! And I can use the workaround Selva proposed - life is good ... :).
Have a nice weekend!
... Russell
From: Jan Just Keijser [mailto:janj...@nikhef.nl]
Sent: Friday, July 14, 2017 5:37 AM
To: Morris, Russell <rmor...@rkmorris.us>; Selva Nair <selva.n...@gmail.com>
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Intermittent Connectivity
Hi,
On 13/07/17 05:29, Morris, Russell wrote:
Thanks for the replies! And Selva had a good lead - the firewall (gateway
machine ... running pfSense).
The gateway is blocking the traffic ... because the traffic incoming from the
OpenVPN client is routed directly to the other machine on the LAN (bypassing
the gateway, it's on the subnet so doesn't need to go to the gateway), but the
return traffic is routed through the firewall / gateway (OpenVPN subnet) ...
but as the firewall didn't see the initial traffic, it believes this is an
issue and blocks it.
Make sense?
you can test this by adding a direct route on a host on your LAN, e.g.
route add -net 172.16.1.0/24 gw <LAN-IP-of-VPN-server>
and then ping that host from the VPN client - traffic should not hit the GW at
all in this case. If that does work, then indeed you are looking at an
asymmetric route+pfSense issue.
HTH,
JJK
From: Jan Just Keijser [mailto:janj...@nikhef.nl]
Sent: Wednesday, July 12, 2017 5:12 AM
To: Morris, Russell <rmor...@rkmorris.us>; Selva Nair <selva.n...@gmail.com>
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Intermittent Connectivity
Hi Russell,
On 12/07/17 04:35, Morris, Russell wrote:
Hi,
Yep, iptables is set up. Actually, seeing some odd results, and some debugging
with tcpdump (below). By all means comment if I'm doing something dumb (which
is entirely likely)!
- if I ping from the OpenVPN client, I see the icmp packet making it to the
gateway (excellent!). But no reply. Thinking that's a route issue, but ...
what exactly is 'the gateway' ? your VPN server? your LAN router/gateway?
does the gateway have a return route for packets coming from the VPN subnet?
which routes ARE listed on the gateway? is 172.16.1.0/24 included?
- if I ping from the gateway, to the OpenVPN client ... it works! Hmm .. so why
is the gateway not replying. It does reply to pings on the LAN side.
are you sure that packets end up on the VPN client? did you verify this using
tcpdump on the OpenVPN client?
sometimes masquerading/NATting might lead to unexpected results here.
If the gateway is your VPN server, then it does not surprise me that packets
are getting through, nor that you can reach the client but not the LAN address
of the gateway itself. A 'ping' to the OpenVPN client will use the vpn server's
IP address as the source address, not the LAN address.
- if I ssh from the OpenVPN client to the gateway ... it connects. So perhaps
ping is fooling me (not replying to that subnet?). But,
- if I try to ping or ssh to another machine on the LAN ... ping works, but ssh
fails (as does http). OK, this one is very odd ... as I do see the ping replies
back through the gateway machine. And I see traffic (ssh and http) leaving the
"another machine", but it's not seeming to get back to the OpenVPN client.
again, this still looks like a 'missing return route' issue to me. Without
routing tables from the VPN server and the local LAN router it is impossible to
tell, however.
HTH,
JJK
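The asymmetric-route explanation above (VPN client to LAN host bypasses the gateway, the LAN host's reply goes back through pfSense, which never saw the first packet) can be reproduced with a small routing/stateful-firewall model. The following is an added example, not code from the thread, from OpenVPN or from pfSense. All addresses and host names are constructed; the pf behaviour it models (a pass rule only creates TCP state from a packet matching the default "flags S/SA", i.e. a bare SYN, while an ICMP echo-reply matching a permissive LAN rule passes and creates state) is an assumption of the model chosen to reproduce the "ping works, ssh fails" symptom, and the `route add -net 172.16.1.0/24 gw <LAN-IP-of-VPN-server>` test is modelled by giving the LAN host a direct route to the VPN subnet via the VPN server.

```python
"""Model of the asymmetric-route + stateful-firewall problem from the thread.

Topology (addresses constructed for this example, not taken from the thread):
  vpn-client  172.16.1.6                      OpenVPN tunnel subnet 172.16.1.0/24
  vpn-server  172.16.1.1 (tun) / 192.168.1.10 (LAN)
  lan-host    192.168.1.50, default route -> pfSense
  pfsense     192.168.1.1, stateful filter, route 172.16.1.0/24 via 192.168.1.10
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DELIVERED, DROPPED = "delivered", "dropped"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # tcp: "S" / "SA"; icmp: "echo" / "echo-reply"


class Node:
    """A host or router with a static routing table: list of (network, via).
    via=None means the network is directly connected."""

    def __init__(self, name, addrs, routes):
        self.name, self.addrs, self.routes = name, set(addrs), list(routes)

    def route(self, dst):
        """Longest-prefix match; returns the next-hop IP (dst itself if directly connected)."""
        best = None
        for net, via in self.routes:
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return None if best is None else (best[1] or dst)

    def handle(self, pkt):
        """Deliver locally, forward to a next hop, or drop for lack of a route."""
        if pkt.dst in self.addrs:
            return DELIVERED
        return self.route(pkt.dst) or DROPPED


class StatefulFirewall(Node):
    """pf-style filtering (assumption of this model): a 'pass' rule creates TCP
    state only from a packet matching the default 'flags S/SA' (a bare SYN), so a
    SYN-ACK arriving with no state is dropped. ICMP has no such flag check, so an
    echo-reply hitting a permissive LAN rule passes and creates state."""

    def __init__(self, *args):
        super().__init__(*args)
        self.states, self.dropped = set(), []

    def handle(self, pkt):
        key = (pkt.proto, frozenset((pkt.src, pkt.dst)))
        if pkt.proto == "tcp" and pkt.flags != "S" and key not in self.states:
            self.dropped.append(pkt)          # out-of-state TCP: pf drops it
            return DROPPED
        self.states.add(key)
        return super().handle(pkt)


def send(by_addr, pkt, max_hops=8):
    """Walk the packet hop by hop from its source node; return (outcome, path)."""
    cur = by_addr[pkt.src]
    path = [cur.name]
    for _ in range(max_hops):
        nxt = cur.handle(pkt)
        if nxt in (DELIVERED, DROPPED):
            return nxt, path
        if nxt not in by_addr:            # next hop on a link we do not model
            return DROPPED, path
        cur = by_addr[nxt]
        path.append(cur.name)
    return DROPPED, path


def build_lab(direct_route_on_lan_host):
    vpn, lan, default = ip_network("172.16.1.0/24"), ip_network("192.168.1.0/24"), ip_network("0.0.0.0/0")
    client = Node("vpn-client", ["172.16.1.6"], [(vpn, None), (lan, "172.16.1.1")])
    server = Node("vpn-server", ["172.16.1.1", "192.168.1.10"],
                  [(vpn, None), (lan, None), (default, "192.168.1.1")])
    gw = StatefulFirewall("pfsense", ["192.168.1.1"], [(lan, None), (vpn, "192.168.1.10")])
    host_routes = [(lan, None), (default, "192.168.1.1")]
    if direct_route_on_lan_host:
        # model of JJK's test: route add -net 172.16.1.0/24 gw 192.168.1.10
        host_routes.append((vpn, "192.168.1.10"))
    host = Node("lan-host", ["192.168.1.50"], host_routes)
    return {a: n for n in (client, server, gw, host) for a in n.addrs}, gw


def scenario(direct_route_on_lan_host):
    """Ping and an SSH-style TCP handshake from the VPN client to the LAN host."""
    by_addr, gw = build_lab(direct_route_on_lan_host)
    c, h = "172.16.1.6", "192.168.1.50"
    echo, reply = Packet(c, h, "icmp", "echo"), Packet(h, c, "icmp", "echo-reply")
    syn, synack = Packet(c, h, "tcp", "S"), Packet(h, c, "tcp", "SA")
    ping_ok = send(by_addr, echo)[0] == DELIVERED and send(by_addr, reply)[0] == DELIVERED
    syn_ok = send(by_addr, syn)[0] == DELIVERED
    synack_result, return_path = send(by_addr, synack)
    return {"ping": ping_ok, "ssh": syn_ok and synack_result == DELIVERED,
            "return_path": return_path, "gw_drops": len(gw.dropped)}


if __name__ == "__main__":
    for direct in (False, True):
        print("direct route on LAN host:", direct, scenario(direct))
```

Without the direct route the SYN-ACK's path ends at pfSense, which is exactly what the tcpdump in the thread showed (traffic leaving the LAN machine but never reaching the client); with it, the return path is lan-host, vpn-server, vpn-client and the gateway sees nothing. A real fix is either that route (or the same route on the pfSense LAN side pointing at the VPN server, which keeps the traffic off the firewall) or relaxing state tracking on the rule that matches this traffic.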
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users