Hi guys,

I have a rather simple issue but I cannot get it working.

Atm I have a VPS acting as the OpenVPN server and an OpenVPN client running on my home LAN. All works well and the VPN is solid until I'm advertising the home LAN (10.10.10.0/24) from my raspi.

The VPN drops when I'm adding the following to server.conf:

client-to-client
client-config-dir /etc/openvpn/ccd
push "route 10.10.10.0 255.255.255.0"
route 10.10.10.0 255.255.255.0

Please help me.
Thanks for your time and help,
Stefan

On the Server

root@oracle:/etc/openvpn# ls -la
total 48
drwxr-xr-x   4 root root 4096 Apr 12 10:53 .
drwxr-xr-x 103 root root 4096 Apr 12 06:07 ..
-rw-r--r--   1 root root 1204 Apr  8 14:18 ca.crt
drwxr-xr-x   2 root root 4096 Mar 22 14:40 client
-rw-------   1 root root  424 Apr  8 14:21 dh.pem
drwxr-xr-x   2 root root 4096 Mar 22 14:40 server
-rw-r--r--   1 root root  605 Apr 12 10:41 server.conf
-rw-r--r--   1 root root 4652 Apr  8 14:18 server.crt
-rw-------   1 root root 1704 Apr  8 14:05 server.key
-rw-------   1 root root  636 Apr  8 14:21 ta.key
-rwxr-xr-x   1 root root 1468 Mar 22 14:40 update-resolv-conf

root@oracle:/etc/openvpn# cat server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 93.93.131.219"
push "dhcp-option DNS 93.93.130.2"
client-to-client
client-config-dir /etc/openvpn/ccd
push "route 10.10.10.0 255.255.255.0"
route 10.10.10.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
root@oracle:/etc/openvpn#

root@oracle:/etc/openvpn# cat /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to ens3
-A POSTROUTING -s 10.8.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES

root@oracle:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 1194/udp                   ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 1194/udp (v6)              ALLOW IN    Anywhere (v6)

root@oracle:~# cat /etc/sysctl.conf
net.ipv4.ip_forward=1

root@oracle:~# cat /etc/iptables/rules.v4
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure
# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rule
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
### OpenVPN
-A INPUT -p udp --dport 1194 -j ACCEPT
COMMIT

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

On the Client

root@raspberrypi:/etc/openvpn# tree
.
├── ccd
│   └── raspberrypi_Minorca
├── client
├── raspberrypi_Minorca.conf
├── server
└── update-resolv-conf

3 directories, 3 files
root@raspberrypi:/etc/openvpn# ls -la
total 44
drwxr-xr-x   5 root root  4096 Apr 12 11:35 .
drwxr-xr-x 129 root root 12288 Apr 12 09:50 ..
drwxr-xr-x   2 root root  4096 Apr 12 11:35 ccd
drwxr-xr-x   2 root root  4096 Apr 11 18:57 client
-rw-------   1 root root 11830 Apr  8 20:56 raspberrypi_Minorca.conf
drwxr-xr-x   2 root root  4096 Apr 28  2021 server
-rwxr-xr-x   1 root root  1468 Apr 28  2021 update-resolv-conf
root@raspberrypi:/etc/openvpn# ls -la ccd/
total 12
drwxr-xr-x 2 root root 4096 Apr 12 11:35 .
drwxr-xr-x 5 root root 4096 Apr 12 11:35 ..
-rw-r--r-- 1 root root   32 Apr 12 00:16 raspberrypi_Minorca
root@raspberrypi:/etc/openvpn# cat ccd/raspberrypi_Minorca
iroute 10.10.10.0 255.255.255.0
root@raspberrypi:/etc/openvpn#

root@raspberrypi:/etc/openvpn# cat raspberrypi_Minorca.conf
client
dev tun
proto udp
remote <public openvpn server ipv4> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

root@raspberrypi:# cat /etc/sysctl.conf
net.ipv4.ip_forward=1

root@raspberrypi:/etc/openvpn# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
[ 2] Anywhere on tun0           ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW OUT   Anywhere (out)
[ 4] 22/tcp                     ALLOW IN    Anywhere
[ 5] 10.10.10.0/24              ALLOW OUT   Anywhere (out)
[ 6] 224.0.0.0/24               ALLOW OUT   Anywhere (out)
[ 7] 239.0.0.0/8                ALLOW OUT   Anywhere (out)
[ 8] Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0 (out)
[ 9] Anywhere (v6) on tun0      ALLOW IN    Anywhere (v6)
[10] 1194/udp (v6)              ALLOW OUT   Anywhere (v6) (out)
[11] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

root@raspberrypi:/etc/openvpn# tail -f /var/log/syslog
Apr 12 12:03:42 raspberrypi rngd[531]: stats: Entropy starvations: 0
Apr 12 12:03:42 raspberrypi rngd[531]: stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
Apr 12 12:06:47 raspberrypi ovpn-raspberrypi_Minorca[1501]: Connection reset command was pushed by server ('')
Apr 12 12:06:47 raspberrypi ovpn-raspberrypi_Minorca[1501]: SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
Apr 12 12:06:47 raspberrypi ovpn-raspberrypi_Minorca[1501]: Restart pause, 5 second(s)
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: TCP/UDP: Preserving recently used remote address: [AF_INET]132.226.195.34:1194
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link local: (not bound)
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link remote: [AF_INET]132.226.195.34:1194
Apr 12 12:07:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 12 12:07:53 raspberrypi ovpn-raspberrypi_Minorca[1501]: TLS Error: TLS handshake failed
Apr 12 12:07:53 raspberrypi ovpn-raspberrypi_Minorca[1501]: SIGUSR1[soft,tls-error] received, process restarting
Apr 12 12:07:53 raspberrypi ovpn-raspberrypi_Minorca[1501]: Restart pause, 5 second(s)
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: TCP/UDP: Preserving recently used remote address: [AF_INET]132.226.195.34:1194
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link local: (not bound)
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link remote: [AF_INET]132.226.195.34:1194
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
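The check I would run on the server side before going further, as an added example that is neither from the post above nor from the OpenVPN project: a shell script that reads a server.conf, finds every "route NET MASK" directive, and verifies that a matching "iroute NET MASK" exists in a file under the server's client-config-dir. OpenVPN reads iroute from that directory on the server, from a file named after the client certificate's CN; the constructed sample layouts below reuse the name raspberrypi_Minorca from the post, and the sample server.conf is a shortened, constructed version of the posted one. Resolving a relative client-config-dir against the config file's directory is an assumption made by this script for the demo; OpenVPN itself resolves it against its working directory. Run it with a path to a real server.conf, or with no arguments to see the three sample layouts checked.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Flags the "route without iroute"
# mistake: every "route NET MASK" that points at a network behind a client needs
# a matching "iroute NET MASK" in a file under the SERVER's client-config-dir.
set -eu

# Escape the dots in a dotted address so grep -E matches it literally.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# check_iroutes SERVER_CONF
# Prints one line per "route" directive; returns 0 only if every one has an iroute.
check_iroutes() {
    local conf="$1" ccd missing pair net mask re
    ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    if [ -z "$ccd" ]; then
        echo "ERROR: no client-config-dir in $conf, so no iroute can ever be applied"
        return 1
    fi
    # Assumption for this script: a relative ccd path is taken relative to the config file.
    case "$ccd" in
        /*) ;;
        *)  ccd="$(dirname "$conf")/$ccd" ;;
    esac
    if [ ! -d "$ccd" ]; then
        echo "ERROR: client-config-dir $ccd does not exist on this host"
        return 1
    fi
    missing=0
    # "route NET MASK" pairs joined with "/" so a plain for-loop can split them (no arrays).
    for pair in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        net=${pair%/*}
        mask=${pair#*/}
        re="^[[:space:]]*iroute[[:space:]]+$(escape_re "$net")[[:space:]]+$(escape_re "$mask")([[:space:]]|\$)"
        if grep -qsE "$re" "$ccd"/*; then
            echo "ok: route $net $mask has an iroute under $ccd"
        else
            echo "MISSING: route $net $mask has no iroute in any file under $ccd"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# make_sample DIR LAYOUT: constructed sample modelled on the posted server.conf.
#   client-side-ccd : no ccd directory on the server (the iroute file sits on the client)
#   no-iroute       : ccd directory exists on the server but holds no iroute
#   fixed           : ccd/raspberrypi_Minorca on the server carries the iroute
make_sample() {
    local dir="$1" layout="$2"
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
client-config-dir ccd
push "route 10.10.10.0 255.255.255.0"
route 10.10.10.0 255.255.255.0
EOF
    case "$layout" in
        no-iroute)
            mkdir -p "$dir/ccd"
            : > "$dir/ccd/raspberrypi_Minorca" ;;
        fixed)
            mkdir -p "$dir/ccd"
            printf 'iroute 10.10.10.0 255.255.255.0\n' > "$dir/ccd/raspberrypi_Minorca" ;;
    esac
}

# demo LAYOUT: build the sample in a temp dir, run the check, clean up, return its status.
demo() {
    local tmp rc=0
    tmp=$(mktemp -d)
    make_sample "$tmp" "$1"
    check_iroutes "$tmp/server.conf" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# With a path: check that config. Without: walk the three constructed layouts.
if [ "$#" -gt 0 ]; then
    check_iroutes "$1"
else
    for layout in client-side-ccd no-iroute fixed; do
        echo "== $layout =="
        demo "$layout" || true
    done
fi
```

Only the "fixed" layout passes; the first layout fails the way the posted server does, because the server's /etc/openvpn has no ccd directory at all, and the second fails because the ccd file is present but carries no iroute for 10.10.10.0/24.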