Hi guys,

I have a rather simple issue but I cannot get it working. At the moment I have a VPS acting as the OpenVPN server and an OpenVPN client running on my home LAN. All works well and the VPN is solid until I'm advertising the home LAN (10.10.10.0/24) from my raspi. The VPN drops when I'm adding the following to server.conf:

client-to-client
client-config-dir /etc/openvpn/ccd
push "route 10.10.10.0 255.255.255.0"
route 10.10.10.0 255.255.255.0

Please help me. Thanks for your time and help,
Stefan

On the Server

root@oracle:/etc/openvpn# ls -la
total 48
drwxr-xr-x   4 root root 4096 Apr 12 10:53 .
drwxr-xr-x 103 root root 4096 Apr 12 06:07 ..
-rw-r--r--   1 root root 1204 Apr  8 14:18 ca.crt
drwxr-xr-x   2 root root 4096 Mar 22 14:40 client
-rw-------   1 root root  424 Apr  8 14:21 dh.pem
drwxr-xr-x   2 root root 4096 Mar 22 14:40 server
-rw-r--r--   1 root root  605 Apr 12 10:41 server.conf
-rw-r--r--   1 root root 4652 Apr  8 14:18 server.crt
-rw-------   1 root root 1704 Apr  8 14:05 server.key
-rw-------   1 root root  636 Apr  8 14:21 ta.key
-rwxr-xr-x   1 root root 1468 Mar 22 14:40 update-resolv-conf

root@oracle:/etc/openvpn# cat server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 93.93.131.219"
push "dhcp-option DNS 93.93.130.2"
client-to-client
client-config-dir /etc/openvpn/ccd
push "route 10.10.10.0 255.255.255.0"
route 10.10.10.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
root@oracle:/etc/openvpn#

root@oracle:/etc/openvpn# cat /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to ens3
-A POSTROUTING -s 10.8.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES

root@oracle:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 1194/udp                   ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 1194/udp (v6)              ALLOW IN    Anywhere (v6)

root@oracle:~# cat /etc/sysctl.conf
net.ipv4.ip_forward=1

root@oracle:~# cat /etc/iptables/rules.v4
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure
# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rule
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
### OpenVPN
-A INPUT -p udp --dport 1194 -j ACCEPT
COMMIT
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
On the Client

root@raspberrypi:/etc/openvpn# tree
.
├── ccd
│   └── raspberrypi_Minorca
├── client
├── raspberrypi_Minorca.conf
├── server
└── update-resolv-conf

3 directories, 3 files
root@raspberrypi:/etc/openvpn# ls -la
total 44
drwxr-xr-x   5 root root  4096 Apr 12 11:35 .
drwxr-xr-x 129 root root 12288 Apr 12 09:50 ..
drwxr-xr-x   2 root root  4096 Apr 12 11:35 ccd
drwxr-xr-x   2 root root  4096 Apr 11 18:57 client
-rw-------   1 root root 11830 Apr  8 20:56 raspberrypi_Minorca.conf
drwxr-xr-x   2 root root  4096 Apr 28  2021 server
-rwxr-xr-x   1 root root  1468 Apr 28  2021 update-resolv-conf
root@raspberrypi:/etc/openvpn# ls -la ccd/
total 12
drwxr-xr-x 2 root root 4096 Apr 12 11:35 .
drwxr-xr-x 5 root root 4096 Apr 12 11:35 ..
-rw-r--r-- 1 root root   32 Apr 12 00:16 raspberrypi_Minorca
root@raspberrypi:/etc/openvpn# cat ccd/raspberrypi_Minorca
iroute 10.10.10.0 255.255.255.0
root@raspberrypi:/etc/openvpn#

root@raspberrypi:/etc/openvpn# cat raspberrypi_Minorca.conf
client
dev tun
proto udp
remote <public openvpn server ipv4> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

root@raspberrypi:# cat /etc/sysctl.conf
net.ipv4.ip_forward=1

root@raspberrypi:/etc/openvpn# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
[ 2] Anywhere on tun0           ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW OUT   Anywhere (out)
[ 4] 22/tcp                     ALLOW IN    Anywhere
[ 5] 10.10.10.0/24              ALLOW OUT   Anywhere (out)
[ 6] 224.0.0.0/24               ALLOW OUT   Anywhere (out)
[ 7] 239.0.0.0/8                ALLOW OUT   Anywhere (out)
[ 8] Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0 (out)
[ 9] Anywhere (v6) on tun0      ALLOW IN    Anywhere (v6)
[10] 1194/udp (v6)              ALLOW OUT   Anywhere (v6) (out)
[11] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

root@raspberrypi:/etc/openvpn# tail -f /var/log/syslog
Apr 12 12:03:42 raspberrypi rngd[531]: stats: Entropy starvations: 0
Apr 12 12:03:42 raspberrypi rngd[531]: stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
Apr 12 12:06:47 raspberrypi ovpn-raspberrypi_Minorca[1501]: Connection reset command was pushed by server ('')
Apr 12 12:06:47 raspberrypi ovpn-raspberrypi_Minorca[1501]: SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
Apr 12 12:06:47 raspberrypi ovpn-raspberrypi_Minorca[1501]: Restart pause, 5 second(s)
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: TCP/UDP: Preserving recently used remote address: [AF_INET]132.226.195.34:1194
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link local: (not bound)
Apr 12 12:06:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link remote: [AF_INET]132.226.195.34:1194
Apr 12 12:07:52 raspberrypi ovpn-raspberrypi_Minorca[1501]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 12 12:07:53 raspberrypi ovpn-raspberrypi_Minorca[1501]: TLS Error: TLS handshake failed
Apr 12 12:07:53 raspberrypi ovpn-raspberrypi_Minorca[1501]: SIGUSR1[soft,tls-error] received, process restarting
Apr 12 12:07:53 raspberrypi ovpn-raspberrypi_Minorca[1501]: Restart pause, 5 second(s)
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: TCP/UDP: Preserving recently used remote address: [AF_INET]132.226.195.34:1194
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link local: (not bound)
Apr 12 12:07:58 raspberrypi ovpn-raspberrypi_Minorca[1501]: UDP link remote: [AF_INET]132.226.195.34:1194
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users