What's new

Openvpn site to site not working.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

octopus

Part of the Furniture
I have setup point to point vpn and it's workning for years.
Now after experimenting with DOT-over-TLS it have stop working (not sure that is the problem, have turned that off for now).

Connection is over Internet, client have 100-address (CGNAT) connected to server (public ip).
Clients subnet 192.168.14.1 and server 192.168.12.1 and TUN.

I can ping client on server side from client side but not other way.

Everything looks right but no connection from server to client side.

I hope I have described this correct.

Any suggestions ? @ColinTaylor @eibgrad

Server
Code:
2022-05-19 09:28:01 MULTI: Learn: 192.168.14.1 -> octopus-3/98.128.229.51:39013
2022-05-19 09:30:18 octopus-3/98.128.229.51:39013 MULTI: Learn: 192.168.14.1 -> octopus-3/98.128.229.51:39013
2022-05-19 09:31:12 MULTI: Learn: 192.168.14.239 -> octopus-3/98.128.229.51:39013
2022-05-19 09:32:03 MULTI: Learn: 192.168.14.1 -> octopus-3/98.128.229.51:39013
2022-05-19 09:33:31 octopus-3/98.128.229.51:39013 MULTI: Learn: 192.168.14.239 -> octopus-3/98.128.229.51:39013

Client
Code:
May 19 21:07:52 openvpn[15043]: /usr/sbin/ip route add 158.174.xxx.xxx/32 via 100.69.0.1
May 19 21:07:52 openvpn[15043]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.40.1
May 19 21:07:52 openvpn[15043]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.40.1
May 19 21:07:52 openvpn[15043]: /usr/sbin/ip route add 192.168.12.0/24 metric 500 via 10.8.40.1
 
In the VPN client settings have you set "Inbound Firewall" to "Allow"?
On client side I use john's on RT-AC56U "53D4" there is no such setting in john's.
 
Is the device unreachable only by hostname, or both hostname and explicit IP? I want to be sure if this is a DNS problem, esp. since that's what you changed.

I assume the OpenVPN server is configured to advertise DNS to clients, and the OpenVPN client is configured to accept DNS from the server.
 
So the VPN connection is active, and client-to-server requests work, but server-to-client requests do not work?
 
Is the device unreachable only by hostname, or both hostname and explicit IP? I want to be sure if this is a DNS problem, esp. since that's what you changed.
Can't reach with either hostname or ip.
I assume the OpenVPN server is configured to advertise DNS to clients, and the OpenVPN client is configured to accept DNS from the server.
Server is adviced DNS to client and client is accepting DNS from server.

So the VPN connection is active, and client-to-server requests work, but server-to-client requests do not work?
Yes
 
If you still don't have it working, it might be helpful if you posted screen shots of your settings on both ends.
 
I think I found the problem with site to site routing in my case.

My local vpnclient(1) ip hade changed, when I rebooted and tried igain I get it to work.
TCP/UDP: Preserving recently used remote address: [AF_INET]217.64.148.70:1194

octopus@RT-AX86U-EA08:/tmp/home/root# ip route show table 111
default via 10.128.0.1 dev tun11
10.8.40.0/24 dev tun22 proto kernel scope link src 10.8.40.1
10.128.0.0/22 dev tun11 proto kernel scope link src 10.128.3.85
10.129.0.0/22 dev tun13 proto kernel scope link src 10.129.2.77
10.133.0.0/22 dev tun12 proto kernel scope link src 10.133.2.169
127.0.0.0/8 dev lo scope link
158.17x.xxx.0/22 dev eth0 proto kernel scope link src 158.174.xxx.xx
158.17x.xxx.1 dev eth0 proto kernel scope link
192.168.12.0/24 dev br0 proto kernel scope link src 192.168.12.1
192.168.14.0/24 via 10.8.40.2 dev tun22
213.80.98.2 via 158.17x.xxx.1 dev eth0 metric 1
213.80.101.3 via 158.17x.xxx.1 dev eth0 metric 1
217.64.148.70 via 158.17x.xxx.1 dev eth0 <<<=== this rule was wrong (Loacal IP) !!!

How do I add/del this routing rule?
Have tried:
ip route del
ip route add

Thanks !

@eibgrad @ColinTaylor
 
Last edited:
You lost me when it comes to that route that you say it's wrong.

That appears to be the static route the OpenVPN client establishes on the WAN once it gets connected to the OpenVPN server. That's done to ensure the OpenVPN server's IP is NOT routed through the tunnel, which would be a recursive routing situation. Each time the OpenVPN client (re)connects, it reestablishes that static route. So there's no reason it would be wrong.

Besides, I don't see what that has to do w/ being unable to ping from the server side to the client side of the tunnel.
 
You lost me when it comes to that route that you say it's wrong.
I have tested too much and it turned out that the route did not match the connected one. Worked after I restarted the client again.
That appears to be the static route the OpenVPN client establishes on the WAN once it gets connected to the OpenVPN server. That's done to ensure the OpenVPN server's IP is NOT routed through the tunnel, which would be a recursive routing situation. Each time the OpenVPN client (re)connects, it reestablishes that static route. So there's no reason it would be wrong.
There isn't anything wrong it's working.
Besides, I don't see what that has to do w/ being unable to ping from the server side to the client side of the tunnel.
Tested to manything at same time and did not see the problem directly.

I have Stubby running at same time and works also, that was the target from beginning.

[n]ext menu | disable [w]an check | hide [h]eader | [+/-] interval (3) | [p]ause | [e]xit
WAN/LAN IP: x.x.x.x/192.168.12.1

WAN DNS: 213.80.98.2, 213.80.101.3, 127.0.1.1
DHCP DNS: /bahnhof.se/213.80.98.2, /bahnhof.se/213.80.101.3, 127.0.1.1
DoT DNS: 213.80.98.3 (Strict)

OVPN1 IP/DNS Config/Redirect Internet: 10.128.3.198/Exclusive/VPN Director
OVPN2 IP/DNS Config/Redirect Internet: 10.132.3.20/Exclusive/VPN Director
OVPN3 IP/DNS Config/Redirect Internet: 10.129.0.76/Exclusive/VPN Director

Active DNS (Do53/DoT) UDP/TCP Connections
Do53 (plaintext) routed over the WAN
DoT (ciphertext) routed over the WAN
Do53/DoT NOT routed over the WAN (loopback, local, or VPN)

v-------------- sender ---------------v v------------- recipient -------------v
udp src=127.0.0.1 dst=127.0.1.1 dport=53 src=127.0.1.1 dst=127.0.0.1 (80)
udp src=x.x.x.x dst=213.80.98.2 dport=53 src=213.80.98.2 dst=x.x.x.x
udp src=192.168.12.110 dst=192.168.12.1 dport=53 src=46.227.67.134 dst=10.128.3.198 (3)
udp src=192.168.12.154 dst=192.168.12.1 dport=53 src=192.168.12.1 dst=192.168.12.154 (15)
udp src=192.168.12.161 dst=192.168.12.1 dport=53 src=46.227.67.134 dst=10.128.3.198
udp src=192.168.12.187 dst=8.8.8.8 dport=53 src=46.227.67.134 dst=10.128.3.198 (3)
tcp src=x.x.x.x dst=213.80.98.3 dport=853 src=213.80.98.3 dst=x.x.x.x
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top