New Member
Posts: 13
Registered: ‎08-29-2017
Solutions: 2
Accepted Solution

OpenVPN client routing issue

Hi,

I have a weird issue relating to the use of an ER-X as an OpenVPN client, and after a few frustrating days of investigating it alone I need your eyes to help find what I am not seeing that causes the problem. The issue is that I have two ER-X routers (ouluGW and kamppiGW) with almost identical configurations (at two different physical locations); both connect as OpenVPN clients to the same OpenVPN server (a Linux server at a third location), but the LAN machines (subnet: 192.168.10.0/24) behind the second ER-X (kamppiGW) are not able to reach the subnet behind the OpenVPN server, while the LAN machines (subnet: 192.168.35.10/24) behind the "ouluGW" ER-X are able to reach that subnet via the OpenVPN server.

 

Image describing the network topology:

[image: aatmanet2.png]

The IPsec site-to-site tunnel between the ER-Xs shown in the image is working.

Here are the configuration, routing and other details as background information on the setup:

- ER-X configuration of ouluGW (with this ER-X everything works correctly): please see the attachment named oulugw_ERX.txt

- ER-X configuration of kamppiGW (LAN machines behind this router on the 192.168.10.0/24 subnet are not able to reach the 192.168.25.0/24 subnet via the OpenVPN server): please see the attachment named kamppigw_ERX.txt

 

- Routes at ouluGW relating to the vtun0 interface:

S    *> 192.168.20.0/24 [1/0] via 192.168.20.13, vtun0
C    *> 192.168.20.13/32 is directly connected, vtun0
C    *> 192.168.20.14/32 is directly connected, vtun0
S    *> 192.168.25.0/24 [1/0] via 192.168.20.13, vtun0

- Routes at kamppiGW relating to the vtun0 interface:

S    *> 192.168.20.0/24 [1/0] via 192.168.20.17, vtun0
C    *> 192.168.20.17/32 is directly connected, vtun0
C    *> 192.168.20.18/32 is directly connected, vtun0
S    *> 192.168.25.0/24 [1/0] via 192.168.20.17, vtun0

- The OpenVPN server (APOLLO) has "192.168.20.0/24" as the subnet from which the ER-Xs, as VPN clients, get their IP addresses, and "192.168.25.0/24" as the subnet on which this "APOLLO" server provides the network services that the LAN machines behind the "ouluGW" and "kamppiGW" routers use.

-- Related routes at the APOLLO server:

192.168.20.2 dev tun0  proto kernel  scope link  src 192.168.20.1
192.168.10.0/24 via 192.168.20.2 dev tun0 
192.168.20.0/24 via 192.168.20.2 dev tun0 
192.168.35.0/24 via 192.168.20.2 dev tun0

192.168.25.0/24 dev eth0  proto kernel  scope link  src 192.168.25.10

-- Configuration of the OpenVPN server:

port 1194
proto udp
dev tun
ca ca.crt
cert apollo.crt
key apollo.key
dh dh1024.pem
server 192.168.20.0 255.255.255.0
ifconfig-pool-persist "/etc/openvpn/ipp.txt" 10
client-config-dir "/etc/openvpn/ccd"
route 192.168.10.0 255.255.255.0
route 192.168.35.0 255.255.255.0
client-to-client
keepalive 10 60
tls-auth ta.key
cipher DES-EDE3-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status 		"/etc/openvpn/openvpn-status.log"
management 	/var/run/openvpn.mgmt unix
log             "/var/log/openvpn.log"
log-append      "/var/log/openvpn_append.log"
verb 6
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

-- Both VPN clients use the same configuration; the only differences are the inlined KEY and CERT details per client:

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 86400
remote-cert-tls server
auth-user-pass /config/openvpn/apollo_vpnauth.txt
comp-lzo
verb 4
route-nopull
fast-io
cipher DES-EDE3-CBC
keysize 192

<ca>
</ca>

key-direction 1
<tls-auth>
</tls-auth>

<key>
</key>

<cert>
</cert>

-- The OpenVPN server has a CCD file per client to define the client's IP and the subnet that exists behind the client (as information for the OpenVPN server):

ouluGW:
ifconfig-push 192.168.20.14 192.168.20.13
iroute 192.168.35.0 255.255.255.0

kamppiGW:
ifconfig-push 192.168.20.18 192.168.20.17
iroute 192.168.10.0 255.255.255.0

 

Okay, starting from the working setup (ouluGW):

- When I ping from a LAN machine on the "192.168.35.0/24" subnet to an IP address on "192.168.25.0/24" (for example 192.168.25.10) at the APOLLO server, I get the response correctly, as can be seen from the tcpdumps below; the packets from the LAN machine at IP address 192.168.35.102 to 192.168.25.10 go out correctly and return correctly:

# tcpdump on the eth0 interface of the workstation on the 192.168.35.0/24 network:
13:21:35.152225 IP 192.168.35.102 > 192.168.25.10: ICMP echo request, id 6044, seq 1, length 64
13:21:35.210125 IP 192.168.25.10 > 192.168.35.102: ICMP echo reply, id 6044, seq 1, length 64

# tcpdump on APOLLO's tun0 interface:
14:18:41.386466 IP 192.168.35.102 > 192.168.25.10: ICMP echo request, id 6031, seq 1, length 64
14:18:41.386494 IP 192.168.25.10 > 192.168.35.102: ICMP echo reply, id 6031, seq 1, length 64

- When I ping from the ER-X (ouluGW, VPN IP 192.168.20.14) to 192.168.25.10 at APOLLO, the packets leave correctly via the "vtun0" interface on the ER-X and come in on "tun0" at APOLLO, and the return route is also OK:

# tcpdump on ouluGW's vtun0 interface:
15:24:16.860084 IP 192.168.20.14 > 192.168.25.10: ICMP echo request, id 11320, seq 1, length 64
15:24:16.917294 IP 192.168.25.10 > 192.168.20.14: ICMP echo reply, id 11320, seq 1, length 64


# tcpdump on APOLLO's tun0 interface:
14:19:54.441171 IP 192.168.20.14 > 192.168.25.10: ICMP echo request, id 10983, seq 1, length 64
14:19:54.441199 IP 192.168.25.10 > 192.168.20.14: ICMP echo reply, id 10983, seq 1, length 64

- I can ping from APOLLO to the "192.168.35.0/24" subnet behind the "ouluGW" ER-X, as well as "ouluGW" itself:

# tcpdump at APOLLO:
18:22:58.927844 IP 192.168.20.1 > 192.168.35.102: ICMP echo request, id 10296, seq 11, length 64
18:22:58.985811 IP 192.168.35.102 > 192.168.20.1: ICMP echo reply, id 10296, seq 11, length 64

# tcpdump at ouluGW:
19:25:29.870730 IP 192.168.20.1 > 192.168.35.102: ICMP echo request, id 10310, seq 1, length 64
19:25:29.871248 IP 192.168.35.102 > 192.168.20.1: ICMP echo reply, id 10310, seq 1, length 64

# tcpdump at the machine on the 192.168.35.0/24 subnet:
17:26:41.724282 IP 192.168.20.1 > 192.168.35.102: ICMP echo request, id 10311, seq 1, length 64
17:26:41.724306 IP 192.168.35.102 > 192.168.20.1: ICMP echo reply, id 10311, seq 1, length 64

 

Then what for some reason doesn't work, and I just cannot understand or see why (kamppiGW):

- When I ping from a LAN machine on the "192.168.10.0/24" subnet to an IP address on the "192.168.25.0/24" subnet at the APOLLO server, I can see the packets leave via the vtun0 interface of the ER-X and arrive at APOLLO via the tun0 interface as ICMP requests, but the ICMP reply never goes out from APOLLO:

# Ping from 192.168.10.51 to 192.168.25.10, tcpdump at APOLLO:
09:30:14.871439 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 380, length 40
09:30:19.599280 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 381, length 40

# tcpdump at kamppiGW:
10:32:27.384204 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 388, length 40
10:32:32.063683 IP 192.168.10.51 > 192.168.25.10: ICMP echo request, id 1, seq 389, length 40

- But I am able to ping APOLLO from kamppiGW, and able to ping that LAN machine on the "192.168.10.0/24" subnet from APOLLO:

# Ping from APOLLO to the LAN machine, tcpdump at APOLLO:
10:06:10.769927 IP 192.168.20.1 > 192.168.10.51: ICMP echo request, id 8541, seq 14, length 64
10:06:10.828172 IP 192.168.10.51 > 192.168.20.1: ICMP echo reply, id 8541, seq 14, length 64

# Ping from APOLLO to the LAN machine, tcpdump at kamppiGW:
11:04:41.121912 IP 192.168.20.1 > 192.168.10.51: ICMP echo request, id 8489, seq 17, length 64
11:04:41.123171 IP 192.168.10.51 > 192.168.20.1: ICMP echo reply, id 8489, seq 17, length 64

I was also able to see the packets at the LAN machine with Wireshark (this one is a Windows 10 machine)!

# Ping from APOLLO to kamppiGW, tcpdump at APOLLO:
09:33:53.298899 IP 192.168.20.10 > 192.168.25.18: ICMP echo request, id 11629, seq 1, length 64
09:33:53.298931 IP 192.168.25.18 > 192.168.20.10: ICMP echo reply, id 11629, seq 1, length 64

# Ping from APOLLO to kamppiGW, tcpdump at kamppiGW:
10:35:33.842667 IP 192.168.20.10 > 192.168.25.18: ICMP echo request, id 11702, seq 1, length 64
10:35:33.897732 IP 192.168.25.18 > 192.168.20.10: ICMP echo reply, id 11702, seq 1, length 64

- There are no firewall rules blocking/rejecting traffic IN or OUT at the APOLLO server relating to subnet 192.168.10.0/24.

 

 

So, any ideas what the reason is why the LAN machine on the 192.168.10.0/24 subnet is not able to reach subnet 192.168.25.0/24?
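As an added illustration (not part of the thread, and not a diagnosis of it), the script below models the two routing layers a packet between 192.168.10.51 and APOLLO has to pass: each box's kernel route table, copied from the routes posted above, and the OpenVPN server's internal client table, which the ccd ifconfig-push/iroute lines populate. The LAN interface names, kamppiGW's LAN address 192.168.10.1 and the LAN host's default route are assumptions, since the post does not show them. With the tables as posted the trace completes in both directions; the third call shows where the reply dies if OpenVPN's internal table lacks the iroute for 192.168.10.0/24. One thing worth keeping in mind when reading the captures above: tcpdump on tun0 sees what the kernel writes to the tun device before the OpenVPN process reads it, so a reply dropped by OpenVPN's internal table would still show up in APOLLO's tun0 capture.

```python
import ipaddress

# Added example, not from the thread. Kernel routes are copied from the post;
# LAN interface names, kamppiGW's LAN address 192.168.10.1 and the LAN host's
# default route are assumptions.


def kernel_lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop, interface) tuples."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def openvpn_lookup(client_table, dst):
    """OpenVPN's internal table: which connected client owns dst (longest prefix)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for client, subnets in client_table.items():
        for subnet in subnets:
            net = ipaddress.ip_network(subnet)
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (client, net)
    return best


def build_nodes(apollo_client_table):
    """Routing state of the three boxes on the kamppiGW side of the thread."""
    return {
        "lan-host": {                                    # 192.168.10.51 (Windows 10)
            "addrs": {"192.168.10.51"},
            "routes": [("192.168.10.0/24", None, "eth0"),
                       ("0.0.0.0/0", "192.168.10.1", "eth0")],      # assumed gateway
            "neighbours": {"192.168.10.1": "kamppiGW"},
        },
        "kamppiGW": {
            "addrs": {"192.168.10.1", "192.168.20.18"},              # LAN side assumed
            "routes": [("192.168.10.0/24", None, "switch0"),        # assumed
                       ("192.168.20.0/24", "192.168.20.17", "vtun0"),
                       ("192.168.20.17/32", None, "vtun0"),
                       ("192.168.20.18/32", None, "vtun0"),
                       ("192.168.25.0/24", "192.168.20.17", "vtun0")],
            "neighbours": {"192.168.10.51": "lan-host"},
            "tunnel_peer": "APOLLO",                   # a client's tun has one peer
        },
        "APOLLO": {
            "addrs": {"192.168.20.1", "192.168.25.10"},
            "routes": [("192.168.20.2/32", None, "tun0"),
                       ("192.168.10.0/24", "192.168.20.2", "tun0"),
                       ("192.168.20.0/24", "192.168.20.2", "tun0"),
                       ("192.168.35.0/24", "192.168.20.2", "tun0"),
                       ("192.168.25.0/24", None, "eth0")],
            "neighbours": {},
            "openvpn": apollo_client_table,             # server side: iroute table
        },
    }


def trace(nodes, start, dst, max_hops=6):
    """Follow dst from node `start`; return (hops, 'delivered' | 'dropped')."""
    hops, node = [], start
    for _ in range(max_hops):
        n = nodes[node]
        if dst in n["addrs"]:
            hops.append(f"{node}: delivered locally")
            return hops, "delivered"
        hit = kernel_lookup(n["routes"], dst)
        if hit is None:
            hops.append(f"{node}: no kernel route for {dst}")
            return hops, "dropped"
        net, next_hop, iface = hit
        if iface in ("tun0", "vtun0") and "openvpn" in n:
            # Server: the kernel writes to tun0 (where tcpdump on tun0 sees the
            # packet); the OpenVPN process then needs a client that owns dst.
            owner = openvpn_lookup(n["openvpn"], dst)
            if owner is None:
                hops.append(f"{node}: kernel -> {iface}, OpenVPN has no client for {dst}: dropped")
                return hops, "dropped"
            hops.append(f"{node}: kernel -> {iface}, OpenVPN -> client {owner[0]} ({owner[1]})")
            node = owner[0]
        elif iface in ("tun0", "vtun0"):
            hops.append(f"{node}: kernel -> {iface} ({net}), tunnel to {n['tunnel_peer']}")
            node = n["tunnel_peer"]
        else:
            gw = next_hop or dst
            if gw not in n["neighbours"]:
                hops.append(f"{node}: no neighbour {gw} on {iface}")
                return hops, "dropped"
            hops.append(f"{node}: kernel -> {iface} ({net}), next hop {gw}")
            node = n["neighbours"][gw]
    hops.append("hop limit reached")
    return hops, "dropped"


# APOLLO's view of its clients, built from the posted ccd files.
APOLLO_CLIENTS = {
    "ouluGW": ["192.168.20.14/32", "192.168.35.0/24"],
    "kamppiGW": ["192.168.20.18/32", "192.168.10.0/24"],
}

if __name__ == "__main__":
    nodes = build_nodes(APOLLO_CLIENTS)
    for label, start, dst in (("echo request", "lan-host", "192.168.25.10"),
                              ("echo reply", "APOLLO", "192.168.10.51")):
        hops, status = trace(nodes, start, dst)
        print(f"{label}: {status}\n  " + "\n  ".join(hops))
    # The reply again, with kamppiGW's iroute missing from OpenVPN's table.
    print(trace(build_nodes({"kamppiGW": ["192.168.20.18/32"]}), "APOLLO", "192.168.10.51"))
```

The model deliberately keeps the two lookups separate: `kernel_lookup` is what `ip route` answers, `openvpn_lookup` is what the server's `iroute` entries answer, and a reply to a client LAN needs both to succeed.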

 

 


All Replies
Established Member
Posts: 1,614
Registered: ‎03-02-2016
Kudos: 367
Solutions: 119

Re: OpenVPN client routing issue

Don't you need to push a route for 192.168.25.0/24 to your clients, or manually tell each client to route that subnet over the VPN?

 

Also you have route-nopull defined, which means your clients will ignore routes the server tries to push.

New Member

Re: OpenVPN client routing issue


Good evening / Hello Gfunkdave,

 

Did you notice from my text (I know, it's long, like life) that the ER-X is the VPN client, and that if you read the ER-X configuration file you can see there is a static route to 192.168.25.0/24 via the "peer IP" of the VPN connection? And that setup is working with "ouluGW", but the same doesn't work with "kamppiGW".

 

I know there is "route-nopull" in the VPN client's configuration file on the ER-X, but it actually makes no difference that it's there, because I'm not pushing any routes to the ER-X from the OpenVPN server (Apollo). If you mean the "iroute" definition in the CCD file on the OpenVPN server, that doesn't try to push a route to the ER-X; instead it tells the OpenVPN server that such a subnet will be found via that VPN client.

Thanks for being open to discussing this issue.

Established Member

Re: OpenVPN client routing issue

Oh, I missed that.

 

I don't know the answer to your question, but I have a couple thoughts from setting up OpenVPN connections myself:

 

1. OpenVPN needs you to define routes twice: once as a system static route as you have done, and again in OpenVPN using a route directive. The reason for this is that the OpenVPN directive tells OpenVPN how to route a given subnet within the OpenVPN installation, while the system static route tells the Linux kernel how to handle those packets. I actually don't know why it's working for one of your installations, since as far as I can tell you are only doing the system static route. Try adding the route in OpenVPN too.

 

1a. Have you tried using an interface route instead of a next-hop route in your ERX? I always use interface routes over OpenVPN, but I don't statically assign VPN IP addresses. It's worth a try.

 

 

New Member

Re: OpenVPN client routing issue

Hi,

 

You wrote that I need to tell OpenVPN; do you mean on the OpenVPN server side? If you do, then you can see the OpenVPN server configuration in my original post under the "spoiler tag", where it reads "route 192.168.10.0 255.255.255.0", which indeed tells the kernel of the OpenVPN server (apollo) that OpenVPN needs this route in the server's own routing table, and it exists in the routes of the OpenVPN server:

 

# ip route show|grep "192.168.10.0"
192.168.10.0/24 via 192.168.20.2 dev tun0

Did I understand correctly what you meant?

 

If I remember correctly, I tried using an interface route with the vtun0 interface as the static route method on the ER-X, without success, but I can try that again tomorrow (it's already past midnight here in Finland and an early wake-up is waiting after just a few hours). But as far as I understand, everything that is needed for it to work correctly with "ouluGW" has been set up the same way on "kamppiGW" too, and yet the LAN machine on the 192.168.10.0/24 subnet behind this "kamppiGW" still isn't able to reach the 192.168.25.10 IP address at the "apollo" server over the OpenVPN tunnel, while the LAN machine on the 192.168.35.0/24 subnet behind "ouluGW" can.

If I weren't already almost bald, I would try to rip the hair out of my head over this issue, as I just cannot understand why it won't work like it should.

 

 

 

Established Member

Re: OpenVPN client routing issue

No, that's the system/kernel routing table. Add a line to your client ovpn file:

route 192.168.25.0 255.255.255.0

I really do not know why it is working at all, because as far as I can tell it shouldn't be. It needs the route in the system (kernel) and in OpenVPN.

There is probably something else happening that you haven't noticed.
New Member

Re: OpenVPN client routing issue

Hi,

 

I tested these changes now with the "kamppiGW" ER-X, but no luck.

 

- I added "route 192.168.25.0 255.255.255.0" to the ovpn file of OpenVPN on the ER-X, to add it that way to the ER-X's routing table as well, but => no change to the situation.

 

- I changed the static route on the "kamppiGW" ER-X for the 192.168.25.0/24 subnet of the "Apollo" server from a next-hop route to an interface-route with the vtun0 interface -> no change, 192.168.10.51 is still not able to reach 192.168.25.10.

 

- I removed the added "route" definition from the ovpn file of OpenVPN on the ER-X to see if the static route change would have been the key to happiness, but... no luck.

So, what next?

 

Established Member

Re: OpenVPN client routing issue


I really don't know. It's not a complicated setup. I have it running on three EdgeRouters myself, and it has always just worked. Either something else is happening that you're not aware of, or some setting you have, that I don't, is interfering. If it helps, here is my config.

 

 

[image: Capture.PNG]

 

From any of the three LANs I can connect to any of the other two LANs, including ping.

 

Server router config:

david@RoutyMcRouterson# show interfaces openvpn vtun0
 description "Home VPN Server"
 encryption aes256
 hash sha256
 mode server
 openvpn-option --client-to-client
 openvpn-option "--keepalive 10 60"
 openvpn-option "--comp-lzo adaptive"
 openvpn-option "--verb 1"
 openvpn-option "--user nobody"
 openvpn-option "--group nogroup"
 server {
     client parents {
         subnet 192.168.1.0/24
         subnet 10.0.0.0/24
     }
     client phineas {
         subnet 10.195.1.0/24
     }
     client rena {
         subnet 192.168.10.0/24
     }
     name-server 192.168.4.1
     push-route 192.168.4.0/24
     push-route 192.168.15.0/24
     subnet 10.8.0.0/24
 }
 tls {
     ca-cert-file /config/auth/openvpn/DaveServer/ca.crt
     cert-file /config/auth/openvpn/DaveServer/RoutyMcRouterson.crt
     dh-file /config/auth/openvpn/DaveServer/dh.pem
     key-file /config/auth/openvpn/DaveServer/RoutyMcRouterson.key
 }

david@RoutyMcRouterson# show protocols static
 interface-route 10.0.0.0/24 {
     next-hop-interface vtun0 {
     }
 }
 interface-route 10.195.1.0/24 {
     next-hop-interface vtun0 {
         description phineas
     }
 }
 interface-route 192.168.1.0/24 {
     next-hop-interface vtun0 {
         description parents
     }
 }
 interface-route 192.168.10.0/24 {
     next-hop-interface vtun0 {
         description Rena
     }
 }

Parents router config:

david@590Router# show interfaces openvpn vtun1
 description "Dave VPN"
 encryption aes256
 hash sha256
 ipv6 {
     address {
         eui64 fd00::/64
     }
     dup-addr-detect-transmits 1
 }
 mode client
 openvpn-option "--comp-lzo adaptive"
 openvpn-option "--keepalive 10 60"
 openvpn-option "--verb 1"
 protocol udp
 remote-host home.xxx.com
 remote-port 1194
 tls {
     ca-cert-file /config/auth/dave/ca.crt
     cert-file /config/auth/dave/parents.crt
     key-file /config/auth/dave/parents.key
 }

Phineas router config:

david@router# show interfaces openvpn vtun0
 encryption aes256
 hash sha256
 mode client
 openvpn-option "--comp-lzo adaptive"
 openvpn-option "--verb 1"
 protocol udp
 remote-host home.xxx.com
 remote-port 1194
 tls {
     ca-cert-file /config/vpn/ca.crt
     cert-file /config/vpn/phineas.crt
     key-file /config/vpn/phineas.key
 }

 

New Member

Re: OpenVPN client routing issue

 

Hi,

Thank you for your posted configurations. I compared my OpenVPN server configuration (at Apollo, the Linux server) and the OpenVPN client configuration on the ER-X against your configurations to find out what might be the cause.

 

I finally got it working over "kamppiGW" with the following changes:

- I added a "push route" directive to the server.conf file on the OpenVPN server to push the "192.168.25.0/24" subnet to the clients.

- I added a "route" directive to the OVPN file of OpenVPN on the ER-X for the 192.168.25.0/24 subnet.

- I removed the static routes from the ER-X.

- I added a new NAT rule to push all traffic from 192.168.10.0/24 to 192.168.25.0/24 via vtun0.

 

Everything now works as wanted with that; maybe not the most beautiful way to do it, but it works.

Why the original configuration on "ouluGW" works without any changes is still a huge mystery, but as they say, don't change a working setup.
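The checker below is an added example, not code from the thread or from OpenVPN. It reads an OpenVPN server.conf, its ccd files and a client .ovpn (the posted configs, embedded here as constructed strings, the client one abridged to its option lines) and reports the mismatches this thread turned on: an iroute with no matching server route, a server-side LAN that the client's OpenVPN config neither routes itself nor can receive by push because of route-nopull, and, as a side check, the 64-bit block cipher, 1024-bit DH, keysize and compression settings the posted configs carry. System static routes on the ER-X, which is how the working ouluGW got its route, are outside what it can see, so its "no OpenVPN route" finding means exactly that. The list of server-side LANs (192.168.25.0/24 here) is supplied by the caller, since nothing in the configs names it. `fixed_configs()` applies the push-route and client-route parts of the fix described in the post above.

```python
import ipaddress
import re
import shlex

# Added example, not from the thread or OpenVPN. Inputs are the posted configs,
# reduced to the lines the checks look at (constructed strings).

# 64-bit block ciphers: Sweet32 birthday attacks on long-lived sessions.
WEAK_CIPHERS = {"DES-EDE3-CBC", "DES-CBC", "BF-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}


def parse_directives(text):
    """Return [(directive, [args])], skipping comments and <tag>...</tag> blocks."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def to_net(args):
    """'192.168.25.0 255.255.255.0' -> IPv4Network; a bare address is a /32."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)


def lint(server_conf, ccd, client_conf, server_lans):
    """Return [(severity, message)]; 'error' breaks routing, 'warn' is advisory."""
    server = parse_directives(server_conf)
    client = parse_directives(client_conf)
    server_routes = {to_net(a) for d, a in server if d == "route"}
    pushed = {to_net(a[0].split()[1:]) for d, a in server
              if d == "push" and a[0].split()[0] == "route"}
    client_routes = {to_net(a) for d, a in client if d == "route"}
    nopull = any(d == "route-nopull" for d, _ in client)
    findings = []
    # iroute tells OpenVPN which client owns a LAN; the server kernel still needs
    # a matching 'route' to send that LAN's traffic into tun at all.
    for name, text in ccd.items():
        for d, a in parse_directives(text):
            if d == "iroute" and to_net(a) not in server_routes:
                findings.append(("error", f"ccd/{name}: iroute {to_net(a)} has no matching "
                                          "'route' in server.conf"))
    if nopull and pushed:
        findings.append(("warn", "client: route-nopull set, pushed routes are ignored: "
                                 + ", ".join(sorted(map(str, pushed)))))
    # A server-side LAN reaches the client only as its own 'route' or as a push it accepts.
    for lan in map(ipaddress.ip_network, server_lans):
        if lan in client_routes or (lan in pushed and not nopull):
            continue
        findings.append(("error", f"client: no OpenVPN route for server-side LAN {lan} "
                                  "(add 'route' on the client, or push it and drop route-nopull)"))
    for side, opts in (("server", server), ("client", client)):
        for d, a in opts:
            if d == "cipher" and a[0].upper() in WEAK_CIPHERS:
                findings.append(("warn", f"{side}: cipher {a[0]} uses a 64-bit block (Sweet32)"))
            elif d == "dh" and re.search(r"1024", a[0]):
                findings.append(("warn", f"{side}: {a[0]} looks like 1024-bit DH parameters"))
            elif d == "keysize":
                findings.append(("warn", f"{side}: keysize is deprecated, remove it"))
            elif d in ("comp-lzo", "compress"):
                findings.append(("warn", f"{side}: compression ({d}) enabled on the tunnel"))
    return findings


SERVER_CONF = """\
dh dh1024.pem
server 192.168.20.0 255.255.255.0
client-config-dir "/etc/openvpn/ccd"
route 192.168.10.0 255.255.255.0
route 192.168.35.0 255.255.255.0
client-to-client
cipher DES-EDE3-CBC
comp-lzo
"""
CCD = {
    "ouluGW": "ifconfig-push 192.168.20.14 192.168.20.13\niroute 192.168.35.0 255.255.255.0\n",
    "kamppiGW": "ifconfig-push 192.168.20.18 192.168.20.17\niroute 192.168.10.0 255.255.255.0\n",
}
CLIENT_CONF = """\
client
remote x.x.x.x 1194
remote-cert-tls server
comp-lzo
route-nopull
cipher DES-EDE3-CBC
keysize 192
<ca>
</ca>
"""


def fixed_configs():
    """Push the server LAN and add a client 'route' for it; route-nopull stays."""
    server = SERVER_CONF + 'push "route 192.168.25.0 255.255.255.0"\n'
    client = CLIENT_CONF + "route 192.168.25.0 255.255.255.0\n"
    return server, client


if __name__ == "__main__":
    for label, (s, c) in (("as posted", (SERVER_CONF, CLIENT_CONF)),
                          ("after fix", fixed_configs())):
        print(label)
        for sev, msg in lint(s, CCD, c, ["192.168.25.0/24"]):
            print(f"  [{sev}] {msg}")
```

Run on the posted configs it reports one error, the missing client-side route for 192.168.25.0/24, and the crypto warnings; after `fixed_configs()` the error is gone and the remaining routing note is that the new push is ignored while route-nopull stays in the client file.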

 

 
