openvpn: connection established, can't ping server tun interface (debian server, windows & os x clients)
This might not be the desired solution, but I could track the problem down to only one key/certificate pair properly working. The solution for me was to switch from a Linux-vServer virtualization technique to a KVM-based technique, which solved all problems, since I can control by myself what tun devices I want to use, and now every client (Windows, OS X, ...) can connect without problems and access services on the server.
hreimer
Updated on September 18, 2022

Comments
-
hreimer over 1 year
My goal:
I want to set up openVPN on a vServer from the company netcup, running Debian squeeze. I only want a VPN connection from client to server; clients should not be able to see each other, and the server doesn't need to serve as a gateway to other services.
My setup:
1 Debian squeeze vServer, 3 Windows 7 clients, 2 OS X Lion clients. The clients are all in my 192.168.x.x home subnet. The firewall on the server has no restrictions set yet; the firewalls on the clients do not block outgoing connections. I even added the ICMPv4 protocol as an exception according to this post: OpenVPN server cannot ping clients. In the subnet there is a WLAN router and the fritz.box router, which is the gateway to my internet provider. The WLAN router has a firewall, but there are also no restrictions set.
My restrictions:
Since this is a virtual server that the openVPN server is running on, there are limitations: 1) the tun device "tun1" had to be unlocked first and got assigned a fixed address (10.240.43.1) which I cannot change, because 2) modifications to ifconfig are not permitted, as well as to iptables (I understood this is because the virtualization technology is using one kernel for multiple customers, therefore not allowing one customer to modify their setup), meaning 3) I cannot enable/disable IPv4 forwarding (yes, I am logged in as root). Just saying this because I have already found 50+ posts with nearly the same but slightly different problem.
What works so far:
Clients can connect via the openVPN GUI client from Windows 7 and OS X Lion to the openVPN server on the Debian machine, clients get assigned IP addresses in the desired subnet (10.240.43.x), and the logs don't indicate any error. I will post an example at the end.
What has worked ONCE (and this is driving me crazy):
When setting up openVPN on the second Windows 7 client, a connection was established, an IP address assigned AND the client could ping the server on the address of the tun interface. I was so happy I booted OS X on the same MacBook to set it up there, which didn't work, and when I booted into Windows 7 the following day, having changed nothing in the server.conf or client configuration of openvpn, I had the same misery that was on the other Windows 7 and OS X clients. This means to me that the configuration must have been OK at least this one time, and since then I am trying to figure out what happened and would appreciate it very much if someone could point me to where I am doing something wrong (I am still new to this, also English is not my first language).
What should work, based on what I read about correct configured openVPN connections:
ping. I want to ping 10.240.43.1 (the server's tun interface IP) from a client or 10.240.43.xx (<-- client IP) from the server. I get a timeout when the server pings client(s) or client(s) ping the server; also when I try tracert (in Windows) I don't even get to the first node, which would be my fritz.box router if I understood that correctly. I also read that I should have a different public IP address when I am connected to openVPN, but I don't get one; it stays the same dynamic one I got from the provider. Note I added a custom configuration in the Windows clients' config files to prevent Windows from treating it as an unidentified network, and this actually worked. However, this does not solve my problem... I have really tried every related post that I could find, so please don't redirect me to another "similar" question.
Edit: especially this one: OpenVPN Configuration - Windows 7 client & debian server. The poor guy didn't even get a single reply, just comments... but he has a very similar, if not the same, problem.
Thanks in advance!
server.conf on Debian Squeeze
port 1194
proto udp
# 10.x.x.x addresses ascending:
topology subnet
dev tun1
# prevent ifconfig manipulation or else there will be errors when restarting
# the openvpn daemon on the server - routes cannot be added anyway on my server:
ifconfig-noexec
route-noexec
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.240.43.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.240.43.1"
;push "route 10.240.43.0 255.255.255.0"
;push "redirect-gateway def1"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
One example Windows client configuration: client1.ovpn
client
dev tun1
dev-node openVPN
proto udp
remote public-ip-address-of-my-server 1194
# Dummy default gateway to work around Windows 'unidentified network'/'unknown network':
route-metric 50
route 0.0.0.0 0.0.0.0 10.240.43.1
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\Program Files (x86)\OpenVPN\config\ca.crt"
cert "C:\Program Files (x86)\OpenVPN\config\client1.crt"
key "C:\Program Files (x86)\OpenVPN\config\client1.key"
ns-cert-type server
tls-auth "C:\Program Files (x86)\OpenVPN\config\ta.key" 1
comp-lzo
verb 3
Output of route print -4 on the Windows client when openVPN is connected and an IP address assigned:
===========================================================================
Schnittstellenliste
 22...00 ff 14 5f fc a5 ......TAP-Windows Adapter V9
 21...00 ff 8a b4 4f 15 ......TeamViewer VPN Adapter
 16...00 18 de 68 09 6c ......Intel(R) PRO/Wireless 3945ABG-Netzwerkverbindug
 11...00 15 c5 b7 7d 12 ......Broadcom 440x 10/100-integrierter Controller
  1...........................Software Loopback Interface 1
 18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
 19...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 15...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #4
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.72     20
          0.0.0.0          0.0.0.0      10.240.43.1      10.240.43.8     50
      10.240.43.0    255.255.255.0   Auf Verbindung      10.240.43.8    286
      10.240.43.8  255.255.255.255   Auf Verbindung      10.240.43.8    286
    10.240.43.255  255.255.255.255   Auf Verbindung      10.240.43.8    286
        127.0.0.0        255.0.0.0   Auf Verbindung        127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung        127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
      192.168.1.0    255.255.255.0   Auf Verbindung     192.168.1.72    276
     192.168.1.72  255.255.255.255   Auf Verbindung     192.168.1.72    276
    192.168.1.255  255.255.255.255   Auf Verbindung     192.168.1.72    276
        224.0.0.0        240.0.0.0   Auf Verbindung        127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.1.72    276
        224.0.0.0        240.0.0.0   Auf Verbindung      10.240.43.8    286
  255.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.1.72    276
  255.255.255.255  255.255.255.255   Auf Verbindung      10.240.43.8    286
===========================================================================
Ständige Routen:
  Keine
Output of the openVPN status log when connected to the server:
Sat Jan 19 23:21:17 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan 8 2013
Sat Jan 19 23:21:17 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jan 19 23:21:17 2013 Need hold release from management interface, waiting...
Sat Jan 19 23:21:17 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Jan 19 23:21:17 2013 MANAGEMENT: CMD 'state on'
Sat Jan 19 23:21:17 2013 MANAGEMENT: CMD 'log all on'
Sat Jan 19 23:21:18 2013 MANAGEMENT: CMD 'hold off'
Sat Jan 19 23:21:18 2013 MANAGEMENT: CMD 'hold release'
Sat Jan 19 23:21:18 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jan 19 23:21:18 2013 Control Channel Authentication: using 'C:\Program Files (x86)\OpenVPN\config\ta.key' as a OpenVPN static key file
Sat Jan 19 23:21:18 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 19 23:21:18 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 19 23:21:18 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Jan 19 23:21:18 2013 UDPv4 link local: [undef]
Sat Jan 19 23:21:18 2013 UDPv4 link remote: [AF_INET][[public server ip]]:1194
Sat Jan 19 23:21:18 2013 MANAGEMENT: >STATE:1358634078,WAIT,,,
Sat Jan 19 23:21:18 2013 MANAGEMENT: >STATE:1358634078,AUTH,,,
Sat Jan 19 23:21:18 2013 TLS: Initial packet from [AF_INET][[public server ip]]:1194, sid=473dff0c 89fc085c
Sat Jan 19 23:21:18 2013 VERIFY OK: depth=1, C=AT, ST=Tyrol, L=Innsbruck, O=[[custom company name]], OU=General, CN=openvpn-eq, name=openvpn-[[custom name]], emailAddress=[[custom mail address]]
Sat Jan 19 23:21:18 2013 VERIFY OK: nsCertType=SERVER
Sat Jan 19 23:21:18 2013 VERIFY OK: depth=0, C=AT, ST=Tyrol, L=Innsbruck, O=[[custom company name]], OU=General, CN=openvpn-eq, name=openvpn-[[custom name]], emailAddress=[[custom mail address]]
Sat Jan 19 23:21:19 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 19 23:21:19 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 19 23:21:19 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 19 23:21:19 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 19 23:21:19 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jan 19 23:21:19 2013 [openvpn-eq] Peer Connection Initiated with [AF_INET][[public server ip]]3:1194
Sat Jan 19 23:21:20 2013 MANAGEMENT: >STATE:1358634080,GET_CONFIG,,,
Sat Jan 19 23:21:22 2013 SENT CONTROL [openvpn-eq]: 'PUSH_REQUEST' (status=1)
Sat Jan 19 23:21:22 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.240.43.1,route-gateway 10.240.43.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.240.43.8 255.255.255.0'
Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: route-related options modified
Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jan 19 23:21:22 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jan 19 23:21:22 2013 MANAGEMENT: >STATE:1358634082,ASSIGN_IP,,10.240.43.8,
Sat Jan 19 23:21:22 2013 open_tun, tt->ipv6=0
Sat Jan 19 23:21:22 2013 TAP-WIN32 device [openVPN] opened: \\.\Global\{145FFCA5-1EBD-49E6-9CA2-42B832968EFE}.tap
Sat Jan 19 23:21:22 2013 TAP-Windows Driver Version 9.9
Sat Jan 19 23:21:22 2013 Set TAP-Windows TUN subnet mode network/local/netmask = 10.240.43.0/10.240.43.8/255.255.255.0 [SUCCEEDED]
Sat Jan 19 23:21:22 2013 Notified TAP-Windows dºÀRr
Sat Jan 19 23:21:22 2013 Successful ARP Flush on interface [22] {145FFCA5-1EBD-49E6-9CA2-42B832968EFE}
Sat Jan 19 23:21:27 2013 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Sat Jan 19 23:21:27 2013 MANAGEMENT: >STATE:1358634087,ADD_ROUTES,,,
Sat Jan 19 23:21:27 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.240.43.1 METRIC 50
Sat Jan 19 23:21:27 2013 Route addition via IPAPI succeeded [adaptive]
Sat Jan 19 23:21:27 2013 Initialization Sequence Completed
Sat Jan 19 23:21:27 2013 MANAGEMENT: >STATE:1358634087,CONNECTED,SUCCESS,10.240.43.8,[[public server ip]]
Server routes:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.233.133.2    *               255.255.255.255 UH    0      0        0 tun1
10.241.162.2    *               255.255.255.255 UH    0      0        0 *
static.88-198-1 gw.netcup.net   255.255.255.255 UGH   0      0        0 eth0
10.240.43.2     *               255.255.255.255 UH    0      0        0 tun1
xx.xx.xx.xx     *               255.255.255.192 U     0      0        0 eth0
10.233.133.0    10.233.133.2    255.255.255.0   UG    0      0        0 tun1
xx.xx.228.0     *               255.255.254.0   U     0      0        0 eth0
xx.xx.240.0     *               255.255.252.0   U     0      0        0 eth0
xx.xx.232.0     *               255.255.248.0   U     0      0        0 eth0
10.20.0.0       *               255.255.0.0     U     0      0        0 *
default         gw.netcup.net   0.0.0.0         UG    0      0        0 eth0
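With the symptom described in the question (TLS handshake completes, addresses are assigned, but ICMP never makes it across), one thing worth checking on both ends is whether the kernel would actually send the peer's tunnel address out through the tun adapter. The script below is an added example, not code from the question, from OpenVPN or from anyone on this page. It parses a Linux "route -n" table and the IPv4 part of a Windows "route print -4" table (both are constructed samples shaped like the ones posted above; the German "Auf Verbindung" is accepted alongside "On-link"), does a longest-prefix match for the peer address on each side, and reports whether the chosen route uses the tunnel interface. The tunnel addresses 10.240.43.1 and 10.240.43.8 and the interface name tun1 are the ones from the question; every other address and the helper names are assumptions.

```python
"""Check whether both ends of an OpenVPN tun link route the peer's tunnel
address through the tunnel.  Added example; the routing tables are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    net: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected / on-link
    iface: str               # interface name (Linux) or interface address (Windows)
    metric: int


# Constructed sample of a Linux `route -n` table.  Like the one in the question
# it only carries a /32 host route on tun1 and no 10.240.43.0/24 route, which is
# what you are left with when ifconfig-noexec / route-noexec stop OpenVPN from
# configuring the interface.  203.0.113.0/24 is a documentation prefix.
SERVER_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.240.43.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun1
203.0.113.0     0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
"""

# Same table with the subnet route a configured tun1 would normally carry.
SERVER_ROUTE_N_FIXED = SERVER_ROUTE_N + (
    "10.240.43.0     0.0.0.0         255.255.255.0   U     0      0        0 tun1\n"
)

# Constructed sample of the IPv4 route table of a Windows client (English build;
# on the German build in the question "On-link" reads "Auf Verbindung").
CLIENT_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.72     20
          0.0.0.0          0.0.0.0      10.240.43.1      10.240.43.8     50
      10.240.43.0    255.255.255.0         On-link       10.240.43.8    286
      10.240.43.8  255.255.255.255         On-link       10.240.43.8    286
      192.168.1.0    255.255.255.0         On-link      192.168.1.72    276
"""

_WIN_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(On-link|Auf Verbindung|\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_linux_routes(text: str) -> List[Route]:
    """Parse `route -n` / `netstat -rn` output; header lines and rows whose
    destination is a hostname (as printed by `route` without -n) are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, metric, iface = parts[0], parts[1], parts[2], parts[4], parts[-1]
        if dest == "default":
            dest = "0.0.0.0"
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, None if gw in ("*", "0.0.0.0") else gw, iface, int(metric)))
        except ValueError:
            continue
    return routes


def parse_windows_routes(text: str) -> List[Route]:
    """Parse the IPv4 route rows of `route print`; the Interface column holds
    the adapter's own address, so that is what Route.iface carries here."""
    routes = []
    for line in text.splitlines():
        m = _WIN_LINE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, None if gw in ("On-link", "Auf Verbindung") else gw, iface, int(metric)))
    return routes


def best_route(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric on ties (the kernel's selection order)."""
    ip = ipaddress.ip_address(address)
    matching = [r for r in routes if ip in r.net]
    if not matching:
        return None
    return max(matching, key=lambda r: (r.net.prefixlen, -r.metric))


def tunnel_route_check(server_routes, client_routes, server_tun_ip, client_tun_ip, server_tun_iface):
    """Return (server_ok, client_ok, detail): does each side hand the peer's
    tunnel address to the tunnel interface rather than to its default route?"""
    s = best_route(server_routes, client_tun_ip)
    c = best_route(client_routes, server_tun_ip)
    server_ok = s is not None and s.iface == server_tun_iface
    client_ok = c is not None and c.gateway is None and c.iface == client_tun_ip
    detail = {
        "server": f"{client_tun_ip} -> {s.net} via {s.gateway or 'on-link'} dev {s.iface}" if s else "no route",
        "client": f"{server_tun_ip} -> {c.net} via {c.gateway or 'on-link'} dev {c.iface}" if c else "no route",
    }
    return server_ok, client_ok, detail


if __name__ == "__main__":
    for label, table in (("as posted", SERVER_ROUTE_N), ("with subnet route", SERVER_ROUTE_N_FIXED)):
        ok_s, ok_c, d = tunnel_route_check(parse_linux_routes(table), parse_windows_routes(CLIENT_ROUTE_PRINT),
                                           "10.240.43.1", "10.240.43.8", "tun1")
        print(f"[{label}] server -> client: {'OK' if ok_s else 'FAIL'} ({d['server']})")
        print(f"[{label}] client -> server: {'OK' if ok_c else 'FAIL'} ({d['client']})")
```

On the constructed tables the client side passes (10.240.43.1 falls under the on-link 10.240.43.0/24 entry of the TAP adapter), while the server side fails until a 10.240.43.0/24 route on tun1 exists: with only the /32 host route, the reply to 10.240.43.8 follows the default route out of eth0 and never enters the tunnel. Paste a real "route -n" and "route print -4" into the two constants to check an actual pair of hosts.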
-
slm over 11 years
Nice first question!
-
hreimer over 11 years
Update: after setting up openVPN on another, OS X Mountain Lion, client, ping to the server and back from the server to this client are possible. To me this means the server.conf is fine, as well as that the two routers in the network don't make any problems. On a fresh install of Win 8 on that same machine, however, the "connected but ping not possible" problem still persists. NOTE: I excluded the "openVPN" adapter in the Windows clients' config from the firewall with no success.
-
hreimer over 11 years
UPDATE: I could track the error down to some kind of corrupt key/certificate files for the clients. The only one working is the one I initially used on the working OS X Mountain Lion client. The remaining question is what caused or still causes them to be incompatible, even when I generate the latest key/crt pairs the same way as the working ones (via "source vars" and "build-key <clientname>") - then I can connect but not ping the server. Does anybody know a solution to this or how I could check what's the difference between them?
-
fboaventura over 11 years
How are you getting the keys into your client? Windows firewall is allowing ping? Have you checked the logs from client and server?
-
Danny about 11 years
Can you post and accept an answer to this, and possibly use it to point to your new question? That way this won't show up as unanswered any more when part of the problem was corruption.
-
hreimer about 11 years
Yes, I ran it as administrator; this wasn't the problem.