openvpn: connection established, can't ping server tun interface (debian server, windows & os x clients)


This might not be the desired solution, but I could track the problem down to only one key/certificate pair properly working. The solution for me was to switch from a Linux-vServer virtualization technique to a KVM based technique, which solved all problems since I can control by myself what tun devices I want to use, and now every client (Windows, OS X, ...) can connect without problems and access services on the server.
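The answer above reports that only one client key/certificate pair ever worked, and a later comment asks how to check what differs between the working pair and the broken ones. The shell script below is an added example (it is not code from the post or from the OpenVPN project) that performs that check with plain openssl on any machine that has the files: it verifies that the client certificate chains to ca.crt, that the private key really belongs to that certificate, and that the certificate has not expired, and it prints the Netscape cert type of a server certificate, which the client's ns-cert-type server option relies on. The file names ca.crt, clientN.crt and clientN.key are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the post: check an easy-rsa client key/cert pair
# against the CA the way the OpenVPN server will, before deploying the files.
# Assumed inputs: paths to ca.crt, clientN.crt and clientN.key (placeholder names).

# Fingerprint of the RSA modulus of a certificate ("x509") or private key ("rsa").
# A key and a certificate belong together only if these two values are identical.
modulus_fp() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# Returns 0 when the pair passes every check, 1 otherwise; prints one line per check.
check_client_cert() {
    ca="$1"; crt="$2"; key="$3"; rc=0

    # 1. The client certificate must chain to the CA named in the server's "ca"
    #    directive. openssl verify also enforces the certificate's validity dates.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok   chain: $crt verifies against $ca"
    else
        echo "FAIL chain: $crt does not verify against $ca"; rc=1
    fi

    # 2. The private key must match the certificate's public key. A key that
    #    belongs to a different certificate fails the TLS handshake even though
    #    both files look perfectly normal on disk.
    crt_fp=$(modulus_fp x509 "$crt"); key_fp=$(modulus_fp rsa "$key")
    if [ -n "$crt_fp" ] && [ "$crt_fp" = "$key_fp" ]; then
        echo "ok   key:   $key matches $crt"
    else
        echo "FAIL key:   $key does not match $crt"; rc=1
    fi

    # 3. Report the notAfter date and flag a certificate that has already expired.
    if openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1; then
        echo "ok   dates: $(openssl x509 -noout -enddate -in "$crt")"
    else
        echo "FAIL dates: $crt has expired"; rc=1
    fi

    return $rc
}

# Print the Netscape cert type of a server certificate. The client config in the
# post uses "ns-cert-type server", which only accepts a cert marked "SSL Server".
server_cert_type() {
    openssl x509 -noout -text -in "$1" | awk '/Netscape Cert Type/ { getline; sub(/^ +/, ""); print }'
}

# Usage: check_client_cert /etc/openvpn/easy-rsa/keys/ca.crt client1.crt client1.key
#        server_cert_type /etc/openvpn/easy-rsa/keys/server.crt
```

Run the three-argument check once per client on the server, where the CA file and the freshly built client files are; a FAIL on the key line means the .crt and .key that were copied to the client are not a pair, and a FAIL on the chain line means the client certificate was issued by a different CA than the one the server trusts.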



Author: hreimer

Updated on September 18, 2022

Comments

  • hreimer over 1 year

    My goal:

    I want to set up openVPN on a vServer from the company netcup, running Debian squeeze. I only want a VPN connection from client to server; clients should not be able to see each other, and the server doesn't need to serve as a gateway to other services.

    My setup:

    1 Debian squeeze vServer, 3 Windows 7 clients, 2 OS X Lion clients; the clients are all in my 192.168.x.x home subnet, the firewall on the server has no restrictions set yet, firewalls on the clients do not block outgoing connections, and I even added the ICMPv4 protocol as an exception according to this post: OpenVPN server cannot ping clients. In the subnet there is a WLAN router and the fritz.box router, which is the gateway to my internet provider. The WLAN router has a firewall, but there are also no restrictions set.

    My restrictions:

    Since this is a virtual server the openVPN server is running on, there are limitations: 1) the tun device "tun1" had to be unlocked first and got assigned a fixed address (10.240.43.1) which I cannot change, because 2) modifications to ifconfig are not permitted, nor to iptables (I understood this is because the virtualization technology is using one kernel for multiple customers, therefore not allowing one customer to modify their setup), meaning 3) I cannot enable/disable IPv4 forwarding (yes, I am logged in as root). Just saying this because I have already found 50+ posts with nearly the same but slightly different problem.

    What works so far:

    Clients can connect via the openVPN GUI client from Windows 7 and OS X Lion to the openVPN server on the Debian machine, clients get assigned IP addresses in the desired subnet (10.240.43.x), and the logs don't indicate any error. I will post an example at the end.

    What has worked ONCE (and this is driving me crazy):

    When setting up openVPN on the second Windows 7 client a connection was established, an IP address assigned AND the client could ping the server on the address of the tun interface. I was so happy I booted OS X on the same macbook to set it up there, which didn't work, and when I booted into Windows 7 the following day, having changed nothing in the server.conf or client configuration of openvpn, I had the same misery that was on the other Windows 7 and OS X clients. This means to me that the configuration must have been ok at least this one time, and since then I am trying to figure out what happened. I would appreciate it very much if someone could point me to where I am doing something wrong (I am still new to this; also, English is not my first language).

    What should work, based on what I read about correct configured openVPN connections:

    Ping. I want to ping 10.240.43.1 (the server's tun interface IP) from a client or 10.240.43.xx (<-- client IP) from the server. I get a timeout when the server pings the client(s) or the client(s) ping the server; also, when I try tracert (in Windows) I don't even get to the first node, which would be my fritz.box router if I understood that correctly. I also read that I should have a different public IP address when I am connected to openVPN, but I don't get one; it stays the same dynamic one I got from the provider. Note I added a custom configuration in the Windows clients' config files to prevent Windows from treating it as an unidentified network, and this actually worked. However, this does not solve my problem. I have really tried every related post that I could find, so please don't redirect me to another "similar" question.

    Edit: especially this one: OpenVPN Configuration - Windows 7 client & debian server; the poor guy didn't even get a single reply, just comments, but he has a very similar, if not the same, problem.

    Thanks in advance!


    server.conf on Debian Squeeze

    port 1194
    proto udp

    # 10.x.x.x addresses ascending:
    topology subnet

    dev tun1

    # prevent ifconfig manipulation or else there will be errors when restarting
    # the openvpn daemon on the server - routes cannot be added anyway on my server:
    ifconfig-noexec
    route-noexec

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem

    server 10.240.43.0 255.255.255.0

    ifconfig-pool-persist ipp.txt

    push "dhcp-option DNS 10.240.43.1"
    ;push "route 10.240.43.0 255.255.255.0"
    ;push "redirect-gateway def1"

    keepalive 10 120

    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    comp-lzo

    user nobody
    group nobody

    persist-key
    persist-tun
    status openvpn-status.log
    verb 3


    One example Windows client configuration: client1.ovpn

    client

    dev tun1
    dev-node openVPN

    proto udp

    remote public-ip-address-of-my-server 1194

    # Dummy default gateway to work around Windows 'unidentified network'/'unknown network':
    route-metric 50
    route 0.0.0.0 0.0.0.0 10.240.43.1

    resolv-retry infinite

    nobind

    persist-key
    persist-tun

    ca "C:\Program Files (x86)\OpenVPN\config\ca.crt"
    cert "C:\Program Files (x86)\OpenVPN\config\client1.crt"
    key "C:\Program Files (x86)\OpenVPN\config\client1.key"

    ns-cert-type server

    tls-auth "C:\Program Files (x86)\OpenVPN\config\ta.key" 1

    comp-lzo
    verb 3


    Output of route print -4 on the Windows client when openVPN is connected and an IP address is assigned:

    ===========================================================================
    Schnittstellenliste
     22...00 ff 14 5f fc a5 ......TAP-Windows Adapter V9
     21...00 ff 8a b4 4f 15 ......TeamViewer VPN Adapter
     16...00 18 de 68 09 6c ......Intel(R) PRO/Wireless 3945ABG-Netzwerkverbindug
     11...00 15 c5 b7 7d 12 ......Broadcom 440x 10/100-integrierter Controller
      1...........................Software Loopback Interface 1
     18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
     19...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     15...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
     17...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #4
    ===========================================================================
    
    IPv4-Routentabelle
    ===========================================================================
    Aktive Routen:
         Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
              0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.72     20
              0.0.0.0          0.0.0.0      10.240.43.1      10.240.43.8     50
          10.240.43.0    255.255.255.0   Auf Verbindung       10.240.43.8    286
          10.240.43.8  255.255.255.255   Auf Verbindung       10.240.43.8    286
        10.240.43.255  255.255.255.255   Auf Verbindung       10.240.43.8    286
            127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
            127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
      127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
          192.168.1.0    255.255.255.0   Auf Verbindung      192.168.1.72    276
         192.168.1.72  255.255.255.255   Auf Verbindung      192.168.1.72    276
        192.168.1.255  255.255.255.255   Auf Verbindung      192.168.1.72    276
            224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
            224.0.0.0        240.0.0.0   Auf Verbindung      192.168.1.72    276
            224.0.0.0        240.0.0.0   Auf Verbindung       10.240.43.8    286
      255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306    
      255.255.255.255  255.255.255.255   Auf Verbindung      192.168.1.72    276
      255.255.255.255  255.255.255.255   Auf Verbindung       10.240.43.8    286
    ===========================================================================
    Ständige Routen:
      Keine
    

    Output of the openVPN status log when connected to the server:

    Sat Jan 19 23:21:17 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan  8 2013
    Sat Jan 19 23:21:17 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sat Jan 19 23:21:17 2013 Need hold release from management interface, waiting...
    Sat Jan 19 23:21:17 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sat Jan 19 23:21:17 2013 MANAGEMENT: CMD 'state on'
    Sat Jan 19 23:21:17 2013 MANAGEMENT: CMD 'log all on'
    Sat Jan 19 23:21:18 2013 MANAGEMENT: CMD 'hold off'
    Sat Jan 19 23:21:18 2013 MANAGEMENT: CMD 'hold release'
    Sat Jan 19 23:21:18 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Jan 19 23:21:18 2013 Control Channel Authentication: using 'C:\Program Files (x86)\OpenVPN\config\ta.key' as a OpenVPN static key file
    Sat Jan 19 23:21:18 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jan 19 23:21:18 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jan 19 23:21:18 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sat Jan 19 23:21:18 2013 UDPv4 link local: [undef]
    Sat Jan 19 23:21:18 2013 UDPv4 link remote: [AF_INET][[public server ip]]:1194
    Sat Jan 19 23:21:18 2013 MANAGEMENT: >STATE:1358634078,WAIT,,,
    Sat Jan 19 23:21:18 2013 MANAGEMENT: >STATE:1358634078,AUTH,,,
    Sat Jan 19 23:21:18 2013 TLS: Initial packet from [AF_INET][[public server ip]]:1194, sid=473dff0c 89fc085c
    Sat Jan 19 23:21:18 2013 VERIFY OK: depth=1, C=AT, ST=Tyrol, L=Innsbruck, O=[[custom company name]], OU=General, CN=openvpn-eq, name=openvpn-[[custom name]], emailAddress=[[custom mail address]]
    Sat Jan 19 23:21:18 2013 VERIFY OK: nsCertType=SERVER
    Sat Jan 19 23:21:18 2013 VERIFY OK: depth=0, C=AT, ST=Tyrol, L=Innsbruck, O=[[custom company name]], OU=General, CN=openvpn-eq, name=openvpn-[[custom name]], emailAddress=[[custom mail address]]
    Sat Jan 19 23:21:19 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Jan 19 23:21:19 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jan 19 23:21:19 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Jan 19 23:21:19 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jan 19 23:21:19 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Jan 19 23:21:19 2013 [openvpn-eq] Peer Connection Initiated with [AF_INET][[public server ip]]3:1194
    Sat Jan 19 23:21:20 2013 MANAGEMENT: >STATE:1358634080,GET_CONFIG,,,
    Sat Jan 19 23:21:22 2013 SENT CONTROL [openvpn-eq]: 'PUSH_REQUEST' (status=1)
    Sat Jan 19 23:21:22 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.240.43.1,route-gateway 10.240.43.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.240.43.8 255.255.255.0'
    Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: route-related options modified
    Sat Jan 19 23:21:22 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Jan 19 23:21:22 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Jan 19 23:21:22 2013 MANAGEMENT: >STATE:1358634082,ASSIGN_IP,,10.240.43.8,
    Sat Jan 19 23:21:22 2013 open_tun, tt->ipv6=0
    Sat Jan 19 23:21:22 2013 TAP-WIN32 device [openVPN] opened: \\.\Global\{145FFCA5-1EBD-49E6-9CA2-42B832968EFE}.tap
    Sat Jan 19 23:21:22 2013 TAP-Windows Driver Version 9.9 
    Sat Jan 19 23:21:22 2013 Set TAP-Windows TUN subnet mode network/local/netmask = 10.240.43.0/10.240.43.8/255.255.255.0 [SUCCEEDED]
    Sat Jan 19 23:21:22 2013 Notified TAP-Windows dºÀRr
    Sat Jan 19 23:21:22 2013 Successful ARP Flush on interface [22] {145FFCA5-1EBD-49E6-9CA2-42B832968EFE}
    Sat Jan 19 23:21:27 2013 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
    Sat Jan 19 23:21:27 2013 MANAGEMENT: >STATE:1358634087,ADD_ROUTES,,,
    Sat Jan 19 23:21:27 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.240.43.1 METRIC 50
    Sat Jan 19 23:21:27 2013 Route addition via IPAPI succeeded [adaptive]
    Sat Jan 19 23:21:27 2013 Initialization Sequence Completed
    Sat Jan 19 23:21:27 2013 MANAGEMENT: >STATE:1358634087,CONNECTED,SUCCESS,10.240.43.8,[[public server ip]]
    

    Server routes:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.233.133.2    *               255.255.255.255 UH    0      0        0 tun1
    10.241.162.2    *               255.255.255.255 UH    0      0        0 *
    static.88-198-1 gw.netcup.net   255.255.255.255 UGH   0      0        0 eth0
    10.240.43.2     *               255.255.255.255 UH    0      0        0 tun1
    xx.xx.xx.xx     *               255.255.255.192 U     0      0        0 eth0
    10.233.133.0    10.233.133.2    255.255.255.0   UG    0      0        0 tun1
    xx.xx.228.0     *               255.255.254.0   U     0      0        0 eth0
    xx.xx.240.0     *               255.255.252.0   U     0      0        0 eth0
    xx.xx.232.0     *               255.255.248.0   U     0      0        0 eth0
    10.20.0.0       *               255.255.0.0     U     0      0        0 *
    default         gw.netcup.net   0.0.0.0         UG    0      0        0 eth0
    
    • slm over 11 years
      Nice first question!
    • hreimer over 11 years
      Update: after setting up openVPN on another, OS X Mountain Lion, client, pinging the server and back from the server to this client is possible. To me this means the server.conf is fine, as well as that the two routers in the network don't make any problems. On a fresh install of Win 8 on that same machine, however, the "connected but ping not possible" problem still persists. NOTE: I excluded the "openVPN" adapter in the Windows clients' config from the firewall with no success.
    • hreimer over 11 years
      UPDATE: I could track the error down to some kind of corrupt key/certificate files for the clients; the only one working is the one I initially used on the working OS X Mountain Lion client. The remaining question is what caused or still causes them to be incompatible; even when I generate the latest key/crt pairs the same way as the working ones (via source vars and build-key <clientname>), I can connect but not ping the server. Does anybody know a solution to this or how I could check what's the difference between them?
    • fboaventura over 11 years
      How are you getting the keys into your client? Is the Windows firewall allowing ping? Have you checked the logs from client and server?
    • Danny about 11 years
      Can you post and accept an answer to this - and possibly use it to point to your new question? That way this won't show up as unanswered any more, when part of the problem was corruption.
  • hreimer about 11 years
    Yes, I ran it as administrator; this wasn't the problem.
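The route print -4 table in the question contains two default routes: the LAN one via 192.168.1.1 with metric 20 and the dummy one via 10.240.43.1 with metric 50 that the client config adds. Windows picks the lowest metric, so Internet traffic keeps leaving through the LAN, which is consistent with the unchanged public IP the question mentions (the server's push "redirect-gateway def1" line is commented out). The 10.240.43.0/24 subnet, on the other hand, is on-link via the TAP adapter, so a client-side ping to 10.240.43.1 is routed into the tunnel correctly. The script below is an added example, not code from the post: it reads a copy of that table (constructed from the question's output and embedded inline), reports which default route wins, counts the default routes, and checks whether a given subnet is on-link. It goes slightly beyond the question's table in that it accepts both the German "Auf Verbindung" and the English "On-link" wording of route print.

```shell
#!/bin/sh
# Added example, not code from the post: interpret the IPv4 routes of a Windows
# "route print -4" table from an OpenVPN client. The table below is a constructed
# copy of the routes shown in the question (German Windows prints
# "Auf Verbindung" for on-link routes; English Windows prints "On-link").

ROUTE_TABLE='     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.72     20
          0.0.0.0          0.0.0.0      10.240.43.1      10.240.43.8     50
      10.240.43.0    255.255.255.0   Auf Verbindung       10.240.43.8    286
      10.240.43.8  255.255.255.255   Auf Verbindung       10.240.43.8    286
      192.168.1.0    255.255.255.0   Auf Verbindung      192.168.1.72    276'

# Gateway of the default route with the lowest metric: the one Windows actually
# uses for traffic that matches no more specific route (Internet traffic).
winning_default_gateway() {
    printf '%s\n' "$ROUTE_TABLE" | awk '
        $1 == "0.0.0.0" && $2 == "0.0.0.0" {
            if (best == "" || $NF + 0 < best + 0) { best = $NF; gw = $3 }
        }
        END { print gw }'
}

# Number of 0.0.0.0/0 entries; more than one means some route (here the dummy
# route added by the client config) competes with the LAN default gateway.
default_route_count() {
    printf '%s\n' "$ROUTE_TABLE" | awk '
        $1 == "0.0.0.0" && $2 == "0.0.0.0" { n++ }
        END { print n + 0 }'
}

# Exit 0 if the given network (e.g. 10.240.43.0) is reachable on-link, i.e.
# directly through an interface rather than via a gateway; exit 1 otherwise.
vpn_subnet_is_onlink() {
    printf '%s\n' "$ROUTE_TABLE" | awk -v net="$1" '
        $1 == net && (($3 == "Auf" && $4 == "Verbindung") || $3 == "On-link") { f = 1 }
        END { exit f ? 0 : 1 }'
}

# Human-readable summary of what the table means for this client.
report() {
    echo "default routes: $(default_route_count)"
    echo "Internet traffic leaves via: $(winning_default_gateway)"
    if vpn_subnet_is_onlink 10.240.43.0; then
        echo "10.240.43.0/24 is on-link: pings to 10.240.43.1 enter the tunnel"
    else
        echo "10.240.43.0/24 has no on-link route: pings cannot reach the tunnel"
    fi
}

# Usage: paste the "Aktive Routen" section of your own route print -4 output into
# ROUTE_TABLE, then run: report
```

Replacing ROUTE_TABLE with the routes of a client that cannot ping the server tells you, before touching the server, whether the client side of the problem is routing at all: if 10.240.43.0/24 is on-link through the TAP adapter and the only other default route is the LAN one, the packets are leaving the client correctly and the fault is further along the path.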