
Eli
Resolved
Hi all,

I recently set up an openvpn site to site configuration between two COS 7.2 machines. The connections is up, both 7.2 machines can ping each other via local LAN ip addresses and now that the routes are correct both OpenVPN machine can ping other network devices such as side B can ping the printer at side A. However the ultimate goal is for everything on Side A & B to be able to ping each other. That seems to be the one part of this that I can't quite get figured out just yet.

I'm not sure if this something obvious and really no information about my set up is necessary or if a lot of information about my set up is necessary to be able to provide a solution. Nevertheless please let me know your thoughts and what needs to be done, I feel like it's something simple but I haven't been able to figure that out just yet.

Thank you!
In OpenVPN
Tuesday, October 04 2016, 02:45 AM
Responses (9)
  • Accepted Answer

    Faucon
    Sunday, December 11 2016, 05:39 AM
    Is this problem fixed? I was dealing with the same problem last week. You have to enter a new entry on both sides for MASQUERADE.

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno33557248 -j MASQUERADE

    I used the Custom Firewall app from the Marketplace to be able to easily add rules to my iptables.

    Also, you have to make sure that both sides have packet forwarding enabled. You can check with this command:

    cat /proc/sys/net/ipv4/ip_forward

    It will return 0 or 1. If it's currently 0, you have to add these lines in /etc/sysctl.conf and reboot:

    # Packet forwarding
    net.ipv4.ip_forward = 1
    net.inet.ip.fastforwarding = 1
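As an added example (not code from this thread or from ClearOS), the checks the replies above walk through, packaged into a small Python script: each router needs a plain `route` line for the remote LAN in its OpenVPN config, a kernel route for that LAN via the tun interface, and ip_forward set to 1. The sample inputs are constructed, modelled on the Side A output Eli posted, with the `check_side` function and its argument order being my own choice.

```python
import ipaddress
import re

# Only plain 'route' lines matter for this router; push "route ..." is for clients.
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)", re.M)

def config_routes(conf):
    """Networks the OpenVPN config sends into the tunnel via 'route' lines."""
    return {ipaddress.ip_network(f"{n}/{m}") for n, m in ROUTE_RE.findall(conf)}

def kernel_routes(table):
    """Parse 'route -n' output into {network: (gateway, iface)}; skips default
    and lines whose destination is not an address (e.g. a redacted placeholder)."""
    routes = {}
    for line in table.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination", "default"):
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        except ValueError:
            continue  # e.g. the wan.ip.address.0 line in the posted table
        routes[net] = (f[1], f[7])
    return routes

def check_side(conf, table, remote_lan, ip_forward):
    """Return a list of problems; empty means this side can carry LAN-to-LAN traffic."""
    problems = []
    remote = ipaddress.ip_network(remote_lan)
    if remote not in config_routes(conf):
        problems.append(f"config has no 'route' line for {remote}")
    via = kernel_routes(table).get(remote)
    if via is None:
        problems.append(f"kernel has no route to {remote}")
    elif not via[1].startswith("tun"):
        problems.append(f"route to {remote} uses {via[1]}, not the tunnel")
    if ip_forward.strip() != "1":
        problems.append("ip_forward is not 1; the router will not forward LAN traffic")
    return problems

# Constructed sample modelled on the Side A config and routing table in this thread.
SIDE_A_CONF = 'dev tun\nroute 192.168.1.0 255.255.255.0\npush "route 192.168.1.0 255.255.255.0"\n'
SIDE_A_TABLE = """Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default c-73-35-184-1.h 0.0.0.0 UG 0 0 0 eno50336512
10.8.222.41 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
wan.ip.address.0 0.0.0.0 255.255.252.0 U 0 0 0 eno50336512
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno33557248
"""
# Constructed broken side: only a push line, no kernel route, forwarding disabled.
BROKEN_CONF = 'dev tun\npush "route 192.168.2.0 255.255.255.0"\n'
BROKEN_TABLE = "192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp5s9\n"

if __name__ == "__main__":
    print(check_side(SIDE_A_CONF, SIDE_A_TABLE, "192.168.1.0/24", "1\n"))  # []
    print(check_side(BROKEN_CONF, BROKEN_TABLE, "192.168.2.0/24", "0\n"))  # three problems
```

On a live router the three inputs come from the OpenVPN config file, `route -n`, and `cat /proc/sys/net/ipv4/ip_forward`; run it on both sides, since one side being correct is exactly the half-working state described in this thread.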
  • Monday, October 17 2016, 11:39 AM
    Is ClearOS on Site B really the Site B LAN's gateway?

    For both site A and B, can you post the routing table of a LAN device? Similarly, please post the output from both ClearOS machines of "iptables -nvL -t nat".
  • Eli
    Sunday, October 16 2016, 10:13 PM
    When pinging from a LAN device on Side A (Windoze Surface using cmd, 192.168.2.184) behind the gateway 192.168.2.10 (which can ping both of the remote devices tested below), these are the results.


    ping 192.168.1.3

    Pinging 192.168.1.3 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.1.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),



    ping 192.168.1.181

    Pinging 192.168.1.181 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.1.181:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    Device 192.168.1.3 on the remote side (side B) is their ClearOS machine hosting the configuration that connects to side A. 192.168.1.181 is a tablet device behind side B's ClearOS router (192.168.1.3).

    The above ping results are the same from a LAN device on Side B's network pinging 192.168.2.10 (Side A's gateway/OpenVPN server) and 192.168.2.184 (Windoze Surface with firewall set to respond to pings from outside its own LAN subnet).
  • Sunday, October 16 2016, 09:02 PM
    You should not need the implicit set up. It should work by IP address (but not by name). What happens when you ping from a LAN device to the remote LAN gateway and to a remote LAN device? If the remote LAN device you are pinging is a Windoze box, can you make sure its firewall is set to respond to pings from outside its own LAN subnet?
  • Eli
    Sunday, October 16 2016, 08:21 PM
    That is the guide that I've followed and derived the config files below from. I've since edited the config files again to match the sections "Create the Headquarters Configuration" and "Create the Remote Office Configuration".

    The ClearOS 7 router for side A (192.168.2.10) can ping across the tunnel to side B; anything and everything on side B can be reached by the router at side A (192.168.2.10). The same goes for side B's router: it can ping across the tunnel and reach all network devices on Side A.

    I'm reading further into that guide and am not sure it talks about what I'm looking to do. The next thing I'm looking for is for a device on side A (i.e. laptop, surface, desktop) to be able to ping and reach shares on side B, on a server past the router on side B (192.168.2.184 should be able to access shares from 192.168.1.120). I'm not sure the "Appendix: Alternate implicit site to site" configs are what I'm looking for, for the configuration I described above.

    Hopefully that all makes sense. Thanks!
  • Sunday, October 16 2016, 07:33 PM
    I hope you now see the effects of your code tags. They all worked well. Compare one of your routing tables you've just posted to what you posted this morning/last night. It also makes firewall listings much easier to read.

    Have you seen this doc for configuring OpenVPN to connect networks together? Can you have a look at it then remove all your push lines from your configs? I'm pretty certain you don't need the additional firewall rules.

    Also, in the example config they only have one side configured with a "remote" line, but I am not sure that matters.
  • Eli
    Sunday, October 16 2016, 07:08 PM
    Hi Nick,

    I've never been asked (outside of you) to use code tags before. I had no idea they existed, or even how to use them. So hopefully, as I use them now, it will display correctly for you. I apologize if it doesn't.

    Side A config file

    dev tun
    port 1195
    remote fqdn.wan.ip.address 1195
    ifconfig 10.8.222.40 10.8.222.41
    route 192.168.1.0 255.255.255.0
    push "route 192.168.2.0 225.255.255.0"
    push "route 192.168.1.0 255.255.255.0"
    comp-lzo
    keepalive 10 60
    persist-key
    persist-tun
    user nobody
    group nobody
    secret blinkinglights.key


    Side A routing table

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default c-73-35-184-1.h 0.0.0.0 UG 0 0 0 eno50336512
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun2
    10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun2
    10.8.10.0 10.8.10.2 255.255.255.0 UG 0 0 0 tun1
    10.8.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
    10.8.222.41 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    wan.ip.address.0 0.0.0.0 255.255.252.0 U 0 0 0 eno50336512
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno33557248


    Side A iptables -nvL

    Chain INPUT (policy DROP 9572 packets, 1210K bytes)
    pkts bytes target prot opt in out source destination
    593 30713 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    69 7008 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- eno50336512 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- eno50336512 * 169.254.0.0/16 0.0.0.0/0
    401 33541 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    25 2212 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    48496 5775K ACCEPT all -- eno33557248 * 0.0.0.0/0 0.0.0.0/0
    1140 33060 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    9 4680 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    14 610 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    326 109K ACCEPT udp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:4500
    0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1194
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:8443
    136 13696 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1195
    240K 21M ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:81
    9094 1331K ACCEPT udp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    13404 23M ACCEPT tcp -- eno50336512 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    1 40 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.191 tcp dpt:9000
    7 360 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.9 tcp dpt:81
    0 0 ACCEPT udp -- * eno33557248 0.0.0.0/0 192.168.2.9 udp dpt:1194
    70 9506 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.157 tcp dpt:8443
    9 360 ACCEPT tcp -- * eno33557248 0.0.0.0/0 192.168.2.9 tcp dpt:80
    4730K 4596M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    30964 3006K ACCEPT all -- eno33557248 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    451 36141 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    46 3864 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    16591 5683K ACCEPT all -- * eno33557248 0.0.0.0/0 0.0.0.0/0
    5124 541K ACCEPT icmp -- * eno50336512 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * eno50336512 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * eno50336512 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    0 0 ACCEPT udp -- * eno50336512 wan.ip.address 0.0.0.0/0 udp spt:4500
    0 0 ACCEPT udp -- * eno50336512 wan.ip.address 0.0.0.0/0 udp spt:1194
    0 0 ACCEPT tcp -- * eno50336512 wan.ip.address 0.0.0.0/0 tcp spt:8443
    12054 1063K ACCEPT udp -- * eno50336512 wan.ip.address 0.0.0.0/0 udp spt:1195
    171K 69M ACCEPT tcp -- * eno50336512 wan.ip.address 0.0.0.0/0 tcp spt:81
    18046 1146K ACCEPT all -- * eno50336512 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


    Side B config file

    dev tun
    port 1195
    remote fqdn.of.my.wan.ip 1195
    ifconfig 10.8.222.41 10.8.222.40
    route 192.168.2.0 255.255.255.0
    comp-lzo
    keepalive 10 60
    persist-key
    persist-tun
    user nobody
    group nobody
    secret blinkinglights.key
    push "dhcp-option DNS 192.168.1.3"
    push "dhcp-option WINS 192.168.1.3"
    push "route 192.168.1.0 255.255.255.0"


    Side B routing table

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default 71.227.132.1 0.0.0.0 UG 0 0 0 enp64s0
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun2
    10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun2
    10.8.10.0 10.8.10.2 255.255.255.0 UG 0 0 0 tun1
    10.8.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
    10.8.222.40 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    wan.ip.address.0 0.0.0.0 255.255.252.0 U 0 0 0 enp64s0
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp5s9
    192.168.2.0 10.8.222.40 255.255.255.0 UG 0 0 0 tun0


    Side B iptables -nvL

    Chain INPUT (policy DROP 16 packets, 692 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    3 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    4 168 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- enp64s0 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- enp64s0 * 169.254.0.0/16 0.0.0.0/0
    36 3448 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    7 588 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    352 30559 ACCEPT all -- enp5s9 * 0.0.0.0/0 0.0.0.0/0
    8 232 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    0 0 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    4 1492 ACCEPT udp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    54 4888 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1195
    0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:4500
    341 26107 ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:22
    0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp dpt:1194
    12 480 ACCEPT tcp -- * * 0.0.0.0/0 wan.ip.address tcp dpt:81
    0 0 ACCEPT udp -- * * 0.0.0.0/0 wan.ip.address udp spt:500 dpt:500
    0 0 ACCEPT esp -- * * 0.0.0.0/0 wan.ip.address
    0 0 ACCEPT ah -- * * 0.0.0.0/0 wan.ip.address
    0 0 ACCEPT all -- * * 0.0.0.0/0 wan.ip.address mark match 0x64
    0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.3 mark match 0x64
    7 609 ACCEPT udp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- enp64s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x64
    207K 208M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    320 17215 ACCEPT all -- enp5s9 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    36 3448 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    7 588 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    286 29343 ACCEPT all -- * enp5s9 0.0.0.0/0 0.0.0.0/0
    8 232 ACCEPT icmp -- * enp64s0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * enp64s0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * enp64s0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    61 8264 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:1195
    0 0 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:4500
    193 22819 ACCEPT tcp -- * enp64s0 wan.ip.address 0.0.0.0/0 tcp spt:22
    0 0 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:1194
    12 480 ACCEPT tcp -- * enp64s0 wan.ip.address 0.0.0.0/0 tcp spt:81
    0 0 ACCEPT udp -- * enp64s0 wan.ip.address 0.0.0.0/0 udp spt:500 dpt:500
    0 0 ACCEPT esp -- * enp64s0 wan.ip.address 0.0.0.0/0
    0 0 ACCEPT ah -- * enp64s0 wan.ip.address 0.0.0.0/0
    7 498 ACCEPT all -- * enp64s0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


    As I said, I hope all of this turns out properly; if not, I apologize, as this is my first time trying to use code tags as you described. I did not see your latest update in my IPsec post until you said something in your last post. Basically, if either IPsec or OpenVPN works, I am just looking for one solution or the other; it doesn't matter which.

    Thank you for your help Nick.
  • Sunday, October 16 2016, 06:49 AM
    It could be routes or the firewall, but you have to look at both ends at the same time. I'd love you to start using code tags, and I'd appreciate it if you would do what I requested in my last post to your IPsec thread.

    For this issue, please post the configs, routing tables and output to "iptables -nvL" from both ends, indicating which is which and putting the results between code tags.
  • Eli
    Sunday, October 16 2016, 12:23 AM
    Still no luck on getting Side A and B to completely ping each other. I played around with routes but am still only able to ping the other network from my router. I can ping other devices from my router but am not able to ping a server at side B with my Surface. The LANs do not overlap: Side A is 192.168.2.x, Side B is 192.168.1.x.

    The output of the route command is below; the only thing I can think of is that the routes are wrong somehow, even though it allows me to connect across the tunnel.

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default c-73-35-184-1.h 0.0.0.0 UG 0 0 0 eno50336512
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun2
    10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun2
    10.8.10.0 10.8.10.2 255.255.255.0 UG 0 0 0 tun1
    10.8.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
    10.8.222.41 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    wan.ip.address 0.0.0.0 255.255.252.0 U 0 0 0 eno50336512
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno33557248