[Fixed] OpenVPN tunnel works one way (Shorewall issues)

vpn
v7
openvpn
firewall

(Adam Blunt) #1

NethServer Version: NethServer release 7.3.1611
Module: OpenVPN Tunnel

So I have been working on setting up a VPN tunnel between 2 networks.

Network A is the client
Network B is the server

My problem is that Network A can communicate with Network B no issues. I can even log in to the other NethServer from Network A.

But Network B cannot communicate with Network A. No ping or anything. Can't even ping the VPN network address. I looked in the firewall.log and there are some drops, but they seem to be from local devices to the NethServer, nothing with a source of Network B.

So am I dealing with a Shorewall issue, or is this a larger issue? Because at the moment this VPN works great in one direction but I need it to work both ways (is that even possible with an OpenVPN tunnel, as it doesn't seem to work?)

If it helps I have an OpenVPN Tunnel in Subnet mode with routed networking.

Both NethServers are not directly WAN facing. They are basically VPN terminators on both sides, but so far only the client can talk to the server network and not the other way.


(Markus Neuberger) #2

Hi @adamxp12,

Did you port forward from your router to your NethServer on server side? Is ping allowed on your router?

I tried it now and had to forward the UDP port that I defined during configuration from my router to my NethServer on the server side. Then I could ping my Nethserver via LAN IP from the VPN client Nethserver directly.

Configuration Docs:
http://docs.nethserver.org/en/v7/vpn.html#tunnel-net2net


(Adam Blunt) #3

The problem is that the server cannot ping the client, and this is on a tunnel, so it should be bi-directional in my mind.

I have it forwarded on the server side just fine, as clients can connect and ping stuff on the server side network, just not the other way around (do you need to forward on the client too?)

Note that I also cannot ping servers on the client side which do allow ping, and can't access other resources either, which is a huge stumbling block as we need these 2 networks to communicate well for a project I am working on.


(Markus Neuberger) #4

I think you’ll need bridged VPN or some routes/rules on your Nethserver if you want to reach the clients from VPN to the LAN. I’ll test it…

EDIT:

Sorry my test scenario is not exactly the same as I have one real server/LAN side and one VPS, so I can’t test it because I don’t know if the VPS provider blocks something and I don’t have LAN on both sides…


(Markus Neuberger) #5

What about trying ipsec instead of openvpn? Just an idea…

http://docs.nethserver.org/en/v7/vpn.html#ipsec


(Markus Neuberger) #6

I tried it with OpenVPN again, and to let the LAN clients ping each other you have to set 2 static routes on your routers to let them know that Nethserver is the gateway for the remote and VPN networks, or you use the Nethservers as gateway for your LAN clients:

Example of my LEDE TP-Link router static routes config:

192.168.122.1/255.255.255.255 is a virtual pseudo remote network on my VPS host, just so that the example works.

10.42.223.0/255.255.255.0 is my VPN network.

192.168.1.11 is my Nethserver making the OpenVPN Server.

On the other router:

10.42.223.0/255.255.255.0: route VPN to the client VPN NS

192.168.1.0/255.255.255.0: route remote to the client VPN NS


(Adam Blunt) #7

Nethserver is the gateway.

What we have is a Nethserver as a VM with a WAN interface going to a network which we do not care about, and then a host-only network on a LAN interface, which is where the servers are. Those servers connect to the internet through that Nethserver.

Problem is those same servers can't ping the servers on the other side of the VPN (or even the tunnel IP), nor can Nethserver. So a weird issue on the server side, as I have the following:

10.255.6.0/24 on the server side LAN
10.0.6.0/24 on the client side LAN
172.16.16.0/24 as the tunnel network

From my client side I can ping the tunnel IP of the Nethserver, access those servers and even log into the Nethserver GUI and stuff. But on the other side I cannot ping my client Nethserver at all, or even the servers. So how is the VPN only working one way?

I have "allow all source to allow all destination" on both Nethservers, as neither is set up as the main router in either network.

I have created a static route on the Cisco router on the client side network, but seeing as the Nethserver can't ping my client network from the server side I don't think that will help. And the server side is all self-contained, with the Nethserver as default gateway for the servers.

I can't set a static route on the main server side router as it's not a flashy unit (temporary off-the-shelf Netgear), but I can't see how that would help as I can't do the pings inside the Nethserver GUI to my client Nethserver.


(Markus Neuberger) #8

Summary:

  • ping from client side LAN to server side LAN works
  • ping from server side LAN to client side LAN doesn’t work
  • no static routes on router on server side

The router on server side does not know the VPN and does not know the LAN behind the Nethserver on server side and may drop packets to LAN or VPN. That may be the problem.

https://kb.netgear.com/24322/How-do-I-set-or-edit-static-routes-on-a-NETGEAR-router

I did not need any firewall rule.

You may need one route for the VPN and one for the remote network:
Server router:
10.0.6.0/24 to server Nethserver
172.16.16.0/24 to server Nethserver

Client router:
10.255.6.0/24 to client Nethserver
172.16.16.0/24 to client Nethserver

Are the routers' public IPs pingable? This may also be a typical VPN problem…
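To make the static-route reasoning in this post concrete, here is an added simulation (not from the thread or from NethServer) of the topology described above: the three subnets are the thread's, the individual host, router and Nethserver addresses are assumptions. It traces a packet hop by hop through each device's routing table and shows why an echo request can arrive while the reply is lost until the server-side router gets the two routes listed here.

```python
import ipaddress

# Constructed model of the thread's topology. Subnets come from the thread;
# the host/router/Nethserver addresses are assumptions made for this simulation.
DEVICES = {
    "srv-host":   ["10.255.6.10"],
    "srv-router": ["10.255.6.1"],                 # Netgear, default gateway of server LAN
    "srv-neth":   ["10.255.6.2", "172.16.16.1"],  # server-side Nethserver (OpenVPN server)
    "cli-neth":   ["10.0.6.2", "172.16.16.2"],    # client-side Nethserver (OpenVPN client)
    "cli-router": ["10.0.6.1"],                   # Cisco, default gateway of client LAN
    "cli-host":   ["10.0.6.50"],
}
# Routing tables: (prefix, next hop). "direct" = on-link, "upstream" = the internet.
# The client router already has the two static routes; the server router does not.
ROUTES = {
    "srv-host":   [("10.255.6.0/24", "direct"), ("0.0.0.0/0", "10.255.6.1")],
    "srv-router": [("10.255.6.0/24", "direct"), ("0.0.0.0/0", "upstream")],
    "srv-neth":   [("10.255.6.0/24", "direct"), ("172.16.16.0/24", "direct"),
                   ("10.0.6.0/24", "172.16.16.2"), ("0.0.0.0/0", "10.255.6.1")],
    "cli-neth":   [("10.0.6.0/24", "direct"), ("172.16.16.0/24", "direct"),
                   ("10.255.6.0/24", "172.16.16.1"), ("0.0.0.0/0", "10.0.6.1")],
    "cli-router": [("10.0.6.0/24", "direct"), ("0.0.0.0/0", "upstream"),
                   ("10.255.6.0/24", "10.0.6.2"), ("172.16.16.0/24", "10.0.6.2")],
    "cli-host":   [("10.0.6.0/24", "direct"), ("0.0.0.0/0", "10.0.6.1")],
}

def owner(ip):
    """Device holding this address, or None if it is outside the model."""
    return next((n for n, a in DEVICES.items() if ip in a), None)

def next_hop(device, dst):
    """Longest-prefix match on the device's routing table."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), via) for p, via in ROUTES[device]]
    return max((m for m in matches if dst in m[0]), key=lambda m: m[0].prefixlen)[1]

def trace(src_ip, dst_ip, max_hops=8):
    """Follow a packet hop by hop; returns (delivered, list of device names)."""
    path = [owner(src_ip)]
    for _ in range(max_hops):
        via = next_hop(path[-1], dst_ip)
        dev = owner(dst_ip if via == "direct" else via)
        if dev is None:
            return False, path + [via]   # forwarded out of the model: packet is lost
        path.append(dev)
        if via == "direct":
            return True, path
    return False, path

def ping_works(a, b):
    """An ICMP echo only succeeds if the request AND the reply are routable."""
    return trace(a, b)[0] and trace(b, a)[0]

def add_server_router_routes():
    """The two static routes this post asks for on the server-side router."""
    ROUTES["srv-router"] += [("10.0.6.0/24", "10.255.6.2"), ("172.16.16.0/24", "10.255.6.2")]
```

Run `trace` in both directions before and after `add_server_router_routes()`: the request from the client LAN reaches the server host, but the reply dies at the server router's default route, so `ping_works` is false until the routes are added.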


(Adam Blunt) #9

Surely the main router on the server side doesn't matter, as my NethServer has 2 interfaces:

WAN is going to the Netgear,
and the LAN is a virtual interface to some VMs which connect through the NethServer. The NethServer of course has static routes to the client network, which are created during the VPN setup.

The devices on the netgear/wan side of neth do not need to have VPN communication.

So to the server side Nethserver it just looks like it has a WAN interface in the 192.168 range.

Same setup on the client side, but it does not have an isolated LAN network. I have set up static routes in the main Cisco router and I can ping just fine with that setup, so I'm inclined to think it's either a firewall issue or something server side.

The Netgear router is set to not respond to pings, but I can ping the Cisco from the Nethserver on its public IP, so Neth->Netgear->Cisco through public IP works but Neth->VPN->Netgear->VPN->Neth->Cisco does not.

Would it help if the Netgear was set to respond to pings? Is that something nethserver/openvpn does to connect?


(Markus Neuberger) #10

Yes, that really may help with VPNs.

EDIT:

You also may check the routes on your Nethservers on the command line with

Feel free to post the output…


(Adam Blunt) #11

I have good news. We enabled ping on the Netgear (stupid default setting imo) and the VPN can now ping servers on the client side from the server side.

Not entirely sure why technically that fixed it, but it fixed it, so I will not complain.

Thank you for the help, and hopefully this forum thread might help someone else in the future, as I know many of my issues are normally solved by threads exactly like this one :slight_smile:


(Markus Neuberger) #12

You’re welcome!

There is another way to mark a topic as solved. It will help other people to find the solution very fast because you can mark the best answer as solution and it is then shown in the first post.

https://community.nethserver.org/t/howto-mark-a-topic-as-solved/1750

Because the outer router drops the ping before it can be routed. I don't know about OpenVPN, but some VPNs also check if the remote public IP is online with ping.

Sorry, too bad it took that long, although this was in my first post; I may have expressed it in a better way:


(Adam Blunt) #13

I assumed you meant ping on the Nethserver. My bad.

Thanks for your guidance on this. I have marked it as solved the proper way now too. :smiley: