OpenVPN unable to access LAN

NethServer Version: 7.6.1810 (final)
Module: OpenVPN

Hello,

I have an OpenVPN roadwarrior configured in bridged mode. OpenVPN client connects successfully.
The problem is that I’m able to access only the gateway/nethserver. Other servers from the LAN are not accessible.

I found this in the logs, but I can’t tell if it is related to the problem or not:
Jun 3 19:29:53 router kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=00:0c:29:ed:2f:cb:00:ff:3d:82:ae:96:08:00 SRC=192.168.2.201 DST=192.168.2.254 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=23368 PROTO=UDP SPT=137 DPT=137 LEN=76

192.168.2.201 is the VPN client IP.
192.168.2.254 is the gateway IP.

I have an identical setup at a different place and there the OpenVPN roadwarrior is working fine without any problems.

Any suggestions?

Istvan
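As an added example (not code from this thread or from NethServer), a small Python parser for the Shorewall kernel log line quoted above. It splits the line into chain, action and packet fields and then checks whether the rejected packet was host-bound (empty OUT=, loc2fw chain, destination is the gateway itself) or forwarded, which is the distinction that decides whether such a line can explain unreachable LAN hosts. The gateway address and VPN pool are taken from the config output posted in the thread; the sample line is embedded as constructed input.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the Shorewall REJECT line quoted in the first post.
SAMPLE_LOG = ("Jun 3 19:29:53 router kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= "
              "MAC=00:0c:29:ed:2f:cb:00:ff:3d:82:ae:96:08:00 SRC=192.168.2.201 "
              "DST=192.168.2.254 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=23368 "
              "PROTO=UDP SPT=137 DPT=137 LEN=76")

GATEWAY_IP = "192.168.2.254"                   # br0 address from 'db networks show'
VPN_POOL = ("192.168.2.201", "192.168.2.205")  # BridgeStartIP .. BridgeEndIP

_HDR = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_shorewall_line(line):
    """Split a Shorewall kernel log line into chain, action and packet fields.

    Returns None for lines that are not Shorewall log entries.
    """
    m = _HDR.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        rec.setdefault(key, val)  # first LEN is the IP length; the trailing UDP LEN is ignored
    return rec


def classify(rec, gateway_ip=GATEWAY_IP, vpn_pool=VPN_POOL):
    """Say whether a logged packet can explain missing LAN reachability.

    netfilter logs locally delivered packets with only IN= set (empty OUT=);
    packets that traverse the box carry both IN= and OUT=.
    """
    src = ip_address(rec["SRC"])
    lo, hi = (ip_address(a) for a in vpn_pool)
    from_vpn = lo <= src <= hi
    to_gateway = rec["DST"] == gateway_ip and rec.get("OUT", "") == ""
    netbios = rec.get("PROTO") == "UDP" and rec.get("DPT") in ("137", "138")
    if to_gateway:
        verdict = "host-bound: rejected at the firewall itself, not forwarded LAN traffic"
    else:
        verdict = "transit: OUT= is set, a reject here is relevant to LAN reachability"
    return {"from_vpn_client": from_vpn, "to_gateway": to_gateway,
            "netbios": netbios, "verdict": verdict}
```

For the quoted line the result is a NetBIOS name-service packet from the VPN client to the gateway, rejected in the loc2fw chain, so it says nothing about traffic between the client and other LAN hosts.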

Routed?
Does one of your remote clients use the same subnet for the local network?

I tried from two networks with different subnets, both different from the LAN subnet and it doesn’t work.
At this point I don’t even know where to look for the problem. Which logs should I check?

Standard OpenVPN-port is 1194, so I don’t think this is related to vpn. Port 137 is normally related to NetBIOS.

Please show output of

config show openvpn@host-to-net 
db networks show

Here you go:
[root@router log]# config show openvpn@host-to-net
openvpn@host-to-net=service
AuthMode=certificate
BridgeEndIP=192.168.2.205
BridgeName=br0
BridgeStartIP=192.168.2.201
Cipher=
ClientToClient=disabled
Compression=enabled
Digest=
Mode=bridged
Netmask=
Network=
PushDns=192.168.2.254
PushDomain=
PushExtraRoutes=enabled
PushNbdd=
PushWins=
Remote=46.97.29.42
RouteToVPN=disabled
TapInterface=tap0
TlsVersionMin=
UDPPort=1194
access=green,red
status=enabled

[root@router log]# db networks show
br0=bridge
bootproto=none
gateway=
ipaddr=192.168.2.254
netmask=255.255.255.0
role=green
ens192=ethernet
FwInBandwidth=
FwOutBandwidth=
bootproto=none
bridge=br0
role=bridged
ens224=ethernet
FwInBandwidth=
FwOutBandwidth=
bootproto=none
gateway=46.97.29.41
ipaddr=46.97.29.42
netmask=255.255.255.252
role=red
ppp0=xdsl-disabled
AuthType=auto
FwInBandwidth=
FwOutBandwidth=
Password=
name=PPPoE
provider=xDSL provider
role=red
user=
vdf=provider
interface=ens224
weight=100

I can see nothing wrong so far.
You have enabled compression. There were some difficulties with it in the past.
You can try to disable it.

Please check if this fw-rule exists:

[image: screenshot of the firewall rule]

I checked the rule and it is there.
I tried without compression but it didn’t solve the problem.

Did you check /var/log/openvpn/openvpn.log for relevant messages about the session initialisation?

The OpenVPN client connects successfully. I’m able to access the gateway, the Nethserver GUI.

What client OS do you use?
Did you try to ping other machines from ns-cli and from client-cli?

The client OS is Windows 10 Pro.
I tried to ping from both sides. The ping works only between the client and the gateway, in both directions.
Nothing else is accessible from the LAN.
I tried to disable the firewall at both ends but no change. I can’t tell if it is a firewall issue or something else.

Would you please consider the option to change OpenVPN setup from bridged to routed?
And consequently edit your firewall rules?


Sorry, but ATM I’m out of ideas (and time) with bridged mode… :anguished:

Has anybody else an idea @support_team ?

What is your network configuration of the gateway, a red interface for WAN and green for LAN?
Can you ping other network devices from your gateway?

Just to be clear and that I understand you correctly:

if you open a ssh session from a LAN-machine to this NS you can ping other machines and
if you open a ssh session from a vpn-machine to this NS you can not ping other machines??

I don’t think this is possible at all. :thinking:

Are you sure your green interface (br0) is up and working and your tap interface and ens192 are joined to br0? Please check with:

ifconfig
brctl show

The red interface is WAN the green is LAN. I can ping anything from the gateway from LAN and from WAN.

There is no restriction in the LAN, everybody can ping anybody except the machine connected with the VPN client.
From the VPN client I can ping only the Nethserver gateway (green interface) from the LAN.

ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.254 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::20c:29ff:feed:2fcb prefixlen 64 scopeid 0x20
ether 00:0c:29:ed:2f:cb txqueuelen 1000 (Ethernet)
RX packets 21200870 bytes 2529521116 (2.3 GiB)
RX errors 0 dropped 372 overruns 0 frame 0
TX packets 45399997 bytes 59397012038 (55.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:feed:2fcb prefixlen 64 scopeid 0x20
ether 00:0c:29:ed:2f:cb txqueuelen 1000 (Ethernet)
RX packets 21323511 bytes 2832572322 (2.6 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 45400722 bytes 59397256058 (55.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 46.97.29.42 netmask 255.255.255.252 broadcast 46.97.29.43
inet6 fe80::20c:29ff:feed:2fd5 prefixlen 64 scopeid 0x20
ether 00:0c:29:ed:2f:d5 txqueuelen 1000 (Ethernet)
RX packets 45586021 bytes 59527774682 (55.4 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19668633 bytes 2556044811 (2.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 10072 bytes 883938 (863.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10072 bytes 883938 (863.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::9d:63ff:fefe:a842 prefixlen 64 scopeid 0x20
ether 02:9d:63:fe:a8:42 txqueuelen 100 (Ethernet)
RX packets 154 bytes 48154 (47.0 KiB)
RX errors 0 dropped 4 overruns 0 frame 0
TX packets 1562290 bytes 193713018 (184.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@router ~]# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.000c29ed2fcb no ens192
tap0

It works in routed mode.

Should I go like this? Or should I investigate why it doesn’t work in bridged mode?

I used routed mode most of the time for OpenVPN…

If routed mode satisfies your needs, I’d go with routed mode; it is also the recommended way.
Everything seems o.k. on your machine. All interfaces are up, ens192 and tap0 are joined to br0.
ATM I can’t see anything wrong.
Good luck.