fix server client ping

I'm telling you for the n-th time: perform configuration of ccd. Sorry, I can't repeat the same thing 10 times, so good luck!

I don't see the point of masquerading at the client side either. You are trying to connect 2 LANs so you want the server side LAN and the client side LAN to be open for connections.

Here are the instructions on how to advertise the routes from server to client and vice versa.
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#site-to-site

So if I assume this case:

Site-to-site

Implement plain routing between server side LAN and client side LAN assuming that:

192.168.1.0/24 - server side LAN
192.168.2.0/24 - client side LAN
192.168.8.0/24 - VPN network
192.168.8.2/24 - VPN client
Enable CCD on VPN server, add route to client side LAN, push route to server side LAN, selectively disable gateway redirect.

mkdir -p /etc/openvpn/ccd
cat << EOF > /etc/openvpn/ccd/client
ifconfig-push 192.168.8.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0
push-remove redirect-gateway
EOF
cat << EOF >> /etc/openvpn/server.conf
client-config-dir /etc/openvpn/ccd
route 192.168.2.0 255.255.255.0 192.168.8.2
push "route 192.168.1.0 255.255.255.0"
EOF
/etc/init.d/openvpn restart

And I have server LAN 192.168.8.1 and client LAN 192.168.5.1, and at least the 10.8.0.1 VPN server link between both. Which is the correct scheme to adapt in my case?

OK, I understood that your idea is to be a teacher here and not to help fix a problem that a simple end-user has. Thanks anyway; I hope that someone can help me. I've tried to explain my issue in the best way possible, also with a diagram and everything possible.

I gave you recommendation, you've ignored it. What did you expect from me?

If I said that I'm a simple end-user and you suggested something so hard to understand... I'm not saying I need a step-by-step guide with screenshots, but I start from my situation and I asked how to ping from server to client LAN? I don't think that I need a degree... The help maybe is something like: open this, do this and apply, that's all... I'm not interested in theory, I need to fix it ASAP for my business... We're not at school.

You don't understand some basic concepts of networking, so it is hard to follow what we say.
But that shouldn't be a problem because there is documentation showing step by step how to set up the VPN server and clients. If you really cannot make the assumption that the server client side LAN in the example is the 192.168.8.0/24 in your case, and you need me to link them for you, then you should leave it aside.

Then I suggest hiring someone who knows, since it is your business and it had better work properly and not accidentally.


I'm trying to fix it by myself; I don't think it's so hard. Maybe I must wait for someone that understood what happens and can easily answer. OpenWrt is a free project and the idea is to share the knowledge. Thanks anyway.

Every time someone helps you, you tell them they don't know or are giving you an unwanted lesson; but you think it's easy...yet you admit that you're the n00b.

  • Your VPN interface on the client side doesn't seem assigned to a firewall zone (setting zones has already been mentioned to you)
  • No client firewall zone includes the VPN interface; and therefore it doesn't appear you've allowed it to receive ICMP Echo-Requests
  • You'll need to add that rule once you configure the zones properly; or make sure the existing one applies
  • Once you've checked into fixing that, be certain you've fixed masquerade configs properly on both ends

I'm afraid that I've already listed terms you noted that you don't understand. You've also had difficulty understanding OpenWrt Interfaces and Firewall Zones; so I hope this is enough information to help fix your configs.

It may be you.


@stook84

If you're not aware (and you should take the time to become aware about VPN and routing, in general), the GUI-driven configuration of VPN in both the OpenWrt and the GL.iNet firmware is around the common, end-user application of connecting a single device or set of devices on a private network to the Internet through a "public" VPN server.

You are asking for an "enterprise" connection, which is a different thing. It is not a common-enough application, nor one that has a single topology or solution, to warrant development of a generic, turn-key GUI-driven solution. Most people that are working at that level of sophistication have at least basic understanding of networking, including routing tables and firewalls, along with basic diagnostic tools, such as tcpdump and Wireshark.

If truly a business-critical application, a rational approach, already given, would be to hire a consultant or, if a commercial product, to purchase a support contract.

If you wish to try to avoid "dollar costs" by substituting your time for paid support, then it is incumbent on you to gain the basic knowledge to be able to understand the guidance you've been given and to be able to respond clearly and accurately to requests for more information for those willing to provide guidance in the resolution of your issues. Remember that such guidance is a gift -- nobody here is being paid to fix your problems.


Yes, I know it. If someone in PM has the solution I can pay via PayPal, no problem. I haven't found someone who really knows how to fix it. Thanks.

The problem is that in the basic non-enterprise case, the server doesn't know that there is a 192.168.5.1 network on the other side of the tunnel -- nor does it need to, since all traffic starts from the client. If you don't have special routes installed on the server, attempting to ping 192.168.5.1 will simply go out as ordinary Internet traffic and be dropped at the ISP modem since it's not a public IP.

Setting up the server to know how to get back to private networks on the client is what the client config directory file with route and iroute does. In the example you posted the client's LAN is 192.168.2; you need to change that to 192.168.5 for your case.

Also since you have posted your private keys to the forum you need to replace those before deploying on the Internet.

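Applying that advice to the addressing given in this thread, as an added example that is neither the poster's nor the wiki's code: server LAN 192.168.8.0/24, client LAN 192.168.5.0/24, VPN network 10.8.0.0/24 with the server at 10.8.0.1; the client's tunnel address 10.8.0.2 and the device name tun0 are assumptions. The last function is the check a practitioner would run on the server after the restart, exercised here against constructed `ip route` output.

```shell
#!/bin/sh
# Added example: the wiki's site-to-site CCD recipe with this thread's
# addresses substituted. The client tunnel address (10.8.0.2) and tun0 are
# assumptions; the LANs and 10.8.0.1 are from the thread.
SERVER_LAN="192.168.8.0"   # server side LAN (from the thread)
CLIENT_LAN="192.168.5.0"   # client side LAN (from the thread)
VPN_CLIENT="10.8.0.2"      # assumed client address inside 10.8.0.0/24
MASK="255.255.255.0"

# Contents of /etc/openvpn/ccd/<client common name>: a fixed tunnel address,
# an iroute so the OpenVPN process on the server knows the client LAN sits
# behind this client, and no redirect-gateway so LAN-to-LAN traffic does not
# drag the client's whole Internet traffic through the tunnel.
ccd_client() {
    printf 'ifconfig-push %s %s\niroute %s %s\npush-remove redirect-gateway\n' \
        "$VPN_CLIENT" "$MASK" "$CLIENT_LAN" "$MASK"
}

# Lines appended to /etc/openvpn/server.conf: the kernel route on the server
# towards the client LAN (via the client's tunnel address), and the server
# LAN pushed to the client so it can route back.
server_conf_lines() {
    printf 'client-config-dir /etc/openvpn/ccd\nroute %s %s %s\npush "route %s %s"\n' \
        "$CLIENT_LAN" "$MASK" "$VPN_CLIENT" "$SERVER_LAN" "$MASK"
}

# Check after `/etc/init.d/openvpn restart`: does the server's kernel route
# table carry the client LAN via the tunnel device? $1 is `ip route` output,
# $2 is the prefix; returns 0 when found, 1 otherwise. If this fails, pings
# to the client LAN leave through the default route and die at the ISP.
has_lan_route() {
    printf '%s\n' "$1" | grep -q "^$2 .* dev tun"
}

# Constructed `ip route` output for both outcomes (not captured from a router).
ROUTES_OK="default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun0 scope link src 10.8.0.1
192.168.5.0/24 via 10.8.0.2 dev tun0
192.168.8.0/24 dev br-lan scope link src 192.168.8.1"
ROUTES_MISSING="default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun0 scope link src 10.8.0.1
192.168.8.0/24 dev br-lan scope link src 192.168.8.1"

# Caveat: the ifconfig-push netmask form matches `topology subnet`; with the
# older net30 topology the second argument is the peer address instead.
```

The route check only tells you the server can reach the client LAN; the client firewall zone still has to accept the ICMP on the tun interface, as noted earlier in the thread.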

Wow!

I had a feeling not to respond - after the other poster was ignored too...yet my post was liked!

If I copy and paste my posting above; and the one about the 192.168.5.x issue in your PM, will you send to paypal.me/lleachii (closed mouths don't get fed)?

I've written it some times above.


I'm also not sure the OP clearly understands English. I was asked for my Skype in a PM in order to "fix" his problem.

I told the OP before we proceed that I request:

  • to be told exactly how everyone above didn't solve the issue
  • the exact deliverable needed to satisfy the request for help (e.g. create a PDF, make a website, picture step-by-step, direct remote controlled support assistance, etc).

I'm close to declaring this one a troll.


The question which hasn't been asked yet: Is there any special reason why you want to ping from server to client side? Or do you just assume that "if I have openvpn server and client, I should be able to ping in both directions, and if it doesn't work, then there must be something wrong that needs to be fixed!"?


Yes, he demonstrates an interesting approach: "I have a problem, fix it for me". I have participated in conversations many times, and nothing similar happened. People wrote a description, got clarifying questions, answered them. They tried to do something. Our client didn't even try to do what I suggested, but continues to insist on getting some street magic from David Blane to solve the problem.


It is a site to site vpn, so my suspicion goes to NAT from one side leveraging the lack of static routes.


These are common "bad noob" tactics:

  • Complain that nobody's helping (unfamiliar with concepts discussed)
  • Complain that all respondents to date are incapable of helping (form of insult to others when the individual is un-knowledgeable of the topic; and for ego purposes - convinces themselves that everyone must be just as clueless)
  • Complain that the help provided is too low-level (i.e. too much like teaching them)
  • Then upon simplification, there's complaints that the high-level information is too vague (i.e. not helpful/useful; the exact opposite of the low-level complaint)
  • Ask for pictures, instructions or commands in response to posts - when no recommendations or suggestions requiring such were given (indication of lack of needed skill)
  • Then state that they're willing to pay to speed up the answer (i.e. try to get more attention for their problem)
  • Posts worded as if there's an unidentified person on the Internet hiding the solution - until they see that they could get paid by the OP in a Private Message (i.e. "they'll wait for a better person to come along").
  • Usually seeks private messages for: chat, A/V and remote control (in attempts to get some "exclusive support from someone knowledgeable")

Up until this point (in PM), the OP has:

  • not yet explained if the above steps to remediate were actually completed (given the OP doesn't believe any posters were capable of helping, I cannot be certain if their advice was ever followed/attempted)
  • Was the client firewall reconfigured as noted
  • not yet explained what deliverable of help they desire to see for satisfaction

Also @tmomas makes a good point...the OP could simply be assuming that a server's attempts to ping the client should simply work upon setup without needing to add to the config.

The OP hasn't clarified the NAT/masquerade thing yet.


Yes, because I have two VoIP Yeastar devices that need the same network; that's why I'm trying this VPN.