One device not accessible via routed OpenVPN connection


#1

I have an OpenVPN server running on my OpenWrt router. I can access most devices on the LAN subnet (192.168.0.0/24) when I'm not at home, via the VPN from its subnet (192.168.10.0/24) with forwarding rules in the firewall.

$ ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=54.3 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=63 time=82.4 ms
$ traceroute 192.168.0.10
traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 60 byte packets
 1  192.168.10.1 (192.168.10.1)  98.760 ms  98.281 ms  98.268 ms
 2  192.168.0.10 (192.168.0.10)  98.267 ms  101.425 ms  101.502 ms

My main computer, however, can't be accessed. Ping and traceroute requests time out.

$ ping 192.168.0.20
PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
^C
--- 192.168.0.20 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7175ms
$ traceroute 192.168.0.20
traceroute to 192.168.0.20 (192.168.0.20), 30 hops max, 60 byte packets
 1  192.168.10.1 (192.168.10.1)  136.147 ms  243.007 ms  400.680 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *

Both these machines are configured in the same way with DHCP, and are running Debian-based operating systems.

What can I do to troubleshoot this issue?

Firewall config
Network config
OpenVPN server config
The client is configured using network-manager-openvpn, with the option Use this connection only for resources on its network checked.


#2

Is the main computer Windows based? I believe that the Windows firewall, by default, blocks communication with RFC1918 addresses that are outside the Windows network environment (so a Windows machine on the 192.168.0.0/24 network would not be able to communicate with a device on any other network in the RFC1918 defined scopes). I don't know how to change it, but I know that this can be overridden.


#3

Run tcpdump or wireshark on 192.168.0.20 to see if the traceroute and ping probes arrive.
Maybe a personal firewall is active on the target machine?


#4

Yes, tcpdump shows that the ping packets do in fact arrive at the problem computer. Any idea what might need to change if the firewall is blocking it? I'm running Debian Buster with basically an out-of-the-box configuration.

Interestingly, pings from the problem computer to VPN clients on the 192.168.10.0/24 subnet also fail, but I haven't yet checked to see if the packets arrive or not.


#5

After a little more investigation, I can see that the problem computer is in fact receiving and replying to the pings, but the response doesn't make it back to the pinging computer on the VPN subnet.

Pings from the problem computer never reach clients on the VPN subnet either, and traceroute ends up on the WAN by the looks of it, so I'm pretty sure it's a routing problem.

 1  router.lan (192.168.0.1)  0.347 ms  0.479 ms  0.553 ms
 2  static.belong.com.au (xxx.xxx.xxx.xxx)  17.200 ms  18.940 ms  19.540 ms
 3  static.belong.com.au (141.168.8.37)  23.524 ms  24.219 ms  26.149 ms
 4  Bundle-Ether21.cha-edge901.brisbane.telstra.net (110.145.218.177)  25.420 ms  26.355 ms  27.326 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *

What's going wrong here, and how can I fix it? Why isn't this a problem for other computers on the network?


#6

Add a route to the VPN network via the VPN gateway, either on the default gateway or on that PC.


#7

I tried adding the route to the problem computer using ip, but it returns an error:

$ sudo ip route add 192.168.10.0/24 via 192.168.10.1 dev eth0
Error: Nexthop has invalid gateway.

Is there a problem with the command I'm using?


#8

@openwrt-router:

ip -4 a; ip -4 r; ip -4 ru

@192.168.0.20:

ip -4 a; ip -4 r
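An added example, not from any poster in this thread, that parses `ip -4 a` / `ip -4 r` output of the kind requested in #8, applies the on-link rule behind the "Nexthop has invalid gateway" error in #7, and reports which route the problem computer currently uses for a VPN-subnet address. The sample output below is constructed to match the addresses in the thread, not captured from the real machine.

```python
import ipaddress
import re

# Constructed sample output for the problem computer (192.168.0.20), in the
# format of `ip -4 a` and `ip -4 r` on a DHCP-configured Debian host.
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic eth0
       valid_lft 85432sec preferred_lft 85432sec
"""
IP_ROUTE_OUTPUT = """\
default via 192.168.0.1 dev eth0 proto dhcp metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20 metric 100
"""

def parse_addresses(text):
    """Map interface name -> list of IPv4Interface from `ip -4 a` output."""
    addrs = {}
    for m in re.finditer(r"^\s+inet (\S+) .*?(\S+)$", text, re.M):
        addrs.setdefault(m.group(2), []).append(ipaddress.ip_interface(m.group(1)))
    return addrs

def parse_routes(text):
    """List of {dst, via, dev} from `ip -4 r` output ('default' -> 0.0.0.0/0)."""
    routes = []
    for toks in (line.split() for line in text.splitlines() if line.strip()):
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        r = {"dst": ipaddress.ip_network(dst, strict=False), "via": None, "dev": None}
        for i, t in enumerate(toks[:-1]):
            if t == "via":
                r["via"] = ipaddress.ip_address(toks[i + 1])
            elif t == "dev":
                r["dev"] = toks[i + 1]
        routes.append(r)
    return routes

def nexthop_is_onlink(addrs, dev, via):
    """Simplified kernel rule: `ip route add ... via VIA dev DEV` is rejected with
    'Nexthop has invalid gateway' unless VIA lies in a subnet configured on DEV."""
    return any(ipaddress.ip_address(via) in a.network for a in addrs.get(dev, []))

def route_for(routes, target):
    """Longest-prefix match, i.e. the route the kernel would pick for target."""
    ip = ipaddress.ip_address(target)
    matches = [r for r in routes if ip in r["dst"]]
    return max(matches, key=lambda r: r["dst"].prefixlen, default=None)
```

With the constructed tables, `nexthop_is_onlink(addrs, "eth0", "192.168.10.1")` is False (the gateway is not on the LAN link), `"192.168.0.1"` is True, and `route_for(routes, "192.168.10.5")` resolves to the default route via 192.168.0.1, which matches hop 1 (router.lan) in the traceroute in #5.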