OpenVPN server, can't ping LAN

Hello,

I have set up OpenVPN server as described in this user guide on our office router. I can connect from home, but I can only ping server address, any address on LAN is unavailable.

I have googled a lot and searched this forum, without any success.
Below are the relevant configs.

LP, Tomaž

/etc/openvpn/server.conf

# OpenVPN server settings as posted. No ca/cert/key/dh lines appear in this
# excerpt, so the TLS material is presumably configured elsewhere - confirm.
verb 3
# Drop root privileges once the daemon has initialised.
user nobody
group nogroup
dev tun0
port 1194
proto udp
# VPN clients are addressed from 10.0.10.0/24, a routed subnet separate from the LAN.
server 10.0.10.0 255.255.255.0
topology subnet
# Client-to-client traffic is relayed inside the OpenVPN process, so it does
# not pass through the router's firewall rules.
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 10.0.10.1"
push "dhcp-option DOMAIN lan"
# Full tunnel: clients are told to send all traffic, including Internet-bound
# traffic, through this server.
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

/etc/config/firewall

# Global defaults: policies applied to traffic that does not belong to any zone.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: fully trusted (input, output and intra-zone forward all ACCEPT).
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        # tun0 is a member of the lan zone, so VPN clients get the same trust as
        # wired LAN hosts: access to the router itself and forwarding to the LAN.
        list device 'tun0'

# WAN zone: inbound traffic to the router is rejected unless a rule below allows it.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        # NOTE(review): stock OpenWrt sets forward to 'REJECT' for the wan zone;
        # confirm that ACCEPT here is intended.
        option forward 'ACCEPT'

# Rules with a src but no dest apply to traffic addressed to the router itself.

# Accept IPv4 DHCP replies (UDP port 68) arriving from wan.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Let the router answer IPv4 echo-request (ping) from wan.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 (UDP port 546) from wan, limited to fc00::/6 source and destination.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types (multicast listener messages) from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone (dest '*'), rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward IPsec ESP from wan to any host in the lan zone.
# NOTE(review): the lan zone also contains tun0, so this reaches VPN clients too;
# confirm an IPsec endpoint behind the router actually needs it.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward IKE (UDP port 500) from wan to any host in the lan zone; same scope as the ESP rule.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Load additional user-supplied firewall commands from /etc/firewall.user.
config include
        option path '/etc/firewall.user'

# Allow forwarding from the lan zone (which includes tun0) out to wan.
config forwarding 'lan_wan'
        option dest 'wan'
        option src 'lan'

# Accept OpenVPN connections to the router on UDP 1194 from wan.
# There is no src_ip restriction, so the port is reachable from any wan address.
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'		

/etc/config/network

# Network interfaces as posted; values marked ** Removed ** were redacted by the poster.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix  ** Removed **

# LAN bridge (br-lan) over eth0 with a static address.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr  '192.168.110.222'
        # NOTE(review): the trailing dot makes this an invalid netmask as written;
        # presumably 255.255.0.0 was meant - confirm against the live config.
        # A /16 spans all of 192.168.0.0-192.168.255.255, so it overlaps any remote
        # client's home network in 192.168.x.x; a client routes addresses inside
        # its own local subnet locally instead of through the tunnel.
        option netmask '255.255.0.0.'
        option ip6prefix  ** Removed **
        list ip6addr  ** Removed **
        option ifname 'eth0'

# IPv4 uplink on eth1, statically addressed.
config interface 'wan'
        option ifname 'eth1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr  ** Removed **
        option netmask  ** Removed **
        option gateway  ** Removed **
        option dns ** Removed **
        option broadcast  ** Removed **

# IPv6 uplink on the same physical port (eth1) as wan.
config interface 'wan6'
        option ifname 'eth1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto 'static'
        option ip6gw ' ** Removed **
        option ip6addr ** Removed **

Just a basic question (I'm very new to VPNs, but...): when you run ifconfig, is the virtual VPN interface listed? And if the answer is yes, why didn't you bridge it into br-lan (assuming you want to ping every IP on the LAN)?
I think answering those questions should point you to the solution...

You don’t need to redact the addresses and netmasks and such for the lan in your network file (assuming it is a private address space in rfc1918). We can’t help you without those details.

@ stendahl
The tun0 interface comes up as soon as the VPN server starts, but bridging is not in the instructions I followed, so I haven't experimented with it yet...

@psherman
You are right, sorry. Will correct post.

I use ZeroTier as my VPN, which is obviously different from yours. If I need to reach every IP on my LAN, my VPN interface has to have no IP address assigned and be bridged with eth0 in br-lan; if it isn't configured that way, the only reachable host is the VPN interface itself...

Main problem solved...
I am unable to ping our servers, but I can RDP to them and connect to the databases, which is what we need at the moment.

My problem seems to be with ping on some (not all) devices.

LP, Tomaž