0 votes
806 views 5 comments
by anonymous
Hello,

I have created an OpenVPN setup.
Server1, ip 10.0.3.1/24, gw 10.0.3.10
RUT240a, ip 10.0.3.10/24, openvpn server, tunnel 10.10.0.1/24

RUT240b, ip 10.0.2.78/29, OpenVPN client, tunnel 10.10.0.28/24
PC1, ip 10.0.2.77/24, gw 10.0.2.78

I can ping RUT240b and PC1 from Server1 and RUT240a
I can ping RUT240a from PC1 and RUT240b
I cannot ping Server1 from PC1 and RUT240b

traceroute from RUT240b to ip 10.0.3.1 (Server1)
traceroute to 10.0.3.1 (10.0.3.1), 30 hops max, 38 byte packets
 1  10.10.0.1 (10.10.0.1)  132.318 ms  157.154 ms  150.965 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
It is stopping on RUT240a

RUT240a ip route list
default via 10.64.64.64 dev 3g-ppp proto static
10.0.2.72/29 via 10.10.0.28 dev tun_s_1
10.0.3.0/24 dev br-lan proto kernel scope link src 10.0.3.10
10.10.0.0/24 dev tun_s_1 proto kernel scope link src 10.10.0.1
10.64.64.64 dev 3g-ppp proto kernel scope link src 10.21.4.10

RUT240a /etc/config/openvpn
config webui 'webui'
  option _auth 'tls'
config teltonika_auth_service 'teltonika_auth_service'
  option enable '0'
  option remote 'rms.teltonika.lt'
config openvpn 'server_1'
  option _role 'server'
  option keepalive '10 120'
  option verb '5'
  option dev 'tun_s_1'
  option persist_key '1'
  option enable '1'
  option proto 'tcp-server'
  option port '11940'
  option comp_lzo 'yes'
  option _auth 'tls'
  option _tls_cipher 'all'
  option client_to_client '1'
  option server '10.10.0.0 255.255.255.0'
  option auth 'sha1'
  option _tls_auth 'none'
  option ca '/lib/uci/upload/cbid.openvpn.server_1.ca'
  option cert '/lib/uci/upload/cbid.openvpn.server_1.cert'
  option key '/lib/uci/upload/cbid.openvpn.server_1.key'
  option dh '/lib/uci/upload/cbid.openvpn.server_1.dh'
  option client_config_dir '/etc/openvpn/ccf'
  option cipher 'BF-CBC'
  option topology 'subnet'
  option push 'route 10.0.3.0 255.255.255.0'
  option route '10.0.2.72 255.255.255.248 10.10.0.28'

What am I missing here?
by anonymous

@jamess the final solution in my case was to disable the firewall. I have 1 RUT240 on my server and 12 RUT240 in the field. This is not recommended if you do not secure your connection. I am using a VPN from my ISP so the 13 SIM cards I have only talk to each other (no internet connection).

I disabled the firewall permanently with "/etc/init.d/firewall disable"

If this doesn't work, try putting the following in the startup script of the firewall (use vi from the command line to change the file /etc/firewall.user and insert the following commands)

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

Hope this helps you

1 Answer

0 votes
by anonymous

Hi,

Have you set your firewall to allow pings to the server? In zone forwarding please select "Allow" in OpenVPN zone.

Also, check if you pushed routes from both sides and nothing else in your firewall blocking ICMP packets.

EB.

by anonymous
Hello,
I have changed the firewall to accept but still no ping.
RUT240a can ping 10.0.3.1 (it is on the lan side)
RUT240b cannot ping 10.0.3.1 (through the VPN)

RUT240a route table
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-ppp
10.0.2.72       10.10.0.28      255.255.255.248 UG    0      0        0 tun_s_1
10.0.3.0        *               255.255.255.0   U     0      0        0 br-lan
10.10.0.0       *               255.255.255.0   U     0      0        0 tun_s_1
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-ppp

RUT240b route table
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-ppp
10.0.2.72       *               255.255.255.248 U     0      0        0 br-lan
10.0.3.0        10.10.0.1       255.255.255.0   UG    0      0        0 tun_c_2
10.10.0.0       *               255.255.255.0   U     0      0        0 tun_c_2
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-ppp

Server1 has
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
       10.0.2.72            255.255.255.248        10.0.3.10         10.0.3.1      6
===========================================================================

It is like RUT240a doesn't know how to route packets from 10.10.0.28 to the LAN
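
An added example, not part of any poster's message: a longest-prefix-match walk over the route tables posted in this thread, checking the PC1 to Server1 path and its reply hop by hop and listing the interface pair each router forwards across. The Server1 and PC1 rows are built from the addresses and gateways given in the question, and the interface name "lan" on those two hosts is a placeholder.

```python
import ipaddress as ip

# Route tables transcribed from the thread: (prefix, gateway or None if on-link, iface).
# Server1/PC1 rows are assumptions built from the question; "lan" is a placeholder name.
UPLINK = ("0.0.0.0/0", "10.64.64.64", "3g-ppp")
TABLES = {
    "RUT240a": [("10.0.2.72/29", "10.10.0.28", "tun_s_1"), ("10.0.3.0/24", None, "br-lan"),
                ("10.10.0.0/24", None, "tun_s_1"), UPLINK],
    "RUT240b": [("10.0.2.72/29", None, "br-lan"), ("10.0.3.0/24", "10.10.0.1", "tun_c_2"),
                ("10.10.0.0/24", None, "tun_c_2"), UPLINK],
    "Server1": [("10.0.3.0/24", None, "lan"), ("10.0.2.72/29", "10.0.3.10", "lan"),
                ("0.0.0.0/0", "10.0.3.10", "lan")],
    "PC1": [("10.0.2.0/24", None, "lan"), ("0.0.0.0/0", "10.0.2.78", "lan")],
}
# Which host owns each address (from the question).
OWNER = {"10.0.3.1": "Server1", "10.0.3.10": "RUT240a", "10.10.0.1": "RUT240a",
         "10.0.2.78": "RUT240b", "10.10.0.28": "RUT240b", "10.0.2.77": "PC1"}

def lookup(node, dst):
    """Longest-prefix match in one host's table; returns (gateway, iface) or None."""
    d = ip.ip_address(dst)
    hits = [(ip.ip_network(p), gw, dev) for p, gw, dev in TABLES[node]
            if d in ip.ip_network(p)]
    if not hits:
        return None
    _, gw, dev = max(hits, key=lambda h: h[0].prefixlen)
    return gw, dev

def walk(src, dst, max_hops=8):
    """Follow src -> dst. Returns (reached, forwards); forwards lists
    (router, in_iface, out_iface) for every hop that forwards the packet."""
    node, in_dev, forwards = OWNER[src], None, []
    for _ in range(max_hops):
        if OWNER.get(dst) == node:
            return True, forwards
        hit = lookup(node, dst)
        nxt = OWNER.get(hit[0] or dst) if hit else None
        if nxt is None:  # no route, or the next hop is outside the modelled hosts
            return False, forwards
        if in_dev is not None:  # the originating host does not forward
            forwards.append((node, in_dev, hit[1]))
        # The next host receives on the interface whose subnet holds the next-hop address.
        arrival = lookup(nxt, hit[0] or dst)
        node, in_dev = nxt, (arrival[1] if arrival else "?")
    return False, forwards

if __name__ == "__main__":
    for src, dst in [("10.0.2.77", "10.0.3.1"), ("10.0.3.1", "10.0.2.77")]:
        print(src, "->", dst, walk(src, dst))
```

Both directions resolve with these tables, which points the search at packet filtering on the tun_s_1 to br-lan forward path on RUT240a and on Server1 itself rather than at a missing route. The interface pairs it prints are the scope a forwarding rule would need.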
by anonymous

Try executing this on your client-side:

ip route add default 10.0.3.0/24 via 10.10.0.28 dev tun_c_2

And this on your server-side:

ip route add default 10.0.2.0/24 via 10.10.0.1 dev tun_s_1

by anonymous

Hello ErnestasB, thank you for your support.

When I try to run the command I get the following messages

RUT240a (OpenVPN server)

root@RUT240a:/# ip route add default 10.0.2.0/24 via 10.10.0.1 dev tun_s_1
Error: either "to" is duplicate, or "10.0.2.0/24" is a garbage.

RUT240b (OpenVPN client)

root@RUT240b:~# ip route add default 10.0.3.0/24 via 10.10.0.28 dev tun_c_2
Error: either "to" is duplicate, or "10.0.3.0/24" is a garbage.

Those routes already exist; should I delete them and then test this?


Here are some tests from this morning, maybe they help. PCs from the server side can ping PCs on the client side so there shouldn't be a routing problem because the packets return. I also tried /etc/init.d/firewall stop but nothing changed so it shouldn't be a firewall problem.

RUT240a

root@RUT240a:/# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default        10.64.64.64     0.0.0.0           UG    0      0        0 3g-ppp
10.0.2.72      10.10.0.28     255.255.255.248    UG    0      0        0 tun_s_1
10.0.3.0           *          255.255.255.0      U     0      0        0 br-lan
10.10.0.0          *          255.255.255.0      U     0      0        0 tun_s_1
10.64.64.64        *          255.255.255.255    UH    0      0        0 3g-ppp

root@RUT240a:/# ping 10.0.2.78
PING 10.0.2.78 (10.0.2.78): 56 data bytes
64 bytes from 10.0.2.78: seq=0 ttl=64 time=112.445 ms
64 bytes from 10.0.2.78: seq=1 ttl=64 time=378.169 ms
^C
--- 10.0.2.78 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 112.445/245.307/378.169 ms

root@RUT240a:/# ping 10.0.2.77
PING 10.0.2.77 (10.0.2.77): 56 data bytes
64 bytes from 10.0.2.77: seq=0 ttl=127 time=685.800 ms
64 bytes from 10.0.2.77: seq=1 ttl=127 time=72.746 ms
64 bytes from 10.0.2.77: seq=2 ttl=127 time=278.531 ms
^C
--- 10.0.2.77 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 72.746/345.692/685.800 ms

root@RUT240a:/# traceroute 10.0.2.78
traceroute to 10.0.2.78 (10.0.2.78), 30 hops max, 38 byte packets
 1  10.0.2.78 (10.0.2.78)  126.365 ms  61.841 ms  53.638 ms

root@RUT240a:/# traceroute 10.0.2.77
traceroute to 10.0.2.77 (10.0.2.77), 30 hops max, 38 byte packets
 1  10.10.0.28 (10.10.0.28)  552.809 ms  70.038 ms  63.120 ms
 2  10.0.2.77 (10.0.2.77)  63.181 ms  62.228 ms  52.530 ms

root@RUT240a:/#

RUT240b

root@RUT240b:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-ppp
10.0.2.72       *               255.255.255.248 U     0      0        0 br-lan
10.0.3.0        10.10.0.1       255.255.255.0   UG    0      0        0 tun_c_2
10.10.0.0       *               255.255.255.0   U     0      0        0 tun_c_2
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-ppp

root@RUT240b:~# ping 10.0.3.10
PING 10.0.3.10 (10.0.3.10): 56 data bytes
64 bytes from 10.0.3.10: seq=0 ttl=64 time=93.143 ms
64 bytes from 10.0.3.10: seq=1 ttl=64 time=619.488 ms
^C
--- 10.0.3.10 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max = 93.143/356.315/619.488 ms

root@RUT240b:~# ping 10.0.3.1
PING 10.0.3.1 (10.0.3.1): 56 data bytes
^C
--- 10.0.3.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@RUT240b:~# traceroute 10.0.3.10
traceroute to 10.0.3.10 (10.0.3.10), 30 hops max, 38 byte packets
 1  10.0.3.10 (10.0.3.10)  104.171 ms  48.944 ms  58.505 ms

root@RUT240b:~# traceroute 10.0.3.1
traceroute to 10.0.3.1 (10.0.3.1), 30 hops max, 38 byte packets
 1  10.10.0.1 (10.10.0.1)  248.971 ms  58.270 ms  57.983 ms
 2  *  *  *
 3^C

root@RUT240b:~#

PC1 (connected to RUT240b)

C:\Windows\system32>ping 10.0.3.10
Pinging 10.0.3.10 with 32 bytes of data:
Reply from 10.0.3.10: bytes=32 time=241ms TTL=63
Reply from 10.0.3.10: bytes=32 time=184ms TTL=63
Reply from 10.0.3.10: bytes=32 time=142ms TTL=63
Reply from 10.0.3.10: bytes=32 time=102ms TTL=63
Ping statistics for 10.0.3.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 102ms, Maximum = 241ms, Average = 167ms

C:\Windows\system32>ping 10.0.3.1
Pinging 10.0.3.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.3.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>tracert 10.0.3.10
Tracing route to 10.0.3.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.0.2.78
  2   382 ms    70 ms    68 ms  10.0.3.10
Trace complete.

C:\Windows\system32>tracert 10.0.3.1
Tracing route to 10.0.3.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.0.2.78
  2   395 ms    70 ms    58 ms  10.10.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  ^C

C:\Windows\system32>

Server1 (connected to RUT240a)

C:\Windows\system32>ping 10.0.2.78
Pinging 10.0.2.78 with 32 bytes of data:
Reply from 10.0.2.78: bytes=32 time=77ms TTL=63
Reply from 10.0.2.78: bytes=32 time=328ms TTL=63
Reply from 10.0.2.78: bytes=32 time=291ms TTL=63
Reply from 10.0.2.78: bytes=32 time=247ms TTL=63
Ping statistics for 10.0.2.78:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 77ms, Maximum = 328ms, Average = 235ms

C:\Windows\system32>ping 10.0.2.77
Pinging 10.0.2.77 with 32 bytes of data:
Reply from 10.0.2.77: bytes=32 time=238ms TTL=126
Reply from 10.0.2.77: bytes=32 time=200ms TTL=126
Reply from 10.0.2.77: bytes=32 time=149ms TTL=126
Reply from 10.0.2.77: bytes=32 time=106ms TTL=126
Ping statistics for 10.0.2.77:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 106ms, Maximum = 238ms, Average = 173ms

C:\Windows\system32>tracert 10.0.2.78
Tracing route to 10.0.2.78 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.0.3.10
  2   656 ms    70 ms    76 ms  10.0.2.78
Trace complete.

C:\Windows\system32>tracert 10.0.2.77
Tracing route to 10.0.2.77 over a maximum of 30 hops
  1     1 ms    <1 ms    <1 ms  10.0.3.10
  2   568 ms    69 ms    62 ms  10.10.0.28
  3    79 ms    84 ms    87 ms  10.0.2.77
Trace complete.

C:\Windows\system32>
by anonymous
Hi,

Please send me your server-side troubleshoot file via private message.

EB.