Hello community members,
I'm posting here because I have run out of ideas ...
Context: OpenVPN Server runs on a Linux machine. I already have a mix of Windows and other Linux clients, all working just fine. All OpenVPN clients have dedicated ccd/[client_config] files on the server side. The only two options inserted here (but not for all clients) are (1) an "ifconfig-push" for the client's IP address and (2) in some cases, for select clients, a "push route" statement with a metric of 2. Works perfectly for all other OpenVPN clients, btw.
RUT955's ccd/[client_config] file looks like this:
ifconfig-push 10.8.0.13 255.255.255.0
#push route "10.0.0.0 255.255.255.0 10.8.0.13 2" (<- I tried with this disabled as well ... )
My RUT955 connects to the OpenVPN server and picks up the ccd/[rut955_config] options just fine. However, after that happens, from the RUT955 I cannot get ping replies from the OpenVPN server, other OpenVPN clients etc.
None of the other OpenVPN clients can ping the RUT955, and even from the OpenVPN server side I do not get ping replies from the RUT955.
I tried playing with the FW rules, disabling the FW completely, adding routes manually, factory reset and start over a few times ... tracing packets with tcpdump etc. .... as I wrote above, running out of ideas ...
- some troubleshooting help:
root@rut955:~# traceroute 10.8.0.1 (<- this is the OpenVPN server's IP)
traceroute to 10.8.0.1 (10.8.0.1), 30 hops max, 38 byte packets
1 10.8.0.13 (10.8.0.13) 2551.933 ms !H 2997.448 ms !H 2999.749 ms !H
- OpenVPN server IP is 10.8.0.0/24; behind the OpenVPN server there is a 10.0.0.0/24 subnet that other (select) OpenVPN clients get access to via the push route option from their respective ccd/[client_config] files.
root@rut955:~# arping -I tap0 10.8.0.1
ARPING 10.8.0.1 from 10.8.0.13 tap0
^CSent 8 probe(s) (8 broadcast(s))
Received 0 response(s) (0 request(s), 0 broadcast(s))
- tcpdump output on RUT955 for the above arping command
root@rut955:~# tcpdump -vv -n -i tap0 host 10.8.0.1
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:47:00.024091 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.13, length 28
07:47:00.027095 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.1 > 10.8.0.13: ICMP echo request, id 63264, seq 582, length 64
07:47:00.087840 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.8.0.1 is-at 00:ff:a4:2b:b3:59, length 28
07:47:01.024080 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.13, length 28
07:47:01.026067 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.1 > 10.8.0.13: ICMP echo request, id 63264, seq 583, length 64
07:47:01.088620 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.8.0.1 is-at 00:ff:a4:2b:b3:59, length 28
07:47:02.025926 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.1 > 10.8.0.13: ICMP echo request, id 63264, seq 584, length 64
07:47:02.026151 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.13, length 28
07:47:02.091826 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.8.0.1 is-at 00:ff:a4:2b:b3:59, length 28
- then I try to arping RUT955 client from the OpenVPN server
-07:51:20-www.xxxxxxx.xxx-(root):~#arping -I tap0 10.8.0.13
ARPING 10.8.0.13 from 10.8.0.1 tap0
^CSent 6 probes (6 broadcast(s))
Received 0 response(s)
- and the tcpdump from the RUT955 OpenVPN client side looks like this:
root@rut955:~# tcpdump -vv -n -i tap0 host 10.8.0.1
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:52:34.011454 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.13 (ff:ff:ff:ff:ff:ff) tell 10.8.0.1, length 28
07:52:35.011651 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.13 (ff:ff:ff:ff:ff:ff) tell 10.8.0.1, length 28
^C
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.78.56.192 0.0.0.0 UG 0 0 0 wwan0
10.0.0.0 10.8.0.1 255.255.255.0 UG 0 0 0 tap0
10.8.0.0 10.8.0.1 255.255.255.0 UG 0 0 0 tap0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
10.78.56.128 0.0.0.0 255.255.255.128 U 0 0 0 wwan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
and
root@rut955:~# ip r
default via 10.78.56.192 dev wwan0 proto static src 10.78.56.191
10.0.0.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.13
10.78.56.128/25 dev wwan0 proto kernel scope link src 10.78.56.191
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
I did all this with the last production release FW and the latest beta (RUT9XX_R_00.06.07.7) as well ... this doesn't seem to influence any of the above behavior.
..... any hint or suggestion would be highly appreciated.