0 votes
474 views 3 comments
by anonymous

Hello community members,

I'm posting here because I have run out of ideas ...

Context: OpenVPN Server runs on a Linux machine. I already have a mix of Windows and other Linux clients, all working just fine. All OpenVPN clients have dedicated ccd/[client_config] files on the server side. The only two options inserted here (but not for all clients) are (1) an "ifconfig-push" for the client's IP address and (2) in some cases, for select clients, a "push route" statement with a metric of 2. Works perfectly for all other OpenVPN clients, btw.

RUT955's ccd/[client_config] file looks like this:

ifconfig-push 10.8.0.13 255.255.255.0
#push route "10.0.0.0 255.255.255.0 10.8.0.13 2" 
(<- I tried with this disabled as well ... )

My RUT955 connects to the OpenVPN server and picks up the ccd/[rut955_config] options just fine. However, after that happens, from the RUT955 I cannot get ping replies from the OpenVPN server, other OpenVPN clients etc.

None of the other OpenVPN clients can ping the RUT955, and not even from the OpenVPN server side do I get ping replies from the RUT955.

I tried playing with the FW rules, disabling the FW completely, adding routes manually, factory reset and start over a few times ... tracing packets with tcpdump etc. .... as I wrote above, running out of ideas ...

  • some troubleshooting help:

root@rut955:~# traceroute 10.8.0.1 (<- this is the OpenVPN server's IP)
traceroute to 10.8.0.1 (10.8.0.1), 30 hops max, 38 byte packets
 1  10.8.0.13 (10.8.0.13)  2551.933 ms !H  2997.448 ms !H  2999.749 ms !H

  • OpenVPN server IP is 10.8.0.0/24; behind the OpenVPN server there is a 10.0.0.0/24 subnet that other (select) OpenVPN clients get access to via the push route option from their respective ccd/[client_config] files.

root@rut955:~# arping -I tap0 10.8.0.1
ARPING 10.8.0.1 from 10.8.0.13 tap0
^CSent 8 probe(s) (8 broadcast(s))
Received 0 response(s) (0 request(s), 0 broadcast(s))

  • tcpdump output on RUT955 for the above arping command

root@rut955:~# tcpdump -vv -n -i tap0 host 10.8.0.1
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:47:00.024091 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.13, length 28
07:47:00.027095 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.1 > 10.8.0.13: ICMP echo request, id 63264, seq 582, length 64
07:47:00.087840 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.8.0.1 is-at 00:ff:a4:2b:b3:59, length 28
07:47:01.024080 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.13, length 28
07:47:01.026067 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.1 > 10.8.0.13: ICMP echo request, id 63264, seq 583, length 64
07:47:01.088620 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.8.0.1 is-at 00:ff:a4:2b:b3:59, length 28
07:47:02.025926 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.1 > 10.8.0.13: ICMP echo request, id 63264, seq 584, length 64
07:47:02.026151 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.1 tell 10.8.0.13, length 28
07:47:02.091826 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.8.0.1 is-at 00:ff:a4:2b:b3:59, length 28

  • then I try to arping RUT955 client from the OpenVPN server

-07:51:20-www.xxxxxxx.xxx-(root):~#arping -I tap0 10.8.0.13
ARPING 10.8.0.13 from 10.8.0.1 tap0
^CSent 6 probes (6 broadcast(s))
Received 0 response(s)

  • and the tcpdump from the RUT955 OpenVPN client side looks like this:

root@rut955:~# tcpdump -vv -n -i tap0 host 10.8.0.1
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:52:34.011454 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.13 (ff:ff:ff:ff:ff:ff) tell 10.8.0.1, length 28
07:52:35.011651 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.13 (ff:ff:ff:ff:ff:ff) tell 10.8.0.1, length 28
^C

  • routing table on RUT955

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.78.56.192    0.0.0.0         UG    0      0        0 wwan0
10.0.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tap0
10.8.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tap0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
10.78.56.128    0.0.0.0         255.255.255.128 U     0      0        0 wwan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

and

root@rut955:~# ip r
default via 10.78.56.192 dev wwan0  proto static  src 10.78.56.191
10.0.0.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0  proto kernel  scope link  src 10.8.0.13
10.78.56.128/25 dev wwan0  proto kernel  scope link  src 10.78.56.191
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1

I did all this with the last production release FW and the latest beta (RUT9XX_R_00.06.07.7) as well ... this doesn't seem to influence any of the above behavior.

..... any hint or suggestion would be highly appreciated.

2 Answers

0 votes
by anonymous
Hi,

Did you push the subnets you want to reach into your OpenVPN configuration?

Please take a look at this page --> https://wiki.teltonika-networks.com/view/OpenVPN_configuration_examples#Additional_configuration

Regards.
by anonymous

Hi there,

Yes, routes to subnets are pushed.

But the issue that I face is lower .... let me explain:

After the RUT955 client connects to my OpenVPN server, I start a tcpdump session on the RUT955 and arping from the OpenVPN server (10.8.0.1).

I'm trying to "decode" if there's anything relevant in the tcpdump output below, but while arping requests are seen, arping replies are totally missing ... that's the intriguing part ...

13:32:12.851783 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.13 (ff:ff:ff:ff:ff:ff) tell 10.8.0.1, length 28
13:32:13.814506 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.8.0.13 (ff:ff:ff:ff:ff:ff) tell 10.8.0.1, length 28
13:32:14.230068 IP (tos 0x0, ttl 64, id 14920, offset 0, flags [DF], proto UDP (17), length 49)
    10.8.0.11.52287 > 10.8.0.255.32412: [udp sum ok] UDP, length 21
13:32:14.276014 IP (tos 0x0, ttl 64, id 14921, offset 0, flags [DF], proto UDP (17), length 49)
    10.8.0.11.36421 > 10.8.0.255.32414: [udp sum ok] UDP, length 21
13:32:14.334137 IP (tos 0x0, ttl 1, id 28697, offset 0, flags [DF], proto UDP (17), length 122) 

Then I do the reverse: I run tcpdump on the OpenVPN server interface and arping from RUT955. Incoming arping requests are seen AND replies are sent out .... but they are NOT "seen" by the RUT955.

-13:41:35--(root):~#tcpdump -i tap0 -vv -n host 10.8.0.13
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
13:42:23.419219 arp who-has 10.8.0.1 (Broadcast) tell 10.8.0.13
13:42:23.419251 arp reply 10.8.0.1 is-at 00:ff:f9:34:bf:c0
13:42:24.410279 arp who-has 10.8.0.1 (Broadcast) tell 10.8.0.13
13:42:24.410290 arp reply 10.8.0.1 is-at 00:ff:f9:34:bf:c0
13:42:25.409511 arp who-has 10.8.0.1 (Broadcast) tell 10.8.0.13
13:42:25.409527 arp reply 10.8.0.1 is-at 00:ff:f9:34:bf:c0
13:42:26.436721 arp who-has 10.8.0.1 (Broadcast) tell 10.8.0.13

by anonymous
Hello,

Can you please confirm what your server's OpenVPN version is? I'm already working on another case, and it seems the issue is that they're using a deprecated OpenVPN server version. Can you please confirm it?

Also, if you want to send me your certificates, your troubleshoot file and the topology of your network via DM, I can test from my own if it's having the same behavior.

Regards.
0 votes
by anonymous
I am also looking for a solution for this problem. OpenVPN 2.5.2 is running on the RUT955 - version 2.4.0 on external servers (based on Debian 9). There seem to be problems communicating with each other.
by anonymous

I hope you both got this working. I have it working on multiple vendors' routers and I have also encountered a particular vendor it isn't allowed to work on. I'd like to hear your results.

Server OpenVPN config needs this:

# Push routes to connecting clients, they need to know how to route to other LANs
push "route {lan IP and subnet 1st router client}"
push "route {lan IP and subnet 2nd router client}"

# Allow LAN routing between clients
client-to-client

# Allow the server to route traffic to client LANs
route {lan IP and subnet 1st router client}
route {lan IP and subnet 2nd router client}

CCD file in server for each connecting client completes it:

iroute {lan IP and subnet 1st router client}
ifconfig-push 10.8.0.{different per client} 255.255.255.0
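
Added example, not part of the post above or of any poster's configuration: a Python check that the server config and the per-client CCD files agree in the way the recipe above requires (every iroute has a matching server route and push "route", client-to-client is present, and no two clients share an ifconfig-push address). The subnets 192.168.10.0/24 and 192.168.20.0/24, the client names and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: placeholder subnets and client names, not from the thread.
SERVER_CONF = '''\
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
client-to-client
route 192.168.10.0 255.255.255.0
'''
CCD = {
    "router1": "iroute 192.168.10.0 255.255.255.0\nifconfig-push 10.8.0.11 255.255.255.0\n",
    "router2": "iroute 192.168.20.0 255.255.255.0\nifconfig-push 10.8.0.11 255.255.255.0\n",
}

def _nets(text, directive):
    """Networks named by '<directive> <ip> <mask>' lines; quotes and # comments ignored."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].replace('"', " ")
        m = re.match(rf"\s*{directive}\s+(\S+)\s+(\S+)", line)
        if m:
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def check(server_conf, ccd):
    """Return findings where server config and per-client CCD files disagree."""
    findings = []
    routes = _nets(server_conf, "route")            # routes the server itself installs
    pushed = _nets(server_conf, r"push\s+route")    # routes sent to connecting clients
    if not re.search(r"^\s*client-to-client\b", server_conf, re.M):
        findings.append("server: client-to-client missing")
    seen_ips = {}
    for name, text in sorted(ccd.items()):
        for net in sorted(_nets(text, "iroute")):
            if net not in routes:
                findings.append(f"{name}: iroute {net} has no server 'route'")
            if net not in pushed:
                findings.append(f"{name}: iroute {net} is not pushed to clients")
        m = re.search(r"^\s*ifconfig-push\s+(\S+)", text, re.M)
        if m:
            owner = seen_ips.setdefault(m.group(1), name)
            if owner != name:
                findings.append(f"{name}: ifconfig-push {m.group(1)} already used by {owner}")
    return findings

if __name__ == "__main__":
    for finding in check(SERVER_CONF, CCD):
        print(finding)
```

To run it against a real setup, read the server config and each file in the ccd directory into the same string and dict shapes.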