Additional openvpn client

Hi !
I have a working openvpn server setup.
In addition I set up ipfire also as a client to my vps/rootserver.
I wanted to access the net behind the ipfire also from the vps server.
Connection is ok and IPs from vps-vpn are pingable.
FYI I use the subnet mode on the vps server…
server ip
tun0 inet 192.168.99.1 netmask 255.255.255.0 destination 192.168.99.1
ipfire client tun0 inet addr:192.168.65.1 P-t-P:192.168.65.2 Mask:255.255.255.255
(green net on ipfire 192.168.63.0/24)
clientx 192.168.99.3
routing on vps
default gateway 0.0.0.0 UG 0 0 0 eth0
XX.YYY.zz.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
192.168.63.0 192.168.99.2 255.255.255.0 UG 0 0 0 tun0
192.168.99.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
route on ipfire
Destination Gateway Genmask Flags Metric Ref Use Iface
default p.dip0. 0.0.0.0 UG 0 0 0 ppp0
p.dip0. * 255.255.255.255 UH 0 0 0 ppp0
192.168.63.0 * 255.255.255.0 U 0 0 0 green0
192.168.99.0 * 255.255.255.0 U 0 0 0 tun0

So if I want to ping/reach 192.168.99.x (except 192.168.99.2) from 192.168.63.1 I get nothing…
Does it relate to subnet mode?
Any hints?

Ciao Gerd

Hi Gerd,
did you check iroute --> https://backreference.org/2009/11/15/openvpn-and-iroute/ for what you intend?

Best,

Erik

Hi !
Yes and no :)
IMHO the routes are set correctly… also there is no fw in between…
Before, in net30 mode, it worked :)
vserver route (ovpn-server)
(192.168.99.0 is the vpn net)
192.168.63.0 192.168.99.4 255.255.255.0 UG 0 0 0 tun0
192.168.99.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
ipfire (client ovpn) vpn ip 192.168.99.4
192.168.63.0/24 dev green0 proto kernel scope link src 192.168.63.254
192.168.99.0/24 dev tun0 proto kernel scope link src 192.168.99.4
PC in green network behind ipfire
default ipfire 0.0.0.0 UG 0 0 0 enp3s0
192.168.63.0 0.0.0.0 255.255.255.0 U 0 0 0 enp3s0

e.g. from ipfire (192.168.63.254) I can ping 192.168.99.1 (vpn server ip)
from any client (192.168.63.X) I can’t :(
Client CCD
ifconfig-push 192.168.99.4 255.255.255.0
iroute “192.168.63.0 255.255.255.0”
OVPN Server Config
route 192.168.63.0 255.255.255.0 192.168.99.4

Ciao Gerd
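
The three directives in the post above have to agree with each other: the server-side `route` (kernel route), the CCD `iroute` (OpenVPN's internal route to the client) and the `ifconfig-push` address. The following check is an added example, not part of the thread or of OpenVPN; the function names are hypothetical, the inputs are constructed from the values posted above, and `shlex` is assumed to approximate OpenVPN's quoting rules (a quoted string is one argument).

```python
import ipaddress
import shlex

def directives(text):
    """Split OpenVPN config text into argument lists, one per directive line."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(shlex.split(line))  # a quoted string becomes ONE argument
    return out

def net(args):
    """Network from [address, optional netmask]; the netmask defaults to a host route."""
    if not args:
        raise ValueError("missing network address")
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network("%s/%s" % (args[0], mask))

def lint(server_conf, ccd, vpn_net):
    """Return findings for one client's CCD file checked against the server config."""
    findings = []
    vpn = ipaddress.ip_network(vpn_net)
    routes = {}  # network -> gateway (or None) from server-side 'route' lines
    for d in directives(server_conf):
        if d[0] == "route":
            routes[net(d[1:3])] = d[3] if len(d) > 3 else None
    client_ip = None
    for d in directives(ccd):
        if d[0] == "ifconfig-push":
            client_ip = ipaddress.ip_address(d[1])
            if client_ip not in vpn:
                findings.append("ifconfig-push %s is outside %s" % (client_ip, vpn))
    for d in directives(ccd):
        if d[0] != "iroute":
            continue
        try:
            lan = net(d[1:])
        except ValueError as e:
            findings.append("iroute does not parse: %s" % e)
            continue
        if lan not in routes:
            findings.append("iroute %s has no matching server 'route'" % lan)
        elif routes[lan] and client_ip and ipaddress.ip_address(routes[lan]) != client_ip:
            findings.append("route %s via %s, but client is %s" % (lan, routes[lan], client_ip))
    return findings

# Constructed inputs using the values posted above.
SERVER = "route 192.168.63.0 255.255.255.0 192.168.99.4\n"
CCD = "ifconfig-push 192.168.99.4 255.255.255.0\niroute 192.168.63.0 255.255.255.0\n"

if __name__ == "__main__":
    print(lint(SERVER, CCD, "192.168.99.0/24") or "route/iroute/ifconfig-push are consistent")
```

An empty result only says the three directives are consistent with each other; it does not check the client's own routing table or packet forwarding.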

Here is some additional information:
root@vserver:/etc/openvpn/server# ip route get 192.168.63.1
192.168.63.1 via 192.168.99.4 dev tun0 src 192.168.99.1 uid 0

[root@ipfire ~]# ip route get 192.168.99.1
192.168.99.1 dev tun0 src 192.168.99.4 uid 0
ip route get 192.168.63.1
192.168.63.1 dev green0 src 192.168.63.254 uid 0
gerd@capricorn:~$ ip route get 192.168.99.1
192.168.99.1 via 192.168.63.254 dev enp3s0 src 192.168.63.1 uid 1000

On ipfire I can ping 192.168.99.1 and 192.168.63.1
but I can’t ping 192.168.99.1 from 192.168.63.1 and vice versa…
So it seems ipfire has a problem… but this is the only machine where nothing changed during “upgrading” the net from net30 to subnet

Ciao Gerd

Hi,
probably your route on the server side is not correctly set? Did you try
route 192.168.63.0 255.255.255.0
? As an example --> https://serverfault.com/questions/662500/openvpn-access-to-lan-behind-client-and-vice-versa .

Best,

Erik

Hi !

It’s still in
192.168.63.0 192.168.99.4 255.255.255.0 UG 0 0 0 tun0

192.168.99.4 is ipfire and pingable…

Ciao Gerd

Hi ,
like this

?

Yes… I tried with and without the gateway address at the end…

Ciao Gerd

OK,
since IPFire does not officially provide OpenVPN as a client, and the information you gave is not enough for me to help you specifically, and since it also seems to me that you know what you are doing, I would suggest you tcpdump your connection from both sides and check the FW logs. Some ideas/examples regarding the routing have already been given.

Best,

Erik

Hi !
I’m sorry, that’s maybe not enough for you, but I’m a little bit for now…
When I provide
"route add -net 192.168.99.0 netmask 255.255.255.0 gw 192.168.99.1" on the ipfire, everything works…
So the point is where I have to manage that ipfire sets this route when the client comes up

Ciao Gerd