N2n routing problems - can't find the culprit

Hi there,
I have a problem with setting up the n2n network. Roadwarrior works.

When I activate the n2n, the picture says “Add Routes”. I am surprised, as when I run ip route, it sees the route. Later it states “Connected”.

BUT, I cannot ping the other side.

LOG Server:
Jun 26 12:25:45 central ToOfficen2n[14550]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jun 26 12:25:45 central ToOfficen2n[14550]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jun 26 12:25:45 central ToOfficen2n[14550]: OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Jun 26 12:25:45 central ToOfficen2n[14550]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.09
Jun 26 12:25:45 central ToOfficen2n[14551]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:4242
Jun 26 12:25:45 central ToOfficen2n[14551]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 26 12:25:45 central ToOfficen2n[14551]: Diffie-Hellman initialized with 4096 bit key
Jun 26 12:25:45 central ToOfficen2n[14551]: Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Jun 26 12:25:45 central ToOfficen2n[14551]: ECDH curve secp384r1 added
Jun 26 12:25:45 central ToOfficen2n[14551]: ROUTE_GATEWAY 192.168.254.254/255.255.255.0 IFACE=red0 HWADDR=xx:xx:xx:xx:xx:xx
Jun 26 12:25:45 central ToOfficen2n[14551]: TUN/TAP device tun1 opened
Jun 26 12:25:45 central ToOfficen2n[14551]: TUN/TAP TX queue length set to 100
Jun 26 12:25:45 central ToOfficen2n[14551]: /sbin/ip link set dev tun1 up mtu 1500
Jun 26 12:25:45 central ToOfficen2n[14551]: /sbin/ip addr add dev tun1 local 10.42.142.1 peer 10.42.142.2
Jun 26 12:25:45 central ToOfficen2n[14551]: /etc/init.d/static-routes start tun1 1500 1605 10.42.142.1 10.42.142.2 init
Jun 26 12:25:45 central ToOfficen2n[14551]: /sbin/ip route add 10.42.42.0/24 via 10.42.142.2
Jun 26 12:25:45 central ToOfficen2n[14551]: ERROR: Linux route add command failed: external program exited with error status: 2
Jun 26 12:25:45 central ToOfficen2n[14551]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jun 26 12:25:45 central ToOfficen2n[14551]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 26 12:25:45 central ToOfficen2n[14551]: UDPv4 link local (bound): [AF_INET]192.168.254.253:4242
Jun 26 12:25:45 central ToOfficen2n[14551]: UDPv4 link remote: [AF_UNSPEC]
Jun 26 12:25:45 central ToOfficen2n[14551]: GID set to nobody
Jun 26 12:25:45 central ToOfficen2n[14551]: UID set to nobody
Jun 26 12:25:45 central ToOfficen2n[14551]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:xx, sid=f874c9bc 96253aa8
Jun 26 12:25:45 central ToOfficen2n[14551]: VERIFY OK: depth=1, C=xx, ST=xx, L=xx, O=BOMJ, OU=HQ, CN=xx CA, emailAddress=xx@xx.xx
Jun 26 12:25:45 central ToOfficen2n[14551]: VERIFY OK: depth=0, C=xx, ST=xx, O=xx, OU=Office, CN=xx-xx.xx.xx
Jun 26 12:25:45 central ToOfficen2n[14551]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:25:45 central ToOfficen2n[14551]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:25:45 central ToOfficen2n[14551]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:25:45 central ToOfficen2n[14551]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:25:45 central ToOfficen2n[14551]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jun 26 12:25:45 central ToOfficen2n[14551]: [xx.xx.xx] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:xx
Jun 26 12:25:46 central ToOfficen2n[14551]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 26 12:25:46 central ToOfficen2n[14551]: Initialization Sequence Completed
Jun 26 12:25:48 central ToOfficen2n[14551]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:4242
Jun 26 12:25:48 central ToOfficen2n[14551]: MANAGEMENT: CMD 'state'
Jun 26 12:25:48 central ToOfficen2n[14551]: MANAGEMENT: Client disconnected
Jun 26 12:26:54 central ToOfficen2n[14551]: TLS: new session incoming connection from [AF_INET]xx.xx.xx.xx:xx
Jun 26 12:26:54 central ToOfficen2n[14551]: VERIFY OK: depth=1, C=xx, ST=xx, L=xx, O=xx, OU=HQ, CN=xx CA, emailAddress=xx@xx.xx
Jun 26 12:26:54 central ToOfficen2n[14551]: VERIFY OK: depth=0, C=xx, ST=xx, O=xx, OU=xx, CN=xx-xx.xx.xx
Jun 26 12:26:54 central ToOfficen2n[14551]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:26:54 central ToOfficen2n[14551]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:26:54 central ToOfficen2n[14551]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:26:54 central ToOfficen2n[14551]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:26:54 central ToOfficen2n[14551]: TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Jun 26 12:26:54 central ToOfficen2n[14551]: TLS: tls_multi_process: untrusted session promoted to semi-trusted
Jun 26 12:26:55 central ToOfficen2n[14551]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

ip route

default via 192.168.254.254 dev red0
10.0.0.0/24 dev orange0 proto kernel scope link src 10.0.0.254
10.42.42.0/24 via 10.42.242.2 dev tun0 (road warriors)
10.42.142.2 dev tun1 proto kernel scope link src 10.42.142.1 (n2n network)
10.42.242.0/24 via 10.42.242.2 dev tun0 (road warriors)
10.42.242.2 dev tun0 proto kernel scope link src 10.42.242.1 (road warriors)
10.142.142.0/24 dev green0 proto kernel scope link src 10.142.142.254
192.168.254.0/24 dev red0 proto kernel scope link src 192.168.254.253
192.168.254.254 dev red0 scope link

Times are different because of time zones.
LOG Client:
Jun 26 17:26:54 labs ToCentraln2n[3911]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jun 26 17:26:54 labs ToCentraln2n[3911]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jun 26 17:26:54 labs ToCentraln2n[3911]: WARNING: file '/var/ipfire/ovpn/certs/ToCentral.p12' is group or others accessible
Jun 26 17:26:54 labs ToCentraln2n[3911]: OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 14 2019
Jun 26 17:26:54 labs ToCentraln2n[3911]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.09
Jun 26 17:26:54 labs ToCentraln2n[3912]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:4242
Jun 26 17:26:54 labs ToCentraln2n[3912]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=red0 HWADDR=x:x:x:x:x
Jun 26 17:26:54 labs ToCentraln2n[3912]: TUN/TAP device tun0 opened
Jun 26 17:26:54 labs ToCentraln2n[3912]: TUN/TAP TX queue length set to 100
Jun 26 17:26:54 labs ToCentraln2n[3912]: /sbin/ip link set dev tun0 up mtu 1500
Jun 26 17:26:54 labs ToCentraln2n[3912]: /sbin/ip addr add dev tun0 local 10.42.142.2 peer 10.42.142.1
Jun 26 17:26:54 labs ToCentraln2n[3912]: /sbin/ip route add 10.142.142.0/24 via 10.42.142.1
Jun 26 17:26:54 labs ToCentraln2n[3912]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:xx
Jun 26 17:26:54 labs ToCentraln2n[3912]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 26 17:26:54 labs ToCentraln2n[3912]: UDP link local (bound): [AF_INET]192.168.1.254:4242
Jun 26 17:26:54 labs ToCentraln2n[3912]: UDP link remote: [AF_INET]public_IP:Port
Jun 26 17:26:54 labs ToCentraln2n[3912]: GID set to nobody
Jun 26 17:26:54 labs ToCentraln2n[3912]: UID set to nobody
Jun 26 17:26:54 labs ToCentraln2n[3912]: TLS: Initial packet from [AF_INET]public_IP:Port, sid=d9d9521f f9ed1231
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY OK: depth=1, C=x, ST=x, L=x, O=x, OU=HQ, CN=x CA, emailAddress=xx@xx.xx
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY KU OK
Jun 26 17:26:55 labs ToCentraln2n[3912]: Validating certificate extended key usage
Jun 26 17:26:55 labs ToCentraln2n[3912]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY EKU OK
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY OK: depth=0, C=xx, ST=xx, O=xx, OU=HQ, CN=xx.xx.xx
Jun 26 17:26:55 labs ToCentraln2n[3912]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 17:26:55 labs ToCentraln2n[3912]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 17:26:55 labs ToCentraln2n[3912]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 17:26:55 labs ToCentraln2n[3912]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 17:26:55 labs ToCentraln2n[3912]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jun 26 17:26:55 labs ToCentraln2n[3912]: [xx.xx.xx] Peer Connection Initiated with [AF_INET]public_IP:Port
Jun 26 17:26:56 labs ToCentraln2n[3912]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:4242
Jun 26 17:26:56 labs ToCentraln2n[3912]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 26 17:26:56 labs ToCentraln2n[3912]: Initialization Sequence Completed
Jun 26 17:26:56 labs ToCentraln2n[3912]: MANAGEMENT: CMD 'state'
Jun 26 17:26:56 labs ToCentraln2n[3912]: MANAGEMENT: Client disconnected

ip route

default via 192.168.1.1 dev red0
10.42.42.0/24 dev green0 proto kernel scope link src 10.42.42.254
10.42.142.1 dev tun0 proto kernel scope link src 10.42.142.2 (n2n network)
10.142.142.0/24 via 10.42.142.1 dev tun0
192.168.1.0/24 dev red0 proto kernel scope link src 192.168.1.254
192.168.1.1 dev red0 scope link

Any ideas, please?
Much appreciated.
Slarti
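The server log above shows `/sbin/ip route add 10.42.42.0/24 via 10.42.142.2` failing with exit status 2 while the `ip route` output already holds `10.42.42.0/24 via 10.42.242.2 dev tun0`. The following Python script is an added example (not part of the original post or of IPFire) that cross-checks an OpenVPN log against `ip route` output and reports exactly this kind of clash; the embedded samples are abridged copies of the two outputs quoted above.

```python
import re

# Sample input, abridged from the server log and `ip route` output quoted in the post.
SERVER_LOG = """\
Jun 26 12:25:45 central ToOfficen2n[14551]: /sbin/ip route add 10.42.42.0/24 via 10.42.142.2
Jun 26 12:25:45 central ToOfficen2n[14551]: ERROR: Linux route add command failed: external program exited with error status: 2
"""
SERVER_ROUTES = """\
default via 192.168.254.254 dev red0
10.42.42.0/24 via 10.42.242.2 dev tun0
10.42.142.2 dev tun1 proto kernel scope link src 10.42.142.1
10.42.242.0/24 via 10.42.242.2 dev tun0
10.142.142.0/24 dev green0 proto kernel scope link src 10.142.142.254
"""

ROUTE_ADD = re.compile(r"/sbin/ip route add (\S+) via (\S+)")
ROUTE_FAIL = re.compile(r"ERROR: Linux route add command failed")


def parse_routes(text):
    """Map each destination prefix in `ip route` output to (gateway or None, device)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        table[fields[0]] = (gw, dev)
    return table


def find_route_conflicts(log_text, routes_text):
    """Return (prefix, wanted_gw, existing_gw, existing_dev) for every `ip route add`
    that OpenVPN reported as failed while the kernel already routes that prefix via
    another next hop. iproute2 rejects a duplicate prefix with exit status 2
    ("RTNETLINK answers: File exists"), which is the status seen in the log."""
    table = parse_routes(routes_text)
    lines = log_text.splitlines()
    conflicts = []
    for i, line in enumerate(lines):
        m = ROUTE_ADD.search(line)
        if not m:
            continue
        failed = i + 1 < len(lines) and ROUTE_FAIL.search(lines[i + 1]) is not None
        prefix, wanted_gw = m.groups()
        existing = table.get(prefix)
        if failed and existing and existing[0] != wanted_gw:
            conflicts.append((prefix, wanted_gw, existing[0], existing[1]))
    return conflicts


if __name__ == "__main__":
    for prefix, wanted, have_gw, have_dev in find_route_conflicts(SERVER_LOG, SERVER_ROUTES):
        print(f"{prefix}: N2N wants via {wanted}, but kernel already has via {have_gw} dev {have_dev}")
```

Run against the live outputs (`journalctl`/`/var/log/messages` and `ip route`) to see which prefix is claimed by two tunnels; here it is the remote green network 10.42.42.0/24, which the road-warrior server already routes over tun0.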

Hi,
It looks like the OpenVPN server and the OpenVPN N2N operate in the same transfer net address, which they should not? Can you check and change this if so?

Best,

Erik