OpenVPN Routing problems

Hi,

I have been using IPFire for some years now and had a working OpenVPN Roadwarrior connection. After generating a new certificate I couldn’t get it to work again. I tried to set up the server completely from scratch, which also didn’t work.

The client connects successfully to the server, but I just cannot get any access to the remote company network.

Company network: 192.168.0.0
OpenVPN Static Pool: 192.168.133.0

This is the routing of the client:

IPv4-Routentabelle
===========================================================================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.43.174 192.168.43.76 50
10.158.188.1 255.255.255.255 192.168.133.1 192.168.133.2 291
127.0.0.0 255.0.0.0 Auf Verbindung 127.0.0.1 331
127.0.0.1 255.255.255.255 Auf Verbindung 127.0.0.1 331
127.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 331
192.168.0.0 255.255.255.0 192.168.133.1 192.168.133.2 291
192.168.43.0 255.255.255.0 Auf Verbindung 192.168.43.76 306
192.168.43.76 255.255.255.255 Auf Verbindung 192.168.43.76 306
192.168.43.255 255.255.255.255 Auf Verbindung 192.168.43.76 306
192.168.133.0 255.255.255.252 Auf Verbindung 192.168.133.2 291
192.168.133.2 255.255.255.255 Auf Verbindung 192.168.133.2 291
192.168.133.3 255.255.255.255 Auf Verbindung 192.168.133.2 291
224.0.0.0 240.0.0.0 Auf Verbindung 127.0.0.1 331
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.133.2 291
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.43.76 306
255.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 331
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.133.2 291
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.43.76 306
===========================================================================
Ständige Routen:
Keine

OpenVPN client log (company name and IP removed)
(had to remove some links as the IPFire site wouldn’t allow me to post otherwise)

Fri Feb 14 11:18:04 2020 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
Fri Feb 14 11:18:04 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Feb 14 11:18:04 2020 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Fri Feb 14 11:18:04 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 14 11:18:04 2020 Need hold release from management interface, waiting...
Fri Feb 14 11:18:05 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 14 11:18:05 2020 MANAGEMENT: CMD 'state on'
Fri Feb 14 11:18:05 2020 MANAGEMENT: CMD 'log all on'
Fri Feb 14 11:18:05 2020 MANAGEMENT: CMD 'echo all on'
Fri Feb 14 11:18:05 2020 MANAGEMENT: CMD 'bytecount 5'
Fri Feb 14 11:18:05 2020 MANAGEMENT: CMD 'hold off'
Fri Feb 14 11:18:05 2020 MANAGEMENT: CMD 'hold release'
Fri Feb 14 11:18:05 2020 MANAGEMENT: CMD 'password [...]'
Fri Feb 14 11:18:05 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 14 11:18:05 2020 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Fri Feb 14 11:18:05 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]company.ip:1194
Fri Feb 14 11:18:05 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 14 11:18:05 2020 UDP link local: (not bound)
Fri Feb 14 11:18:05 2020 UDP link remote: [AF_INET]company.ip:1194
Fri Feb 14 11:18:05 2020 MANAGEMENT: >STATE:1581675485,WAIT,
Fri Feb 14 11:18:05 2020 MANAGEMENT: >STATE:1581675485,AUTH,
Fri Feb 14 11:18:05 2020 TLS: Initial packet from [AF_INET]company.ip:1194, sid=b9775af7 639e0875
Fri Feb 14 11:18:05 2020 VERIFY OK: depth=1, C=DE, O=Company, CN=CompanyCA
Fri Feb 14 11:18:05 2020 VERIFY KU OK
Fri Feb 14 11:18:05 2020 Validating certificate extended key usage
Fri Feb 14 11:18:05 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Feb 14 11:18:05 2020 VERIFY EKU OK
Fri Feb 14 11:18:05 2020 VERIFY X509NAME OK: C=DE, O=Company, CN=ipfire.company.local
Fri Feb 14 11:18:05 2020 VERIFY OK: depth=0, C=DE, O=Company, CN=ipfire.company.local
Fri Feb 14 11:18:06 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Feb 14 11:18:06 2020 [ipfire.company.local] Peer Connection Initiated with [AF_INET]company.ip:1194
Fri Feb 14 11:18:07 2020 MANAGEMENT: >STATE:1581675487,GET_CONFIG,
Fri Feb 14 11:18:07 2020 SENT CONTROL [ipfire.company.local]: 'PUSH_REQUEST' (status=1)
Fri Feb 14 11:18:07 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.158.188.1,topology net30,route 192.168.0.0 255.255.255.0,ifconfig 192.168.133.2 192.168.133.1,peer-id 0'
Fri Feb 14 11:18:07 2020 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 14 11:18:07 2020 OPTIONS IMPORT: route options modified
Fri Feb 14 11:18:07 2020 OPTIONS IMPORT: peer-id set
Fri Feb 14 11:18:07 2020 OPTIONS IMPORT: adjusting link_mtu to 1524
Fri Feb 14 11:18:07 2020 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Feb 14 11:18:07 2020 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Feb 14 11:18:07 2020 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Feb 14 11:18:07 2020 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Feb 14 11:18:07 2020 interactive service msg_channel=744
Fri Feb 14 11:18:07 2020 ROUTE_GATEWAY 192.168.43.174/255.255.255.0 I=9 HWADDR=28:16:a8:48:99:85
Fri Feb 14 11:18:07 2020 open_tun
Fri Feb 14 11:18:07 2020 TAP-WIN32 device [Ethernet] opened: \\.\Global\{1B9E87DF-64FB-439B-98A5-25687898F61F}.tap
Fri Feb 14 11:18:07 2020 TAP-Windows Driver Version 9.21
Fri Feb 14 11:18:07 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.133.2/255.255.255.252 on interface {1B9E87DF-64FB-439B-98A5-25687898F61F} [DHCP-serv: 192.168.133.1, lease-time: 31536000]
Fri Feb 14 11:18:07 2020 Successful ARP Flush on interface [5] {1B9E87DF-64FB-439B-98A5-25687898F61F}
Fri Feb 14 11:18:07 2020 MANAGEMENT: >STATE:1581675487,ASSIGN_IP,192.168.133.2,

Any further information needed?

Can anyone help me?

Greetings
Arne

Did you put the route push option 192.168.0.0/16 in “advanced options”?

No, just tried adding it to the Advanced server setting but it still doesn’t work.

Hi gr0mit,
is it possible that your FORWARD chain (firewall policy) is “Blocked”? In that case you would need a rule which accepts the traffic to your LAN.

As another idea.

Best,

Erik
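The routing table and the PUSH_REPLY line posted above can be cross-checked mechanically. This added script (written for this thread, not part of OpenVPN or IPFire) parses both and reports, per pushed route, whether the Windows client actually installed it via the tunnel gateway; when every route is present, as here, a missing client route is ruled out and the server-side FORWARD policy Erik points to is the next thing to check. The sample input is constructed from the rows quoted in the first post.

```python
import ipaddress
import re

# Constructed sample input, taken from the rows quoted in the thread: the PUSH_REPLY
# option string from the client log and a subset of the Windows "route print" rows.
PUSH_REPLY = ("PUSH_REPLY,route 10.158.188.1,topology net30,"
              "route 192.168.0.0 255.255.255.0,ifconfig 192.168.133.2 192.168.133.1,peer-id 0")
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.43.174 192.168.43.76 50
10.158.188.1 255.255.255.255 192.168.133.1 192.168.133.2 291
192.168.0.0 255.255.255.0 192.168.133.1 192.168.133.2 291
192.168.43.0 255.255.255.0 Auf Verbindung 192.168.43.76 306
192.168.133.0 255.255.255.252 Auf Verbindung 192.168.133.2 291
"""

def parse_push_reply(line):
    """Return (pushed networks, local tunnel IP, remote tunnel IP) from a PUSH_REPLY string."""
    routes, local, remote = [], None, None
    for opt in line.split(",")[1:]:
        parts = opt.split()
        if parts[0] == "route":
            # "route <net>" without a mask means a host route (/32)
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            routes.append(ipaddress.IPv4Network(f"{parts[1]}/{mask}", strict=False))
        elif parts[0] == "ifconfig":
            local, remote = parts[1], parts[2]
    return routes, local, remote

def parse_route_print(text):
    """Parse 'destination mask gateway interface metric' rows; on-link rows
    (shown as 'Auf Verbindung' / 'On-link' by Windows) get gateway None."""
    table = []
    for row in text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(.+?)\s+(\S+)\s+(\d+)$", row.strip())
        if not m:
            continue
        dst, mask, gw, iface, metric = m.groups()
        gw = gw if re.match(r"\d+\.\d+\.\d+\.\d+$", gw) else None
        table.append((ipaddress.IPv4Network(f"{dst}/{mask}", strict=False), gw, iface, int(metric)))
    return table

def check_client_routes(push_reply, route_print):
    """Map each pushed network to True if the client holds a matching route whose
    gateway is the remote tunnel IP and whose interface is the local tunnel IP."""
    routes, local, remote = parse_push_reply(push_reply)
    table = parse_route_print(route_print)
    return {str(net): any(n == net and gw == remote and iface == local
                          for n, gw, iface, _ in table) for net in routes}

if __name__ == "__main__":
    for net, ok in check_client_routes(PUSH_REPLY, ROUTE_PRINT).items():
        print(f"{net}: {'installed via tunnel' if ok else 'MISSING on client'}")
```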

OK, I’m an idiot … I had such a rule in my old firewall configuration, changed the OpenVPN user name and then the trouble started. Added a rule and it works :crazy_face:

Thanks Erik!

You’re welcome,
glad that it works. Sometimes you can’t see the forest for the trees :stuck_out_tongue_winking_eye: .

Best,

Erik