VPN shows connected but client can't access local or internet

I have OpenVPN set up and IPFire shows it as running.

OpenVPN tab in IPFire admin says the client is connected.

But, the client can’t ping anything on the green network or anything on the internet.

This was working before I upgraded to IPFire core 145. I had to redo all the VPN stuff because the previous IPFire core was too old to just upgrade.

I’m not even sure where to start to troubleshoot since OpenVPN says the client is connected.

Edit: subnet scan on the client shows computers on the green network. And I can access servers (for example, I can connect to my home automation system). But, ping to an address on green or the internet fails.

In Services>OpenVPN it shows you as connected (green box).

Assuming your local network is 10.0.0.*, can you ping any host by IP (e.g. ping 10.0.0.10 where you know there is a system connected to .10)? In the advanced server options page, domain and DNS should be provided, to ping by name. Can you post a screenshot (blur/mask the public IP)?

By local do you mean the green network of the IPFire box?

I’ve only used the IP, never the name since that has never worked, only IPs.

This is what the Advanced looks like:

I do not have the Client-to-Client check. Yes, “local” is your local network (home, office, lab).

In my case I filled in domain as lan and DNS as 10.0.0.1, then I can ping xps (10.0.0.10) from my VPN connection. You need to stop the VPN, make changes in the advanced section, save, and restart it.

Can you post the screenshot of the previous page?

See this page https://wiki.ipfire.org/configuration/services/openvpn/config/advanced_set which explains the Client-To-Client option. You need to provide route push options as shown.

I’ll look at this further tomorrow, gotta crash now.

I had added the Client-to-client check as a guess.

I’ve added the domain name and DNS IP address.

I guess I don’t understand all I need to about the minimum requirements.

What I think I know or have configured:

  • a working connection between an Android phone (I’m calling this the client) and the OpenVPN on my IPFire PC
  • The IPFire PC knows about the devices on my green network and they can all ping each other and get to the internet.
  • the green network has its own IP address range starting with 192…
  • the VPN and client are on another IP range starting with 10…
  • a subnet scan on the client shows all the 192… devices, but does not show their hostname.domain
  • ping (client to green) appears to work to IP addresses, but not when host.domain is used
    (I assume the client OpenVPN setup or the OpenVPN server on the IPFire box doesn’t have the DNS settings right…???)
  • the client can connect, by IP address, to hosts in the 192… range running applications, like my home control
  • I can’t ping from 192… to the client on 10…

This is new territory for me and I’m not sure what should and shouldn’t work. And thus what settings I’m missing, if any.

Edit: I also just attempted to add an IP address to the Route Push options, but it doesn’t appear to save what I enter.

So, I seem to have a connection from client (a smartphone) to the VPN, through to the green network.

UDP to IP addresses on the green network work.

But, names are not resolved.

And, basic ping to a green IP fails.

I’ve read so much of the wiki at this point I’m just confused. :crazy_face:

Can you post your client’s ovpn file, redacting the public info? Compare:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote x.x.x.x 1194
pkcs12 pavlos.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name x.x.x.x name

Never mind, I see where it is now on the client.

The x.x.x.x in mine is some long URL ending in .com though.

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote x.x.x.x 1194
pkcs12 Mac.p12
cipher AES-256-CBC
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name x.x.x.x name

The client’s ovpn, that is the zip file (which has a .ovpn and a .p12 file) which you download onto your Android phone. The server configuration can be found in /var/ipfire/ovpn/server.conf

If you defined domain and DNS as I wrote before, you would see those 2 lines in the server.conf (and that would allow you to resolve local hosts by name):

auth SHA512
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 10.0.0.1"
max-clients 100

Mine looks like:

push "dhcp-option DOMAIN mydomainname"
push "dhcp-option DNS x.x.x.x"

Where x.x.x.x is my x.x.x.1
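As an added example (not from this thread, and not IPFire's own code), the following Python script lints a server.conf fragment for the settings the two posts above turn on: the pushed "dhcp-option DOMAIN" and "dhcp-option DNS" lines, a pushed route for the green LAN, and client-to-client. The sample configs, the green subnet 192.168.1.0/24 and the function names (parse_openvpn, check_server) are all constructed for the example; the second sample deliberately carries the typographic quotes a web paste often produces, which OpenVPN does not accept as quoting.

```python
import ipaddress
import shlex

# Constructed sample server.conf fragment (not a real IPFire file). It carries
# the pushed DOMAIN/DNS lines the thread says to expect, plus a pushed route
# for the green LAN and client-to-client.
GOOD_SERVER = """\
proto udp
port 1194
dev tun
server 10.23.48.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 192.168.1.1"
client-to-client
auth SHA512
max-clients 100
"""

# Constructed fragment mirroring the lines pasted in the thread: the quotes
# are typographic (as a web paste often makes them) and no route is pushed.
BROKEN_SERVER = """\
auth SHA512
push \u201cdhcp-option DOMAIN lan\u201d
push \u201cdhcp-option DNS 10.0.0.1\u201d
max-clients 100
"""

SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def parse_openvpn(text):
    """Split an OpenVPN config into (name, [args]) pairs.

    Returns (findings, directives). Blank and comment lines (# or ;) are
    skipped; typographic quotes are reported and then normalised so the line
    can still be tokenised the way the intended line would be.
    """
    findings, directives = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if any(q in line for q in SMART_QUOTES):
            findings.append(f"line {lineno}: typographic quotes; OpenVPN expects plain \" quotes")
            for q, plain in SMART_QUOTES.items():
                line = line.replace(q, plain)
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return findings, directives


def pushed_options(directives):
    """Flatten push "option args..." directives into (option, [args]) pairs."""
    out = []
    for name, args in directives:
        if name == "push" and args:
            parts = args[0].split()
            out.append((parts[0], parts[1:]))
    return out


def _same_network(args, net):
    """True if 'route <addr> <mask>' args describe exactly the network net."""
    try:
        return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False) == net
    except (IndexError, ValueError):
        return False


def check_server(text, green_net):
    """Lint a server.conf for the settings discussed in the thread.

    green_net is the LAN behind IPFire (e.g. "192.168.1.0/24"). Returns a
    list of human-readable findings; an empty list means nothing to report.
    """
    green = ipaddress.ip_network(green_net)
    findings, directives = parse_openvpn(text)
    pushed = pushed_options(directives)
    dhcp = {a[0].upper(): a[1:] for opt, a in pushed if opt == "dhcp-option" and a}

    if "DOMAIN" not in dhcp:
        findings.append('no push "dhcp-option DOMAIN ...": short host names will not resolve')
    if "DNS" not in dhcp:
        findings.append('no push "dhcp-option DNS ...": clients get no resolver for the LAN')
    else:
        try:
            dns = ipaddress.ip_address(dhcp["DNS"][0])
            if dns not in green:
                findings.append(f"pushed DNS {dns} is not inside green {green}")
        except (IndexError, ValueError):
            findings.append('push "dhcp-option DNS" carries no valid address')

    routes = [a for opt, a in pushed if opt == "route"]
    if not any(_same_network(a, green) for a in routes):
        findings.append(f"no pushed route for green {green}: clients may not reach the LAN")
    if not any(name == "client-to-client" for name, _ in directives):
        findings.append("client-to-client not set (only needed if VPN clients must reach each other)")
    return findings


if __name__ == "__main__":
    for label, conf, net in (("good", GOOD_SERVER, "192.168.1.0/24"),
                             ("broken", BROKEN_SERVER, "10.0.0.0/24")):
        print(f"{label}:", check_server(conf, net) or ["OK"])
```

Run it against a copy of /var/ipfire/ovpn/server.conf by reading the file into `check_server` with your own green subnet; a finding about typographic quotes is worth checking first, because a line OpenVPN cannot tokenise as intended is silently not the setting you meant to apply.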

I have temporarily switched to a wifi connection for the device in question.

Basically, it works. It’s now on my green LAN essentially. And, it’s pretty much the same situation, internet access, local server access, etc. works.

I’ve done a bunch of Wireshark monitoring now.

Wireshark shows the ICMP (ping) from the Android device and the reply. But, the reply is not seen by the device.

I see no activity in the IPFire logs about the addresses in question.

(Though I did notice a lot of dropped inputs from Russia… I’m assuming they are always probing.)