VPN up but no GREEN connectivity

Hi,

Have just done a clean install of IPFire 157 with R,G,B,O interfaces and am a long time user.

I have configured a roadwarrior Openvpn client with the RED interface and although the VPN connects fine and I can ping the GREEN interface, log into IPFIRE web interface on GREEN and ssh into GREEN interface, I cannot ping or ssh into any other machine on the GREEN network, using host name or IP address.

I don’t believe I’ve made a configuration error and have had no problem in the past doing this with other IPFire boxes. GREEN is on the 192.168.X.X network and I can see no obvious issues in the openvpn system logs. No modifications to any firewall rules have been made and there are no add-ons.

Any help much appreciated

Did you select the green interface in the advanced client options, where it says: “Client has access to these networks on IPFire’s site”?


Thanks for the reply. Yes, I have GREEN selected in those options and I see that route appear as setup when I initiate the remote connection, just before the “Initialization Sequence Completed” line.

I am trying to understand what is the problem you are facing. As a reference, I am connected with my laptop to my ipfire router by OpenVPN. I have a tunnel established from my laptop to my ipfire router:

Hasbeen-MBP:~ cfusco$ ifconfig
[...]
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
	inet6 fe80::6f01:63af:785c:fc8e%utun0 prefixlen 64 scopeid 0xc 
	nd6 options=201<PERFORMNUD,DAD>
utun10: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.1.4.38 --> 10.1.4.37 netmask 0xffffffff 

Next, I ssh to my router, I gain superuser privilege and I ping my nas in the green network. This shows that the router can ping the nas machine sitting behind. Here is the log:

Hasbeen-MBP:~ cfusco$ ssh -p222 ipfire.localdomain
Enter passphrase for key '/Users/cfusco/.ssh/id_rsa': 
Last login: Sat Jul 17 15:28:04 2021 from 10.1.4.38
-bash-5.1$ su
Password: 
[root@ipfire cfusco]# ping nas.localdomain
PING nas.localdomain (10.1.1.101) 56(84) bytes of data.
64 bytes from nas.localdomain (10.1.1.101): icmp_seq=1 ttl=64 time=0.522 ms
64 bytes from nas.localdomain (10.1.1.101): icmp_seq=2 ttl=64 time=0.543 ms
64 bytes from nas.localdomain (10.1.1.101): icmp_seq=3 ttl=64 time=0.506 ms
^C
--- nas.localdomain ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.506/0.523/0.543/0.030 ms

Now I log off my router and I directly ping my nas, basically from the OpenVPN IP address of my laptop tunnel (10.1.4.38) directly to the IP address of my nas in the green interface (10.1.1.101).

[root@ipfire cfusco]# 
exit
-bash-5.1$ 
logout
Connection to ipfire.localdomain closed.
Hasbeen-MBP:~ cfusco$ ping nas.localdomain
PING nas.localdomain (10.1.1.101): 56 data bytes
64 bytes from 10.1.1.101: icmp_seq=0 ttl=63 time=63.511 ms
64 bytes from 10.1.1.101: icmp_seq=1 ttl=63 time=53.024 ms
64 bytes from 10.1.1.101: icmp_seq=2 ttl=63 time=70.077 ms
^C
--- nas.localdomain ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 53.024/62.204/70.077/7.023 ms

Could you repeat the same steps and show the logs?

Hi,

So, I open my VPN connection and ssh into my IPFire router:

[rs@i7 ~]$ ssh -p 222 root@192.168.4.1
root@192.168.4.1's password:
Last login: Sun Jul 18 20:25:44 2021 from 10.250.75.6
[root@ipfire ~]# ping 192.168.4.11
PING 192.168.4.11 (192.168.4.11) 56(84) bytes of data.
64 bytes from 192.168.4.11: icmp_seq=1 ttl=64 time=0.204 ms
64 bytes from 192.168.4.11: icmp_seq=2 ttl=64 time=0.260 ms
64 bytes from 192.168.4.11: icmp_seq=3 ttl=64 time=0.275 ms

I close the ssh connection:

Bye bye.
Connection to 192.168.4.1 closed.

I then ping a server in the office:

[rs@i7 ~]$ ping 192.168.4.11
PING 192.168.4.11 (192.168.4.11) 56(84) bytes of data.
^C
--- 192.168.4.11 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6168ms

So it seems return traffic from anything on the GREEN network is not being routed back through the VPN.

Could you show the logs of ifconfig from the remote machine, like I did with my laptop? I would like to see you have the utun interface.

Here you go, I have obfuscated the ppp0 addresses:

[root@ipfire ~]# ifconfig
blue0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.2.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:ed:0b:a9:bf txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 28

green0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.4.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:ed:0b:a9:bc txqueuelen 1000 (Ethernet)
RX packets 3192989 bytes 4116498564 (3.8 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1541708 bytes 1348771022 (1.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 25

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 8263 bytes 460945 (450.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8263 bytes 460945 (450.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

orange0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.3.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:ed:0b:a9:be txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 27

ppp0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1492
inet XXX.XXX.XXX.XXX netmask 255.255.255.255 destination YYY.YYY.YYY.YYY
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 1592802 bytes 1324277547 (1.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3154834 bytes 4054827371 (3.7 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

red0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:e0:ed:0b:a9:bd txqueuelen 1000 (Ethernet)
RX packets 1613743 bytes 1373400945 (1.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3175776 bytes 4150811919 (3.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 26

red0.10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:e0:ed:0b:a9:bd txqueuelen 1000 (Ethernet)
RX packets 1613748 bytes 1337899809 (1.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3175780 bytes 4124862161 (3.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1400
inet 10.250.75.1 netmask 255.255.255.255 destination 10.250.75.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 9903 bytes 1453085 (1.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8747 bytes 5059281 (4.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

From the other end of the tunnel (like my laptop in the example)?

Sorry, my mistake. From this PC:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1400
inet 10.250.75.6 netmask 255.255.255.255 destination 10.250.75.5
inet6 fe80::9d1d:ea54:366:a18c prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 2322 bytes 891376 (870.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3213 bytes 539280 (526.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

If I understand correctly, you have a tunnel but your traffic is not routed beyond the gateway. Is “Redirect-Gateway def1” selected in the advanced server options?

No, that box is not selected. It’s not something I knowingly had to enable in the past.

Try and see if now it works.

I can’t change that setting with the openvpn server running, so will have to wait until I go into the office tomorrow. Thanks for your assistance.

Good luck. That option routes all the traffic to the VPN tunnel. Without it, I think you have to instruct the firewall to route the traffic with specific rules.

EDIT: I think the above statement is wrong. Reading the documentation more carefully, redirect-gateway is a client side directive. I think what happens is that your PC by default sends packets toward the tun interface only when addressed to the gateway. Probably you could instruct your client PC directly to route through the utun iface, but if you select the def flag on the server side, the client will be instructed to do so by the server.

OK thanks. As I say, this is a pretty vanilla setup and every time I have set up Openvpn in the past, on previous versions of IPFire, I have not had to set this. Perhaps it should be enabled by default.

I guess another option is to add 192.168.4.0/24 to the “Route push options”, in the advanced server settings.

Yes, but in your case it should not be 192.168.4.0 but 10.250.75.0/24

I have never had the redirect-gateway def1 checked. You check this so that your client connection is set up to route everything through the vpn without a choice.
Without it checked you have to set up your client to direct things where you want to. So on your phone you can set it up to connect to your mail server through the vpn but browse the internet via the local connection.

I am on Core Update 157 (via upgrade from 156) and will try out a vpn connection later from a wifi hotspot and see if it still works with my existing setup since the upgrade.

@bonnietwin
Yes, this is also my understanding. This means that in the case of OP, when he was doing an ssh to his OpenVPN gateway, his PC on the client side would route the traffic through the tunnel interface, however when he was trying to ping the machine in the green interface, the traffic was never sent to the tunnel interface and therefore never went to the gateway. This is a client side configuration problem, I think. The redirect-gateway def set in the server is a way to instruct the client, but it remains a client setting problem. This is how I understand the issue. Please correct me if I am wrong.
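To make the client-side routing hypothesis above and the earlier redirect-gateway def1 discussion concrete, here is an added example (not from this thread, and not IPFire or OpenVPN code): it runs a longest-prefix route lookup over constructed `ip route` tables built from the thread's tunnel addresses (tun0 10.250.75.6 -> 10.250.75.5) and GREEN network (192.168.4.0/24). The home LAN 192.168.1.0/24 on wlan0 and the device names are assumed.

```python
import ipaddress


def parse_ip_route(text):
    """Turn 'ip route show' output into (network, device) pairs.
    Only the destination and the 'dev' field matter for a lookup."""
    table = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        table.append((ipaddress.ip_network(dst, strict=False), dev))
    return table


def egress_interface(table, dst):
    """Longest-prefix match: the device the kernel would send dst out of."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def via_tunnel(route_text, hosts, tunnel_dev="tun0"):
    """Map each host to True if its packets would enter the tunnel at all."""
    table = parse_ip_route(route_text)
    return {h: egress_interface(table, h) == tunnel_dev for h in hosts}


# Constructed client table modelling cfusco's hypothesis: only the gateway's
# GREEN address is routed into the tunnel, everything else follows the default.
ONLY_GATEWAY = """
default via 192.168.1.254 dev wlan0
10.250.75.5 dev tun0 proto kernel scope link src 10.250.75.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
192.168.4.1 via 10.250.75.5 dev tun0
"""
# Server pushed the whole GREEN network (what "Client has access to these
# networks" / route push is meant to produce in the client's table).
GREEN_PUSHED = ONLY_GATEWAY.replace("192.168.4.1 via", "192.168.4.0/24 via")
# redirect-gateway def1 on top: OpenVPN adds two /1 routes that outrank the
# default route, so even Internet traffic enters the tunnel.
DEF1 = GREEN_PUSHED + "0.0.0.0/1 via 10.250.75.5 dev tun0\n128.0.0.0/1 via 10.250.75.5 dev tun0\n"

if __name__ == "__main__":
    for name, tbl in (("only gateway", ONLY_GATEWAY), ("green pushed", GREEN_PUSHED), ("def1", DEF1)):
        print(name, via_tunnel(tbl, ["192.168.4.1", "192.168.4.11", "8.8.8.8"]))
```

Paste your own client's `ip route show` output in place of the constructed tables to see which GREEN hosts would never reach the tunnel; a host that times out despite a correct table points at the return path (the target's gateway or firewall) instead.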

@cfusco
I see what you are saying. It makes sense to me but I am definitely not an expert with regard to Openvpn.
When I am accessing my machines on green via the vpn I am always doing it via ssh so I would not have that problem then.

When I try my vpn connection later then I should also try a ping from the laptops command line and see if that works or not.

Thing is, if I open the VPN connection from my home PC, I can ping the GREEN interface on IPFire from here:

[rs@i7 ~]$ ping 192.168.4.1
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=64 time=24.1 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=64 time=24.1 ms
64 bytes from 192.168.4.1: icmp_seq=3 ttl=64 time=24.3 ms
64 bytes from 192.168.4.1: icmp_seq=4 ttl=64 time=23.8 ms

I just cannot get any return pings from any other machine on the GREEN network, so to me it looks like traffic from GREEN is not being routed back through the VPN.

Edit: Later. The above sentence doesn’t make a lot of sense, as 192.168.4.1 is on the GREEN network…

I will be on site in a couple of hours, so will be able to check more fully then. Thanks again for the help.