VPN up but no GREEN connectivity

Have spent a few hours here trying things, but no luck.

Adding “Redirect-Gateway def1” did nothing and when I added 192.168.4.0/255.255.255.0 to the “Route Push Options”, I got an error message saying the GREEN interface is already added.

Below are the routing tables once the VPN is established:

IPFIRE end:
default via 125.236.192.9 dev ppp0
10.146.232.0/24 via 10.146.232.2 dev tun0
10.146.232.2 dev tun0 proto kernel scope link src 10.146.232.1
125.XXX.XXX.XXX dev ppp0 proto kernel scope link src 125.XXX.XXX.XXX
192.168.2.0/24 dev blue0 proto kernel scope link src 192.168.2.1 linkdown
192.168.3.0/24 dev orange0 proto kernel scope link src 192.168.3.1 linkdown
192.168.4.0/24 dev green0 proto kernel scope link src 192.168.4.1

Roadwarrior PC:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp4s0
10.146.232.1 10.146.232.5 255.255.255.255 UGH 0 0 0 tun0
10.146.232.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp4s0
192.168.4.0 10.146.232.5 255.255.255.0 UG 0 0 0 tun0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

I’m not hugely experienced routing-wise, but should there be some entries in the IPFIRE table, tying 192.168.4.0/24 to tun0?

Sorry for the delay in feedback of my results, something came up yesterday, so I have just been able to try it out with my Core Update 156 to 157 upgraded system.

I was able to make my OpenVPN connection with no problem. I could ssh in to my servers on my green network.
I then also tried ping from the command line on my client. I was able to successfully ping all my machines on my Green network, and a server I have on my Orange network and my IPFire system.

So I am not having any problems with VPN Green connectivity on a Core Update 157 system upgraded from 156.

That leaves us with either a problem with OpenVPN on a freshly installed Core Update 157 or something not set up right on your system.
When you installed your Core Update 157 system did you then restore a backup from some other system or did you set it up from scratch?

One test that could be done, but it will depend on the criticality of your IPFire availability, would be to install Core Update 156 and then upgrade it to 157 and then see if your OpenVPN clients can get a ping response.

I will make some screenshots up of my OpenVPN screens so you can compare your settings with my functioning system and see if there are any differences.

When your ping fails to work on the client command line does the client log say anything for the ping communication?

Could you try the ping command again but use

ping -c 4 green-pc-ip

This will try the ping 4 times and then will exit and give you the 4 lines of ping attempts together with the error message for the failure. It’s not very detailed but it might give us some hint as to how far the ping communication is getting.

Here are my OpenVPN screens, redacted for some items.

The following are my log information and the traffic graph for the client I used

When you have your OpenVPN connection created and can ping IPFire, do you also see that your client was logged in on the Logs - OpenVPN roadwarrior connections log page and get a traffic result in the Status - OpenVPN Road Warrior Statistics graph?


Hi Adolf,

Many thanks. The only response to the ping you asked me to do was:

[rs@i7 ~]$ ping -c 4 192.168.4.11
PING 192.168.4.11 (192.168.4.11) 56(84) bytes of data.

--- 192.168.4.11 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3100ms

No, it was a clean reinstall and full configuration from scratch. The previous IPfire box was probably 5 versions behind and I thought it safest to start from scratch. As far as installing 156 and upgrading, that is exactly what I did yesterday, to no effect.

Looking at your OpenVPN setup, mine is the same except an MTU of 1400, which I did not change, and the Encryption is set to AES-CBC 256, which again is the default.

I am pretty baffled, as I have done all this a number of times over the years and never had a problem, and I will retrieve the old IPfire box today and try to see what is different.

One thing I have just noticed is there are two differences in the .ovpn client file, that I download to install at home, compared to my previous working setup. The current file has the line “nobind” and the line “mssfix0”, neither present before. I will need to do some reading to see what they mean.

EDIT: the current client config also has the entries “auth SHA512” and “verify-x509-name XXXXXXXXX” and “remote-cert-tls server” vs the old “ns-cert-type server”, but I suspect if all these differences were significant, the whole VPN would not be working, not just access to GREEN.

So this indicates that there was no problem with resolution of the ip address and directing it to the correct place, just that there was no response back.

I also have those and the nobind and mssfix0. Here is my client config file slightly redacted but I suspect it will not have any surprises in it.

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1500
remote "fqdn" 1194
pkcs12 client.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name hostname.fqdn name
mssfix 0

Your situation is definitely puzzling. Everything suggests it should be working but it isn’t.

If the ping is going in to your green network successfully but not giving a response, is there anything in the logs of the Green computer that you are trying to contact? Does it record the ping arriving or is there no evidence of a ping coming in at all?

I don’t think the pinged server will be logging pings received. I did go looking in the log after attempting to ssh in and could find no record of a connection attempt.

Yes, I get full accounting for the logins and traffic used. All the OpenVPN logs seem quite normal - just some warnings about cipher usage that may be deprecated in future versions, which I think are harmless.

Then I have run out of ideas for the moment of what to look at.

If I think of anything further I will come back but hopefully there are other more experienced people with better ideas of what to look for.

Yes those warnings are not a problem. It is just flagging up that some ciphers are a bit old and weak and will be removed in the future so you should move to newer stronger ciphers if you are using any of those weaker ones but you are already on a strong cipher.

Thanks, I do appreciate the help. Of all the parts of the job that this move has entailed, the VPN was not something I thought was going to cause a problem.

A rather red faced apology. The linux server I was pinging, 192.168.4.11 had an incorrectly configured gateway address. In my defence for not having checked it earlier, the only other machine on the network, a Windows one that is DHCP-ing address info from IPFire, was not and still is not returning pings, but I’m not so concerned about that at this point.

Thanks again to everyone who took time and effort to look into this.
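The three checks this thread walked through (the firewall's return route to the VPN pool, the client's route to GREEN over tun0, and the pinged host's default gateway) condensed into a small shell script. This is an added example, not code from any of the posts; the route tables are constructed from the ones quoted above, and the wrong gateway value 192.168.4.254 is a hypothetical stand-in for whatever the misconfigured server had.

```shell
#!/bin/sh
# Constructed sample: the IPFire routing table quoted earlier in the thread.
IPFIRE_ROUTES='default via 125.236.192.9 dev ppp0
10.146.232.0/24 via 10.146.232.2 dev tun0
10.146.232.2 dev tun0 proto kernel scope link src 10.146.232.1
192.168.4.0/24 dev green0 proto kernel scope link src 192.168.4.1'

# Constructed sample: the roadwarrior's netstat-style table from the first post.
CLIENT_ROUTES='Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp4s0
192.168.4.0 10.146.232.5 255.255.255.0 UG 0 0 0 tun0'

# Constructed samples: `ip route` on the pinged GREEN host, first with a
# hypothetical wrong gateway (the thread's root cause), then corrected.
GREEN_HOST_BAD='default via 192.168.4.254 dev eth0
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.11'
GREEN_HOST_GOOD='default via 192.168.4.1 dev eth0
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.11'

# Firewall side: replies to the client must have a route back to the VPN
# pool over tun0. GREEN itself sits on green0, so no tun0 entry for
# 192.168.4.0/24 is expected there.
#   $1 = `ip route` text, $2 = VPN pool CIDR
has_vpn_return_route() {
    printf '%s\n' "$1" | grep -Eq "^$2 .* dev tun0"
}

# Client side: the pushed GREEN route must point out of tun0.
#   $1 = `route -n` text, $2 = destination, $3 = netmask
client_has_tun_route() {
    printf '%s\n' "$1" | grep -Eq "^$2 +[0-9.]+ +$3 +UG.* tun0\$"
}

# GREEN host side: its default route must be the IPFire GREEN address,
# otherwise replies to 10.146.232.x are sent to the wrong gateway.
#   $1 = `ip route` text, $2 = expected gateway
default_gw_is() {
    printf '%s\n' "$1" | grep -Eq "^default via $2( |\$)"
}

# Live use on each box, e.g. on the GREEN host: default_gw_is "$(ip route)" 192.168.4.1
```

Run the functions against `$(ip route)` or `$(route -n)` on the respective machine; a non-zero exit from the third check is exactly the misconfiguration this thread ended on.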

Glad you found the cause and resolved the problem.

Thank you for this thread! I’ve just set up OpenVPN and I embarrassingly admit that I forgot to switch on my NAS after holiday and wasn’t able to figure out why I couldn’t connect to it as a roadwarrior. What a shame!
