Ping a Specific Port

Question

BigKuma

Asked: 2024-09-20 11:12:10 +0800 CST2024-09-20 11:12:10 +0800 CST 2024-09-20 11:12:10 +0800 CST

VPN Server to VPN Client route

772

My goal is to setup a site-to-site bidirectional VPN. I want to be able to access the server side from the client side, and client side from the server side.

I am not doing anything advanced, and I tried to follow the instructions on the OpenVPN site-to-site connection guide. But, I think because I am using two DD-WRT routers as my server and client VPN's, I am having a problem corresponding the guide to my situation.

From the client side, I am able to connect to the server side network hosts. From the server side, I can't connect to the client side hosts.

Network map:

CG-NAT Network LAN 192.168.0.0/22 OpenVPN Client on DD-WRT 192.168.0.2

Regular Network LAN 192.168.4.0/22 OpenVPN Server on DD-WRT 192.168.4.2

Tunnel: 10.10.28.1 <-> 10.10.28.2 (I can see it setup correctly in the logs)

I control both sides, so I was trying to setup the routes to fix the issue. I suspect the routes (or the settings on the OpenVPN server) are wrong.

This is the routing table on the OpenVPN Client side:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 br0
10.10.28.0      *               255.255.255.0   U     0      0        0 tun1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.252.0   U     0      0        0 br0
192.168.4.0     10.10.28.1      255.255.252.0   UG    200    0        0 tun1

I can ping from anywhere in client network into 192.168.4.0 network:

# ping 192.168.4.222
PING 192.168.4.222 (192.168.4.222): 56 data bytes
64 bytes from 192.168.4.222: seq=0 ttl=63 time=42.244 ms
64 bytes from 192.168.4.222: seq=1 ttl=63 time=32.047 ms

This the the routing table on the OpenVPN Server host when I first bring it up:

default via 192.168.4.1 dev br0
10.10.28.0/24 dev tun2 scope link  src 10.10.28.1
127.0.0.0/8 dev lo scope link
192.168.4.0/22 dev br0 scope link  src 192.168.4.2

Observations: I can't ping from server network into 192.168.0.0 network. HOWEVER, while logged into the OpenVPN Server host (192.168.4.2), I can ping the other side of the tunnel (10.10.28.2)

# ping 10.10.28.2
PING 10.10.28.2 (10.10.28.2): 56 data bytes
64 bytes from 10.10.28.2: seq=0 ttl=64 time=40.287 ms
64 bytes from 10.10.28.2: seq=1 ttl=64 time=35.791 ms


# traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 46 byte packets
 1  192.168.4.1 (192.168.4.1)  5.108 ms  4.927 ms  3.953 ms
 2  *  *

So, my first guess was to add this route to match the Client's route for the Server subnet:

route add -net 192.168.0.0 netmask 255.255.252.0 gw 10.10.28.2 metric 200 tun2

This created an additional entry:

192.168.0.0     10.10.28.2      255.255.252.0   UG    200    0        0 tun2

That made some difference, but traceroute or pings don't come back.

# traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 46 byte packets
 1  *  *  *

Obviously I am a beginner, so let me know what more info is needed to help me.

1 Answers

Voted

user3450564 · Answer 1 · 2024-10-10T20:00:39+08:00

OpenVPN Access to LAN behind client (and vice versa)

https://community.openvpn.net/openvpn/wiki/RoutedLans

That should be a pretty standard concern with site-to-site openvpn. If I understand correctly, on you server side, you added:

a route to 192.168.0.0/22 through the vpn, which is the network behind your client,
that route goes via gateway 10.10.28.2 which is the inside-VPN address of your server, Correct ?

Since you added a route to the VPN, your server should direct a packet to 192.168.0.2 (or any last byte number in the /22 subnet) through the vpn. However, openvpn does not know to which VPN termination point to direct this.

NB: it likely works from client subnet TO server subnet because the client must add a default route through the VPN so anything will be sent through to the server.

Hence openvpn has a concept of internal route "iroute", so that it knows which VPN termination point the packet for a particular ip range.

in the server config file you need to add:

route 192.168.0.0 255.255.255.0
client-config-dir ccd

This will tell that packets for this subnet need to be sent to the vpn interface.

And enable the client specific folder ccd in the config file on the server:

ifconfig-push 10.10.28.1 255.255.255.0 (this will set the ip address, if all is static I guess that can be omitted if your client has a fixed ip in its config).

iroute 192.168.0.0 255.255.255.0

This is what will make openvpn understand that packets entering the vpn with that subnet as destination need to be sent to that particular client.

With these 2, you do not need to manually add any route to the client, openvpn will add the VPN internal routes (unrelated to the kernel routing table btw), as well as the correct kernel routing table entry.

The client should have the necessary to route to its own subnet machines.

VPN Server to VPN Client route

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?