The ultimate goal is for the client to have complete access to the
server internal subnet. Currently I have the firewall pretty much shut
off on both the internal and tunnel interfaces. Below is all the
configuration info I think is pertinent.
The big question is why the ARP packets are being broadcast on the
internal subnet NIC when there is a route going over the tunnel
interface for the IP address of the client.
Not sure what the hell I've got screwed up. Any hints would be greatly
appreciated.
**********************************************************************
OpenVPN server
--------------
Internal subnet:
eth0 Link encap:Ethernet HWaddr 00:22:15:7F:76:95
inet addr:10.91.91.10 Bcast:10.91.91.255 Mask:255.255.255.0
inet6 addr: fe80::222:15ff:fe7f:7695/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4565330 errors:0 dropped:0 overruns:0 frame:0
TX packets:3888446 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:521713805 (497.5 MiB) TX bytes:7145436968 (6.6 GiB)
------------------------------------------------------------------------
Public subnet (Public IP redacted):
eth1 Link encap:Ethernet HWaddr 00:22:15:7F:76:C9
inet addr:1.2.3.4 Bcast:1.2.3.255 Mask:255.255.255.0
inet6 addr: 1::2:3:4:5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:187173 errors:0 dropped:0 overruns:0 frame:0
TX packets:19175 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12531332 (11.9 MiB) TX bytes:2582328 (2.4 MiB)
Interrupt:248 Base address:0xc000
------------------------------------------------------------------------
Tunnel interface:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.91.92.1 P-t-P:10.91.92.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:6679 errors:0 dropped:0 overruns:0 frame:0
TX packets:3597 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:750902 (733.3 KiB) TX bytes:1602243 (1.5 MiB)
------------------------------------------------------------------------
netstat -r (Public IP redacted):
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.91.92.2      *               255.255.255.255 UH    0   0      0    tun0
1.2.3.0         *               255.255.255.0   U     0   0      0    eth1
10.91.91.0      *               255.255.255.0   U     0   0      0    eth0
10.91.92.0      elephant.nowher 255.255.255.0   UG    0   0      0    eth0
10.91.92.0      10.91.92.2      255.255.255.0   UG    0   0      0    tun0
192.168.122.0   *               255.255.255.0   U     0   0      0    virbr0
169.254.0.0     *               255.255.0.0     U     0   0      0    eth1
default         10.91.91.1      0.0.0.0         UG    0   0      0    eth0
------------------------------------------------------------------------
IP Forwarding:
sysctl -a|egrep 'ipv4.*forward'
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.virbr0.mc_forwarding = 0
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
**********************************************************************
Client System
-------------
Internal subnet:
eth1 Link encap:Ethernet HWaddr 00:1d:7d:95:b5:a9
inet addr:192.168.91.201 Bcast:192.168.91.255 Mask:255.255.255.0
inet6 addr: fe80::21d:7dff:fe95:b5a9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:45639 errors:0 dropped:0 overruns:0 frame:0
TX packets:39144 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:33860135 (33.8 MB) TX bytes:15047149 (15.0 MB)
Interrupt:24 Base address:0xe000
------------------------------------------------------------------------
Tunnel interface:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.91.92.10 P-t-P:10.91.92.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:5976 (5.9 KB)
------------------------------------------------------------------------
netstat -r:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.91.92.9      *               255.255.255.255 UH    0   0      0    tun0
10.91.91.0      10.91.92.9      255.255.255.0   UG    0   0      0    tun0
10.91.92.0      10.91.92.9      255.255.255.0   UG    0   0      0    tun0
192.168.91.0    *               255.255.255.0   U     0   0      0    eth1
link-local      *               255.255.0.0     U     0   0      0    eth1
default         usr8200a.anywhe 0.0.0.0         UG    0   0      0    eth1
------------------------------------------------------------------------
**********************************************************************
OpenVPN conf
------------
Server:
cat server.conf|egrep -v '^#'
;local a.b.c.d
port 11194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/elephant.crt
key /etc/openvpn/keys/elephant.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
server 10.91.92.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 10.91.91.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "dhcp-option WINS 10.91.91.10"
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
log-append /var/log/openvpn.log
verb 4
;mute 20
------------------------------------------------------------------------
Client (server domain redacted):
cat client.conf|egrep -v '^#'
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote openvpn.nowhere.com 11194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/snowman.crt
key /etc/openvpn/keys/snowman.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
log-append /var/log/openvpn.log
verb 6
;mute 20
Greenbird wrote:
> The OpenVPN server is seeing the packets from the client but it's
> sending ARP whois packets for the clients IP address. Only problem being
> that it's sending them on the internal subnet NIC rather than the tunnel
> interface so it's not getting any replies.
Usually ARP requests on the wrong interface indicate a routing problem.
You can check the routing decision for a destination address with the
command "ip route get <address>".
> OpenVPN server
> --------------
[...]
> Public subnet (Public IP redacted):
> eth1 Link encap:Ethernet HWaddr 00:22:15:7F:76:C9
> inet addr:1.2.3.4 Bcast:1.2.3.255 Mask:255.255.255.0
Note: When you make up an IPv4 address, you could use the address range
192.0.2.0/24 which is reserved for the purpose of examples and
documentation. 1.2.3.4 is allocated, and probably not to you.
> inet6 addr: 1::2:3:4:5/64 Scope:Link
Note: Making up a link local IPv6 address is pointless, it is derived
from the MAC address so it can be recalculated easily.
> Tunnel interface:
> tun0 Link encap:UNSPEC HWaddr
> inet addr:10.91.92.1 P-t-P:10.91.92.2 Mask:255.255.255.255
[...]
> netstat -r (Public IP redacted):
Note: Please use -n so addresses are not translated into names, which
is confusing.
> Destination Gateway Genmask Flags MSS Window irtt Iface
[...]
> 10.91.92.0 elephant.nowher 255.255.255.0 UG 0 0 0 eth0
> 10.91.92.0 10.91.92.2 255.255.255.0 UG 0 0 0 tun0
These are two conflicting routes. One must be wrong.
> Client System
> -------------
[...]
> Tunnel interface:
> tun0 Link encap:UNSPEC HWaddr
> inet addr:10.91.92.10 P-t-P:10.91.92.9 Mask:255.255.255.255
The addresses don't match the addresses of the tunnel interface on the
server.
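The two checks suggested in the reply above, the egress device reported by "ip route get" and a scan of the routing table for duplicate destination/genmask entries on different interfaces, as an added shell helper that is not part of this thread. The routing-table text is constructed from the server's netstat output posted earlier; the awk parsing only looks at the destination, genmask and interface columns.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). Both read text on stdin.

# Print "dest/genmask: ifaceA vs ifaceB" for every destination/genmask pair
# that appears on more than one interface in `netstat -rn`-style output.
# The two header lines are skipped; data rows have 8 columns.
find_conflicting_routes() {
    awk 'NR > 2 && NF >= 8 {
             key = $1 "/" $3
             if (key in iface) {
                 if (iface[key] != $8)
                     print key ": " iface[key] " vs " $8
             } else {
                 iface[key] = $8
             }
         }'
}

# Extract the interface that follows the "dev" token in `ip route get` output,
# e.g. "10.91.92.2 dev tun0 src 10.91.92.1" -> "tun0".
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Constructed sample: the server routing table from the thread, reduced to the
# rows that matter for the tunnel (gateway names left as netstat printed them).
SERVER_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.91.92.2      *               255.255.255.255 UH    0   0      0    tun0
10.91.91.0      *               255.255.255.0   U     0   0      0    eth0
10.91.92.0      elephant.nowher 255.255.255.0   UG    0   0      0    eth0
10.91.92.0      10.91.92.2      255.255.255.0   UG    0   0      0    tun0
default         10.91.91.1      0.0.0.0         UG    0   0      0    eth0'

# Constructed sample of what `ip route get 10.91.92.2` prints on the server
# once only the tun0 route for 10.91.92.0/24 remains.
ROUTE_GET_OUT='10.91.92.2 dev tun0 src 10.91.92.1 uid 0'

# Stand-alone usage: list conflicts, then show which device a lookup picks.
printf '%s\n' "$SERVER_ROUTES" | find_conflicting_routes
printf '%s\n' "$ROUTE_GET_OUT" | route_dev
```

On a live box, pipe "netstat -rn" (or "ip route get 10.91.92.2") into the same functions instead of the constructed samples.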
> Usually ARP requests on the wrong interface indicate a routing problem.
> You can check the routing decision for a destination address with the
> command "ip route get <address>".
>
>
>> Destination Gateway Genmask Flags MSS Window irtt Iface
> [...]
>> 10.91.92.0 elephant.nowher 255.255.255.0 UG 0 0 0 eth0
>> 10.91.92.0 10.91.92.2 255.255.255.0 UG 0 0 0 tun0
>
> These are two conflicting routes. One must be wrong.
Yup, that was it. Thanks for all the input.