[re-send with proper sender address - sorry]
On 11/02/16 00:05, John Hayden wrote:
I have an OpenVPN server set up on a CentOS 7 box running firewalld. It seems to be working well except for one problem.
Some scenarios:
Client (eth0 192.168.1.x, tun0 10.201.0.6) -----> VpnServer (enp4s0 faces internet, enp3s0 internal with 10.200.0.1/16 and tun0 internal with 10.201.0.1/16)
Connection from Client -> VpnServer: good
Client ping -> both 10.200.0.1 and 10.200.0.10: good
Client ssh -> 10.200.0.1: good
Client ssh -> another server on the 10.200.0.0/16 network: connection refused
This can be a routing issue just as much as a firewall issue, and it may be on both your OpenVPN server as well as the other box in your 10.200.0.0/16 net. So we need to eliminate a few things first.
0) I presume IPv4 forwarding is enabled ('sysctl net.ipv4.ip_forward' should return 1)
1) Have a look at both the tun0 and enp3s0 interfaces using tcpdump. See if the traffic stops somewhere when you're doing ping. You should see both ICMP echo request and replies on both interfaces.
# tcpdump -ni enp3s0 icmp
If you have much traffic going on, you can reduce it further:
# tcpdump -ni enp3s0 icmp and net 10.200.0.0/24
This should provide only ICMP packets coming from/going to the VPN interface.
2) If you see ICMP echo requests entering enp3s0 but no ICMP echo replies, it may indicate either a firewall issue on the VPN server or the destination computer - or, just as likely, issues with a return route on your destination computer. Return routes are important if your VPN server is not on your default gateway, or before your gateway.
In the OpenVPN community we also often point people to this troubleshooting helper: http://pekster.sdf.org/misc/serverlan.png When using this one, it usually helps to have temporarily turned off the firewall, to get the basic networking working before protecting it with iptables.
I hope this can help you in the right direction of debugging. If everything works without firewalls enabled, then it would be useful to see the output of iptables-save (pastebin or attachment) with your ruleset loaded.
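As an added illustration of steps 1 and 2 above (not code from the thread), this script classifies short tcpdump captures from tun0 and enp3s0 into ICMP echo requests and replies and reports where along the ping path the traffic stops. The capture lines are constructed samples in tcpdump -n output format for the topology in the question (client tun0 10.201.0.6, LAN host 10.200.0.10); the file names and verdict strings are my own choice.

```shell
# Constructed sample captures in tcpdump -n output format (not real output
# from the thread): echo requests from the client (10.201.0.6) are forwarded
# out enp3s0 towards the LAN host (10.200.0.10), but no reply ever comes back.
tmp=$(mktemp -d)
cat > "$tmp/tun0.txt" <<'EOF'
12:00:01.000100 IP 10.201.0.6 > 10.200.0.10: ICMP echo request, id 4242, seq 1, length 64
12:00:02.000100 IP 10.201.0.6 > 10.200.0.10: ICMP echo request, id 4242, seq 2, length 64
EOF
cat > "$tmp/enp3s0.txt" <<'EOF'
12:00:01.000200 IP 10.201.0.6 > 10.200.0.10: ICMP echo request, id 4242, seq 1, length 64
12:00:02.000200 IP 10.201.0.6 > 10.200.0.10: ICMP echo request, id 4242, seq 2, length 64
EOF

count_icmp() {
    # $1 = capture file, $2 = "request" or "reply"; prints the matching line count
    grep -c "ICMP echo $2" "$1" || true
}

# Prints one verdict for the path client -> tun0 -> enp3s0 -> LAN host and back,
# checking the hops in the order the reply above suggests.
diagnose_ping_path() {
    tun_cap=$1
    lan_cap=$2
    if [ "$(count_icmp "$tun_cap" request)" -eq 0 ]; then
        echo "NO_REQUEST_ON_tun0"     # client traffic never enters the tunnel
    elif [ "$(count_icmp "$lan_cap" request)" -eq 0 ]; then
        echo "NO_REQUEST_ON_enp3s0"   # not forwarded: ip_forward=0 or FORWARD rules drop it
    elif [ "$(count_icmp "$lan_cap" reply)" -eq 0 ]; then
        echo "NO_REPLY_ON_enp3s0"     # LAN host firewall, or its return route to 10.201.0.0/16
    elif [ "$(count_icmp "$tun_cap" reply)" -eq 0 ]; then
        echo "NO_REPLY_ON_tun0"       # reply reached the VPN server but was dropped there
    else
        echo "OK"
    fi
}

diagnose_ping_path "$tmp/tun0.txt" "$tmp/enp3s0.txt"   # prints NO_REPLY_ON_enp3s0
```

To use it on a real box, save the output of the two tcpdump commands from step 1 (one per interface) and pass those files instead of the samples.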