David,

   Thanks for the information.  Pinging works fine. The trouble I am having is with ssh. After making my vpn connection, I can ssh into the vpn server but I cannot ssh directly to any other server behind the vpn server. I am not using iptables but firewalld. I would like to get this to work with firewalld but can’t quite figure out what is going on

John Hayden

On Feb 11, 2016, at 5:07 AM, David Sommerseth <dsommers@fedoraproject.org> wrote:

[re-send with proper sender address - sorry]

On 11/02/16 00:05, John Hayden wrote:
I have an openvpn server set up on a Centos 7 box running
firewallD. It seems to be working well except for one problem.

Some scenarios:

Client (etho 192.168.1.x, tun0 10.201.0.6) ———————————>VpnServer
(enp4s0 faces internet, enp3s0 internal with 10.200.0.1/16 and tun0
internal with 10.201.0.1/16)

Connection from Client -> VpnServer  —  Good Client ping —> both
10.200.0.1 and 10.200.0.10   — Good Client ssh —> 10.200.0.1  —
Good Client ssh —> to another server on the 10.200.0.0/16 network —
connection refused

This can be a routing issue just as much as a firewall issue, and it
may be on both your openvpn server as well as the other box in you
10.200.0.0/16 net.  So we need to eliminate a few things first.

0) I presume IPv4 forwarding is enabled ('sysctl net.ipv4.ip_forward'
should return 1)

1) Have a look at both the tun0 and enp3s0 interfaces using tcpdump.
See if the traffic stops somewhere when you're doing ping.  You should
see both ICMP echo request and replies on both interfaces.

  # tcpdump -ni enp3s0 icmp

 If you have much traffic going on, you can reduce it further:

  # tcpdump -ni enp3s0 icmp and net 10.200.0.0/24

 This should provide only ICMP packets coming from/going to the VPN
 interface.

2) If you see ICMP echo requests entering enp3s0 but no ICMP echo
replies, it may indicate either a firewall issue on the VPN server or
the destination computer - or, just as likely, issues with a return
route on your destination computer.  Return routes are important if
your VPN server is not on your default gateway, or before your gateway.

In the OpenVPN community we also often point people to this
troubleshoot helper: <http://pekster.sdf.org/misc/serverlan.png>
When using this one it usually helps to have temporarily turned off
the firewall, to get the basic networking working before protecting it
with iptables.

I hope this can help you in the right direction of debugging.  If
everything works without firewalls enabled, then it would be useful to
see the output of iptables-save (pastebin or attachment) with your
ruleset loaded.


-- 
kind regards,

David Sommerseth



On the VpnServer I have enp4s0 in the external zone enp3s0 and tun0
in the internal zone along with ssh turned on on the internal zone

Here is my routing table on the VpnServer (public ip obscured)

netstat -r Kernel IP routing table Destination     Gateway
Genmask         Flags   MSS Window  irtt Iface default
207-xxx-xxx-169 0.0.0.0         UG        0 0          0 enp4s0
default         10.200.0.1      0.0.0.0         UG        0 0
0 enp3s0 10.200.0.0      0.0.0.0         255.255.0.0     U
0 0          0 enp3s0 10.201.0.0      10.201.0.2      255.255.255.0
UG        0 0          0 tun0 10.201.0.2      0.0.0.0
255.255.255.255 UH        0 0          0 tun0 207.xxx.xxx.168
0.0.0.0         255.255.255.248 U         0 0          0 enp4s0

I’m not sure if its a routing issue or a firewall issue (I’m
leaning towards the latter) but when I turn off firewalld,
everything seems to work ok.

Anybody have any clues or insight?

Thanks in advance

John Hayden


-- 
kind regards,

David Sommerseth
_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/firewalld-users@lists.fedorahosted.org