I'm having a problem pinging from my VPN server to a client (and not the other way).
I have an openvpn server: 10.8.0.1/16.
I have a client 1 where all traffic is routed through the VPN: 10.8.1.9/16. No problem with this client 1: everything works.
I have a client 2 (10.8.1.3/16) where I would like traffic not to be routed through the VPN but the machines to be accessible. This client 2, 10.8.1.3, can ping the server -> 10.8.0.1 ping OK. But the server cannot ping client 2... :(
I've been looking for 2 days and despite reading documentation and other posts, I can't find it.
Anyone have an idea?
Here is my configuration. Server:
server 10.8.0.0 255.255.0.0
dev tun
topology subnet
cipher AES-256-GCM
auth SHA256
verb 3
# keys here
# ...
###
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /etc/openvpn/openvpn-status.log
user nobody
group nogroup
#comp-lzo no
### Route Configurations Below
### Push Configurations Below
push "block-outside-dns"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.8.0.1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# To set the path to the client config files
client-config-dir /etc/openvpn/ccd
# To refuse connections from clients without a config file
ccd-exclusive
# To allow openvpn-monitor
management 0.0.0.0 5555
ifconfig-pool-persist ipp.txt
explicit-exit-notify 1
Route table:
default via 10.255.255.1 dev ens192
10.8.0.0/16 via 172.8.0.2 dev br-2222222222
10.255.255.1 dev ens192 scope link
172.8.0.0/24 dev br-2222222222 proto kernel scope link src 172.8.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
As you can see in this route table, the VPN traffic (10.8.0.0/16) is routed via 172.8.0.2. In fact, my OpenVPN runs in Docker.
My client 2 (10.8.1.3) VPN config:
client
nobind
dev tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
remote my-server-vpn.com 1194 udp
key-direction 1
# To not consider the server redirect-gateway in order to avoid all traffic through VPN Gateway
pull-filter ignore "redirect-gateway"
Route table of client 2 (10.8.1.3) (when the VPN client is running):
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.3 metric 100
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.1.3
<my-server-vpn-ip> via 192.168.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-1111111111 proto kernel scope link src 172.18.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 metric 100
192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.3 metric 100
Ping from 10.8.1.3 to 10.8.0.1: OK
Ping from 10.8.0.1 to 10.8.1.3: KO
I hope someone can help me.
Thank you very much!
I have found the solution:
# From my client2, to see the ping request
tcpdump icmp
# From my server, exec the ping
ping 10.8.1.3
On my client 2, this command tells me that the ping arrives with the address 172.8.0.1. So, I have added the following line in the client 2 config file:
route 172.8.0.1 255.255.255.0
This solves my problem, and now I can ping client 2 from the server.
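To see why the fix works, it helps to run the client's own routing decision for the echo reply. The following script is an added example, not code from the question or the answer: it parses the client 2 route table quoted above (with the `<my-server-vpn-ip>` host route replaced by the constructed placeholder 203.0.113.10), does a longest-prefix-match lookup the way the kernel does, and shows which interface a reply to 172.8.0.1 leaves on before and after the answer's `route` directive. It assumes that OpenVPN installs `route 172.8.0.1 255.255.255.0` as a kernel route for the covering network 172.8.0.0/24 on tun0; the route-table text and that extra route line are constructed for the example.

```python
import ipaddress

# Constructed copy of the client 2 route table from the question.
# <my-server-vpn-ip> is replaced by the documentation address 203.0.113.10.
CLIENT2_ROUTES_BEFORE = """\
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.3 metric 100
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.1.3
203.0.113.10 via 192.168.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-1111111111 proto kernel scope link src 172.18.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 metric 100
192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.3 metric 100
"""


def openvpn_route_to_network(address, netmask):
    """Network that an OpenVPN `route <address> <netmask>` directive covers.

    Host bits are masked off, so `route 172.8.0.1 255.255.255.0` covers
    the whole Docker bridge subnet 172.8.0.0/24, not just the one host.
    """
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


# Assumed kernel route that the answer's directive adds on the tunnel.
EXTRA_ROUTE_AFTER_FIX = f"{openvpn_route_to_network('172.8.0.1', '255.255.255.0')} dev tun0\n"


def parse_routes(text):
    """Parse `ip route` output into (network, device, gateway, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)
        dev = gateway = None
        metric = 0
        # Walk the "key value" pairs that follow the destination.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "dev":
                dev = value
            elif key == "via":
                gateway = value
            elif key == "metric":
                metric = int(value)
        routes.append((network, dev, gateway, metric))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; lower metric wins among equal prefix lengths."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def return_path_device(routes, ping_source):
    """Interface the client's ICMP echo reply to `ping_source` leaves on."""
    route = lookup(routes, ping_source)
    return route[1] if route else None


if __name__ == "__main__":
    before = parse_routes(CLIENT2_ROUTES_BEFORE)
    after = parse_routes(CLIENT2_ROUTES_BEFORE + EXTRA_ROUTE_AFTER_FIX)
    for label, table in (("before fix", before), ("after fix", after)):
        print(f"{label}: reply to 172.8.0.1 leaves via",
              return_path_device(table, "172.8.0.1"))
    print("reply to 10.8.0.1 leaves via", return_path_device(before, "10.8.0.1"))
```

Before the fix the only route matching 172.8.0.1 is the default route, so the reply goes out eth0 toward the LAN gateway and never enters the tunnel, which is exactly the one-way ping in the question; the ping to 10.8.0.1 works because 10.8.0.0/16 already points at tun0. After the fix the /24 on tun0 is the longest match and the reply returns through the VPN. When reading `tcpdump icmp` output on the client, the source address of the arriving echo request is the address to check against the client's route table.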