
Openvpn: Server cannot ping a client which ignores redirect-gateway


I'm having a problem pinging from my vpn server to a client (and not the other way).

I have an openvpn server: 10.8.0.1/16.

I have a client 1 where all traffic is routed through the VPN: 10.8.1.9/16. No problem with this client 1: everything works.

I have a client 2 (10.8.1.3/16) where I would like traffic not to be routed through the VPN but the machines to be accessible. This client 2, 10.8.1.3, can ping the server -> 10.8.0.1 ping ok. But, the server cannot ping client 2... :(

I've been looking for 2 days and despite reading documentation and other posts, I can't find it.

Anyone have an idea?

Here is my configuration. Server:

    server 10.8.0.0 255.255.0.0
    dev tun
    topology subnet
    cipher AES-256-GCM
    auth SHA256
    verb 3
    # keys here
    # ...
    ###
    key-direction 0
    keepalive 10 60
    persist-key
    persist-tun
    proto udp
    # Rely on Docker to do port mapping, internally always 1194
    port 1194
    dev tun0
    status /etc/openvpn/openvpn-status.log
    user nobody
    group nogroup
    #comp-lzo no
    ### Route Configurations Below
    ### Push Configurations Below
    push "block-outside-dns"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 172.8.0.1"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    # To set the path to the client config files
    client-config-dir /etc/openvpn/ccd
    # To refuse connections from clients without a config file
    ccd-exclusive
    # To allow openvpn-monitor
    management 0.0.0.0 5555
    ifconfig-pool-persist ipp.txt
    explicit-exit-notify 1

Route table:

    default via 10.255.255.1 dev ens192
    10.8.0.0/16 via 172.8.0.2 dev br-2222222222
    10.255.255.1 dev ens192 scope link
    172.8.0.0/24 dev br-2222222222 proto kernel scope link src 172.8.0.1
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

As you can see in this route table, the VPN traffic (10.8.0.0/16) is routed via 172.8.0.2. In fact, my OpenVPN runs on Docker.

My client 2 (10.8.1.3) VPN config:

    client
    nobind
    dev tun
    remote-cert-tls server
    cipher AES-256-GCM
    auth SHA256
    remote my-server-vpn.com 1194 udp
    key-direction 1
    # To not consider the server redirect-gateway in order to avoid all traffic through VPN Gateway
    pull-filter ignore "redirect-gateway"

Route table of client 2 (10.8.1.3) (when the VPN client is running):

    default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.3 metric 100
    10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.1.3
    <my-server-vpn-ip> via 192.168.1.1 dev eth0
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    172.18.0.0/16 dev br-1111111111 proto kernel scope link src 172.18.0.1
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 metric 100
    192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.3 metric 100

Ping from 10.8.1.3 to 10.8.0.1: OK
Ping from 10.8.0.1 to 10.8.1.3: KO

I hope someone can help me.

Thank you very much!


Solution

  • I have found the solution:

        # From my client2, to see the ping request
        tcpdump icmp
        # From my server, exec the ping
        ping 10.8.1.3

    On my client2, this command tells me that the ping arrives with the address 172.8.0.1. So, I have added the following line in the client2 config file:

        route 172.8.0.1 255.255.255.0

    This solves my problem and now I can ping the client2 from the server.
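Added illustration, not part of the question or the answer above: a small Python route-lookup simulation (assumed tooling, not OpenVPN's own code) over the two posted route tables. It shows why the Docker host's ping leaves with source 172.8.0.1, and why client 2, having no route for that address over tun0, would answer via eth0 until the `route` line from the answer is applied. The placeholder 203.0.113.10 stands in for the redacted <my-server-vpn-ip>.

```python
import ipaddress

# Route tables as posted in the question (constructed sample input; the
# redacted <my-server-vpn-ip> is replaced by the placeholder 203.0.113.10).
SERVER_ROUTES = """\
default via 10.255.255.1 dev ens192
10.8.0.0/16 via 172.8.0.2 dev br-2222222222
10.255.255.1 dev ens192 scope link
172.8.0.0/24 dev br-2222222222 proto kernel scope link src 172.8.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown"""
CLIENT2_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.3 metric 100
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.1.3
203.0.113.10 via 192.168.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-1111111111 proto kernel scope link src 172.18.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 metric 100
192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.3 metric 100"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device, preferred src or None)."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        src = f[f.index("src") + 1] if "src" in f else None
        routes.append((ipaddress.ip_network(dst, strict=False), f[f.index("dev") + 1], src))
    return routes

def lookup(routes, dst):
    """Longest-prefix match like the kernel. Source address: the route's own
    src, else (simplified preferred-source rule) the src of the connected
    route on the chosen device."""
    addr = ipaddress.ip_address(dst)
    net, dev, src = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    src = src or next(s for n, d, s in routes if d == dev and s)
    return dev, src

def ping_source_from_server():
    """Source address the Docker host puts on `ping 10.8.1.3` (hypothetical helper)."""
    return lookup(parse_routes(SERVER_ROUTES), "10.8.1.3")[1]

def client2_reply_device(route_directive=None):
    """Device client 2 answers 172.8.0.1 on, optionally after an OpenVPN
    `route <network> <netmask>` line has been installed on tun0."""
    routes = parse_routes(CLIENT2_ROUTES)
    if route_directive:
        net = ipaddress.ip_network("/".join(route_directive.split()[-2:]), strict=False)
        routes.append((net, "tun0", None))
    return lookup(routes, "172.8.0.1")[0]
```

Without the extra route the reply takes the default route out eth0 and never reaches the VPN; with `route 172.8.0.1 255.255.255.0` (masked to 172.8.0.0/24) it is sent over tun0.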