CentOS 7 as OpenVPN client in a split tunnel, ping -I tun0 not working.

dada216
Posts: 1
Joined: 2019/08/25 12:19:32

Post by dada216 » 2019/08/25 12:59:37

Hi all.
Been using CentOS for years as a hobbyist, absolutely great distro, I love it.

So this is on a minimal CentOS 7 install on a VPS.

This VPS is a storage server and a video streaming server. It's connected to an OpenVPN server on another VPS, and one service on this storage server (the video streaming server) needs to bind to the VPN IP, but other services on the box and its connectivity (updates, etc.) should NOT be routed through the VPN; because of this, redirecting the default gateway on this machine to the VPN server with an OpenVPN directive is out of the question.

Furthermore, I need this service that binds to the VPN to make all outgoing connections over the VPN and reach the internet (and be reached from the internet) through the VPN gateway. There are internal DNS mappings, so this machine should also use a DNS server on the VPN.

I have a working VPN where this client connects to the OpenVPN server, authenticates, and reaches (and can be reached by) other VPN clients. The problem is I can't seem to be able to reach the internet through the VPN server, only other VPN clients.

I know that the OpenVPN server is working: it's a pfSense box (so it's also a firewall) and I have correctly configured outbound NAT and firewall rules to allow anything on the VPN IPs to go from anywhere to anywhere. I have also configured on the same pfSense machine another OpenVPN server that does redirect the traffic from its clients, and those machines do browse the internet, so the problem is not there; it's on the CentOS 7 storage server.

As a matter of fact, on this client I can't even do this:

Code:

$ ping -I tun0 www.google.com

Code:

$ mtr -a 10.0.3.2 www.google.com

They both hang, but they should work, so I don't know where to go from here. I am fairly certain the issue is in the client configuration, either the VPN client conf file or something about the networking settings that I'm missing.

Here are the relevant files.

OPENVPN SERVER CONFIG

Code:

dev ovpns2
verb 5
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-GCM
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh dada-cloud.vpn"
local PUBLIC IP OF THE OPENVPN SERVER
engine rdrand
tls-server
server 10.0.3.0 255.255.255.0
server-ipv6 fe80:1::/64
client-config-dir /var/etc/openvpn-csc/server2
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user HIDDEN= false server2 1195
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsense-openvpn-server-cert' 1"
lport 1195
management /var/etc/openvpn/server2.sock unix
max-clients 5
# Pushed routes: only the two private subnets. No redirect-gateway is pushed,
# so the client keeps its own default route on eth0 (split tunnel, as intended).
push "route 10.0.2.0 255.255.255.0"
push "route-ipv6 fe80::/64"
push "dhcp-option DOMAIN dada-cloud.vpn"
push "dhcp-option DNS 10.0.3.1"
push "register-dns"
push "dhcp-option NTP 10.0.3.1"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2.tls-auth 0
ncp-ciphers AES-128-GCM:AES-128-CBC
persist-remote-ip
float
topology subnet
fast-io
sndbuf 2097152
rcvbuf 2097152

OPENVPN CLIENT CONFIG

Code:

# Client side: no redirect-gateway and no route-nopull, so the routes installed
# come only from the server's push directives and the default route stays on eth0.
dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-128-GCM
ncp-ciphers AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote OPENVPN.SERVER.IP.ADDRESS 1195 udp
verify-x509-name "pfsense-openvpn-server-cert" name
auth-user-pass vpnlogin.conf
remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
HIDDEN
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
HIDDEN
-----END OpenVPN Static key V1-----
</tls-auth>
verb 5
fast-io
sndbuf 2097152
rcvbuf 2097152

OPENVPN CLIENT SHELLS

Code:

# ip route show
default via VPS.PUBLIC.GATEWAY.ADDRESS dev eth0 
10.0.2.0/24 via 10.0.3.1 dev tun0 
10.0.3.0/24 dev tun0 proto kernel scope link src 10.0.3.2 
VPS.GATEWAY.ADDRESS/26 dev eth0 proto kernel scope link src VPS.PUBLIC.IP 
169.254.0.0/16 dev eth0 scope link metric 1002 

Code:

# cat /etc/resolv.conf
nameserver 10.0.3.1
nameserver 8.8.8.8
nameserver 8.8.4.4

I've edited this manually; nslookup shows it is using my DNS server for queries first.

And this is what I really don't get:

Code:

$ ping www.google.com

works, but it reaches out from the public IP, not from the VPN IP, as expected.

Code:

$ ping -I tun0 www.google.com

doesn't work; it hangs.

Code:

$ ping 10.0.3.1

works, and so does pinging other private subnets (10.0.2.0/24), but I can't reach out.


Why?

I can do this from the clients connected to the OpenVPN server that redirects all of their traffic: I can bind ping to tun0 or any other network device and it will use that device's IP as origin. Here I can't even do this, so there must be something wrong in the network settings on this client, and I can't see what.

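One way to get the behaviour the post asks for (a service bound to the VPN address reaching the internet through the VPN gateway while the box keeps its own default route on eth0) is policy routing. The script below is an added example and is not part of the original post or of any reply to it. Binding a socket to tun0 or to 10.0.3.2 only fixes the source address; the destination lookup still walks the main table, whose only default route leaves via eth0, so the packet has nowhere to go. A `from` rule (and an `oif` rule for sockets bound to the device itself) that points such traffic at a separate table with a default route via 10.0.3.1 gives the tunnel its own default without touching the rest of the machine. The interface name, addresses, table id and rule priority are assumptions taken from the route listing in the post and can be overridden through environment variables; `SAMPLE_MAIN_ROUTES` is a constructed copy of the post's `ip route show` output with placeholder public addresses.

```shell
#!/bin/bash
# Added example (not from the forum post): policy routing for a split-tunnel
# OpenVPN client, so that traffic sourced from the VPN address leaves through
# the VPN gateway while the main table's default route stays on eth0.
#
# Assumed values (hypothetical, taken from the post's route listing); override
# them via the environment to match your client.
VPN_DEV="${VPN_DEV:-tun0}"          # OpenVPN tunnel interface
VPN_LOCAL="${VPN_LOCAL:-10.0.3.2}"  # this client's VPN address
VPN_GW="${VPN_GW:-10.0.3.1}"        # OpenVPN server's VPN address
VPN_NET="${VPN_NET:-10.0.3.0/24}"   # VPN subnet (topology subnet)
VPN_TABLE="${VPN_TABLE:-100}"       # routing table id reserved for VPN-sourced traffic
RULE_PRIO="${RULE_PRIO:-1000}"      # ip rule priority (checked before the main-table rule at 32766)

# Constructed sample of the main routing table as shown in the post, with the
# public addresses replaced by TEST-NET-3 placeholders.
SAMPLE_MAIN_ROUTES='default via 203.0.113.1 dev eth0
10.0.2.0/24 via 10.0.3.1 dev tun0
10.0.3.0/24 dev tun0 proto kernel scope link src 10.0.3.2
203.0.113.0/26 dev eth0 proto kernel scope link src 203.0.113.10
169.254.0.0/16 dev eth0 scope link metric 1002'

# has_default_via ROUTE_TEXT DEV
# Succeeds if the given `ip route show` text contains a default route leaving
# via DEV. In a split tunnel the main table has one only via eth0, which is why
# a packet bound to tun0 with an internet destination has no usable route.
has_default_via() {
    printf '%s\n' "$1" | grep -Eq "^default (via [0-9.]+ )?dev $2( |$)"
}

# vpn_policy_commands
# Prints the ip(8) commands that build the per-source routing table and the
# rules selecting it. The `from` rule catches sockets bound to the VPN address
# (ping -I 10.0.3.2, a daemon listening on 10.0.3.2); the `oif` rule catches
# sockets bound to the device itself (ping -I tun0, SO_BINDTODEVICE).
vpn_policy_commands() {
    cat <<EOF
ip route replace ${VPN_NET} dev ${VPN_DEV} src ${VPN_LOCAL} table ${VPN_TABLE}
ip route replace default via ${VPN_GW} dev ${VPN_DEV} src ${VPN_LOCAL} table ${VPN_TABLE}
ip rule add from ${VPN_LOCAL} lookup ${VPN_TABLE} priority ${RULE_PRIO}
ip rule add oif ${VPN_DEV} lookup ${VPN_TABLE} priority $((RULE_PRIO + 1))
EOF
}

# vpn_policy_undo: the matching teardown, e.g. for an OpenVPN --down script.
vpn_policy_undo() {
    cat <<EOF
ip rule del oif ${VPN_DEV} lookup ${VPN_TABLE} priority $((RULE_PRIO + 1))
ip rule del from ${VPN_LOCAL} lookup ${VPN_TABLE} priority ${RULE_PRIO}
ip route flush table ${VPN_TABLE}
EOF
}

# Usage:  sudo ./vpn-policy.sh apply   (run once tun0 is up, e.g. from --up)
#         sudo ./vpn-policy.sh undo
#         ./vpn-policy.sh check        (inspect the live main table, no changes)
case "${1:-}" in
    apply) vpn_policy_commands | sh -e ;;
    undo)  vpn_policy_undo | sh ;;
    check)
        if has_default_via "$(ip route show)" "$VPN_DEV"; then
            echo "main table already has a default route via $VPN_DEV (full tunnel?)"
        else
            echo "no default route via $VPN_DEV in the main table: VPN-sourced traffic needs table $VPN_TABLE"
        fi ;;
esac
```

After `apply`, `ping -I 10.0.3.2 -c 3 www.google.com` and `mtr -a 10.0.3.2 www.google.com` should leave through the tunnel, while a plain `ping www.google.com` still uses eth0. The reverse-path check on replies arriving on tun0 is evaluated through the same rules with the VPN address as source, so strict rp_filter normally accepts them; if replies are still dropped, `net.ipv4.conf.tun0.rp_filter=2` (loose mode) is the usual relaxation. The `ip rule ... oif` form needs iproute2 and a kernel with output-interface rule support, which CentOS 7 has.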