OpenVPN: Cannot ping or access internal VLANs
Seeing timeouts accessing external and internal VLANs after connecting to the OpenVPN server?
Reply from 98.136.103.23: bytes=32 time=673ms TTL=47
Request timed out.
Request timed out.
Reply from 10.3.0.100: bytes=32 time=673ms TTL=47
Request timed out.
Request timed out.
Also seeing timeouts when accessing local VLANs, with matching DROP entries in the router log?
root@DD-WRT-INTERNET-ASUS:~# tail -f /var/log/messages|grep -Ei "DROP"|grep -Ei "10.3.0.100"
Nov 4 00:06:16 DD-WRT-INTERNET-ASUS kern.warn kernel: DROP IN=tun2 OUT=br0 MAC= SRC=10.1.1.2 DST=10.3.0.101 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=54730 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6098
Nov 4 00:06:30 DD-WRT-INTERNET-ASUS kern.warn kernel: DROP IN=tun2 OUT=br0 MAC= SRC=10.1.1.2 DST=10.3.0.1001 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=54733 DF PROTO=TCP SPT=56718 DPT=22 SEQ=2130463582 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (0204054B0103030801010402)
Chances are you're missing the following rules:
# VPN: required to be able to ping local on-prem or Azure VLANs
# tun2: let the LAN bridge (br0) and the tunnel forward traffic to each other in both directions,
# log-and-reject traffic aimed at the router itself, and NAT LAN traffic leaving through the tunnel
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
iptables -I INPUT -i tun2 -j LOGREJECT
iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE
# Same set of rules for the other tunnels (tun1, tun0)
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j LOGREJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j LOGREJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Rules such as these do not work, because the logged packets have both IN= and OUT= set: they are being routed from tun2 to br0 and therefore traverse the FORWARD chain, which INPUT and OUTPUT rules never see:
# Allow TCP from tun2 (VPN)
iptables -A OUTPUT -s 10.1.1.0/24 -p tcp -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p tcp -j ACCEPT
# Allow UDP from tun2 (VPN)
iptables -A OUTPUT -s 10.1.1.0/24 -p udp -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p udp -j ACCEPT
# Allow ICMP from tun2 (VPN)
iptables -A OUTPUT -s 10.1.1.0/24 -p icmp -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p icmp -j ACCEPT
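As an added example (not from the original post), a small POSIX shell helper that classifies DD-WRT kernel DROP log lines like the ones above by the netfilter chain that dropped them, and prints the rule from the list above that unblocks a forwarded path. Interface names and addresses follow the post; the two log lines are constructed samples in the same format.

```shell
#!/bin/sh
# Added example, not from the original post: classify DD-WRT kernel DROP log
# lines by the netfilter chain that dropped them. Interface names (tun2, br0)
# and addresses follow the post; the two log lines are constructed samples.

# Print the value of KEY= from a netfilter log line (empty if the field is blank).
nf_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# "forward <in> <out>" when both IN= and OUT= are set (packet was being routed
# between interfaces, i.e. the FORWARD chain dropped it); "input <in>" when
# OUT= is empty (packet addressed to the router itself, INPUT chain).
classify_drop() {
    _in=$(nf_field IN "$1"); _out=$(nf_field OUT "$1")
    [ -n "$_in" ] || { echo unknown; return 1; }
    if [ -n "$_out" ]; then echo "forward $_in $_out"; else echo "input $_in"; fi
}

# Print the rule that unblocks the logged path. Only a FORWARD rule can fix a
# forwarded drop; INPUT/OUTPUT rules never see routed traffic.
suggest_rule() {
    set -- $(classify_drop "$1")
    case $1 in
        forward) echo "iptables -I FORWARD -i $2 -o $3 -j ACCEPT" ;;
        input)   echo "# router-destined drop on $2: expected with the INPUT LOGREJECT rule" ;;
        *)       echo "# not a netfilter DROP line"; return 1 ;;
    esac
}

# Constructed sample lines in the format of the post's /var/log/messages output.
DROP_FWD='Nov 4 00:06:16 DD-WRT-INTERNET-ASUS kern.warn kernel: DROP IN=tun2 OUT=br0 MAC= SRC=10.1.1.2 DST=10.3.0.101 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=54730 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6098'
DROP_IN='Nov 4 00:07:02 DD-WRT-INTERNET-ASUS kern.warn kernel: DROP IN=tun2 OUT= MAC= SRC=10.1.1.2 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=54801 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

for line in "$DROP_FWD" "$DROP_IN"; do
    echo "$(nf_field SRC "$line") -> $(nf_field DST "$line"): $(classify_drop "$line")"
    suggest_rule "$line"
done
```

Pipe `grep DROP /var/log/messages` into a loop over `suggest_rule` to see which interface pairs still lack a FORWARD accept.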
Enjoy your new, shiny, responsive network! 🙂
Cheers,
Admin