Pings do not pass between the OpenVPN server (Ubuntu) and the client (MikroTik), where can the trouble be buried?
An OpenVPN server is deployed on Ubuntu and, respectively, the client on MikroTik.
vpn:
proto tcp
dev tun
server 10.190.0.0 255.255.255.0
client-to-client
compression off
tun-mtu 1500
mssfix 1450
route 10.190.0.0 255.255.255.0
push "route 10.190.0.0 255.255.255.0"
push "route 10.190.0.0 255.255.255.0"
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 185.146.171.1 0.0.0.0 UG 0 0 0 eth0
10.190.0.0 10.190.0.2 255.255.255.0 UG 0 0 0 tun0
10.190.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
185.146.171.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Forwarding enabled
Mikrotik (Client):
D 10.190.0.6 /32 10.190.0.5 ovpn-out1
route
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 AS 0.0.0.0/0 ovpn-out1 1
1 DS 0.0.0.0/0 192.168.82.254 1
2 ADS 10.190.0.0/24 10.190.0.5 0
3 DS 10.190.0.0/24 10.190.0.5 1
4 ADC 10.190.0.5/32 10.190.0.6 ovpn-out1 0
Dump from Ubuntu (tun0): ping to the client (no response); at this moment the client is also pinging the server. The first two packets are from the client reconnecting on timeout (120 sec in the OpenVPN server settings):
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
08:40:36.559625 IP 10.190.0.6.5678 > 255.255.255.255.5678: UDP, length 93
08:42:50.740908 IP 10.190.0.6.5678 > 255.255.255.255.5678: UDP, length 93
08:42:56.896600 IP 10.190.0.1 > 10.190.0.6: ICMP echo request, id 10190, seq 1, length 64
08:42:57.904309 IP 10.190.0.1 > 10.190.0.6: ICMP echo request, id 10190, seq 2, length 64
08:42:58.912261 IP 10.190.0.1 > 10.190.0.6: ICMP echo request, id 10190, seq 3, length 64
Client (MikroTik): at this moment the server is pinging the client, and the client is pinging the server:
# TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU
0 0.155 ovpn-out1 10.190.0.6 10.190.0.1 icmp 56 0
1 1.159 ovpn-out1 10.190.0.6 10.190.0.1 icmp 56 0
2 2.162 ovpn-out1 10.190.0.6 10.190.0.1 icmp 56 0
3 3.165 ovpn-out1 10.190.0.6 10.190.0.1 icmp 56 0
4 4.169 ovpn-out1 10.190.0.6 10.190.0.1 icmp 56 0
5 5.173 ovpn-out1 10.190.0.6 10.190.0.1 icmp 56 0
Ubuntu (iptables): everything is allowed for this network:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.190.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.70.0.0/24 anywhere
ACCEPT all -- anywhere 10.70.0.0/24
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
DROP all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere
ACCEPT all -- 10.190.0.0/24 anywhere
ACCEPT all -- 10.190.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 10.190.0.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.190.0.0/24
ACCEPT all -- anywhere 10.190.0.0/24
ACCEPT icmp -- anywhere anywhere
Please tell me which way to dig
IMHO, the rule
DROP all -- anywhere anywhere
in the FORWARD chain is either superfluous, or there is no
ACCEPT all -- 10.190.0.0/24 anywhere
in the same place.
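The answer above turns on how netfilter walks a chain: rules are consulted top-down, and the first matching terminating target (ACCEPT, DROP, REJECT) decides, so any rule placed below a catch-all DROP is never consulted. The following is an added example, not code from the post or from its answerer: a small Python model of that first-match traversal, loaded with the FORWARD chain exactly as it was quoted in the question. It reports which rules are unreachable and compares the verdict for a constructed forwarded packet from 10.190.0.6 before and after the 10.190.0.0/24 ACCEPT rules are moved above the catch-all DROP. The destination addresses 203.0.113.10 and 192.0.2.5 are constructed documentation-range samples, not addresses from the post.

```python
# Added example (not from the post): a minimal model of how netfilter walks an
# iptables chain, applied to the FORWARD chain quoted in the question.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"                              # iptables prints this as "anywhere"
TERMINATING = {"ACCEPT", "DROP", "REJECT"}     # targets that end chain traversal


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"
    src: str = ANY
    dst: str = ANY
    state: Optional[frozenset] = None          # conntrack states matched; None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    state: str = "NEW"


# The FORWARD chain as listed in the question (chain policy is ACCEPT).
FORWARD_FROM_POST: List[Rule] = [
    Rule("ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", src="10.70.0.0/24"),
    Rule("ACCEPT", dst="10.70.0.0/24"),
    Rule("TCPMSS", proto="tcp"),               # non-terminating: clamps MSS, traversal continues
    Rule("DROP", state=frozenset({"INVALID"})),
    Rule("DROP"),                              # catch-all: nothing below it is ever consulted
    Rule("ACCEPT", src="10.190.0.0/24"),
    Rule("ACCEPT", src="10.190.0.0/24"),
    Rule("ACCEPT"),
    Rule("ACCEPT", dst="10.190.0.0/24"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match criterion of the rule applies to the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.state is not None and pkt.state not in rule.state:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching terminating rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt) and rule.target in TERMINATING:
            return rule.target
    return policy


def is_catch_all(rule: Rule) -> bool:
    """A terminating rule with no match criteria at all."""
    return (rule.target in TERMINATING and rule.proto == "all"
            and rule.src == ANY and rule.dst == ANY and rule.state is None)


def unreachable_rules(chain: List[Rule]) -> List[int]:
    """Indices of rules that sit below the first catch-all terminator (dead rules)."""
    for i, rule in enumerate(chain):
        if is_catch_all(rule):
            return list(range(i + 1, len(chain)))
    return []


def allow_subnet_above_catch_all(chain: List[Rule], subnet: str) -> List[Rule]:
    """Insert ACCEPT rules for `subnet` (as source and as destination) directly
    above the first catch-all terminator, so the DROP still covers everything else."""
    fixed = list(chain)
    for i, rule in enumerate(fixed):
        if is_catch_all(rule):
            fixed[i:i] = [Rule("ACCEPT", src=subnet), Rule("ACCEPT", dst=subnet)]
            break
    return fixed


if __name__ == "__main__":
    vpn_pkt = Packet("10.190.0.6", "203.0.113.10", "icmp")   # constructed sample packet
    fixed = allow_subnet_above_catch_all(FORWARD_FROM_POST, "10.190.0.0/24")
    print("dead rules in posted chain:", unreachable_rules(FORWARD_FROM_POST))
    print("verdict as posted :", evaluate(FORWARD_FROM_POST, vpn_pkt))
    print("verdict reordered :", evaluate(fixed, vpn_pkt))
```

Running it shows the four rules after the catch-all DROP (indices 6 to 9) are dead, a forwarded packet from 10.190.0.6 is dropped as posted and accepted once the subnet ACCEPTs sit above the DROP, while traffic from other sources is still dropped. One caveat when applying this to the symptom in the question: FORWARD only sees traffic the server routes between interfaces; pings exchanged with the server's own tun0 address (10.190.0.1) pass through INPUT and OUTPUT instead, so the chain order matters for traffic forwarded beyond the server, not for those two endpoints pinging each other.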