Pings from VPN network to VPN client work; pings from VPN client into VPN network fail - why?
Solution 1:
The root cause of this problem was some implicit default routes that were not visible in the tables displayed by /sbin/route but were visible in the tables displayed by /sbin/ip route and /sbin/ip rule.
When these tables were displayed it became apparent that a rule of this kind:
default table route_eth0 via 10.11.11.1 dev eth0
was overriding this rule:
10.8.0.0 10.11.11.2 255.255.255.0 UG 0 0 0 eth0
By editing /etc/sysconfig/network-scripts/route-eth0 (presumably with /sbin/ip route, though I did it manually in this case), I was able to fix the issue.
So, what I learnt from this is that /sbin/route can't be relied upon to give you an accurate picture of Linux's effective routing rules and that it is better to use /sbin/ip for this purpose.
Thanks to ptman whose answer to this question helped me see the light. Thank you ptman!
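To make the mechanism behind Solution 1 concrete, here is an added example (not from the answer above or from any project) that parses constructed `ip rule` and `ip route show table` output and emulates the kernel's policy-routing lookup, showing why a bare default route in the per-interface table wins over the 10.8.0.0/24 route in the main table. The host address 10.11.11.5, the rule priorities and the exact route-eth0 fix are assumptions; unreachable, throw and blackhole routes are not modelled.

```python
import ipaddress
# Constructed sample in the style of `ip rule` and `ip route show table <name>`; the
# host's own eth0 address 10.11.11.5 is an assumption (the answer shows only the gateways).
IP_RULE = """
0:      from all lookup local
32765:  from 10.11.11.5 lookup route_eth0
32766:  from all lookup main
32767:  from all lookup default
"""
BROKEN_TABLES = {
    "route_eth0": "default via 10.11.11.1 dev eth0",
    "main": "10.8.0.0/24 via 10.11.11.2 dev eth0\n"
            "10.11.11.0/24 dev eth0 proto kernel scope link src 10.11.11.5",
}
# The kind of fix the answer describes (the exact route-eth0 edit is an assumption):
# route_eth0 also carries the VPN route, so it no longer falls through to its default.
FIXED_TABLES = dict(BROKEN_TABLES, route_eth0="10.8.0.0/24 via 10.11.11.2 dev eth0\n"
                    + BROKEN_TABLES["route_eth0"])
def parse_rules(text):
    """`ip rule` lines -> [(priority, source selector, table)], lowest priority first."""
    rules = []
    for line in text.strip().splitlines():
        prio, rest = line.split(":", 1)
        toks = rest.split()
        rules.append((int(prio), toks[toks.index("from") + 1], toks[toks.index("lookup") + 1]))
    return sorted(rules)
def parse_routes(text):
    """`ip route show table X` lines -> [(network, gateway or None, device)]."""
    routes = []
    for line in text.strip().splitlines():
        toks = line.split()
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        via = toks[toks.index("via") + 1] if "via" in toks else None
        dev = toks[toks.index("dev") + 1] if "dev" in toks else None
        routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes
def lookup(src, dst, rule_text, table_texts):
    """Emulate the kernel's policy-routing lookup: walk rules by priority; the FIRST
    table holding any route covering dst answers (longest prefix only within it)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    tables = {name: parse_routes(t) for name, t in table_texts.items()}
    for prio, sel, table in parse_rules(rule_text):
        if sel != "all" and src_ip not in ipaddress.ip_network(sel, strict=False):
            continue
        hits = [r for r in tables.get(table, []) if dst_ip in r[0]]
        if hits:
            net, via, dev = max(hits, key=lambda r: r[0].prefixlen)
            return {"rule": prio, "table": table, "prefix": str(net), "via": via, "dev": dev}
    return None
```

With BROKEN_TABLES, `lookup("10.11.11.5", "10.8.0.10", IP_RULE, ...)` resolves in table route_eth0 via 10.11.11.1, never reaching the main-table route; /sbin/route shows only the main table, which is why that default route was invisible there.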
Solution 2:
What about your iptables rules? They look rather empty.
I use the following rules, I am not sure if it would solve your exact problem though:
# $IPTABLES is used below but not defined in the snippet as posted; set it so those lines resolve
IPTABLES=iptables
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
# Allow TUN interface connections to get out
iptables -A OUTPUT -o tun+ -j ACCEPT
# We want to allow routing from OpenVPN tunnels
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.8.1.0/255.255.255.0 -j MASQUERADE
$IPTABLES -A FORWARD -i tun+ -o eth1 -s 10.8.1.0/255.255.255.0 -j ACCEPT
On the gateway you need a routing entry to direct traffic for 10.8.1.0/24 to the openvpn server.
On the openvpn server traffic for 10.8.1.0/24 subnet uses the IP address of the openvpn server's tun interface, for example 10.8.1.2. This though should already be configured by openvpn itself.
Update: I had to edit a few things. I use a setup here with 2 openvpn servers that also communicate with each other, so I mixed up some things that aren't relevant for your situation.