OpenVPN routing issue: client is able to reach server but not vice versa

ssdnvv · August 5, 2018, 12:45pm

Hi,

I’m about to connect 2 TO via custom OpenVPN config.
Tunnel get’s created fine - three kind of clients (TO as a client, Windows Client, Android client) can connect to the tunnel.
Client -> server-connection works just fine - I can ping the server and reach the server lan network and route all traffic through the tunnel if needed.
But due to some misconfiguration I just cannot spot I’m unable to reach TO client lan from server side lan (though I can reach the router itself via the OpenVPN IP).

Please find below all relevant configuration and logfiles - hopefully you are able to spot my routing error that prevents server lan from accessing client lan.

Server /etc/config/network

config interface 'lan'
	option force_link '1'
	option ifname 'eth0'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'tun0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'
	option enabled '1'

Server /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option network 'lan'
	option masq '1'

config zone
	option name 'tun0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'tun0'
	option masq '1'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option network 'wan wan6'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'tun0'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'tun0'
	option dest 'lan'

config forwarding
	option src 'tun0'
	option dest 'wan'

config rule
	option name 'tun0 input'
	option src 'wan'
	option dest_port '4000'
	option proto 'udp'
	option target 'ACCEPT'

Server /etc/config/openvpn

config openvpn 'tun0'
	option port '4000'
	option proto 'udp'
	option dev 'tun0'
	option topology 'subnet'
	option comp_lzo 'yes'
	option ifconfig_pool_persist '/srv/tun0-ipp.log'
	option status '/srv/tun0-status.log'
	option log '/srv/tun0.log'
	option pkcs12 '/etc/openvpn/Router-OpenVPN.p12'
	option dh '/etc/openvpn/dh5120.pem'
	option tls_crypt '/etc/openvpn/Router_ta.key'
	option reneg_sec '21600'
	option reneg_bytes '6400000000'
	option verify_client_cert '1'
	option remote_cert_tls 'client'
	option tls_version_min '1.2'
	option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
	option cipher 'AES-256-GCM'
	option auth 'SHA512'
	option sndbuf '393216'
	option rcvbuf '393216'
	option fragment '0'
	option mssfix '0'
	option tun_mtu '48000'
	option verb '4'
	option mute '20'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option group 'nogroup'
	option server '172.16.10.0 255.255.255.248'
	option ifconfig '172.16.10.1 255.255.255.248'
	option route '192.168.3.0 255.255.255.0 172.16.10.1'
	list push 'route 192.168.4.0 255.255.255.0'
 	list push 'dhcp-option DNS 192.168.4.1'
	list push 'dhcp-option WINS 192.168.4.1'
	list push 'dhcp-option NTP 192.53.103.108'
	list push 'dhcp-option DNS 172.16.10.1'
	option client_to_client '1'
	option enabled '1'

Server /srv/tun0.log

Sun Aug  5 01:54:00 2018 us=556509 OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Aug  5 01:54:00 2018 us=556615 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.08
Sun Aug  5 01:54:00 2018 us=557710 Diffie-Hellman initialized with 5120 bit key
Sun Aug  5 01:54:00 2018 us=581812 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Aug  5 01:54:00 2018 us=581904 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Aug  5 01:54:00 2018 us=581952 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Aug  5 01:54:00 2018 us=581998 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Aug  5 01:54:00 2018 us=582045 TLS-Auth MTU parms [ L:48122 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Aug  5 01:54:00 2018 us=583052 TUN/TAP device tun0 opened
Sun Aug  5 01:54:00 2018 us=583153 TUN/TAP TX queue length set to 100
Sun Aug  5 01:54:00 2018 us=583209 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Aug  5 01:54:00 2018 us=583275 /sbin/ifconfig tun0 172.16.10.1 netmask 255.255.255.248 mtu 48000 broadcast 172.16.10.7
Sun Aug  5 01:54:00 2018 us=606702 /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 172.16.10.1
Sun Aug  5 01:54:00 2018 us=610138 Data Channel MTU parms [ L:48122 D:48122 EF:122 EB:8156 ET:0 EL:3 ]
Sun Aug  5 01:54:00 2018 us=610302 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Aug  5 01:54:00 2018 us=610367 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sun Aug  5 01:54:00 2018 us=610425 UDPv4 link local (bound): [AF_INET][undef]:4000
Sun Aug  5 01:54:00 2018 us=610468 UDPv4 link remote: [AF_UNSPEC]
Sun Aug  5 01:54:00 2018 us=610534 GID set to nogroup
Sun Aug  5 01:54:00 2018 us=610624 UID set to nobody
Sun Aug  5 01:54:00 2018 us=610704 MULTI: multi_init called, r=256 v=256
Sun Aug  5 01:54:00 2018 us=610801 IFCONFIG POOL: base=172.16.10.2 size=4, ipv6=0
Sun Aug  5 01:54:00 2018 us=610868 ifconfig_pool_read(), in='Router_Client_4,172.16.10.2', TODO: IPv6
Sun Aug  5 01:54:00 2018 us=610916 succeeded -> ifconfig_pool_set()
Sun Aug  5 01:54:00 2018 us=610955 ifconfig_pool_read(), in='Router_Client_1,172.16.10.3', TODO: IPv6
Sun Aug  5 01:54:00 2018 us=610992 succeeded -> ifconfig_pool_set()
Sun Aug  5 01:54:00 2018 us=611028 ifconfig_pool_read(), in='Router_Client_2,172.16.10.4', TODO: IPv6
Sun Aug  5 01:54:00 2018 us=611064 succeeded -> ifconfig_pool_set()
Sun Aug  5 01:54:00 2018 us=611123 IFCONFIG POOL LIST
Sun Aug  5 01:54:00 2018 us=611199 Router_Client_4,172.16.10.2
Sun Aug  5 01:54:00 2018 us=611252 Router_Client_1,172.16.10.3
Sun Aug  5 01:54:00 2018 us=611294 Router_Client_2,172.16.10.4
Sun Aug  5 01:54:00 2018 us=611977 Initialization Sequence Completed
Sun Aug  5 14:14:37 2018 us=331346 MULTI: multi_create_instance called
Sun Aug  5 14:14:37 2018 us=331578 <Client public IP>:53504 LZO compression initializing
Sun Aug  5 14:14:37 2018 us=333460 <Client public IP>:53504 Control Channel MTU parms [ L:48122 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Aug  5 14:14:37 2018 us=333541 <Client public IP>:53504 Data Channel MTU parms [ L:48122 D:48122 EF:122 EB:8156 ET:0 EL:3 ]
Sun Aug  5 14:14:37 2018 us=333623 <Client public IP>:53504 TLS: Initial packet from [AF_INET]<Client public IP>:53504, sid=68fd6dfa 087a419e
Sun Aug  5 14:14:37 2018 us=957710 <Client public IP>:53504 VERIFY OK: depth=1, C=DE, ST=RlP, CN=OpenVPN-CA
Sun Aug  5 14:14:37 2018 us=961506 <Client public IP>:53504 VERIFY KU OK
Sun Aug  5 14:14:37 2018 us=961566 <Client public IP>:53504 Validating certificate extended key usage
Sun Aug  5 14:14:37 2018 us=961608 <Client public IP>:53504 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sun Aug  5 14:14:37 2018 us=961646 <Client public IP>:53504 VERIFY EKU OK
Sun Aug  5 14:14:37 2018 us=961681 <Client public IP>:53504 VERIFY OK: depth=0, C=DE, ST=RlP, L=KH, CN=Router_Client_4
Sun Aug  5 14:14:38 2018 us=10274 <Client public IP>:53504 peer info: IV_VER=2.4.4
Sun Aug  5 14:14:38 2018 us=10371 <Client public IP>:53504 peer info: IV_PLAT=linux
Sun Aug  5 14:14:38 2018 us=10417 <Client public IP>:53504 peer info: IV_PROTO=2
Sun Aug  5 14:14:38 2018 us=10456 <Client public IP>:53504 peer info: IV_NCP=2
Sun Aug  5 14:14:38 2018 us=10493 <Client public IP>:53504 peer info: IV_LZ4=1
Sun Aug  5 14:14:38 2018 us=10548 <Client public IP>:53504 peer info: IV_LZ4v2=1
Sun Aug  5 14:14:38 2018 us=10587 <Client public IP>:53504 peer info: IV_LZO=1
Sun Aug  5 14:14:38 2018 us=10624 <Client public IP>:53504 peer info: IV_COMP_STUB=1
Sun Aug  5 14:14:38 2018 us=10660 <Client public IP>:53504 peer info: IV_COMP_STUBv2=1
Sun Aug  5 14:14:38 2018 us=10696 <Client public IP>:53504 peer info: IV_TCPNL=1
Sun Aug  5 14:14:38 2018 us=49995 <Client public IP>:53504 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Aug  5 14:14:38 2018 us=50096 <Client public IP>:53504 [Router_Client_4] Peer Connection Initiated with [AF_INET]<Client public IP>:53504
Sun Aug  5 14:14:38 2018 us=50492 MULTI: new connection by client 'Router_Client_4' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sun Aug  5 14:14:38 2018 us=50550 MULTI_sva: pool returned IPv4=172.16.10.2, IPv6=(Not enabled)
Sun Aug  5 14:14:38 2018 us=50684 MULTI: Learn: 172.16.10.2 -> Router_Client_4/<Client public IP>:53504
Sun Aug  5 14:14:38 2018 us=50729 MULTI: primary virtual IP for Router_Client_4/<Client public IP>:53504: 172.16.10.2
Sun Aug  5 14:14:39 2018 us=288671 Router_Client_4/<Client public IP>:53504 PUSH: Received control message: 'PUSH_REQUEST'
Sun Aug  5 14:14:39 2018 us=288866 Router_Client_4/<Client public IP>:53504 SENT CONTROL [Router_Client_4]: 'PUSH_REPLY,route 192.168.4.0 255.255.255.0,dhcp-option DNS 192.168.4.1,dhcp-option WINS 192.168.4.1,dhcp-option NTP 192.53.103.108,dhcp-option DNS 172.16.10.1,route-gateway 172.16.10.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.10.2 255.255.255.248,peer-id 1,cipher AES-256-GCM' (status=1)
Sun Aug  5 14:14:39 2018 us=288935 Router_Client_4/<Client public IP>:53504 Data Channel MTU parms [ L:48050 D:48050 EF:50 EB:8156 ET:0 EL:3 ]
Sun Aug  5 14:14:39 2018 us=289240 Router_Client_4/<Client public IP>:53504 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Aug  5 14:14:39 2018 us=289288 Router_Client_4/<Client public IP>:53504 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Client /etc/config/network

config interface 'lan'
	option force_link '1'
	option ifname 'eth0'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'tun0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'
	option enabled '1'

Client /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'tun0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'tun0'
	option masq '1'
	option enabled '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'tun0'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'tun0'
	option dest 'lan'

config forwarding
	option src 'tun0'
	option dest 'wan'

Client /etc/config/openvpn


config openvpn 'Client'
	option client '1'
	option remote '<server public domain> 4000'
	option proto 'udp'
 	option dev 'tun0'
	option topology 'subnet'
	option resolv_retry 'infinite'
	option float '1'
 	option nobind '1'
	option pull '1'
	option fragment '0'
	option mssfix '0'
	option sndbuf '393216'
	option rcvbuf '393216'
	option comp_lzo 'yes'
	option mute_replay_warnings '1'
 	option mute '20'
	option persist_key '1'
	option persist_tun '1'
	option auth 'SHA512'
	option auth_nocache '1'
 	option cipher 'AES-256-GCM'
	option tls_client '1'
	option tls_version_min '1.2'
	option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
	option remote_cert_tls 'server'
 	option pkcs12 '/etc/openvpn/Router_Client_4.p12'
	option tls_crypt '/etc/openvpn/Router_ta.key'
	option verb '4'
	option enabled '1'

Client syslog

2018-08-05 14:13:30 notice openvpn(Client)[17285]: OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2018-08-05 14:13:30 notice openvpn(Client)[17285]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.08
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-08-05 14:13:30 notice openvpn(Client)[17285]: LZO compression initializing
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Data Channel MTU parms [ L:1622 D:1622 EF:122 EB:406 ET:0 EL:3 ]
2018-08-05 14:13:30 notice openvpn(Client)[17285]: TCP/UDP: Preserving recently used remote address: [AF_INET]<server public IP>:4000
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Socket Buffers: R=[163840->327680] S=[163840->327680]
2018-08-05 14:13:30 notice openvpn(Client)[17285]: UDP link local: (not bound)
2018-08-05 14:13:30 notice openvpn(Client)[17285]: UDP link remote: [AF_INET]<server public IP>:4000
2018-08-05 14:13:30 notice openvpn(Client)[17285]: TLS: Initial packet from [AF_INET]<server public IP>:4000, sid=cf33e3e1 a578ab2e
2018-08-05 14:13:30 notice openvpn(Client)[17285]: VERIFY OK: depth=2, C=DE, ST=RlP, CN=OpenVPN-CA
2018-08-05 14:13:30 notice openvpn(Client)[17285]: VERIFY OK: depth=1, C=DE, ST=RlP, CN=OpenVPN-ICA
2018-08-05 14:13:30 notice openvpn(Client)[17285]: VERIFY KU OK
2018-08-05 14:13:30 notice openvpn(Client)[17285]: Validating certificate extended key usage
2018-08-05 14:13:30 notice openvpn(Client)[17285]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2018-08-05 14:13:30 notice openvpn(Client)[17285]: VERIFY EKU OK
2018-08-05 14:13:30 notice openvpn(Client)[17285]: VERIFY OK: depth=0, C=DE, ST=RlP, L=KH, CN=<server public domain>
2018-08-05 14:13:31 notice openvpn(Client)[17285]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2018-08-05 14:13:31 notice openvpn(Client)[17285]: [<server public domain>] Peer Connection Initiated with [AF_INET]<server public IP>:4000
2018-08-05 14:13:32 notice openvpn(Client)[17285]: SENT CONTROL [<server public domain>]: 'PUSH_REQUEST' (status=1)
2018-08-05 14:13:32 notice openvpn(Client)[17285]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.4.0 255.255.255.0,dhcp-option DNS 192.168.4.1,dhcp-option WINS 192.168.4.1,dhcp-option NTP 192.53.103.108,dhcp-option DNS 172.16.10.1,route-gateway 172.16.10.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.10.2 255.255.255.248,peer-id 1,cipher AES-256-GCM'
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: timers and/or timeouts modified
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: --ifconfig/up options modified
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: route options modified
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: route-related options modified
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: peer-id set
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: adjusting link_mtu to 1625
2018-08-05 14:13:32 notice openvpn(Client)[17285]: OPTIONS IMPORT: data channel crypto options modified
2018-08-05 14:13:32 notice openvpn(Client)[17285]: Data Channel MTU parms [ L:1553 D:1553 EF:53 EB:406 ET:0 EL:3 ]
2018-08-05 14:13:32 notice openvpn(Client)[17285]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-08-05 14:13:32 notice openvpn(Client)[17285]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-08-05 14:13:32 notice openvpn(Client)[17285]: TUN/TAP device tun0 opened
2018-08-05 14:13:32 notice openvpn(Client)[17285]: TUN/TAP TX queue length set to 100
2018-08-05 14:13:32 notice openvpn(Client)[17285]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-08-05 14:13:32 notice openvpn(Client)[17285]: /sbin/ifconfig tun0 172.16.10.2 netmask 255.255.255.248 mtu 1500 broadcast 172.16.10.7
2018-08-05 14:13:32 notice netifd[]: Network device 'tun0' link is up
2018-08-05 14:13:32 notice netifd[]: Interface 'tun0' has link connectivity 
2018-08-05 14:13:32 notice netifd[]: Interface 'tun0' is setting up now
2018-08-05 14:13:32 notice openvpn(Client)[17285]: /sbin/route add -net 192.168.4.0 netmask 255.255.255.0 gw 172.16.10.1
2018-08-05 14:13:32 notice openvpn(Client)[17285]: Initialization Sequence Completed
2018-08-05 14:13:32 notice netifd[]: Interface 'tun0' is now up
2018-08-05 14:13:32 notice firewall[]: Reloading firewall due to ifup of tun0 (tun0)

Server routes [192.168.7.1: ISP modem]

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.7.1     0.0.0.0         UG    0      0        0 eth1
172.16.10.0     0.0.0.0         255.255.255.248 U     0      0        0 tun0
192.168.3.0     172.16.10.1     255.255.255.0   UG    0      0        0 tun0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.7.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1

Client routes [192.168.5.1: ISP modem]

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth1
172.16.10.0     0.0.0.0         255.255.255.248 U     0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.4.0     172.16.10.1     255.255.255.0   UG    0      0        0 tun0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.5.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1

Server ping --> client: doesn’t work

root@Router:~# ping -c 2 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes

--- 192.168.3.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

Client ping --> server: works

root@Client_Router:~# ping -c 2 192.168.4.1
PING 192.168.4.1 (192.168.4.1): 56 data bytes
64 bytes from 192.168.4.1: seq=0 ttl=64 time=39.866 ms
64 bytes from 192.168.4.1: seq=1 ttl=64 time=39.824 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 39.824/39.845/39.866 ms

Server ping --> OpenVPN client: works

root@Router:~# ping -c 2 172.16.10.2
PING 172.16.10.2 (172.16.10.2): 56 data bytes
64 bytes from 172.16.10.2: seq=0 ttl=64 time=39.306 ms
64 bytes from 172.16.10.2: seq=1 ttl=64 time=39.515 ms

--- 172.16.10.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 39.306/39.410/39.515 ms

anon50890781 · August 5, 2018, 12:59pm

There seems to be a discrepancy between the ip being pinged and the ip responding.

ssdnvv · August 5, 2018, 1:02pm

You’re right, I corrected that in the first post.

anon50890781 · August 5, 2018, 1:24pm

try instead without the gateway parameter (which seems redundant at this place)

option route '192.168.3.0 255.255.255.0'

ssdnvv · August 5, 2018, 1:38pm

In that case it creates following routes:
server.log:

Sun Aug  5 15:32:33 2018 us=262269 /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 172.16.10.2

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.7.1     0.0.0.0         UG    0      0        0 eth1
172.16.10.0     0.0.0.0         255.255.255.248 U     0      0        0 tun0
192.168.3.0     172.16.10.2     255.255.255.0   UG    0      0        0 tun0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.7.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1

Unfortunately that doesn’t work either - I already tried before it by explicitly setting option route '192.168.3.0 255.255.255.0 172.16.10.2'

anon50890781 · August 5, 2018, 1:49pm

Not sure what you want to achieve with that but it seems redundant.

With option server '172.16.10.0 255.255.255.248' the server will be assinged the ip 172.16.10.1 and any client a subsquent ip in the subnet.

Try without that ifconfig line and option route '192.168.3.0 255.255.255.0 only.

ssdnvv · August 5, 2018, 1:57pm

You’re again right, it is redundant, thanks.
But unfortunately it doesn’t seem to be causing my issue.

anon50890781 · August 5, 2018, 2:09pm

add option mtu_fix '1' to the tunnel fw zones. This might do the trick…

and perhaps remove option tun_mtu '48000'

ssdnvv · August 5, 2018, 2:25pm

Unfortunately not

hm…

To me it seems like a routing or firewall or resolving problem. Any idea how would I check if one of those three was causing the issue?

anon50890781 · August 5, 2018, 2:35pm

If it was a fw issue the ping response would likely be a drop or not reachable. No response is indicative of a routing/mtu issue.

ip addresses do not require resolving.

you could try traceroute but more thouroughly create a tcpdump file and inspect it with a tool like wireshark. mind you though that neither ping nor traceroute are tcp but icmp/udp and thus tcpdump needs to be configured to capture those package types

anon50890781 · August 5, 2018, 2:54pm

Not relevant to the issue but curious that 2 different DNS servers are pushed to the clients?

list push 'dhcp-option DNS 192.168.4.1'
list push 'dhcp-option DNS 172.16.10.1'

Just noticed option mssfix '0'. You might want to try and remove it but maintain option mtu_fix '1' in the fw

ssdnvv · September 4, 2018, 10:08pm

Logs I posted in first post are from when I tried to get this flying with
TO1 (192.168.4.1) being the server and
TO2 (192.168.3.1) being the client.

This sunday I reverted the configuration and set up
TO1 (192.168.4.1) being the client and
TO2 (192.168.3.1) being the server.

Result is the very same: Client is able to reach the server and access servers subnet but not vice versa (only client itself is reachable via openvpn-IP).
Unfortunately playing with MSS or MTU didn’t help either…

Any more ideas?

@techmania: What does Linksys has to do with a OpenVPN related problem?