Question OpenVPN (personal computer - domain network)

Dec 3, 2024
My colleague installed a Linux (Ubuntu) OpenVPN server for remote work from home and from remote devices to the domain network. In the domain we have the subnets 192.168.(0/1/3/4/6/11/24).0. The connection between the networks is via Cisco VPN (each network is a different work office). I would like to note: subnet 6 has a mask of /23, and all the others /24.
When connecting to OpenVPN from a home computer, it is possible to ping all subnets and devices, with the exception of 6. In turn, from the OpenVPN server itself, ping to absolutely all subnets works. What could be the problem? I don't know how the routes can affect this (given that the ping works from the server) and how to configure them differently.
 
Way too complex an installation to easily troubleshoot on a forum.

It all depends where the actual router function is that routes between those subnets. Also it depends on how the VPN is assigning IP addresses to the remote clients. Does that also have its own dedicated subnet, or is it assigning them IPs out of one of the other subnets?

The most common cause would be you either have some device configured with the wrong subnet mask for the "6" network or you have the gateway IP for one or more of the subnets set incorrectly. Could be the DHCP function, wherever that is being done.

Again, way too many ways you can implement stuff like this to say for sure. If the router and VPN are all done on the same server, it is likely something wrong on that.
 
OpenVPN gives addresses from the pool 172.27.224.0/24. The general route server that knows all the paths is 3.33. It is registered as the gateway for my OpenVPN server, so I can ping all subnets from it.
 

This is routing related and a result of a halfway thought out design.

The OpenVPN device itself is a router, you just don't know it. I'm going to assume it's topology mode subnet, as that's the most common, so the OpenVPN server has a TUN interface as 172.27.224.1 and routes for 172.27.224.0/24. The other network adapter (physical/virtual) should have a static IP address on its host subnet.

Now this gets network-architecture dependent. If you are doing dynamic routing like OSPF, then you can install Quagga onto the OpenVPN server and have it form an adjacency with that site's router and advertise the VPN subnet through that. If you're not doing dynamic routing (my suspicion), then you need to ensure that every router in the network has a route statement that says the OpenVPN subnet is available through the local IP address of the OpenVPN server. This might be best discussed through PMs, as I might need network diagrams to show you where the problems are.

I've built multi-site networks where every location is in a different country with redundant VPN connections to each other, all using just OpenVPN + Quagga + Shorewall.
 
At the moment it so happened that I am the most important manager of data transmission networks. I did not understand much - where the routes should be. Direct example: 3.33 has all the routes to other networks. On the server where OpenVPN is located, this route is laid. Are you saying that something else needs to be written in the VPN web interface itself?
As I wrote above - all visits except 6 are pinged from the home network. I don't see any pattern in the problem, except for the difference in the subnet mask.
 
Question:

Per @billg0001 (Post #2)

Reference:

"The most common cause would be you either have some device configured with the wrong subnet mask for the "6" network or you have the gateway IP for one or more of the subnets set incorrectly. Could be the DHCP function where ever that is being done."

Meaning a typo of some sort: where, for example, 255.255.255.0 is entered versus using 255.255.254.0 ?

Overall, subnet 6 having twice as many hosts (510) as the other 5 subnets with 254 hosts?

Not trying to "solve" the problem - just trying to understand it a bit more....

What are the IP address ranges and subnet masks for each of the subnets?

Curious about the big or bigger picture.
 

Are you doing any sort of dynamic routing, or did someone put static routes into every device along the path? This is very important, because a bad route statement somewhere can cause bad things to happen.

So, quick class on basic layer 3: every network device is a router. If you're on a Windows desktop, open a command prompt and type "route print" and it'll show you the device's routing table. Now, most devices' tables are very short: they know about every directly connected network and then have a final gateway of last resort, otherwise known as a default route. You can see this by looking for a destination of 0.0.0.0 netmask 0.0.0.0. Your OpenVPN server also has a routing table, along with every router responsible for every subnet. Dynamic routing protocols like OSPF allow each of these routers to exchange routes with each other for consistency; otherwise a human is responsible for checking each and every device to ensure it has the correct entries.

Now, you mentioned one of your subnets having a /23 netmask. Is there a reason why, and can you check and make sure that netmask (255.255.254.0 vs 255.255.255.0) is actually being used by all devices? That /23 has an IP range of 192.168.6.0 - 192.168.7.255, and if something has the wrong netmask in a route entry then a packet might be dropped somewhere.
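An added example (not code from anyone in this thread) that walks through the two points made above: a ping needs a return route for the VPN pool on every router, and a /23 vs /24 mistake changes which peers a host treats as on-link. The router names, the server's LAN address 192.168.3.10 and the route tables are constructed assumptions, not the poster's real config.

```python
# Added example: minimal longest-prefix-match routing simulator showing why a
# ping from a VPN client (172.27.224.0/24) can fail on the reply leg while the
# same ping from the OpenVPN server's own LAN address works. All tables assumed.
from ipaddress import ip_address, ip_network

def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop), ...]; None if no route."""
    best = None
    for net, nh in table:
        net = ip_network(net)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

# Constructed topology (assumption): OpenVPN server on LAN 192.168.3.0/24,
# "core" is the router that knows every site, "site6" owns 192.168.6.0/23
# but was given static routes only for the 192.168.x LANs, not the VPN pool.
ROUTERS = {
    "openvpn": [("172.27.224.0/24", "connected"), ("192.168.3.0/24", "connected"),
                ("0.0.0.0/0", "core")],
    "core": [("192.168.3.0/24", "connected"), ("192.168.6.0/23", "site6"),
             ("172.27.224.0/24", "openvpn")],
    "site6": [("192.168.6.0/23", "connected"), ("192.168.3.0/24", "core")],
}

def trace(routers, start, dst, max_hops=8):
    """Return the router path to dst, or None if some hop has no route."""
    here, path = start, [start]
    for _ in range(max_hops):
        nh = lookup(routers[here], dst)
        if nh is None:
            return None            # no matching entry: packet dropped here
        if nh == "connected":
            return path            # this router delivers to dst directly
        here = nh
        path.append(here)
    return None

def ping_ok(routers, src_router, src_ip, dst_ip):
    """A ping works only if the echo AND the reply both find a path."""
    fwd = trace(routers, src_router, dst_ip)
    return fwd is not None and trace(routers, fwd[-1], src_ip) is not None

def with_route(routers, router, net, next_hop):
    """Copy of the tables with one static route added (the fix suggested above)."""
    return {**routers, router: routers[router] + [(net, next_hop)]}

def on_link(host_ip, mask, peer_ip):
    """Would a host with this mask treat peer_ip as directly connected?"""
    return ip_address(peer_ip) in ip_network(f"{host_ip}/{mask}", strict=False)
```

With the constructed tables, a ping sourced from 192.168.3.10 reaches site 6 and comes back, the same ping sourced from 172.27.224.5 is dropped at "site6" on the reply, and adding a 172.27.224.0/24 route on that router makes it succeed.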