Cannot pass traffic through openvpn either KVM or LXC

stillzy

New Member
Jan 7, 2019
OK, so basically I have a VM that is an OpenVPN server. My Proxmox is connected to my firewall. Basically my OpenVPN tun IPs can't communicate with anything, not even each other. I've built Linux bridges, OVS bridges, enabled IP forwarding, and I really can't figure it out. The only other thing I think it could be is maybe the NIC? Has anyone seen this before?

My main subnet is 10.1.15.0/24
My OpenVPN server is 10.1.15.123
and my OpenVPN clients are 10.1.9.0/26

From 10.1.15.1 (let's say) I can ping 10.1.9.1, but from 10.1.9.1 I can't ping 10.1.15.1
 
To consider this topic, more information about the network configuration is needed, e.g.: where are the OpenVPN clients? Is 10.1.9.0/26 another network at Proxmox or the VPN address range?
 
Thanks for replying

My Proxmox bridge is 10.1.15.0/24, the VPN server is 10.1.15.123, the external router is 10.1.15.254, and the VPN subnet 10.1.9.0/26 lives on 10.1.15.123. On my external router, 10.1.9.0/26 is routed to 10.1.15.123.
 
There is probably a mistake somewhere in the routing tables and/or firewall settings, but the information is still too little to seriously consider what it could be.

Follow the packets via tcpdump according to your routing architecture in order to figure out the missing link.
 
So basically tcpdump is telling me that the packets aren't even leaving the VM. Looks like something on the Proxmox bridge is blocking outbound packets sourced from an IP address other than the Proxmox bridge subnet. I've disabled the firewall on Proxmox but it's still not working... any suggestions? Routing is good coming into the box but something on the Proxmox host is blocking outbound.
 
Routing is good coming into the box but something on the proxmox host is blocking outbound.

I don't think so - I have a lot of OpenVPN tunnels running on VMs, containers and Proxmox hosts; whenever packets have not been sent to the requested destination, the routing was not correct. But as already mentioned: without information about the IP configuration of all involved nodes, such as
Code:
ip addr
ip route
iptables-save
brctl show
ovs-vsctl show

no analysis is possible.
 
My Proxmox server:




ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr10 state UP group default qlen 1000
link/ether 78:2b:cb:7f:44:21 brd ff:ff:ff:ff:ff:ff
3: vmbr10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 78:2b:cb:7f:44:21 brd ff:ff:ff:ff:ff:ff
inet 10.1.15.100/24 brd 10.1.15.255 scope global vmbr10
valid_lft forever preferred_lft forever
inet6 fe80::7a2b:cbff:fe7f:4421/64 scope link
valid_lft forever preferred_lft forever
4: tap101i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr10 state UNKNOWN group default qlen 1000
link/ether 8a:f3:25:ed:86:37 brd ff:ff:ff:ff:ff:ff
5: tap102i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr10 state UNKNOWN group default qlen 1000
link/ether fa:8b:53:e6:65:54 brd ff:ff:ff:ff:ff:ff
6: tap103i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr10 state UNKNOWN group default qlen 1000
link/ether 4e:df:65:ea:e3:04 brd ff:ff:ff:ff:ff:ff
7: tap104i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr10 state UNKNOWN group default qlen 1000
link/ether f2:d2:76:f0:b0:9e brd ff:ff:ff:ff:ff:ff
root@salem-nh-svr-vms:~# ip route
default via 10.1.15.254 dev vmbr10 onlink
10.1.15.0/24 dev vmbr10 proto kernel scope link src 10.1.15.100
root@salem-nh-svr-vms:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Jan 18 12:09:40 2019
*filter
:INPUT ACCEPT [1375:1070532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [958:440990]
COMMIT
# Completed on Fri Jan 18 12:09:40 2019
root@salem-nh-svr-vms:~# brctl show
bridge name     bridge id               STP enabled     interfaces
vmbr10          8000.782bcb7f4421       no              eno1
                                                        tap101i0
                                                        tap102i0
                                                        tap103i0
                                                        tap104i0
root@salem-nh-svr-vms:~# ovs-vsctl show
2fee5a47-eda5-4666-932e-9a6a33d48a27
ovs_version: "2.6.2"
root@salem-nh-svr-vms:~#




Please let me know what I am missing....
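
An added example, not part of any post in this thread: the "follow the packets according to your routing architecture" advice carried out as a hop-by-hop longest-prefix lookup over each node's `ip route` output. The Proxmox host table is the one posted above and the router's static route is the one described in the thread; the router's interface name `lan0` and the whole VPN VM table are assumptions, since that output was never posted.

```python
import ipaddress

# Route tables keyed by node address. 10.1.15.100 is the posted Proxmox host
# output; 10.1.15.254 holds the static route described in the thread (lan0 is
# a made-up device name); the 10.1.15.123 table is constructed, not posted.
TABLES = {
    "10.1.15.100": """default via 10.1.15.254 dev vmbr10 onlink
10.1.15.0/24 dev vmbr10 proto kernel scope link src 10.1.15.100""",
    "10.1.15.254": """10.1.15.0/24 dev lan0 scope link
10.1.9.0/26 via 10.1.15.123 dev lan0""",
    "10.1.15.123": """default via 10.1.15.254 dev eth0
10.1.15.0/24 dev eth0 scope link
10.1.9.0/26 dev tun0 scope link""",
}

def parse_routes(text):
    """Turn `ip route` lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        gw = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, gw, f[f.index("dev") + 1]))
    return routes

def lookup(node, dst):
    """Longest-prefix match, as the kernel does; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in parse_routes(TABLES[node]) if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(src_node, dst, max_hops=8):
    """Follow dst hop by hop; returns a list of (node, device, next hop)."""
    path, node = [], src_node
    for _ in range(max_hops):
        route = lookup(node, dst)
        if route is None:
            path.append((node, None, "NO ROUTE"))
            break
        _, gw, dev = route
        path.append((node, dev, gw or "direct"))
        if gw is None or gw not in TABLES:
            break   # on-link delivery, or a hop whose table we do not have
        node = gw
    return path
```

Under these assumptions `trace("10.1.15.100", "10.1.9.1")` goes host, router, VPN VM, while the reply `trace("10.1.15.123", "10.1.15.100")` is delivered directly on the bridge, so each hop named in the output is a place to run tcpdump and confirm the packet actually appears.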
 
