Cannot ping host after double OpenVPN connection

[gabor.varga]

Hi,

I have built the following network structure:
- Home location
- Two Azure tenants with 3 virtual networks
- Three untangle appliances


Between untangle boxes BGP is configured and routes (seems) are properly configured. At least the proper routes are including from BGP on all boxes.

Machine 10.2.0.1 has a public IP in Azure to could test the network traffic.

The following scenarios are working:
- Ping from Home to 10.1.0.132
- Ping from 10.100.254.4 to 10.1.0.132
- Ping from 10.1.0.132 to 10.100.254.4 and 192.168.10.1
- Ping from 10.1.0.132 to 10.2.0.1 (VNET peering is working fine)
- Ping from 10.2.0.1 to 10.1.0.132

The following scenarios are not working:
- Ping from Home (192.168.10.100) to 10.2.0.1
- Ping from 10.100.254.4 to 10.2.0.1
- Ping from 10.2.0.1 to 192.168.10.1
- Ping from 10.2.0.1 to 10.100.254.4

Traceroute from 192.168.10.100 to 10.2.0.4 stops on the device in the middle (10.100.254.4):
PS C:\Users\myuser> tracert -d 10.2.0.4

Tracing route to 10.2.0.4 over a maximum of 30 hops

1 3 ms 1 ms 1 ms 192.168.10.1
2 54 ms 53 ms 53 ms 172.16.110.1
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.


IP address from range 172.16.110.0/24 are the OpenVPN address:
172.16.110.10 = router 10.1.0.132
172.16.110.2 = router 10.100.254.4
172.16.110.6 = router 192.168.10.1

Do you have any idea, why the traffic is not passing through 10.1.0.132 untangle box? I already tried everything. All traffic from other locations can reach the box 10.1.0.132 and back. All traffic from 10.1.0.132 can reach every endpoints on every locations.

Do you have any idea what I should configure on untangle box 10.1.0.132 to the traffic can pass through and reach all endpoints?

In case I change the VPN configuration, and remove the VPN link between 10.1.0.132 and 10.100.254.4 and create a new one between 192.168.10.1 and 10.1.0.132 everything works fine without any problem. However, traffic between 10.100.254.4 and 10.1.0.132 is not working (but this is not important now).

Thanks!
Gabor

[sky-knight]

Azure Tenant 1's OpenVPN module is missing an export for 10.2.0.0/24

Without this, clients connecting to it won't have a route for that IP range, and therefore will not connect. Full tunnel is likely in play, and that's making more work than would otherwise.

[gabor.varga]

It is coming from BGP. At least it appears in BGP imported networks and appears in route of all untangle boxes.

[sky-knight]

It can appear in Untangle all it wants, if it's not in the export list the OpenVPN clients of that OpenVPN server clients connecting to it can't access it.

Untangle has access, the OpenVPN client does not.

Another way to look at it, the Exports are not only routes for the openvpn clients, but also ACLs (firewall).

P.S. You might want to make sure that the Azure Tenant 2 Untangle has a route for Azure Tenant 1s OpenVPN address pool range too... though if you're using NAT with OpenVPN there it shouldn't care.

[gabor.varga]

It can appear in Untangle all it wants, if it's not in the export list the OpenVPN clients of that OpenVPN server clients connecting to it can't access it.

Untangle has access, the OpenVPN client does not.

Another way to look at it, the Exports are not only routes for the openvpn clients, but also ACLs (firewall).

P.S. You might want to make sure that the Azure Tenant 2 Untangle has a route for Azure Tenant 1s OpenVPN address pool range too... though if you're using NAT with OpenVPN there it shouldn't care.

Ahh ok. I will check it then. I believed if I export it via BGP only it will work without any problem.