#1 Newbie (Join Date: Jan 2021, Posts: 3)

Cannot ping host after double OpenVPN connection

    Hi,

    I have built the following network structure:
    - Home location
    - Two Azure tenants with 3 virtual networks
    - Three untangle appliances


    Between the Untangle boxes BGP is configured and the routes seem to be properly configured. At least the proper routes are imported from BGP on all boxes.

    Machine 10.2.0.1 has a public IP in Azure so that I could test the network traffic.

    The following scenarios are working:
    - Ping from Home to 10.1.0.132
    - Ping from 10.100.254.4 to 10.1.0.132
    - Ping from 10.1.0.132 to 10.100.254.4 and 192.168.10.1
    - Ping from 10.1.0.132 to 10.2.0.1 (VNET peering is working fine)
    - Ping from 10.2.0.1 to 10.1.0.132

    The following scenarios are not working:
    - Ping from Home (192.168.10.100) to 10.2.0.1
    - Ping from 10.100.254.4 to 10.2.0.1
    - Ping from 10.2.0.1 to 192.168.10.1
    - Ping from 10.2.0.1 to 10.100.254.4

    Traceroute from 192.168.10.100 to 10.2.0.4 stops on the device in the middle (10.100.254.4):
    PS C:\Users\myuser> tracert -d 10.2.0.4

    Tracing route to 10.2.0.4 over a maximum of 30 hops

    1 3 ms 1 ms 1 ms 192.168.10.1
    2 54 ms 53 ms 53 ms 172.16.110.1
    3 * * * Request timed out.
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 * * * Request timed out.
    8 * * * Request timed out.
    9 * * * Request timed out.
    10 * * * Request timed out.


    IP addresses from the range 172.16.110.0/24 are the OpenVPN addresses:
    172.16.110.10 = router 10.1.0.132
    172.16.110.2 = router 10.100.254.4
    172.16.110.6 = router 192.168.10.1

    Do you have any idea why the traffic is not passing through the 10.1.0.132 Untangle box? I have already tried everything. All traffic from the other locations can reach the box 10.1.0.132 and back. All traffic from 10.1.0.132 can reach every endpoint at every location.

    Do you have any idea what I should configure on the Untangle box 10.1.0.132 so that the traffic can pass through and reach all endpoints?

    In case I change the VPN configuration, remove the VPN link between 10.1.0.132 and 10.100.254.4 and create a new one between 192.168.10.1 and 10.1.0.132, everything works fine without any problem. However, traffic between 10.100.254.4 and 10.1.0.132 is then not working (but this is not important now).

    Thanks!
    Gabor
    Last edited by gabor.varga; 01-24-2021 at 06:03 AM.

#2 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 25,789)

    Azure Tenant 1's OpenVPN module is missing an export for 10.2.0.0/24

    Without this, clients connecting to it won't have a route for that IP range, and therefore will not connect. Full tunnel is likely in play, and that's making more work than there would otherwise be.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 Newbie (Join Date: Jan 2021, Posts: 3)

    It is coming from BGP. At least it appears in BGP imported networks and appears in route of all untangle boxes.

#4 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 25,789)

    It can appear in Untangle all it wants; if it's not in the export list, the OpenVPN clients connecting to that OpenVPN server can't access it.

    Untangle has access, the OpenVPN client does not.

    Another way to look at it, the Exports are not only routes for the openvpn clients, but also ACLs (firewall).

    P.S. You might want to make sure that the Azure Tenant 2 Untangle has a route for Azure Tenant 1's OpenVPN address pool range too... though if you're using NAT with OpenVPN there it shouldn't care.
    Last edited by sky-knight; 01-24-2021 at 10:08 AM.
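To make the "exports are routes plus ACLs" point concrete, here is an added illustration in plain OpenVPN terms of what the hub box at 10.1.0.132 has to carry for the traffic in post #1 to flow. It is not the thread's configuration and not Untangle's own generated config; it assumes a routed site-to-site setup in which 10.1.0.132 runs the OpenVPN server and the boxes at 192.168.10.1 and 10.100.254.4 are clients, that the two remote LANs are 192.168.10.0/24 and 10.100.254.0/24 (masks assumed, the thread only gives host addresses), and that the client names in the ccd directory are "home" and "remote2" (names assumed). The address pool 172.16.110.0/24 and the 10.1.0.0/24 and 10.2.0.0/24 networks are the ones from the thread; the directives are standard OpenVPN.

```conf
# server.conf on the hub (10.1.0.132). Added example, not from the thread.
server 172.16.110.0 255.255.255.0      # VPN address pool from the thread
topology subnet
client-config-dir /etc/openvpn/ccd     # per-client iroute files live here

# "Exports": each line is a route pushed to every connecting client AND
# the only reason the hub kernel has a reason to forward to that prefix
# for them. A prefix learned via BGP but never pushed is reachable from
# the hub itself, not from the tunnel peers.
push "route 10.1.0.0 255.255.255.0"    # tenant 1 VNET (already worked)
push "route 10.2.0.0 255.255.255.0"    # peered VNET: the missing export

# Remote LANs behind the clients. 'route' installs the kernel route into
# tun0; the matching 'iroute' in the ccd file tells OpenVPN which peer
# owns the prefix. Masks are assumed.
route 192.168.10.0 255.255.255.0
route 10.100.254.0 255.255.255.0

# /etc/openvpn/ccd/home      (client name assumed)
#   iroute 192.168.10.0 255.255.255.0
#   push "route 10.100.254.0 255.255.255.0"
#
# /etc/openvpn/ccd/remote2   (client name assumed)
#   iroute 10.100.254.0 255.255.255.0
#   push "route 192.168.10.0 255.255.255.0"
```

Two things follow from this layout. First, with no `client-to-client` directive, traffic between the two remote sites leaves tun0, crosses the hub's kernel FORWARD chain and re-enters tun0, so the hub firewall rules on tun0 are the ACL that post #4 describes; a prefix that is routed but not permitted there is dropped just as if it were not exported. Second, the return path matters as much as the forward path: hosts in 10.2.0.0/24 (and the Azure route table in front of them) need a route for 172.16.110.0/24, 192.168.10.0/24 and 10.100.254.0/24 pointing back at 10.1.0.132, unless the hub source-NATs tunnel traffic, which is the caveat in the P.S. of post #4.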

#5 Newbie (Join Date: Jan 2021, Posts: 3)

    Quote Originally Posted by sky-knight:
    It can appear in Untangle all it wants; if it's not in the export list, the OpenVPN clients connecting to that OpenVPN server can't access it.

    Untangle has access, the OpenVPN client does not.

    Another way to look at it, the Exports are not only routes for the openvpn clients, but also ACLs (firewall).

    P.S. You might want to make sure that the Azure Tenant 2 Untangle has a route for Azure Tenant 1's OpenVPN address pool range too... though if you're using NAT with OpenVPN there it shouldn't care.

    Ahh ok. I will check it then. I believed that if I exported it via BGP only it would work without any problem.
