Client cannot ping server's local IP

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Client cannot ping server's local IP

Post by TurboSlayer » Fri Sep 30, 2022 1:38 pm

What currently works:
  • Client can access the internet and other devices in the LAN
  • Client's public IP is the same as the LAN's
Problem details:
  • I am using the SecureNAT function, not a bridge
  • The client can ping other devices in the LAN, but not the server computer
  • When using tcpdump, the server receives the ping but it cannot send it back to the client
  • The pings are also visible on the NAT session table. It says the destination is 0.0.0.0 and it has send size but no receive size.
  • I cannot ping the public IP and nothing shows up on the session table when I try
I have two final goals:
  • To access a local service hosted on my server machine (doesn't work, but I think it worked before)
  • To route all client traffic through the VPN (done)
I have already read this section in the manual. I guess for some strange reason, the virtual NAT doesn't return dummy packets when pinging the server:
When virtual NAT is enabled, sending ICMP packets via IP addresses assigned by a virtual host network interface as routers, and further sending said packets to a separate host results in the virtual NAT returning dummy ICMP echo response packets to all ICMP echo request packets. This is a specification of the SoftEther VPN whereby this operation becomes inevitable because most operating systems do not allow the transmission of arbitrary ICMP packets in network APIs which can be called up with user authority. When using Virtual NAT it is therefore impossible to confirm the existence of a host on the other side of a Virtual NAT router using ICMP packets.
Any help would be appreciated.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Sat Oct 01, 2022 12:35 am

It looks like a SE server on Linux. Use a soft tap to work around the kernel limitation.

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Sat Oct 01, 2022 3:33 am

Once again I am not using a local bridge, so I assume this also applies to the NAT function?

If that is the case then are you saying that I have to bridge the virtual hub with a new tap? Then I would be able to communicate with the physical adapter via vpn?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Sat Oct 01, 2022 4:37 am

yes; yes; yes

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Sat Oct 01, 2022 5:44 am

I've added the bridge between my virtual hub and the new tap device but I still cannot ping the host/access webserver. Doesn't work even after restarting the VPN server. I shouldn't need to turn off NAT right? Should I restart the host machine?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Sat Oct 01, 2022 6:55 am

should; should; more

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Sun Oct 02, 2022 12:50 pm

It still doesn't work but I've got a couple of updates.
  • Right now my setup looks like this: Virtual hub - tap - ethernet. The bridge connecting tap and ethernet is called br0. The bridge between the virtual hub and tap was created using the SE server manager.
  • br0 has an ip from my router so that I can still remotely access the machine.
  • My machine is constantly at a minimum of 2 MB/s upload usage for no apparent reason. When the client is connected it can go up to 7 MB/s. I've tried using the command shown on this page to possibly help with this, but it just gives me an error (the page looks old so it may just be outdated).
  • The situation is exactly the same - I can ping/access other servers on the LAN but not the host itself.
  • I've only been testing the VPN on my phone's hotspot. And for some reason, my phone can't ping my server's public IP even when not connected to the VPN. However, it can SSH into my server. This is probably irrelevant though.
  • I'm still using SecureNAT
I would just like to clarify that I should be using br0's ip when trying to access the host machine via VPN?

Also here is my client's ip route show, after connecting to the VPN:

Code:

~ ip route show
default via 192.168.30.1 dev vpn_vpn  
(server_public_ip) via 172.20.10.1 dev wlp8s0  
172.20.10.0/28 dev wlp8s0 proto kernel scope link src 172.20.10.4  
192.168.30.0/24 dev vpn_vpn proto kernel scope link src 192.168.30.10

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Sun Oct 02, 2022 1:56 pm

Disable SecNAT and post as code from the server:
  • ifconfig
  • route -n
  • iptables -S
  • cat /proc/sys/net/ipv4/ip_forward
  • brctl show
  • vpncmd localhost:port /server /password:*** /cmd BridgeDeviceList
  • vpncmd localhost:port /server /password:*** /cmd BridgeList
  • //replace: *** with SE admin password; @@@ with VPN hub's name

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Sun Oct 02, 2022 2:50 pm

For the ones where I removed irrelevant stuff, it was basically just docker.
FYI my ethernet device is eno1.

ifconfig (I removed the irrelevant devices):

Code:

br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::5ca8:44ff:fefa:4426  prefixlen 64  scopeid 0x20<link>
        ether 5e:a8:44:fa:44:26  txqueuelen 1000  (Ethernet)
        RX packets 8218650  bytes 4617357289 (4.6 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88558080  bytes 25812432163 (25.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether a8:a1:59:43:25:eb  txqueuelen 1000  (Ethernet)
        RX packets 8213643  bytes 4765466417 (4.7 GB)
        RX errors 0  dropped 12  overruns 0  frame 0
        TX packets 88620567  bytes 26170578879 (26.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xb1200000-b1220000  

tap_fullaccess: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5c76:95ff:fe90:9cf8  prefixlen 64  scopeid 0x20<link>
        ether 5e:76:95:90:9c:f8  txqueuelen 1000  (Ethernet)
        RX packets 22146  bytes 1146963 (1.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 73568857  bytes 19460621440 (19.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
		
route -n (br-6c025368abdd, tun0 and docker0 are for docker)

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0
0.0.0.0         192.168.1.1     0.0.0.0         UG    425    0        0 br0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-6c025368abdd
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
iptables -S

Code:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -p udp -m multiport --dports 4011 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4000 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-6c025368abdd -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-6c025368abdd -j DOCKER
-A FORWARD -i br-6c025368abdd ! -o br-6c025368abdd -j ACCEPT
-A FORWARD -i br-6c025368abdd -o br-6c025368abdd -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.18.0.2/32 ! -i br-6c025368abdd -o br-6c025368abdd -p udp -m udp --dport 53 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-6c025368abdd -o br-6c025368abdd -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-6c025368abdd -o br-6c025368abdd -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-6c025368abdd ! -o br-6c025368abdd -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-6c025368abdd -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -s 192.168.1.11/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A ufw-user-input -s 192.168.1.11/32 -p udp -m udp --dport 3389 -j ACCEPT
-A ufw-user-input -s 192.168.1.11/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A ufw-user-input -s 192.168.1.11/32 -p udp -m udp --dport 3306 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2456 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 2456 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3333 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 3333 -j ACCEPT
-A ufw-user-input -s 192.168.1.11/32 -p tcp -m tcp --dport 4000 -j ACCEPT
-A ufw-user-input -s 192.168.1.11/32 -p udp -m udp --dport 4000 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 32400 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 32400 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25565 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 25565 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7777 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 7777 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 1194 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 989 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 989 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 53 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 992 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 992 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
cat /proc/sys/net/ipv4/ip_forward

Code:

1
brctl show (I removed irrelevant entries once again)

Code:

bridge name	bridge id		STP enabled	interfaces
br0		8000.5ea844fa4426	yes		eno1
							tap_fullaccess	
vpncmd localhost:port /server /password:*** /cmd BridgeDeviceList (br-6c025368abdd, tun0 and docker0 are for docker)

Code:

br-6c025368abdd
br0
docker0
eno1
veth7e793fe
vethbdcc115
wlp2s0
vpncmd localhost:port /server /password:*** /cmd BridgeList

Code:

Number|Virtual Hub Name|Network Adapter or Tap Device Name|Status
------+----------------+----------------------------------+---------
1     |fullaccess      |fullaccess                        |Operating

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Sun Oct 02, 2022 11:57 pm

Can you confirm that after disabling SecNAT clients can access LAN? If not, fix it with Linux replacements before proceeding.

Next, "accept" EVERYTHING in iptables for the duration of this test and ping the server from a client. If still no go, post the client's routing and arp tables.

Incidentally, if you prefer there is another 2x bridge config to access the server but on a different subnet:

Code:

	   |---NIC---LAN
	 vHUB 
	   |---TAP (standalone)

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Mon Oct 03, 2022 4:07 am

What kind of routing do I need to do on the client with SecNAT disabled? Usually with SecNAT I would start a dhcp client for the virtual IP but since it's disabled this obviously doesn't work anymore. It doesn't seem to work out of the box though - it cannot access any devices on the LAN.

Also what do you mean by Linux replacements? My client is currently running linux if that's what you mean.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Mon Oct 03, 2022 8:58 am

SecNAT's Linux replacements are iptables' nat and dnsmasq for dhcp and client's routing.

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Mon Oct 03, 2022 12:28 pm

If you don't mind, I'm going to need a bit of help with the DHCP server.

I'm still running the Hub - Tap - Ethernet setup. I do not have any iptables NAT entries yet.

I've tried setting dnsmasq to listen on Bridge and Tap but that didn't work. I even tried listening on all interfaces and that didn't work either. Currently I only have the interfaces and the dhcp-range option set.

The way I've been testing it is by connecting to the VPN then running dhclient on my VPN interface.

Please let me know if something's wrong.


Also, which config do you personally recommend? Yours below or my current one?
Incidentally, if you prefer there is another 2x bridge config to access the server but on a different subnet:
	   |---NIC---LAN
	 vHUB
	   |---TAP (standalone)

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Mon Oct 03, 2022 1:44 pm

Try this diagnostic check on your Hub - Tap - Ethernet setup:

on the server run:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

on the client set a static IP 192.168.1.222
then ping the server @192.168.1.2

???

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Mon Oct 03, 2022 4:16 pm

Nope that doesn't work. tcpdump on br0 and tap do not show anything either. Strange.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Tue Oct 04, 2022 12:34 am

Please prep the hub as follows:
Log Save Setting / Save Packet Log: ON / ICMP Packet: Header Only

Make a VPN connection and from the client post as code the output of:
  • ifconfig
  • route -n
  • traceroute 192.168.1.2
  • ping -n 2 192.168.1.2
  • arp
  • SE's packet_log //Redact your public IP and remove irrelevant events.
Since the config with a tap/etc and SecNAT works for non-server addr, enable SecNAT, switch the client to DHCP, and for comparison make another VPN connection and from the client post as code the output of:
  • ifconfig
  • route -n
  • traceroute 192.168.1.1
  • ping -n 2 192.168.1.1
  • arp
  • SE's packet_log //Redact your public IP and remove irrelevant events.

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Fri Oct 07, 2022 11:09 am

Without SecNAT:

Code:

~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 08:97:98:9c:8b:f1 brd ff:ff:ff:ff:ff:ff
3: wlp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 14:f6:d8:14:f1:d1 brd ff:ff:ff:ff:ff:ff
    inet 172.20.10.4/28 brd 172.20.10.15 scope global dynamic noprefixroute wlp8s0
       valid_lft 86350sec preferred_lft 86350sec
    inet6 fe80::e825:a6f8:b3f3:ee5d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: vpn_vpn: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 5e:65:8c:ba:c2:a9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5c65:8cff:feba:c2a9/64 scope link 
       valid_lft forever preferred_lft forever
 
~ ip route show
default via 172.20.10.1 dev wlp8s0 proto dhcp src 172.20.10.4 metric 600 
172.20.10.0/28 dev wlp8s0 proto kernel scope link src 172.20.10.4 metric 600
 
~ tracepath 192.168.1.2
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              3.099ms 
 1:  _gateway                                              3.209ms 
 2:  10.82.107.179                                        86.530ms 
 3:  10.82.107.177                                        47.538ms 
 4:  10.82.3.134                                          39.516ms asymm  7 
 5:  10.82.3.114                                          43.168ms asymm  6 
 6:  no reply
 
~ ping -n 2 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(124) bytes of data.
^C
--- 192.168.1.2 ping statistics ---
28 packets transmitted, 0 received, 100% packet loss, time 27369ms
 
~ ip neighbour
172.20.10.1 dev wlp8s0 lladdr 0a:87:c7:87:c2:64 REACHABLE 
fe80::2ae:c6ff:fe00:aec6 dev vpn_vpn lladdr 00:ae:c6:2e:04:13 DELAY
As for the packet log, I don't see any ping traffic. I only get these periodically:

Code:

2022-10-07,17:49:51.860,SID-NAME-4,-,5E658CBAC2A9,333300000002,0x86DD,70,ICMPv6,Router Soliciation,fe80::5c65:8cff:feba:c2a9,-,ff02::2,-,-,-,SourceLinkLayer=5E658CBAC2A9,-,public.ip(port=43020),-

With SecNAT (included tracepath, traceroute -I and traceroute):

Code:

~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 08:97:98:9c:8b:f1 brd ff:ff:ff:ff:ff:ff
3: wlp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 14:f6:d8:14:f1:d1 brd ff:ff:ff:ff:ff:ff
    inet 172.20.10.4/28 brd 172.20.10.15 scope global dynamic wlp8s0
       valid_lft 84760sec preferred_lft 84760sec
    inet6 fe80::e825:a6f8:b3f3:ee5d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: vpn_vpn: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 5e:65:8c:ba:c2:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.30.10/24 brd 192.168.30.255 scope global vpn_vpn
       valid_lft forever preferred_lft forever
    inet6 fe80::5c65:8cff:feba:c2a9/64 scope link 
       valid_lft forever preferred_lft forever
 
~ ip route show
default via 192.168.30.1 dev vpn_vpn 
publicip via 172.20.10.1 dev wlp8s0 (I added this myself)
172.20.10.0/28 dev wlp8s0 proto kernel scope link src 172.20.10.4 
192.168.30.0/24 dev vpn_vpn proto kernel scope link src 192.168.30.10
 
~ tracepath 192.168.1.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  no reply
 
~ traceroute -I 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.30.1)  89.397 ms  89.392 ms  89.390 ms
 2  192.168.1.1 (192.168.1.1)  89.386 ms  89.390 ms  95.671 ms
 
~ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  * * *
 
~ ping -n 2 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(124) bytes of data.
^C
--- 192.168.1.1 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10127ms
 
~ ip neighbour
192.168.30.1 dev vpn_vpn lladdr 5e:c2:c4:9c:9a:b1 REACHABLE 
172.31.199.47 dev vpn_vpn lladdr 00:ae:c6:2e:04:13 STALE 
172.20.10.1 dev wlp8s0 lladdr 0a:87:c7:87:c2:64 REACHABLE 
fe80::2ae:c6ff:fe00:aec6 dev vpn_vpn lladdr 00:ae:c6:2e:04:13 DELAY
Packet log contains:
  • ping: request and reply
  • ping -n 2: request only

Code:

~ ping -n 2 192.168.1.1
2022-10-07,18:42:03.128,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:42:04.105,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:42:05.153,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:42:06.141,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-

~ ping 192.168.1.1
2022-10-07,18:43:35.991,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,98,ICMPv4,Echo Request,192.168.30.10,-,192.168.1.1,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:43:35.991,SID-SECURENAT-5,SID-NAME-8,5EC2C49C9AB1,5E658CBAC2A9,0x0800,98,ICMPv4,Echo Reply,192.168.1.1,-,192.168.30.10,-,-,-,-,-,-,public.ip(port=44884)
2022-10-07,18:43:36.968,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,98,ICMPv4,Echo Request,192.168.30.10,-,192.168.1.1,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:43:36.978,SID-SECURENAT-5,SID-NAME-8,5EC2C49C9AB1,5E658CBAC2A9,0x0800,98,ICMPv4,Echo Reply,192.168.1.1,-,192.168.30.10,-,-,-,-,-,-,public.ip(port=44884)
2022-10-07,18:43:38.017,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,98,ICMPv4,Echo Request,192.168.30.10,-,192.168.1.1,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:43:38.017,SID-SECURENAT-5,SID-NAME-8,5EC2C49C9AB1,5E658CBAC2A9,0x0800,98,ICMPv4,Echo Reply,192.168.1.1,-,192.168.30.10,-,-,-,-,-,-,public.ip(port=44884)
2022-10-07,18:43:38.985,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,98,ICMPv4,Echo Request,192.168.30.10,-,192.168.1.1,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:43:38.985,SID-SECURENAT-5,SID-NAME-8,5EC2C49C9AB1,5E658CBAC2A9,0x0800,98,ICMPv4,Echo Reply,192.168.1.1,-,192.168.30.10,-,-,-,-,-,-,public.ip(port=44884)
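An added example, not part of the thread or of SoftEther: the packet log solo asked for is plain CSV, so the request/reply correlation can be scripted instead of read by eye. The log above also explains one oddity in it. On Linux iputils ping, `-n` takes no argument (it is the Windows `ping` that uses `-n <count>`), so the `2` in `ping -n 2 192.168.1.1` is taken as an extra host argument; a bare number is parsed as the address 0.0.0.2, which is exactly the destination the four unanswered Echo Requests carry, and the `56(124)` in ping's banner instead of the usual `56(84)` shows that ping added an IP option (iputils treats extra host arguments as loose-source-route hops). The script below assumes only POSIX sh and awk; the sample lines are copied from the thread's log.

```shell
#!/bin/sh
# Added example (not from the thread): correlate ICMP Echo Requests with
# Echo Replies in a SoftEther packet_log and report destinations that never
# answered. Assumes only POSIX sh and awk.
#
# packet_log field layout (comma separated), taken from the lines in the thread:
#   1 date  2 time  3 src session  4 dst session  5 src MAC  6 dst MAC
#   7 ethertype  8 frame size  9 protocol  10 type  11 src IP  12 src port
#   13 dst IP  14 dst port  ...

# Sample input copied from the thread's log: the four unanswered requests to
# 0.0.0.2 and two of the answered request/reply pairs to 192.168.1.1.
SAMPLE_LOG='2022-10-07,18:42:03.128,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:42:04.105,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:42:05.153,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:42:06.141,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,106,ICMPv4,Echo Request,192.168.30.10,-,0.0.0.2,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:43:35.991,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,98,ICMPv4,Echo Request,192.168.30.10,-,192.168.1.1,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:43:35.991,SID-SECURENAT-5,SID-NAME-8,5EC2C49C9AB1,5E658CBAC2A9,0x0800,98,ICMPv4,Echo Reply,192.168.1.1,-,192.168.30.10,-,-,-,-,-,-,public.ip(port=44884)
2022-10-07,18:43:36.968,SID-NAME-8,SID-SECURENAT-5,5E658CBAC2A9,5EC2C49C9AB1,0x0800,98,ICMPv4,Echo Request,192.168.30.10,-,192.168.1.1,-,-,-,-,-,public.ip(port=44884),-
2022-10-07,18:43:36.978,SID-SECURENAT-5,SID-NAME-8,5EC2C49C9AB1,5E658CBAC2A9,0x0800,98,ICMPv4,Echo Reply,192.168.1.1,-,192.168.30.10,-,-,-,-,-,-,public.ip(port=44884)'

# icmp_unanswered: read packet_log lines on stdin and print, sorted, one line
# per (src, dst) pair that sent more Echo Requests than it got Echo Replies:
#   <src> -> <dst> requests=<n> replies=<m>[ note]
# A reply is matched by swapping its src/dst back to the request's pair.
icmp_unanswered() {
    awk -F',' '
        $9 == "ICMPv4" && $10 == "Echo Request" { req[$11 " -> " $13]++ }
        $9 == "ICMPv4" && $10 == "Echo Reply"   { rep[$13 " -> " $11]++ }
        END {
            for (pair in req) {
                got = (pair in rep) ? rep[pair] : 0
                if (req[pair] > got) {
                    split(pair, ends, " -> ")
                    note = ""
                    # Nothing lives in 0.0.0.0/8; a bare number handed to ping
                    # as a host ("2") is parsed as the address 0.0.0.2.
                    if (ends[2] ~ /^0\./) note = " (destination in 0.0.0.0/8: a bare number was parsed as a host?)"
                    printf "%s requests=%d replies=%d%s\n", pair, req[pair], got, note
                }
            }
        }' | sort
}

# Stand-alone run: analyse the embedded sample. Real use on the server:
#   icmp_unanswered < packet_log/<hub>/<logfile>
printf '%s\n' "$SAMPLE_LOG" | icmp_unanswered
```

Run against the thread's sample it prints one line, `192.168.30.10 -> 0.0.0.2 requests=4 replies=0`, with the 0.0.0.0/8 note; the `192.168.1.1` pair is balanced and does not appear. Because it keys on the IP pair rather than on session IDs, it works the same for SecureNAT sessions and for local-bridge traffic.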

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Fri Oct 07, 2022 1:39 pm

Great logs, thanks, I see a problem here:
"on the client set a static IP 192.168.1.222"
- but your log shows no static IP:

Code:

4: vpn_vpn: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 5e:65:8c:ba:c2:a9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5c65:8cff:feba:c2a9/64 scope link 
Can you re-configure it properly, or try the static IP test from a Windows SE client which is much easier to work with?

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Sun Oct 09, 2022 7:27 am

My bad, here is the output with a static IP set.

There's been a breakthrough though. I redid my Eth-tap bridge, and all of a sudden my dnsmasq server worked! I tried starting a DHCP client with SecNAT and saw that it assigned me an IP outside of the specified subnet in the server manager. Now I can use DHCP on my client without SecNAT, and access my host machine.

However, I still need to be able to route internet traffic through the VPN. What would be the best way to do this?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Sun Oct 09, 2022 8:25 am

TurboSlayer wrote:
Sun Oct 09, 2022 7:27 am
I still need to be able to route internet traffic through the VPN. What would be the best way to do this?
In dnsmasq.conf set...
dhcp-option=3,192.168.1.2
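An added example, not from the thread or from the SoftEther project, covering what solo earlier called SecureNAT's Linux replacements (iptables NAT plus dnsmasq for DHCP and client routing) together with the `dhcp-option=3` gateway push above. It is for the topology where the virtual hub is local-bridged only to a standalone tap device; in the hub - tap - Ethernet bridge the thread ends up with, the LAN router's DHCP is enough and none of this is needed. Names are assumptions: tap `tap_vpn` (SoftEther names the tap `tap_<local bridge name>`, as `tap_fullaccess` above), VPN subnet 192.168.7.0/24 with the host at .1, LAN NIC eno1 (from the thread), and Debian's `/etc/dnsmasq.d/` drop-in directory. The INPUT rules are there because this host's INPUT policy is DROP, and ufw sends UDP 67 on any interface to that policy.

```shell
#!/bin/sh
# Added example (not from the thread): the Linux replacement for SecureNAT
# for a virtual hub that is local-bridged to a standalone tap device only.
# The host owns the tap subnet, dnsmasq hands out leases on it and pushes the
# host as gateway/DNS, and the kernel NATs VPN clients out of the LAN NIC.
# Assumed (hypothetical) names: tap_vpn, 192.168.7.0/24, LAN NIC eno1.
set -eu

TAP="${TAP:-tap_vpn}"
LAN_IF="${LAN_IF:-eno1}"
TAP_ADDR="${TAP_ADDR:-192.168.7.1}"
TAP_NET="${TAP_NET:-192.168.7.0/24}"
POOL_START="${POOL_START:-192.168.7.100}"
POOL_END="${POOL_END:-192.168.7.199}"

# render_dnsmasq: serve DHCP only on the tap; option 3 (router) and option 6
# (DNS) point at the host, which is the "dhcp-option=3,<server>" idea from
# the thread generalised to the tap's own subnet.
render_dnsmasq() {
    cat <<EOF
interface=${TAP}
bind-interfaces
dhcp-range=${POOL_START},${POOL_END},255.255.255.0,12h
dhcp-option=3,${TAP_ADDR}
dhcp-option=6,${TAP_ADDR}
EOF
}

# render_net: addressing, forwarding and NAT as idempotent commands
# (iptables -C succeeds when the rule already exists). FORWARD is scoped to
# the tap/NIC pair and MASQUERADE to the VPN subnet, so the host's FORWARD
# policy can stay DROP for everything else. INPUT rules let the DHCP and DNS
# server on the tap be reached despite an INPUT DROP policy.
render_net() {
    cat <<EOF
ip addr replace ${TAP_ADDR}/${TAP_NET#*/} dev ${TAP}
ip link set ${TAP} up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -s ${TAP_NET} -o ${LAN_IF} -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s ${TAP_NET} -o ${LAN_IF} -j MASQUERADE
iptables -C FORWARD -i ${TAP} -o ${LAN_IF} -s ${TAP_NET} -j ACCEPT 2>/dev/null || iptables -I FORWARD 1 -i ${TAP} -o ${LAN_IF} -s ${TAP_NET} -j ACCEPT
iptables -C FORWARD -i ${LAN_IF} -o ${TAP} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -I FORWARD 1 -i ${LAN_IF} -o ${TAP} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -C INPUT -i ${TAP} -p udp --dport 67 -j ACCEPT 2>/dev/null || iptables -I INPUT 1 -i ${TAP} -p udp --dport 67 -j ACCEPT
iptables -C INPUT -i ${TAP} -p udp --dport 53 -j ACCEPT 2>/dev/null || iptables -I INPUT 1 -i ${TAP} -p udp --dport 53 -j ACCEPT
EOF
}

case "${1:-}" in
    apply)  # run as root on the server after vpnserver has created the tap
        render_net | sh -e
        render_dnsmasq > /etc/dnsmasq.d/softether-tap.conf
        systemctl restart dnsmasq ;;
    *)      # default: print what "apply" would do, for review
        render_net; echo; render_dnsmasq ;;
esac
```

Without an argument the script only prints the commands and the dnsmasq fragment so they can be reviewed; `apply` as root installs them. The tap is created by vpnserver when the local bridge starts, so the address and rules must be applied after it (a systemd unit ordered after the vpnserver service, or re-running `apply`), and the client gets its address with `dhclient` on its VPN interface exactly as with SecureNAT.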

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Mon Oct 10, 2022 10:33 am

Sorry, my bad, but I realised that my router was the one acting as the DHCP server. What would be the best course of action considering this?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Mon Oct 10, 2022 11:00 am

If your objective for VPN clients is to access LAN, SE server and internet, then the router's DHCP/NAT is OK.

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Tue Oct 11, 2022 5:00 am

Alright, thanks for all the help.

Just tried connecting and saw that my bridge and vpn server were down, so I restarted those but I can't seem to get an IP address from my router via the VPN. How should I diagnose this?

All I did was start the server, then add my tap interface to the bridge using brctl. Am I missing anything?

Here's the console output when I try to start dhclient:

Code:

Internet Systems Consortium DHCP Client 4.4.3
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/vpn_vpn/5e:65:8c:ba:c2:a9
Sending on   LPF/vpn_vpn/5e:65:8c:ba:c2:a9
Sending on   Socket/fallback
DHCPDISCOVER on vpn_vpn to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on vpn_vpn to 255.255.255.255 port 67 interval 9
DHCPDISCOVER on vpn_vpn to 255.255.255.255 port 67 interval 19
DHCPDISCOVER on vpn_vpn to 255.255.255.255 port 67 interval 17
DHCPDISCOVER on vpn_vpn to 255.255.255.255 port 67 interval 8
No DHCPOFFERS received.
No working leases in persistent database - sleeping.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Tue Oct 11, 2022 6:49 am

No worries, on the server disable dnsmasq and run:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -F

Make a VPN connection and from the server post as code the output of:

ifconfig
route -n
brctl show
SE's packet_log //check timestamps and remove events before the client's connection time

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Tue Oct 11, 2022 10:10 am

Ok so it worked after changing the iptables rules. The problem seems to be my FORWARD policy - after a reboot it turns back to DROP. So I have two questions:
  • I know I can just google this, but what would be the most recommended way to make this iptables option persistent?
  • Would you recommend dockerising SE (I'd assume this would work by setting network:host) or should I make it into a normal service?
Thanks again for pointing me in the right direction.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Client cannot ping server's local IP

Post by solo » Tue Oct 11, 2022 10:20 am

OK, do this:

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4
//not sure if it is effective with Docker
and install SE as service

Cheers
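An added example, not from the thread or from the SoftEther project. `iptables -P FORWARD ACCEPT` fixed the problem, but it opens routed forwarding for everything on a host that also runs Docker and ufw, and ufw re-applies `DEFAULT_FORWARD_POLICY` from `/etc/default/ufw` every time it starts, which is why the policy flipped back to DROP after the reboot. The bridged VPN frames only reach the FORWARD chain because br_netfilter is loaded (Docker turns on `bridge-nf-call-iptables`), so a narrower fix is to accept only frames that are being bridged across br0 (`-m physdev --physdev-is-bridged`) and to install that rule from a oneshot systemd unit ordered after ufw and docker. The bridge name `br0` is from the thread; the unit name `softether-bridge-fw` and the path `/usr/local/sbin/softether-bridge-fw.sh` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): persist a scoped forwarding rule for
# frames bridged between the SoftEther tap and the LAN NIC through br0,
# instead of the blanket "iptables -P FORWARD ACCEPT" used in the thread.
# Assumed (hypothetical) names: unit softether-bridge-fw, rules script
# /usr/local/sbin/softether-bridge-fw.sh; bridge br0 is from the thread.
set -eu

BRIDGE="${BRIDGE:-br0}"
RULE_SCRIPT="${RULE_SCRIPT:-/usr/local/sbin/softether-bridge-fw.sh}"
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"

# render_rules: the script that installs the rule at boot. It is idempotent
# (iptables -C succeeds if the rule is already present) and inserts at the
# top of FORWARD so neither ufw's nor Docker's chains see bridged frames.
# Routed packets are not matched, so the FORWARD policy can stay DROP.
render_rules() {
    cat <<EOF
#!/bin/sh
# Accept frames that br_netfilter hands to iptables while they are being
# bridged across ${BRIDGE} (VPN tap <-> LAN NIC). Routed traffic still hits
# the FORWARD policy ufw sets, so Docker isolation and ufw rules stay intact.
set -eu
RULE="-i ${BRIDGE} -o ${BRIDGE} -m physdev --physdev-is-bridged -j ACCEPT"
iptables -C FORWARD \$RULE 2>/dev/null || iptables -I FORWARD 1 \$RULE
EOF
}

# render_unit: oneshot unit ordered after ufw and docker, both of which
# rewrite the FORWARD chain when they start (ufw re-applies
# DEFAULT_FORWARD_POLICY from /etc/default/ufw, which undid the manual
# "iptables -P FORWARD ACCEPT" on reboot in the thread).
render_unit() {
    cat <<EOF
[Unit]
Description=Allow bridged VPN frames across ${BRIDGE}
After=network.target ufw.service docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=${RULE_SCRIPT}

[Install]
WantedBy=multi-user.target
EOF
}

# install_files: write both files. Run as root on the server, then:
#   systemctl daemon-reload && systemctl enable --now softether-bridge-fw
install_files() {
    render_rules > "${RULE_SCRIPT}"
    chmod 0755 "${RULE_SCRIPT}"
    render_unit > "${UNIT_DIR}/softether-bridge-fw.service"
}

case "${1:-}" in
    install) install_files ;;
    *)       render_rules; echo; render_unit ;;   # default: show, do not touch the system
esac
```

`iptables-persistent`, as suggested above, restores the saved table early in boot; with ufw enabled, a saved `-P FORWARD ACCEPT` is overwritten when `ufw.service` starts, so either order the restore after ufw as this unit does or put the same physdev rule into the `ufw-before-forward` chain in `/etc/ufw/before.rules`, which is where the chain of that name in the `iptables -S` dump above is populated from.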

TurboSlayer
Posts: 14
Joined: Fri Sep 30, 2022 1:09 pm

Re: Client cannot ping server's local IP

Post by TurboSlayer » Tue Oct 11, 2022 12:11 pm

Thanks. I ended up creating a systemd service which allows me to run the iptables command when SE starts. 2 in 1.

Thanks for your help and I hope this thread will help anyone who encounters the same issue :)
