Hello, I am trying to set up an OpenVPN server to make internal services available to external users (OpenVPN clients).
But I cannot reach any internal resources. I might be missing something, but this is as basic as I could make it, and still traffic is not routed to internal resources.
// Release version: 1.4-rolling-202403221102
$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address           MAC                VRF      MTU    S/L    Description
-----------  -------------------  -----------------  -------  -----  -----  ------------------
eth0         100.100.100.100/32   de:00:00:12:ed:6f  default  1500   u/u
eth1         172.16.4.7/22        02:00:00:12:00:e7  default  1500   u/u
lo           127.0.0.1/8          00:00:00:00:00:00  default  65536  u/u
             ::1/128
vtun10       10.23.32.1/32        n/a                default  1500   u/u
$ route -v
Kernel IP routing table
Destination      Gateway          Genmask          Flags  Metric  Ref  Use  Iface
default          one-gw-to-rule-  0.0.0.0          UG     0       0    0    eth0
10.23.32.0       10.23.32.2       255.255.255.0    UG     0       0    0    vtun10
10.23.32.2       0.0.0.0          255.255.255.255  UH     0       0    0    vtun10
one-gw-to-rule-  0.0.0.0          255.255.255.255  UH     0       0    0    eth0
172.16.4.0       0.0.0.0          255.255.252.0    U      0       0    0    eth1
$ ping 172.16.4.11
PING 172.16.4.11 (172.16.4.11) 56(84) bytes of data.
64 bytes from 172.16.4.11: icmp_seq=1 ttl=64 time=0.848 ms
64 bytes from 172.16.4.11: icmp_seq=2 ttl=64 time=0.619 ms
$ arp -a
one-gw-to-rule- (62.210.0.1) at de:00:00:12:ed:70 [ether] on eth0
? (172.16.4.10) at 02:00:00:13:a8:9c [ether] on eth1
? (172.16.4.8) at 02:00:00:27:ee:e3 [ether] on eth1
? (172.16.4.2) at <incomplete> on eth1
? (172.16.4.6) at 02:00:00:16:f3:9f [ether] on eth1
? (172.16.4.9) at 02:00:00:19:5e:53 [ether] on eth1
? (172.16.4.11) at 02:00:00:1b:ba:a6 [ether] on eth1
? (169.254.169.254) at 00:00:22:05:ca:1e [ether] on eth1
? (172.16.4.3) at 02:00:00:19:95:75 [ether] on eth1
$ show openvpn server
OpenVPN status on vtun10
Client CN     Remote Host           Tunnel IP    Local Host    TX bytes    RX bytes    Connected Since
------------  --------------------  -----------  ------------  ----------  ----------  -------------------
user-1        5.5.5.5:44492         10.23.32.6   N/A           5.3 KB      5.4 KB      2025-02-26 07:43:55
configuration
firewall {
    ipv4 {
        input {
            filter {
                default-action "drop"
                default-log
                rule 10 {
                    action "accept"
                    protocol "tcp"
                    state "established"
                    state "related"
                }
                rule 20 {
                    action "accept"
                    protocol "icmp"
                }
                rule 30 {
                    action "accept"
                    protocol "udp"
                    source {
                        port "53"
                    }
                }
                rule 50 {
                    action "accept"
                    description "OpenVPN server"
                    destination {
                        port "1194"
                    }
                    protocol "udp"
                }
                rule 1000 {
                    action "accept"
                    description "Allow SSH"
                    destination {
                        port "22"
                    }
                    protocol "tcp"
                    source {
                        address "100.100.100.100/32"
                    }
                }
                rule 1010 {
                    action "accept"
                    description "Allow all from LAN"
                    protocol "tcp"
                    source {
                        address "172.16.4.0/22"
                    }
                }
                rule 1050 {
                    action "accept"
                    description "Allow all from OpenVPN subnet"
                    source {
                        address "10.23.32.0/24"
                    }
                }
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address "dhcp"
    }
    ethernet eth1 {
        address "dhcp"
    }
    loopback lo {
    }
    openvpn vtun10 {
        encryption {
            cipher "aes256"
        }
        hash "sha512"
        local-port "1194"
        mode "server"
        openvpn-option "duplicate-cn"
        persistent-tunnel
        protocol "udp"
        server {
            push-route 172.16.4.0/22 {
            }
            subnet "10.23.32.0/24"
        }
        tls {
            ca-certificate "ca-1"
            certificate "srv-1"
            dh-params "dh-1"
        }
    }
}
When I try to ping a device behind eth0, it times out, but I can ping the eth0 interface IP.
[from the client, when connected to the VyOS router]
❯ ping 172.16.4.7
PING 172.16.4.7 (172.16.4.7): 56 data bytes
64 bytes from 172.16.4.7: icmp_seq=0 ttl=64 time=116.502 ms
64 bytes from 172.16.4.7: icmp_seq=1 ttl=64 time=299.593 ms
64 bytes from 172.16.4.7: icmp_seq=2 ttl=64 time=203.667 ms
^C
--- 172.16.4.7 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 116.502/206.587/299.593/74.775 ms
❯ ping 172.16.4.11
PING 172.16.4.11 (172.16.4.11): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 172.16.4.11 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
Could anyone point me to what I'm missing here? Thanks!