Changes between Initial Version and Version 1 of 285-everything-seems-to-be-configured-correctly-but-i-cant-ping-across-the-tunnel


Timestamp: 04/30/16 13:12:19
Author: Samuli Seppänen
= Everything seems to be configured correctly, but I can't ping across the tunnel =

Make sure that your options match on both sides of the connection. See below for more info.

Some connection problems are caused by incompatible crypto, compression, or MTU options on either side of the tunnel. If you are using any of the following options on one side of the connection, make sure that you precisely match it on the other side:

* --cipher
* --auth
* --keysize
* --dev tun|tap [unit number need not match]
* --dev-type tun|tap
* --link-mtu
* --udp-mtu
* --tun-mtu
* --no-replay
* --no-iv
* --comp-lzo
* --fragment
* --tun-ipv6
* --tls-auth
* --secret
* --key-method
* --tls-client [matched with --tls-server on the other end of the connection]
* --tls-server [matched with --tls-client on the other end of the connection]
* --ifconfig x y [matched with --ifconfig y x on the other end of the connection]
* --proto udp
* --proto tcp-client [matched with --proto tcp-server on the other end of the connection]
* --proto tcp-server [matched with --proto tcp-client on the other end of the connection]

It is also useful to try to isolate the problem, e.g. is the crypto support working independently of the networking code? You can test this with:
{{{
openvpn --genkey --secret key
openvpn --test-crypto --secret key
}}}
Other loopback tests are presented in the INSTALL file.

Many connectivity problems start at the firewall. For example, if an OpenVPN daemon is tunneling data to and from a given TUN or TAP virtual adapter, a firewall rule must be present to permit incoming traffic on that TUN/TAP adapter. On a Linux iptables-based firewall you can enable incoming packets on a TUN device with this command:
{{{
iptables -A INPUT -i tun+ -j ACCEPT
}}}
or similarly you can enable incoming packets on a TAP device:
{{{
iptables -A INPUT -i tap+ -j ACCEPT
}}}
tcpdump or Wireshark are also very useful tools for troubleshooting connection problems. tcpdump can be used to show encrypted tunnel traffic transiting OpenVPN's UDP port:
{{{
tcpdump -i eth0 udp port 1194
}}}
The above example assumes that your connection to the internet is via eth0, and that you are using UDP port 1194 as the tunnel port (the default). tcpdump can also be used to show unencrypted traffic on OpenVPN's virtual TUN/TAP device:
{{{
tcpdump -i tun0
}}}
In the above example, replace tun0 with the name of the TUN/TAP device. ifconfig can be used to show active network devices, both real and virtual. Also, note that you cannot mix --dev tun and --dev tap on different ends of the connection. Use one or the other consistently. If you are connecting different versions of OpenVPN, check the compatibility page.
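As an added example (not from the OpenVPN project or this FAQ), a small Python checker that reads two OpenVPN config files and reports the mismatches the option list above warns about, including the paired cases (--tls-client/--tls-server, --ifconfig x y / y x, --proto tcp-client/tcp-server, --dev tun vs tap with the unit number ignored). It assumes config-file syntax (one option per line without the leading dashes) and, for --tls-auth and --secret, compares only presence, since the key path may legitimately differ per side; the sample configs are constructed.

```python
# Options whose arguments must be identical on both sides.
SAME = ["cipher", "auth", "keysize", "link-mtu", "udp-mtu", "tun-mtu", "no-replay",
        "no-iv", "comp-lzo", "fragment", "tun-ipv6", "key-method"]
# Key-file options: both sides need them, but paths may differ, so only presence is checked.
PRESENT = ["tls-auth", "secret"]
# --proto values and the value required on the other end.
COUNTERPART = {"udp": "udp", "tcp-client": "tcp-server", "tcp-server": "tcp-client"}

def parse(text):
    """Parse 'option args...' config lines (skipping # and ; comments) into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#")[0].split(";")[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def mismatches(a, b):
    """Return human-readable descriptions of every option that does not match."""
    bad = []
    for opt in SAME:
        if a.get(opt) != b.get(opt):
            bad.append(f"--{opt}: {a.get(opt)} vs {b.get(opt)}")
    for opt in PRESENT:
        if (opt in a) != (opt in b):
            bad.append(f"--{opt}: set on one side only")
    # --dev: tun vs tap must agree; the unit number (tun0 vs tun) need not.
    dev = [(x.get("dev") or ["?"])[0].rstrip("0123456789") for x in (a, b)]
    if dev[0] != dev[1]:
        bad.append(f"--dev: {dev[0]} vs {dev[1]}")
    # --proto: udp on both ends, or tcp-client matched with tcp-server.
    pa, pb = ((x.get("proto") or ["udp"])[0] for x in (a, b))
    if COUNTERPART.get(pa) != pb:
        bad.append(f"--proto: {pa} vs {pb}")
    # --tls-client on one end must be matched by --tls-server on the other.
    if ("tls-client" in a) != ("tls-server" in b) or ("tls-server" in a) != ("tls-client" in b):
        bad.append("--tls-client/--tls-server: not paired")
    # --ifconfig x y on one end must be --ifconfig y x on the other.
    if a.get("ifconfig", [])[::-1] != b.get("ifconfig", []):
        bad.append(f"--ifconfig: {a.get('ifconfig')} vs {b.get('ifconfig')}")
    return bad

# Constructed sample pair: the client disagrees on --dev, --cipher and --comp-lzo.
SERVER = ("dev tun\nproto tcp-server\nifconfig 10.8.0.1 10.8.0.2\ntls-server\n"
          "cipher AES-256-CBC\ncomp-lzo\ntls-auth ta.key\n")
CLIENT = ("dev tap0\nproto tcp-client\nifconfig 10.8.0.2 10.8.0.1\ntls-client\n"
          "cipher AES-128-CBC\ntls-auth /etc/openvpn/ta.key\n")
print(*mismatches(parse(SERVER), parse(CLIENT)), sep="\n")
```

To use it on real files, pass the contents of each side's config to `parse()` and hand both results to `mismatches()`; an empty list means the options this FAQ lists agree.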
     50
[wiki:FAQ Return to FAQ]