Thursday, November 28, 2019

Packet loss from an openVPN client to a VLAN it's attached to.

Hello,

I am a bit lost with this one and would be grateful for your help!

The Setup

The network consists of HP V1910-24G switches. The whole company is still running on VLAN_ID_1 within 192.168.2.0. The server running the openVPN server on Ubuntu Server is attached to VLAN_ID_30 within 192.168.22.0.

In the future, I want to create multiple VLANs with VPNs that connect to them. So consider this to be the evaluation setup.

The Server's Interfaces

The Ubuntu Server is connected to Port 14 on a switch, which is configured like this:

  • untagged membership: 30
  • tagged membership: 1
  • Link Type: Hybrid
  • PVID: 30

The interfaces of the server:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 4c:cc:6a:44:e0:db brd ff:ff:ff:ff:ff:ff
        inet 192.168.22.100/24 brd 192.168.22.255 scope global enp2s0
           valid_lft forever preferred_lft forever
        inet6 fe80::4ecc:6aff:fe44:e0db/64 scope link
           valid_lft forever preferred_lft forever
    3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
        link/none
        inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
           valid_lft forever preferred_lft forever
        inet6 fe80::8e8e:ff24:1aa3:fe9/64 scope link stable-privacy
           valid_lft forever preferred_lft forever
    4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
        link/ether 02:42:8c:ec:6b:11 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
           valid_lft forever preferred_lft forever
    5: vlan_1_buero@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 4c:cc:6a:44:e0:db brd ff:ff:ff:ff:ff:ff
        inet 192.168.2.100/24 brd 192.168.2.255 scope global vlan_1_buero
           valid_lft forever preferred_lft forever
        inet6 fe80::4ecc:6aff:fe44:e0db/64 scope link
           valid_lft forever preferred_lft forever
    6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 52:54:00:e3:00:d2 brd ff:ff:ff:ff:ff:ff
        inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
           valid_lft forever preferred_lft forever
    7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
        link/ether 52:54:00:e3:00:d2 brd ff:ff:ff:ff:ff:ff
    11: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN group default qlen 1000
        link/ether fe:54:00:03:5f:60 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc54:ff:fe03:5f60/64 scope link
           valid_lft forever preferred_lft forever

The openVPN config

    port 1194
    proto udp
    dev tun
    ca ......
    cert ......
    key ......
    dh ......
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /var/log/openvpn/ipp.txt
    push "route 192.168.22.0 255.255.255.0"
    push "route 192.168.2.0 255.255.255.0"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    verb 3
    explicit-exit-notify 1

The Problem

I can't ping any device in the 192.168.2.0 net besides the gateway/router (192.168.2.1) over the VPN connection. 99% of the packets get lost. Here I have a tcpdump showing a ping packet that succeeded in getting back to the pinging device.

    13:52:33.558835 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
    13:52:33.558862 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
    13:52:33.558866 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
    13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
    13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
    13:52:33.559427 Out ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64

Here is a packet that did not make it back to the VPN client.

    13:52:34.571763 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
    13:52:34.571790 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
    13:52:34.571794 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
    13:52:34.572286 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 52, length 64

Seems like something is wrong with the VLAN tag on the packets.

How can I troubleshoot this? Thank you all!
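One way to make the two captures above comparable, as an added example that is not part of the original post: a small Python script that parses tcpdump lines in the format shown (the `In`/`Out` form produced by capturing on all interfaces with link-level headers), groups packets by ICMP (id, seq), and reports for each echo whether the reply was ever seen with an 802.1Q tag and whether the server forwarded it out again. The sample lines are copied from the two captures in the post; the interface names and the idea that a tagged frame appears once on enp2s0 and once on vlan_1_buero are assumptions based on the interface list above.

```python
import re
import sys
from collections import defaultdict

# Capture lines copied from the post: seq 51 is the echo that made it back to
# the VPN client, seq 52 the one that did not. One packet per line.
SAMPLE_CAPTURE = """\
13:52:33.558835 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558862 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558866 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559427 Out ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:34.571763 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571790 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571794 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.572286 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 52, length 64
"""

# Matches the tcpdump line layout shown in the post; the MAC and the
# "vlan N, p P, ethertype IPv4," part are only present on some lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>In|Out)\s+"
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+)?"
    r"ethertype\s+(?P<eth>IPv4|802\.1Q)\s+\([^)]*\),\s+length\s+\d+:\s+"
    r"(?:vlan\s+(?P<vlan>\d+),\s+p\s+\d+,\s+ethertype\s+IPv4,\s+)?"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP\s+echo\s+(?P<kind>request|reply),"
    r"\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it is not ICMP echo."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "dir": d["dir"], "kind": d["kind"],
        "vlan": int(d["vlan"]) if d["vlan"] else None,
        "src": d["src"], "dst": d["dst"],
        "id": int(d["id"]), "seq": int(d["seq"]),
    }


def analyze(capture_text):
    """Group packets by ICMP (id, seq) and decide what happened to each reply."""
    flows = defaultdict(list)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            flows[(pkt["id"], pkt["seq"])].append(pkt)

    report = {}
    for key, pkts in sorted(flows.items()):
        requests_out = [p for p in pkts if p["kind"] == "request" and p["dir"] == "Out"]
        replies_in = [p for p in pkts if p["kind"] == "reply" and p["dir"] == "In"]
        request_vlan = next((p["vlan"] for p in requests_out if p["vlan"] is not None), None)
        # Assumption: when capturing on all interfaces, a tagged frame is seen
        # twice on the way in (802.1Q on enp2s0, then untagged on the
        # vlan_1_buero sub-interface). A reply that is never seen tagged
        # therefore arrived untagged on enp2s0 itself, i.e. on the port's
        # untagged/PVID VLAN, not on VLAN 1.
        reply_tagged = any(p["vlan"] is not None for p in replies_in)
        reply_forwarded = any(p["kind"] == "reply" and p["dir"] == "Out" for p in pkts)
        if reply_forwarded:
            verdict = "delivered"
        elif not replies_in:
            verdict = "no-reply-from-lan"
        elif not reply_tagged:
            verdict = "untagged-reply-dropped"
        else:
            verdict = "tagged-reply-not-forwarded"
        report[key] = {
            "request_vlan": request_vlan,
            "reply_tagged": reply_tagged,
            "reply_forwarded": reply_forwarded,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    # Pipe a capture in on stdin, or run without input to use the sample lines.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for (icmp_id, seq), r in analyze(text).items():
        print(f"id {icmp_id} seq {seq}: request out on vlan {r['request_vlan']}, "
              f"reply tagged={r['reply_tagged']}, forwarded={r['reply_forwarded']} "
              f"-> {r['verdict']}")
```

Run over the two captures, the script reports seq 51 as delivered and seq 52 as an untagged reply that was never forwarded to tun0. That is the asymmetry to chase on the switch side: both requests leave tagged as VLAN 1, but the failing reply comes back untagged, which on a hybrid port with PVID 30 means the switch delivered it in VLAN 30. On the host side, note that the kernel's reverse-path filter (`net.ipv4.conf.*.rp_filter`) drops a packet whose source address is routed via a different interface than the one it arrived on, so an untagged 192.168.2.x reply landing on enp2s0 instead of vlan_1_buero is a candidate for exactly that silent drop; the sysctl value is worth checking while the switch configuration is being reviewed.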


