DEV Community

Arseny Zinchenko
Arseny Zinchenko

Posted on • Originally published at rtfm.co.ua on

OpenVPN: the No route to host and ERR_ADDRESS_UNREACHABLE errors – the cause and a solution

#networking #openvpn #security

We have an OpenVPN Access Server running, see its setup in the OpenVPN: OpenVPN Access Server set up and AWS VPC peering configuration post.

The VPN server is hosted in a one AWS VPC, and a Bitwarden service – in another one VPC.

Between those VPCs we have a VPC peering configured, and the OpenVPN has to route traffic between users and the Bitwarden host.

The problem is that if try to access the Bitwarden host (see the Bitwarden: an organization’s password manager self-hosted version installation on an AWS EC2 post about its setup) – we have the” ERR_ADDRESS_UNREACHABLE/No route to host ” error:

$ curl https://accounts.example.com
curl: (7) Failed to connect to accounts.example.com port 443: No route to host

Check the IP of the Bitwarden’s URL:

$ dig accounts.example.com +short
ec2-63-***-***-138.eu-west-1.compute.amazonaws.com.
172.31.41.159

172.31.41.159 – okay, it is resolved to a private IP, all good here (see the AWS: VPC peering DNS resolution and DNS settings for OpenVPN Access Server for details about DNS resolution setup).

Now, check the NAT rules in the OpenVPN server admin page – do we have a route to the 172.31.16.0/20 network:

Okay – the route is added.

Check a local route table:

$ route -n | grep 172.27.248.1
10.0.1.0        172.27.248.1    255.255.255.0   UG    101    0        0 tun0
10.0.3.0        172.27.248.1    255.255.255.0   UG    101    0        0 tun0
10.0.5.0        172.27.248.1    255.255.255.0   UG    101    0        0 tun0
10.0.10.0       172.27.248.1    255.255.255.0   UG    101    0        0 tun0
172.27.224.0    172.27.248.1    255.255.240.0   UG    101    0        0 tun0
172.31.16.0     172.27.248.1    255.255.240.0   UG    101    0        0 tun0

172.31.16.0 172.27.248.1

And here is our route – looks good? But still doesn’t work.

Check the hosts in this network:

$ ipcalc 172.31.16.0/20
Address:   172.31.16.0          10101100.00011111.0001 0000.00000000
Netmask:   255.255.240.0 = 20   11111111.11111111.1111 0000.00000000
Wildcard:  0.0.15.255           00000000.00000000.0000 1111.11111111

=>

Network:   172.31.16.0/20       10101100.00011111.0001 0000.00000000
HostMin:   172.31.16.1          10101100.00011111.0001 0000.00000001
HostMax:   172.31.31.254        10101100.00011111.0001 1111.11111110
Broadcast: 172.31.31.255        10101100.00011111.0001 1111.11111111
Hosts/Net: 4094                  Class B, Private Internet

And pay attention to the HostMax: 172.31. 31.254, while our Bitwarden host hosted in the 172.31. 41.0/24 subnet.

So, the solution could be to set a 172.31.31.0/18, subnet in the OpenVPN AS NAT routes, or to use 172.31.41.0/24.

Set it to the 172.31.41.0/24, re-connect and check local routes now:

$ route -n | grep 172.27.248.1
...
172.31.41.0     172.27.248.1    255.255.255.0   UG    101    0        0 tun0

Try with the curl:

$ curl -I https://accounts.example.com
HTTP/1.1 200 OK
Server: nginx/1.10.3
...

Done.

Similar posts

Top comments (0)

Read next

kachkolasa profile image

Laravel Application Security

Kachkol Asa -

kaazzu profile image

Understanding Stored XSS Attacks and How to Mitigate Them with Hono

kaazzu -

suin profile image

Securing external-dns: Encrypting TXT Registry Records

suin -

sty6x profile image

Scaling Zensearch's capabilities to query the whole database

FDiaz -