
[Openvpn-users] can't get traffic in both


  • Subject: [Openvpn-users] can't get traffic in both
  • From: Marcel Meyer <meyerm@xxxxxxxxx>
  • Date: Mon, 2 Feb 2004 13:59:21 +0100

Hi,

let me show you my config - I'm trying to get the notebook into the 
"realworld-IP-net":

mirror, the server has the official ip 123.123.123.42 - the gateway 
123.123.123.254

[code]
mirror root # brctl addbr br0
mirror root # brctl addif br0 eth0
mirror root # brctl addif br0 tap0
mirror root # ifconfig eth0 0.0.0.0 promisc
mirror root # ifconfig tap0 0.0.0.0 promisc
mirror root # ifconfig br0 123.123.123.42 netmask 255.255.255.0 broadcast 123.123.123.255
mirror root # route add default gw 123.123.123.254
# I'm quite sure that everything until here is correct... :-)
mirror root # openvpn --dev tap0 --secret /root/static.key --daemon
mirror root # ifconfig
br0       Link encap:Ethernet  HWaddr 00:80:48:CD:97:27
          inet addr:123.123.123.42  Bcast:123.123.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:80:48:CD:97:27
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr 00:FF:29:92:15:72
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
mirror root # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
123.123.123.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         123.123.123.254 0.0.0.0         UG    0      0        0 br0
[/code]


yavin, the client has the unofficial ip 10.10.10.68 - the gateway here 
10.10.10.254

[code]
yavin root # openvpn --dev tap0 --secret /root/fachschaft.key --remote 123.123.123.42 --daemon
yavin root # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.10.10.254    0.0.0.0         UG    1      0        0 eth0
yavin root # route del default gw 10.10.10.254
yavin root # route add 123.123.123.42 gw 10.10.10.254
yavin root # ifconfig tap0 123.123.123.137 netmask 255.255.255.0
yavin root # route add -net 123.123.123.0 netmask 255.255.255.0 dev tap0
yavin root # route add default gw 123.123.123.254
yavin root # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
123.123.123.42  10.10.10.254    255.255.255.255 UGH   0      0        0 eth0
123.123.123.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         123.123.123.254 0.0.0.0         UG    0      0        0 tap0
yavin root # ping -c1 123.123.123.42
PING 123.123.123.42 (123.123.123.42) 56(84) bytes of data.
64 bytes from 123.123.123.42: icmp_seq=1 ttl=58 time=17.4 ms

--- 123.123.123.42 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.432/17.432/17.432/0.000 ms
yavin root # ping -c1 123.123.123.1
PING 123.123.123.1 (123.123.123.1) 56(84) bytes of data.
From 123.123.123.137 icmp_seq=1 Destination Host Unreachable

--- 123.123.123.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
[/code]

Hmm, you see that it doesn't work to ping through the VPN (.1 is called 
"mars") :-/. OK, let's have a look at "mirror" to find out why it fails.

[code]
mirror root # tcpdump -l -i br0 | grep icmp
tcpdump: listening on br0
21:47:40.395979 10.10.10.68 > mirror.bla.de: icmp: echo request (DF)
21:47:40.396093 mirror.bla.de > 10.10.10.68: icmp: echo reply
mirror root # tcpdump -l -i tap0
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: listening on tap0
21:48:24.919297 arp who-has mars.bla.de tell 123.123.123.137
21:48:25.919974 arp who-has mars.bla.de tell 123.123.123.137
21:48:26.923290 arp who-has mars.bla.de tell 123.123.123.137
[/code]

Hey, the second ping doesn't even reach the bridge interface... The reason is, 
the arp-reply didn't even reach yavin.
Now, it gets interesting (just one ping to .1 - .42 is already in the 
arp-cache and obviously working):

[code]
mirror root # tcpdump -l -i br0 | grep arp
21:50:47.089601 arp who-has mars.bla.de tell 123.123.123.137
21:50:47.090003 arp reply mars.bla.de is-at 8:0:20:72:5f:ba
mirror root # tcpdump -l -i tap0 | grep arp
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: listening on tap0
21:51:36.413451 arp who-has mars.bla.de tell 123.123.123.137
[/code]

Now you can see that packets are delivered to the VPN server on the br0 
interface. But why aren't they transmitted to the tap0 device? "brctl show" 
says it is included in the bridge...

Where is my error? I don't think I have to set a route on the server side 
since a) everything goes over br0 b) it is even not possible since I wanted 
to use dhcp over VPN. And this works - I got it to work myself... *g*

Thanks to everybody for reading so much.

Marcel

-- 
Marcel Meyer
| Netzwerk- und Rechnerorganisation / SET
| Fachschaft Mathematik/Physik/Informatik
| Technische Universitaet Muenchen
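
The comparison the post makes by eye, as an added example that is not part of the original message: it parses the two ARP captures quoted above (old tcpdump text format) and lists targets whose reply shows up on br0 but never on tap0. The function names are made up for this illustration, and the script only reports where the reply stops, not why.

```python
import re

# Old-style tcpdump text, copied from the two ARP captures in the post.
# The captures were taken one after the other, so they are compared per
# capture (what was asked, what was answered), not packet by packet.
BR0 = """\
21:50:47.089601 arp who-has mars.bla.de tell 123.123.123.137
21:50:47.090003 arp reply mars.bla.de is-at 8:0:20:72:5f:ba
"""
TAP0 = """\
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: listening on tap0
21:51:36.413451 arp who-has mars.bla.de tell 123.123.123.137
"""

WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"arp reply (\S+) is-at ([0-9A-Fa-f:]+)")


def normalize_mac(mac):
    """tcpdump drops leading zeros (8:0:20:...); pad each octet to two digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def arp_summary(capture):
    """Return (targets asked for, {target: MAC} answered) for one capture."""
    requested, answered = set(), {}
    for line in capture.splitlines():
        if (m := WHO_HAS.search(line)):
            requested.add(m.group(1))
        elif (m := REPLY.search(line)):
            answered[m.group(1)] = normalize_mac(m.group(2))
    return requested, answered


def replies_not_forwarded(lan_side, tunnel_side):
    """Targets answered on lan_side but only ever requested on tunnel_side."""
    _, lan_answers = arp_summary(lan_side)
    tun_requests, tun_answers = arp_summary(tunnel_side)
    return {t: lan_answers[t] for t in sorted(tun_requests)
            if t in lan_answers and t not in tun_answers}


if __name__ == "__main__":
    for target, mac in replies_not_forwarded(BR0, TAP0).items():
        print(f"reply for {target} ({mac}) seen on br0 but not on tap0")
```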


