Re: [Openvpn-users] Re: Problem with openvpn on multi-homed host

[John Locke <mail@xxxxxxxxxxxx>]

Hi, Evan,

Evan Harris wrote:

> > The problem comes up from the fact that openvpn doesn't appear to reply to
> > the other end of the tunnel with udp packets having the same source address
> > as the destination of the original packets.  Its sent replies have a source
> > ip address of the interface the reply packets were sent via.
> >
> > Normally that would be ok, because you can use the --float option and when
> > the replies from the server come back with a different ip, the peer (the
> > notebook) will see it and change the tunnel destination address to the
> > source of the packets, in this case the private ip of the server.
> >
> >    
> One last note I forgot to include:
>
> The reason we can't use --float is because the wireless routers are doing
> NAT.  When the reply comes back with a different source address, the router
> doesn't know it's really a reply to an existing udp connection, and it gets
> dropped.  And that keeps the tunnel from working.
>
>  
You know what I would try? Try setting up an SNAT rule in IPtables 
(presuming your gateway server is Linux) that rewrites all packets 
coming from the firewall zone going to the LAN zone in the port range 
you're using, to have a source address of the public interface.

Cheers,

--
John Locke
Open Source solutions for small business problems
http://freelock.com


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users