Re: [Openvpn-users] "zombie" one-way-to-client behaviour

[Jon Bendtsen <jon.bendtsen@xxxxxxxxxx>]

Den mandag 3.apr kl. 21:35 skrev Andrea Gronchi:

> Hi admins,
> i wanted to report a strange effect that I failed to investigate into.
>
> I have a tun-ed tcp-served openvpn server set up for multiple-links,
> spawning the 10.254.0.0/16 class.
> I also have several clients on it, and the whole setup runs perfectly
> fine from months now.
>
> So, it happened the other day to ping the wrong IP from one of  
> those clients.
> The server is supposed to take its role at 10.254.0.1: from the client
> 10.254.0.13, I launched a ping to 10.245.0.6 instead.
>
> To my astonishment, that system responded to me. How comes, since
> I explicitly don't have any client-to-client option on the server?
> I double-checked configurations and docs to find the explaination,
> with no considerable luck.

--client-to-client only means that openvpn sends the packet directly.
If you dont have it enabled, openvpn will sent the packet to the OS, and
then the OS will handle it. If you have no firewall and routing is  
enabled,
then the OS will sent it back through openvpn


> The fun part is: if I ping 10.254.0.13 from 10.254.0.6, it does not
> even attempts to route, just the way it is supposed to be.
> So how comes that 10.254.0.6 was able to respond to 10.254.0.13
> when pinged from there?

there might be a firewall at the other that disallows pinging?


> At now, none if the clients in the served subnet are able to  
> communicate
> openly, EXCEPT for 10.254.0.13->10.254.0.6 case (which appears to be
> different than the 10.254.0.6->10.254.0.13 case).
> This sounds absurd to me.

firewall?




JonB

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users