Re: [Openvpn-users] Problem with multiple push "route..."


  • Subject: Re: [Openvpn-users] Problem with multiple push "route..."
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Thu, 14 Sep 2006 20:24:41 +0200

Thomas Heidemann wrote:
> Hi!
> After the connection is initialised I can see outgoing packets on the ethernet interface from the client and from the server but no responses (not from the client and not from the server). So each party wants to reach the other - with no success.
> 
> In /proc/sys/net/ipv4/conf/tun0/rp_filter (of the server) I do have the value 0 (before connection and during the connection).
> 
> I think that I do not have to iroute the 192.168.1.0/24 network. This will be NATed and it's not a network behind my client. 

So you omitted the NAT box in your diagram?

Is your diagram about this right?

Client 192.168.1.100
|
192.168.1.1
NAT BOX
xx.xx.xx.xx
|
yy.yy.yy.yy
OpenVPN Server
192.168.a.1
|
192.168.a.x
gateway
10.1.b.1
|
----- remote subnet



> It's the network where the client is in! So the source address (from the
> view of the server) is the NAT box which protects my private network at
> home.
> But what I get are these messages:
> MULTI: bad source address from client [192.168.1.100], packet dropped

This packet does not appear to be NATed then, why?

> Which makes sense (somehow) because the initial connection came from my nat box (from the view of the server).

You should _never_ see a packet with a 192.168.1.x address arrive at the
OpenVPN server if they are NATed.

It might make a lot of sense if you revealed your real network topology
and some dumps. Hide and seek is no fun in this environment.

> 
> Do I have to set the iroute statement to 192.168.1.0/24? I think I have not to because the client (roadwarrior) can be in every subnet or network with NAT boxes. The very strange thing about that is, that when I use a http proxy within the connection, everything is working like a charm. No problem with connection loss, no problem with multiple route statements!?

You don't.

Erich
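
A way to triage the "bad source address" message discussed above across a server log, as an added example that is not part of the original e-mail or of OpenVPN itself. The function name `triage`, the tunnel pool `10.8.0.0/24` and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the thread; the bracketed value is the inner packet's source IP.
BAD_SRC = re.compile(r"MULTI: bad source address from client \[([^\]]+)\], packet dropped")

POOL = "tunnel-pool address not assigned to this client"
IROUTE = "inside an iroute subnet that belongs to another client"
LAN = "private LAN address sent into the tunnel without translation"
PUBLIC = "public address sent into the tunnel"

# Constructed sample lines (timestamps, client names and peer addresses are made up).
SAMPLE_LOG = [
    "Thu Sep 14 20:10:01 2006 roadwarrior/203.0.113.7:1194 MULTI: bad source address from client [192.168.1.100], packet dropped",
    "Thu Sep 14 20:10:02 2006 roadwarrior/203.0.113.7:1194 MULTI: bad source address from client [192.168.1.100], packet dropped",
    "Thu Sep 14 20:10:05 2006 other/203.0.113.9:1194 MULTI: bad source address from client [10.8.0.6], packet dropped",
    "Thu Sep 14 20:10:06 2006 roadwarrior/203.0.113.7:1194 Initialization Sequence Completed",
]

def triage(log_lines, tunnel_pool, iroutes=()):
    """Return {source_ip: (drop_count, classification)} for dropped packets.

    tunnel_pool: the server's virtual address pool (assumed value).
    iroutes: subnets declared behind clients with iroute (assumed, may be empty).
    """
    pool = ipaddress.ip_network(tunnel_pool)
    routed = [ipaddress.ip_network(n) for n in iroutes]
    counts = Counter()
    for line in log_lines:
        m = BAD_SRC.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # bracket content was not an IP address; skip the line
    report = {}
    for addr, n in counts.items():
        if addr in pool:
            kind = POOL
        elif any(addr in net for net in routed):
            kind = IROUTE
        else:
            kind = LAN if addr.is_private else PUBLIC
        report[str(addr)] = (n, kind)
    return report

if __name__ == "__main__":
    for ip, (n, kind) in triage(SAMPLE_LOG, "10.8.0.0/24").items():
        print(f"{ip}: {n} dropped, {kind}")
```
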
