Hi

Stefan Lamby wrote:
> Hi.
>
> I have been watching this list for a while and also read the manual.
> Trying to solve this for a month now, but don't understand:
>
> I am using openvpn in the standard configuration with dev=tun, udp on
> port 1194.
>
> My server running openvpn is a linux box, running SuSE linux with
> SuSEfirewall2 running.
>
> The intention is to remote control clients via tightvnc.
>
> When I shut down my firewall script, everything is running, so it is
> obvious that the problem is caused by the firewall.
>
> How can I find out, where exactly my problem is?

Oh my, if we would get a dime for everyone who runs into the same old problem. I guess we are in need of a comprehensive TCP debugging course.

The simple answer is, follow the packet trail and look into the firewall logs.

> I used tcpdump -i tun0 at the server and when I like to get a connection
> from my openvpn client to the tightvnc server (the client 192.168.10.25
> behind the openvpn server) the output is as follows:

Looks like some packets made it through the tunnel at least

19:17:47.724969 IP 10.8.0.6.citriximaclient > 192.168.10.25.5900: S 543787865:543787865(0) win 16384 <mss 1118,nop,nop,sackOK>
>
> Please help me understand, I am not an expert to iptables but I got the
> basics.

Time, source address and port, destination address and port, some IP stuff, tcp window size, mss size, and tcp flags

The questions here are: did this packet make it to 192.168.10.25 or not, was it replied to and did 192.168.10.25 have a reasonable route to 10.8.0.6. Your tcpdump entry does not give us an answer as it only looks at the tun interface.

To answer the first question, first find which interface leads to 192.168.10.25; 'ip route get 192.168.10.25' should reveal it. Then do a tcpdump on that interface and have a look for the packet. If you cannot see it you need to review your firewall rules.

If you have difficulties to decipher the tcpdump output, then save it with tcpdump ..... -w filename and open it with a tool like wireshark, which will break up the packet for you.

cheers

Erich

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
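
The packet-trail check described in the reply above, as an added example that is not part of the original thread: it reads tcpdump text taken on the tunnel side and on the LAN side and names the hop where the TCP handshake stops. The interface name eth0, the sample route line and the verdict labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Input is tcpdump's classic
# one-line text layout, as quoted in the post: "IP src.port > dst.port: S ..."

# Print the outgoing interface named in `ip route get ADDR` output (stdin).
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# count_pkts SRC DST KIND: count SYN (KIND=syn) or SYN-ACK (KIND=synack)
# packets from host SRC to host DST in tcpdump text read from stdin.
count_pkts() {
    awk -v src="$1" -v dst="$2" -v kind="$3" '
        $2 == "IP" && index($3, src ".") == 1 && index($5, dst ".") == 1 && $6 == "S" {
            isack = ($0 ~ / ack [0-9]+/) ? 1 : 0
            if ((kind == "synack") == isack) n++
        }
        END { print n + 0 }'
}

# diagnose CLIENT TARGET TUN_TEXT LAN_TEXT: name the hop where the handshake stops.
diagnose() {
    tun_syn=$(printf '%s\n' "$3" | count_pkts "$1" "$2" syn)
    lan_syn=$(printf '%s\n' "$4" | count_pkts "$1" "$2" syn)
    lan_ack=$(printf '%s\n' "$4" | count_pkts "$2" "$1" synack)
    tun_ack=$(printf '%s\n' "$3" | count_pkts "$2" "$1" synack)
    if   [ "$tun_syn" -eq 0 ]; then echo "no-syn-on-tunnel"
    elif [ "$lan_syn" -eq 0 ]; then echo "syn-dropped-before-lan"       # review firewall forwarding rules
    elif [ "$lan_ack" -eq 0 ]; then echo "no-reply-from-target"         # listener or return route
    elif [ "$tun_ack" -eq 0 ]; then echo "reply-dropped-before-tunnel"  # firewall, return direction
    else echo "handshake-forwarded"
    fi
}

# Constructed sample data. The SYN line is the one from the post; the route
# line and the interface name eth0 are assumptions for illustration.
ROUTE='192.168.10.25 dev eth0 src 192.168.10.1'
TUN='19:17:47.724969 IP 10.8.0.6.citriximaclient > 192.168.10.25.5900: S 543787865:543787865(0) win 16384 <mss 1118,nop,nop,sackOK>'
LAN=''   # nothing seen on the LAN side while the firewall is up

echo "LAN interface: $(printf '%s\n' "$ROUTE" | egress_dev)"
echo "verdict: $(diagnose 10.8.0.6 192.168.10.25 "$TUN" "$LAN")"
```

On a live server the two text inputs would come from tcpdump -n on tun0 and on the interface reported by ip route get, both filtered to port 5900.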