
Re: [Openvpn-users] openvpn on linux, netfilter traversal

  • Subject: Re: [Openvpn-users] openvpn on linux, netfilter traversal
  • From: Sebastian Pein <pein@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 29 Dec 2004 13:24:51 +0100


That was my idea, too. But packets to and from the tun/tap device are virtual
packets only, aren't they? When I listen on the cable with tcpdump I expect to
see (hear, hehe) packets from the OpenVPN server's port going back to the
OpenVPN client's port. And these packets should match.

Something else: I straced the OpenVPN server. Running it on the device with the
normal default route shows client packets coming in. Running it on the second
ISP's device shows nothing like that. But at the same moment tcpdump shows
incoming packets. Maybe I was wrong in thinking incoming packets are not the
problem. How could there be a gap between incoming packets and the OpenVPN
server not seeing them?

How can I track packets even more precisely than with libpcap tools?


Quoting Leonard Isham <leonard.isham@xxxxxxxxx>:

> On Wed, 29 Dec 2004 13:00:09 +0100, Sebastian Pein
> <pein@xxxxxxxxxxxxxxxxxxxx> wrote:
> > Hi list.
> >
> > Some days ago I posted this already, but the issue still rides my brain.
> >
> > There is a Linux box running as a firewall. It is connected to two ISPs
> > and to one LAN. ppp0 is the default gateway, eth0 is connected to the LAN
> > and eth1 is connected to the second ISP's router. On the box there is
> > Openswan running fine; I want to add OpenVPN.
> >
> > I'm about to fiddle out a working setup with policy-based routing. Since
> > ppp0 is the default gateway and connected to an asymmetric line, I want
> > the VPN traffic to travel over the second ISP on eth1. Openswan implements
> > its own routing scheme and I can tell it to use a specific device (eth1)
> > and a specific gateway (IP of the 2nd ISP's router). This works pretty
> > well.
> >
> > So far I did not find something similar in OpenVPN, so the kernel (2.6.9)
> > should be my friend with iproute2 and iptables.
> >
> > This is my plan: packets for OpenVPN will come in on eth1. OpenVPN listens
> > on this device only, so incoming packets should not be a problem. Outgoing
> > packets generated by OpenVPN should go out on eth1 and NOT the default
> > gateway ppp0. This can be done with iproute2. I want to mark packets
> > generated locally on a given port (5000 UDP, the old one) with an iptables
> > mark. A kernel rule would then send packets with this mark to the right
> > device with the right gateway. Testing this setup with netcat works
> > perfectly, but it does not with OpenVPN. Searching with iptraf and tcpdump,
> > it seems like the OpenVPN packets vanish. But where do they go? Is there
> > any form of documentation on how OpenVPN packets travel across netfilter
> > and devices? For sure the setup with OpenVPN is not working correctly
> > because I did not set it up correctly.
> >
> > I'm not sure if this question is more a kernel/iptables/other mailing
> > list specific issue, but maybe someone can help.
> >
> > Regards
> >
> > Sebastian
> >
> I suspect that the problem is the packets are from the TUN/TAP
> interface and that is not allowed with your iptables rules.
> --
> Leonard Isham, CISSP
> Ostendo non ostento.
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users


  sebastian pein
  infinity networks gmbh

  web: www.infinity-networks.de
  fon: +49-6104-68363-0
  fax: +49-6104-68363-199
  mob: +49-163-68363-01
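The setup Sebastian describes in his original post (mark OpenVPN's locally generated UDP packets in the mangle OUTPUT chain, send marked packets out eth1 via a dedicated routing table), together with iptables LOG rules that answer his follow-up question of how to see more precisely than with tcpdump where a packet goes missing between the wire and the OpenVPN socket, as an added example that is not part of this thread and not OpenVPN's or Openswan's own code. The addresses, the table number and the mark value are assumptions for illustration; 198.51.100.1 and 198.51.100.2 stand in for the 2nd ISP's router and the eth1 address. Two points the example relies on: the kernel routes a locally generated packet before the mangle OUTPUT chain runs and re-routes it only if the chain changed the mark, so the MARK rule must match the port OpenVPN actually sends from (`--port 5000`); and if OpenVPN is bound to the eth1 address with `--local`, the `from` rule routes its replies through the second ISP even without the mark.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: policy-based routing for
# OpenVPN's own UDP traffic on a multihomed Linux firewall, plus LOG rules to
# see where a packet disappears between the wire and the OpenVPN socket.
# Run as root with the argument "apply" to execute the commands; without an
# argument it only prints them so they can be reviewed first.
#
# Assumed values (placeholders, not from the thread):
VPN_PORT=5000              # UDP port OpenVPN listens on (--port 5000)
VPN_DEV=eth1               # interface towards the second ISP
VPN_LOCAL=198.51.100.2     # eth1 address; OpenVPN binds it with --local
VPN_GW=198.51.100.1        # second ISP's router
VPN_TABLE=100              # dedicated routing table for marked traffic
VPN_MARK=0x1               # fwmark meaning "must leave via $VPN_DEV"

# Routing policy: a table whose only route is the second ISP's gateway,
# reached either by fwmark (set below in mangle OUTPUT) or by source
# address (covers OpenVPN replies when it is bound to $VPN_LOCAL).
pbr_rules() {
    cat <<EOF
ip route add default via $VPN_GW dev $VPN_DEV table $VPN_TABLE
ip rule add fwmark $VPN_MARK lookup $VPN_TABLE
ip rule add from $VPN_LOCAL lookup $VPN_TABLE
iptables -t mangle -A OUTPUT -p udp --sport $VPN_PORT -j MARK --set-mark $VPN_MARK
ip route flush cache
EOF
}

# Tracing: each LOG line lands in the kernel log (dmesg/syslog) with its
# prefix, so the last prefix seen tells where the packet got lost.
#  - "vpn-pre" but no "vpn-in": dropped at the routing decision after
#    PREROUTING; on an asymmetrically routed interface the usual cause is
#    the rp_filter reverse-path check (/proc/sys/net/ipv4/conf/$VPN_DEV/rp_filter).
#  - "vpn-out" but no "vpn-out-$VPN_DEV": the packet left the socket but the
#    re-route after marking did not pick $VPN_DEV (check the MARK rule's
#    source port against what OpenVPN really uses).
trace_rules() {
    cat <<EOF
iptables -t mangle -I PREROUTING -i $VPN_DEV -p udp --dport $VPN_PORT -j LOG --log-prefix "vpn-pre: "
iptables -I INPUT -i $VPN_DEV -p udp --dport $VPN_PORT -j LOG --log-prefix "vpn-in: "
iptables -t mangle -I OUTPUT -p udp --sport $VPN_PORT -j LOG --log-prefix "vpn-out: "
iptables -I OUTPUT -o $VPN_DEV -p udp --sport $VPN_PORT -j LOG --log-prefix "vpn-out-$VPN_DEV: "
EOF
}

case "${1-}" in
    apply) { pbr_rules; trace_rules; } | sh -e ;;   # execute (as root)
    *)     pbr_rules; trace_rules ;;                # default: print only
esac
```

The LOG rules are inserted at the head of their chains (`-I`) so they fire before any existing DROP or MARK rule; once the path is understood they should be removed again, since logging every VPN datagram is itself a good way to fill a syslog partition.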
