Re: [Openvpn-users] openvpn on linux, netfilter traversal

  • From: Sebastian Pein <pein@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 29 Dec 2004 16:16:49 +0100

First of all: thanks for your help!

> The encrypted packets come in on/from eth1, port 5000. They are
> decrypted by the openvpn process and then come in again, unencrypted,
> from tapX/tunX and are processed either locally or routed/forwarded to
> another interface.

Really good information. That would mean OpenVPN should not work either if run
in the usual setup with one default gw. But it does.

> Did you try to increase the verbosity level of the server process to see
> if the encrypted packets really get there?

I ran the server with verb 11. The log shows the loop in which the process
runs. The output of the loop changes slightly, so I think something comes in.
The change that occurs is that the process prints out "No outgoing address to send
packet". Does that mean "cannot determine local interface" or "cannot determine
remote address"? tcpdump shows the source and destination addresses of the packets
correctly, so OpenVPN should get them right as well. Can they be mangled by
iptables in a way that OpenVPN won't find the data it needs? The only mangling present is
"iptables -A OUTPUT -t mangle -p UDP --dport 1194 -j MARK --set-mark 1". The client
port is 1194, the server port is 5000. I chose that to be able to distinguish
between server and client packets.
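As an added illustration (not part of the original thread, and not code from the poster or the OpenVPN project), the script below shows the usual way to make an OpenVPN server on a host with two default gateways reply out of the interface the encrypted packets arrived on: a netfilter MARK rule in the mangle OUTPUT chain, an `ip rule` that sends marked packets to a separate routing table, and a default route in that table via the second interface. It differs from the rule in the post in one respect: it matches on the server's own source port (`--sport 5000`) rather than on the client's destination port, so it marks every packet the server socket sends regardless of which port a client uses. Interface, gateway and table names are assumptions; the addresses are from the documentation ranges. With `DRY_RUN=1` (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN itself.
# Policy routing for an OpenVPN server on a host with two default gateways.
# Assumed values: VPN_IF, VPN_GW, TABLE; VPN_PORT and MARK follow the post.
# DRY_RUN=1 prints the commands instead of applying them (root needed otherwise).
set -e

VPN_IF="${VPN_IF:-eth1}"        # interface the encrypted UDP arrives on (assumed)
VPN_GW="${VPN_GW:-192.0.2.1}"   # next hop on that interface (assumed, TEST-NET-1)
VPN_PORT="${VPN_PORT:-5000}"    # server-side UDP port, as in the post
MARK="${MARK:-1}"               # fwmark value, as in the post's rule
TABLE="${TABLE:-100}"           # routing table number (assumed)
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark locally generated UDP packets leaving from the OpenVPN server socket.
# Matching the server's source port marks replies to every client, whatever
# port the client binds; the post's rule matches the client port instead.
mark_rules() {
    run iptables -t mangle -A OUTPUT -p udp --sport "$VPN_PORT" -j MARK --set-mark "$MARK"
}

# Marked packets consult a table whose only default route is via $VPN_IF,
# so the reply leaves on the interface the request came in on.
policy_routes() {
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

# Strict reverse-path filtering drops packets arriving on $VPN_IF whose source
# the main table would route via the other gateway; relax it on that interface
# (value 2 = loose mode on kernels that support it, 0 = off).
rp_filter() {
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=0"
}

# Show the rule and table, and ask the kernel which route a marked packet to a
# (constructed) client address would take, to compare with the main table.
verify() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get 198.51.100.7 mark "$MARK"
}

# Emit or apply the whole plan in order.
plan() {
    mark_rules
    policy_routes
    rp_filter
    verify
}

plan
```

Run as root with `DRY_RUN=0` to apply; the `ip route get ... mark` line at the end is the quickest check that a marked reply really picks the second gateway.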

