At 22:41 9.1.2005, James Yonan wrote:
> To explicitly allow packets from 10.YYY.YYY.YYY, you need to use --iroute/--client-config-dir.
The clients are behind NATs (different ones), so where is that private address coming from? I mean, the NAT is working, the client is able to do anything in the net and OpenVPN correctly sees the client's public IP address 193.166.XXX.XXX, but still it gets that private address somewhere. That shouldn't be visible anywhere as the client host is far away in the internet.
Ok, is this some SMB feature? I haven't seen those messages without an active network mount. Samba must be carrying the real IP address somewhere inside the data. So, maybe the Samba server for some reason tries to send some packets to that private 10.YYY.YYY.YYY address.
If this is true, it raises another question: Why do those packets go to the OpenVPN server and not to the internet (from the Samba server)?
The OpenVPN server is in the same subnet as the Samba server in question, having public IP addresses. If the Samba server wants to send something to 10.YYY.YYY.YYY, the routing table directs those packets to the border router according to the default route as that network does not exist in our inside network. Still the OpenVPN server sees those packets.
I tried tcpdumping the traffic for those 10.YYY.YYY.YYY packets on eth0 and tap0 but did not see anything, even though OpenVPN logged those messages at the same time.
One tested client host is behind a self-made Linux netfilter NAT, and one host is behind a Buffalo Airstation NAT.
Thanks for your comments!
Markku Leiniö, Turku, Finland