Re: [Openvpn-users] Re: Re: Re: Routing forever

  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Thu, 20 Jan 2005 17:02:38 +0100 (CET)

On Thu, 20 Jan 2005, Jochen Witte wrote:

On Thu, 20 Jan 2005 15:17:22 +0100, Mathias Sundman wrote:

On Thu, 20 Jan 2005, Jochen Witte wrote:

I have a rather simple setup:
- 2 static, public ip servers (<pip1>, <pip2>)
- 2 private subnets (,
- OpenVPN network:<->

Here is the picture:

Subnet A                 GW1            GW2           SubnetB<---><--->
                      |                 |

Obviously this is a routing problem (no firewalling, since all packets are
logged for debugging).

GW1 routes:
                      UH    0      0        0 tun0
<pipnet1>             U     0      0        0 eth1
                      U     0      0        0 eth0
                      UG    0      0        0 tun0
                      U     0      0        0 eth1
<default-gw>          UG    0      0        0 eth1

GW2 routes:
<default-gw>          UH    0      0        0 ppp0
                      UH    0      0        0 tun0
                      UG    0      0        0 tun0
                      U     0      0        0 eth0
<default-gw>          UG    0      0        0 ppp0

The packets get stuck immediately in the gateway. (GW1 for packets from and GW2 for

Can you see it both on the ethX device and on tun0?

No, I just see it on my internal ethx and then it is gone. I even can't
see it on the external device (e.g. ppp0)

Then I'd bet on a firewall problem after all. If routing is enabled, but you still can't see the packet traverse from ethX to tun0, then it's most likely blocked by netfilter.

If you would have seen it on some other interface, like ppp0, then it
would have been a routing problem.

Hm, I do not agree. I log all traffic to the example host with:

       # Log-Chain
       $IPTABLES -N my_log
       $IPTABLES -A my_log -p ICMP -j LOG --log-level info --log-prefix "LOG-ICMP "
       $IPTABLES -A my_log -p UDP -j LOG --log-level info --log-prefix "LOG-UDP "
       $IPTABLES -A my_log -p TCP -j LOG --log-level info --log-prefix "LOG-TCP "

       $IPTABLES -A FORWARD -d -j my_log
       $IPTABLES -A INPUT -d -j my_log
       $IPTABLES -A OUTPUT -d -j my_log

This is one of the first things I do in my script. I can see packets when sending from the GW:

Jan 20 15:55:48 <host> kernel: LOG-ICMP IN= OUT=tun0 SRC=
CODE=0 ID=51242 SEQ=0

But nothing happens when sending from the inside host.

Hm, so the packet arrives on eth0, it's not routed to any other interface, and not seen by netfilter via your log rules.

Still smells like a simple typo in the firewall ruleset to me.

Some things to check:

Is rp_filter enabled? Could it be causing any problems? I really don't know, as I've never used it. I rely on my iptables rules instead.

Do you have any PREROUTING DNAT rules that could be natting your packets incorrectly so you don't see them with your dest based log rules?

You ain't doing any other fancy policy routing via iproute2 that isn't seen in your normal routing table?

To make absolutely sure it's not a firewall issue, would it be possible to try running without any rules, or with default policy ALLOW and just one
blocking rule denying traffic from the internet interface?

One thing I'm a little uncertain about is whether the packets can be seen on tun0 regardless of whether any userspace application is processing the packets or not. My previous assumptions are based on the idea that you can always see the packets on tun0 if the kernel is routing properly, even if OpenVPN is not running at all. If this is not the case, then we should perhaps move on and have a look at your openvpn configs.
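The debugging approach in this thread boils down to reading the netfilter LOG lines and asking, per flow, which chain saw the packet and whether it ever left via tun0. As an added example, not code from either poster, here is a small parser for that log format that groups hits by flow and infers the chain from the IN/OUT fields; the sample lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the netfilter LOG target writes
# (addresses and hostnames are made up, not taken from the thread).
SAMPLE_LOG = """\
Jan 20 15:55:48 gw1 kernel: LOG-ICMP IN= OUT=tun0 SRC=10.8.0.1 DST=192.168.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51242 SEQ=0
Jan 20 15:56:02 gw1 kernel: LOG-ICMP IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=192.168.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=51243 SEQ=0
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Split one LOG line into its KEY=VALUE fields. Empty values such as
    'IN=' are kept as ''; a repeated key (the second 'ID=' of an ICMP echo
    is the echo identifier, not the IP ID) is stored under KEY2."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": m.group("prefix")}
    for key, val in KV_RE.findall(m.group("fields")):
        fields[key + "2" if key in fields else key] = val
    return fields

def chain_of(fields):
    """Infer the chain from the interfaces: INPUT sets only IN, OUTPUT sets
    only OUT, FORWARD sets both."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT" if has_out else "UNKNOWN"

def trace_flows(log_text):
    """Group lines by (SRC, DST, PROTO) and record (chain, in, out) per hit,
    so a flow routed to the wrong interface, or never logged at all,
    stands out next to one that left via tun0."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        flows[(f.get("SRC"), f.get("DST"), f.get("PROTO"))].append(
            (chain_of(f), f.get("IN") or "-", f.get("OUT") or "-"))
    return dict(flows)

def reached_tunnel(flows, src, dst, proto="ICMP", tun="tun0"):
    """True if some logged hop of this flow left through the tunnel device."""
    return any(out == tun for _, _, out in flows.get((src, dst, proto), []))

if __name__ == "__main__":
    for key, hops in trace_flows(SAMPLE_LOG).items():
        print(key, hops)
```

A flow that is absent from the output entirely, as with the inside host in the thread, was dropped before any logged chain saw it, which is what distinguishes a netfilter or rp_filter drop from a plain misroute.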

