
[Openvpn-users] Re: Re: Re: Routing forever


  • Subject: [Openvpn-users] Re: Re: Re: Routing forever
  • From: Jochen Witte <jwitte@xxxxxxxxxxxxx>
  • Date: Thu, 20 Jan 2005 17:05:08 +0100

On Thu, 20 Jan 2005 16:18:34 +0100, Jochen Witte wrote:

> On Thu, 20 Jan 2005 15:17:22 +0100, Mathias Sundman wrote:
> 
>> On Thu, 20 Jan 2005, Jochen Witte wrote:
>> 
>>>>>>> I have a rather simple setup:
>>>>>>> - 2 static, public ip servers (<pip1>, <pip2>)
>>>>>>> - 2 private subnets (10.128.0.0/24, 192.168.0.0/24)
>>>>>>> - OpenVPN network: 10.129.0.1<->10.129.0.2
>>>>>>>
>>>>>>> Here is the picture:
>>>>>>>
>>>>>>> Subnet A                 GW1            GW2           SubnetB
>>>>>>> 10.128.0.0/24<--->10.128.0.1        192.168.0.254<--->192.168.0.0/24
>>>>>>>                       |                 |
>>>>>>>                  10.129.0.1        10.129.0.2
>>>>>>>                   (<pip1>)<-------->(<pip2>)
>>>>>>>                              VPN
>>>>>>>
>>>>>>> Obviously this is a routing problem (no firewalling, since all packets are
>>>>>>> logged for debugging).
>>>>>>>
>>>>>>> GW1 routes:
>>>>>>> 10.129.0.2  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>>>>>>> <pipnet1>   0.0.0.0         255.255.255.248 U     0      0        0 eth1
>>>>>>> 10.128.0.0  0.0.0.0         255.255.255.0   U     0      0        0 eth0
>>>>>>> 192.168.0.0 10.129.0.2      255.255.255.0   UG    0      0        0 tun0
>>>>>>> 169.254.0.0 0.0.0.0         255.255.0.0     U     0      0        0 eth1
>>>>>>> 0.0.0.0     <default-gw>    0.0.0.0         UG    0      0        0 eth1
>>>>>>>
>>>>>>> GW2 routes:
>>>>>>> <default-gw>    0.0.0.0    255.255.255.255 UH    0      0        0 ppp0
>>>>>>> 10.129.0.1      0.0.0.0    255.255.255.255 UH    0      0        0 tun0
>>>>>>> 10.128.0.0      10.129.0.1 255.255.255.0   UG    0      0        0 tun0
>>>>>>> 192.168.0.0     0.0.0.0    255.255.0.0     U     0      0        0 eth0
>>>>>>> 0.0.0.0         <default-gw>  0.0.0.0      UG    0      0        0 ppp0
>>>>>
>>>>> The packets get stuck immediately in the gateway. (GW1 for packets from
>>>>> 10.128.0.0 and GW2 for 192.168.0.0).
>>>>
>>>> Can you see it both on the ethX device and on tun0?
>>>>
>>> No, I just see it on my internal ethx and then it is gone. I can't even
>>> see it on the external device (e.g. ppp0)
>> 
>> Then I'd bet on a firewall problem after all. If routing is enabled, but 
>> you still can't see the packet traverse from ethX to tun0, then it's most 
>> likely blocked by netfilter.
>> 
>> If you would have seen it on some other interface, like ppp0, then it 
>> would have been a routing problem.
> 
> Hm, I do not agree. I log all traffic to example host 10.128.0.10 with:
> 
>         # Log-Chain
>         ###########
>         $IPTABLES -N my_log
>         $IPTABLES -A my_log -p ICMP -j LOG --log-level info --log-prefix "LOG-ICMP "
>         $IPTABLES -A my_log -p UDP -j LOG --log-level info --log-prefix "LOG-UDP "
>         $IPTABLES -A my_log -p TCP -j LOG --log-level info --log-prefix "LOG-TCP "
> 
> $IPTABLES -A FORWARD -d 10.128.0.10 -j my_log
> $IPTABLES -A INPUT -d 10.128.0.10 -j my_log
> $IPTABLES -A OUTPUT -d 10.128.0.10 -j my_log
> 
> 
> This is one of the first things I do in my script.
> I can see packages, when sending from the GW:
> 
> Jan 20 15:55:48 <host> kernel: LOG-ICMP IN= OUT=tun0 SRC=10.129.0.2
> DST=10.128.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=51242 SEQ=0 
> 
> 
> But nothing happens, when sending from the inside host.
> 
> 
And: after disabling the firewall completely, the same behaviour occurred:

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain my_drop (0 references)
target     prot opt source               destination         

Chain my_log (0 references)
target     prot opt source               destination

$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  anywhere             anywhere           to:<external-ip>

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


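As an added illustration (not code from the thread), a small Python script that reads kernel LOG lines in the format quoted above and answers, for one source/destination pair, the question Mathias asked: was the packet seen entering on ethX and leaving on tun0? Because the same --log-prefix is used in INPUT, OUTPUT and FORWARD, the chain is inferred from which of IN=/OUT= are set. The sample lines and the host name gw2 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG format quoted in the thread. Line 1
# mirrors the gateway-originated ping shown there; lines 2-3 are made up: a
# packet forwarded eth0 -> tun0 and its echo reply delivered to the gateway.
SAMPLE_LOG = """\
Jan 20 15:55:48 gw2 kernel: LOG-ICMP IN= OUT=tun0 SRC=10.129.0.2 DST=10.128.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51242 SEQ=0
Jan 20 15:56:10 gw2 kernel: LOG-ICMP IN=eth0 OUT=tun0 SRC=192.168.0.20 DST=10.128.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=0
Jan 20 15:56:11 gw2 kernel: LOG-ICMP IN=tun0 OUT= SRC=10.128.0.10 DST=10.129.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=ICMP TYPE=0 CODE=0 ID=51242 SEQ=0
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO)=(\S*)")

def parse_log_line(line):
    """Return the LOG fields of interest, or None for lines that are not LOG output."""
    if " kernel: LOG-" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # Same prefix in all three chains, so the hook is implied by IN=/OUT= being set.
    if fields.get("IN") and fields.get("OUT"):
        fields["CHAIN"] = "FORWARD"
    elif fields.get("OUT"):
        fields["CHAIN"] = "OUTPUT"   # generated by the gateway itself
    else:
        fields["CHAIN"] = "INPUT"    # delivered to the gateway itself
    return fields

def path_summary(log_text):
    """Map (SRC, DST) -> set of (CHAIN, IN, OUT) hops recorded by the LOG target."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            seen[(f["SRC"], f["DST"])].add((f["CHAIN"], f["IN"], f["OUT"]))
    return seen

def check_forward(log_text, src, dst, expect_in, expect_out):
    """Was src -> dst logged in FORWARD entering expect_in and leaving expect_out?"""
    hops = path_summary(log_text).get((src, dst), set())
    if ("FORWARD", expect_in, expect_out) in hops:
        return "forwarded %s -> %s" % (expect_in, expect_out)
    fwd = sorted("%s -> %s" % (i, o) for c, i, o in hops if c == "FORWARD")
    if fwd:
        return "forwarded, but via " + ", ".join(fwd)
    if hops:
        return "only seen locally: " + ", ".join(sorted(c for c, _, _ in hops))
    # Not logged in any chain: lost before the FORWARD hook (routing stage or
    # PREROUTING), so not by a rule in INPUT/OUTPUT/FORWARD.
    return "never logged in INPUT/OUTPUT/FORWARD"
```

Run it against the real log with a source on the inside subnet: "never logged" for a packet that tcpdump shows arriving on ethX means it was lost between the ingress interface and the FORWARD chain, which is the case this thread describes.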



____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users