Re: [Openvpn-users] Problem with multiple push "route..."

  • Subject: Re: [Openvpn-users] Problem with multiple push "route..."
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Thu, 14 Sep 2006 20:24:41 +0200

Thomas Heidemann wrote:
> Hi!
> After the connection is initialised I can see outgoing packets on the ethernet interface from the client and from the server but no responses (not from the client and not from the server). So each party wants to reach the other - with no success.
> In /proc/sys/net/ipv4/conf/tun0/rp_filter (of the server) I do have the value 0 (before connection and during the connection).
> I think that I do not have to iroute the network. This will be NATed and it's not a network behind my client. 

So you omitted the NAT box in your diagram?

Is your diagram about this right?

OpenVPN Server
----- remote subnet

> It's the network where the client is in! So the source address (from the
> view of the server) is the NAT box which protects my private network at
> But what I get are these messages:
> MULTI: bad source address from client [], packet dropped

This packet does not appear to be NATed then, why?

> Which makes sense (somehow) because the initial connection came from my nat box (from the view of the server).

You should _never_ see a packet with a 192.168.1.x address arrive at the
OpenVPN server if they are NATed.

It might make a lot of sense if you revealed your real network topology
and some dumps. Hide and seek is no fun in this environment.

> Do I have to set the iroute statement to I think I have not to because the client (roadwarrior) can be in every subnet or network which NAT boxes. The very strange thing about that is that when I use a http proxy within the connection, everything is working like a charm. No problem with connection loss, no problem with multiple route statements!?

You don't.
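The check behind the "MULTI: bad source address from client [...], packet dropped" line, modelled as an added example (this is my own illustration of OpenVPN's documented behaviour, not OpenVPN's code and not from either poster). The server accepts a packet coming out of a client's tunnel only if its source is that client's assigned tunnel address or lies in a subnet the client's ccd file declares with iroute. The tunnel address 10.8.0.6, the ccd texts and the two packets are constructed for the illustration; the first ccd file is the situation in the thread (no iroute), the second is what would be needed if the client's LAN really were routed, rather than NATed, into the tunnel.

```python
"""Model of the OpenVPN MULTI source-address check (added example,
not OpenVPN code). Addresses, ccd contents and packets are constructed."""
import ipaddress

# Constructed: the tunnel address the server assigned to this client.
CLIENT_TUNNEL_IP = ipaddress.ip_address("10.8.0.6")

# Constructed ccd files. Without iroute, only the tunnel address may appear
# as source; with iroute, the client's LAN is accepted as well.
CCD_WITHOUT_IROUTE = "ifconfig-push 10.8.0.6 10.8.0.5\n"
CCD_WITH_IROUTE = (
    "ifconfig-push 10.8.0.6 10.8.0.5\n"
    "iroute 192.168.1.0 255.255.255.0\n"
)

# Constructed packets as the server would see them arriving on tun0:
# (source, destination). The first is what a NAT box on the client side
# produces; the second is a LAN host behind the client with no NAT.
PACKETS = [
    ("10.8.0.6", "192.168.2.10"),
    ("192.168.1.23", "192.168.2.10"),
]


def parse_iroutes(ccd_text):
    """Return the subnets a ccd file hands to a client via 'iroute'.
    'iroute network [netmask]'; a missing netmask means a single host."""
    nets = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "iroute":
            continue
        netmask = parts[2] if len(parts) > 2 else "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False))
    return nets


def source_allowed(src, tunnel_ip, iroutes):
    """The test MULTI applies to the source of an inbound tunnel packet."""
    src = ipaddress.ip_address(src)
    return src == tunnel_ip or any(src in net for net in iroutes)


def filter_packets(packets, ccd_text, tunnel_ip=CLIENT_TUNNEL_IP):
    """Map each packet's source to 'forwarded' or the log line it triggers."""
    iroutes = parse_iroutes(ccd_text)
    verdicts = {}
    for src, _dst in packets:
        if source_allowed(src, tunnel_ip, iroutes):
            verdicts[src] = "forwarded"
        else:
            verdicts[src] = (
                f"MULTI: bad source address from client [{src}], packet dropped"
            )
    return verdicts


if __name__ == "__main__":
    for label, ccd in (("no iroute", CCD_WITHOUT_IROUTE), ("iroute", CCD_WITH_IROUTE)):
        print(f"--- ccd: {label}")
        for src, verdict in filter_packets(PACKETS, ccd).items():
            print(f"{src:>14}: {verdict}")
```

Which of the two situations you are in is settled by looking at the packets rather than the diagram: `tcpdump -ni tun0` on the server shows the source address of everything leaving the tunnel. If 192.168.1.x addresses show up there, the client's LAN traffic is not being NATed to the tunnel address, and either the NAT rule on the client side or an iroute for that subnet in the client's ccd file (plus a matching route in the server config) is missing.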


