Re: [Openvpn-users] reverts to port 1024 and then doesn't process replies


  • Subject: Re: [Openvpn-users] reverts to port 1024 and then doesn't process replies
  • From: "Brian J. Murrell" <brian@xxxxxxxxxxxxxxx>
  • Date: Tue, 28 Aug 2007 11:38:19 -0400

Ah ha!  I think I've found the problem here.  It seems that openvpn
decides to use the wrong source address at some point.  When things are
working notice:

root@wireless:/etc/openvpn# grep 1195 /proc/net/ip_conntrack
udp      17 179 src=72.38.139.100 dst=205.189.48.131 sport=1195 dport=1195 src=205.189.48.131 dst=72.38.139.100 sport=1195 dport=1195 [ASSURED] use=1 mark=64 bytes=177840

However when things are not working, see what ip_conntrack shows as its
internal state for the openvpn port (1195):

root@wireless:/etc/openvpn# grep 1195 /proc/net/ip_conntrack 
udp      17 179 src=66.11.173.224 dst=205.189.48.131 sport=1195 dport=1195 src=205.189.48.131 dst=72.38.139.100 sport=1195 dport=1024 [ASSURED] use=1 mark=64 bytes=381216 

That src= address is the other Internet address of the openvpn gateway.
For some reason openvpn has decided to change the source address of its
outgoing packets.

If I SIGHUP the openvpn process I get a couple more packets out and
it reverts back to using 66.11.173.224 as you can see:

root@wireless:/etc/openvpn# grep 1195 /proc/net/ip_conntrack 
udp      17 179 src=66.11.173.224 dst=205.189.48.131 sport=1195 dport=1195 src=205.189.48.131 dst=72.38.139.100 sport=1195 dport=1024 [ASSURED] use=1 mark=64 bytes=513456 
udp      17 124 src=72.38.139.100 dst=205.189.48.131 sport=1195 dport=1195 src=205.189.48.131 dst=72.38.139.100 sport=1195 dport=1195 [ASSURED] use=1 mark=64 bytes=608 

Notice the new src=72.38.139.100 entry and the timer on it is a few
seconds old while the existing src=66.11.173.224 entry has a fresh 179
seconds on it which is evidence that openvpn is being treated with that
conntrack entry.

Any ideas why?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

Attachment: signature.asc
Description: This is a digitally signed message part
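The listings in the message above are in the classic /proc/net/ip_conntrack format: after the protocol name, protocol number and remaining timeout, the first src/dst/sport/dport group is the original-direction tuple (the packet as it leaves the local stack, before any NAT), and the second group is the reply tuple the kernel expects back. When the reply tuple's dst:dport is not simply the mirror of the original src:sport, a NAT rule rewrote the source address and/or port on the way out, which is exactly the difference between the working entry (sport=1195 answered on dport=1195) and the broken one (answered on dport=1024 at a different address). The following parser makes that mismatch explicit and groups concurrent entries by peer, so that two flows to the same peer with different local sources stand out. This is an added example written for this thread, not OpenVPN or netfilter code; the sample lines are constructed from the post's third listing, and the helper names (parse_conntrack, report, source_natted) are this example's own.

```python
"""Parse /proc/net/ip_conntrack lines and flag entries whose reply tuple no
longer mirrors the original source tuple (i.e. the outgoing packet was
source-NATed). Added example for this thread; not OpenVPN or netfilter code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: the two entries from the post's third listing.
SAMPLE_CONNTRACK = """\
udp      17 179 src=66.11.173.224 dst=205.189.48.131 sport=1195 dport=1195 src=205.189.48.131 dst=72.38.139.100 sport=1195 dport=1024 [ASSURED] use=1 mark=64 bytes=513456
udp      17 124 src=72.38.139.100 dst=205.189.48.131 sport=1195 dport=1195 src=205.189.48.131 dst=72.38.139.100 sport=1195 dport=1195 [ASSURED] use=1 mark=64 bytes=608
"""

KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


@dataclass
class Entry:
    proto: str
    timeout: int          # seconds until the entry expires (third column)
    orig: dict            # tuple as the packet leaves the local stack (pre-NAT)
    reply: dict           # tuple the kernel expects on the return path (post-NAT)
    flags: list = field(default_factory=list)   # e.g. "[ASSURED]"
    extra: dict = field(default_factory=dict)   # use=, mark=, bytes=, ...

    def source_natted(self) -> bool:
        """True when the reply tuple does not mirror the original tuple: the
        reply's dst:dport is where the peer sends its answers, so if that is not
        the original src:sport, a NAT rule rewrote the source on the way out."""
        return (self.reply["dst"] != self.orig["src"]
                or self.reply["dport"] != self.orig["sport"])

    def peer(self) -> str:
        """Remote endpoint of the flow, as seen from the original direction."""
        return f'{self.orig["dst"]}:{self.orig["dport"]}'


def parse_line(line: str) -> Entry:
    """Split one ip_conntrack line into original tuple, reply tuple and extras."""
    proto, _protonum, timeout = line.split()[:3]
    seen = defaultdict(list)          # key -> values in order of appearance
    for key, val in KV.findall(line):
        seen[key].append(val)
    orig = {k: seen[k][0] for k in TUPLE_KEYS}    # first occurrence = original
    reply = {k: seen[k][1] for k in TUPLE_KEYS}   # second occurrence = reply
    extra = {k: v[0] for k, v in seen.items() if k not in TUPLE_KEYS}
    flags = re.findall(r"\[[A-Z_]+\]", line)
    return Entry(proto, int(timeout), orig, reply, flags, extra)


def parse_conntrack(text: str, port: str = "1195") -> list:
    """Parse every entry mentioning the given port (mirrors `grep 1195`)."""
    return [parse_line(l) for l in text.splitlines()
            if l.strip() and f"port={port}" in l]


def report(entries: list) -> dict:
    """Group entries by peer endpoint so that several concurrent flows to the
    same peer, each with a different local source, are easy to spot."""
    by_peer = defaultdict(list)
    for e in entries:
        by_peer[e.peer()].append(e)
    return dict(by_peer)


if __name__ == "__main__":
    for peer, flows in report(parse_conntrack(SAMPLE_CONNTRACK)).items():
        print(f"peer {peer}: {len(flows)} flow(s)")
        for e in flows:
            nat = "source NAT applied" if e.source_natted() else "no NAT"
            print(f"  {e.timeout:>4}s  local {e.orig['src']}:{e.orig['sport']}"
                  f" -> seen by peer as {e.reply['dst']}:{e.reply['dport']}  [{nat}]")
```

Run it against the real table with `parse_conntrack(open('/proc/net/ip_conntrack').read())` on a kernel that still exposes that file; on current kernels the same tuples come from `conntrack -L`, whose output differs slightly in layout, so the parser would need adjusting there.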