Re: [Openvpn-users] traceroute through a VPN tunnel

  Subject: Re: [Openvpn-users] traceroute through a VPN tunnel
  From: Lindsay Haisley <fmouse@xxxxxxx>
  Date: Wed, 07 Nov 2007 09:25:14 -0600

On Wed, 2007-11-07 at 08:42 +0530, Prasanna Krishnamoorthy wrote:
> I've done plain traceroute and tracepath through multi-hop VPN
> tunnels. So certainly there's no issue with openvpn. I would expect
> that it's a routing issue, except for the fact that you're getting
> back replies if you do traceroute -l.

It's actually "traceroute -I hostname" which uses ICMP packets for the
traceroute instead of UDP packets.  The routing seems to be OK.  The VPN
works as expected, except for this one issue.

> So there may be something specific in your firewall config which
> disallows replies to the UDP requests. You'll need to check your
> config.

Well I went through the available OpenVPN config options and couldn't
find anything relevant.  A tcpdump on the tap0 IF on the server clearly
shows UDP packets coming in, addressed to ports 33434 and up, but no
corresponding ICMP "unreachable" packets being sent out in reply.  I
would suspect an IF-specific kernel issue, maybe in the TAP/TUN module.
iptables rules specifically allow _all_ traffic from the tap0 IF to pass
through the firewall, so the traceroute UDP packets aren't being
dropped, just ignored.

I also looked through the sysctl params in and above /proc/sys/net/ipv4
and the documentation on them in the kernel docs, but found nothing
there, either.

I have a couple of client boxes on the same VPN, also running OpenVPN,
and they exhibit the same phenomenon.  I can ping them, log into them,
traceroute -I to them, but a traceroute using UDP packets goes nowhere.
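The tcpdump observation in the message above (UDP probes arriving on tap0 at ports 33434 and up, no ICMP port-unreachable leaving) is the kind of asymmetry that is easy to eyeball for one probe and tedious for a whole trace. The script below is an added example, not code from the original post or from the OpenVPN project: it reads `tcpdump -n` style text lines, pairs each UDP traceroute probe with the ICMP "udp port N unreachable" reply that quotes the same port, and lists the probes that drew no reply. The capture lines embedded in it are constructed for the example, and the port window (33434 up to 33434+89, i.e. 30 hops times 3 probes) is an assumption about a default UDP traceroute run; adjust it if the client uses `-p` or `-q`.

```python
import re

# Assumed output format of `tcpdump -n` (numeric, no name resolution).
# A UDP traceroute probe:     IP A.B.C.D.sport > W.X.Y.Z.dport: UDP, length N
# The reply the target owes:  IP W.X.Y.Z > A.B.C.D: ICMP W.X.Y.Z udp port dport unreachable, length N
UDP_PROBE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP"
)
ICMP_UNREACH = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP "
    r"(?P<orig_dst>[\d.]+) udp port (?P<port>\d+) unreachable"
)

# Default first destination port of UDP traceroute; each probe uses the next port.
TRACEROUTE_BASE_PORT = 33434
# Assumption: 30 hops x 3 probes, so 90 ports in total for a default run.
TRACEROUTE_MAX_PORT = TRACEROUTE_BASE_PORT + 89

# Constructed sample capture (not from the original post): four probes reach
# the server on tap0, only the first one is answered, and an unrelated
# ping exchange shows that ICMP itself flows both ways.
SAMPLE_CAPTURE = """\
09:25:14.100001 IP 10.8.0.6.41000 > 10.8.0.1.33434: UDP, length 32
09:25:14.100002 IP 10.8.0.1 > 10.8.0.6: ICMP 10.8.0.1 udp port 33434 unreachable, length 68
09:25:14.100003 IP 10.8.0.6.41001 > 10.8.0.1.33435: UDP, length 32
09:25:14.100004 IP 10.8.0.6.41002 > 10.8.0.1.33436: UDP, length 32
09:25:14.100005 IP 10.8.0.6.41003 > 10.8.0.1.33437: UDP, length 32
09:25:14.100006 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1234, seq 1, length 64
09:25:14.100007 IP 10.8.0.1 > 10.8.0.6: ICMP echo reply, id 1234, seq 1, length 64
"""


def parse_capture(text, base_port=TRACEROUTE_BASE_PORT, max_port=TRACEROUTE_MAX_PORT):
    """Return (probes, replies).

    probes:  {dport: (src, dst)} for every UDP packet aimed at a traceroute port
    replies: {dport: (src, dst)} for every ICMP port-unreachable quoting such a port
    Other traffic (pings, TTL-exceeded from intermediate hops, ...) is ignored.
    """
    probes, replies = {}, {}
    for line in text.splitlines():
        m = UDP_PROBE.match(line)
        if m:
            dport = int(m["dport"])
            if base_port <= dport <= max_port:
                probes[dport] = (m["src"], m["dst"])
            continue
        m = ICMP_UNREACH.match(line)
        if m:
            replies[int(m["port"])] = (m["src"], m["dst"])
    return probes, replies


def unanswered_probes(probes, replies):
    """Destination ports that were probed but never drew a port-unreachable."""
    return sorted(p for p in probes if p not in replies)


def mismatched_replies(probes, replies):
    """Ports whose reply came from a host other than the one that was probed.

    On a healthy path the port-unreachable is sent by the probe's destination
    itself, so a mismatch points at a NAT or a middlebox answering on its behalf.
    """
    return sorted(p for p, (rsrc, _) in replies.items()
                  if p in probes and probes[p][1] != rsrc)


def diagnose(text):
    """Summarise a capture: who was probed, what was answered, what was not."""
    probes, replies = parse_capture(text)
    return {
        "probed": len(probes),
        "answered": sum(1 for p in probes if p in replies),
        "unanswered": unanswered_probes(probes, replies),
        "mismatched": mismatched_replies(probes, replies),
        # The host(s) that received the probes and therefore owe the replies.
        "responders": sorted({dst for _, dst in probes.values()}),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE)
    print("probed %(probed)d, answered %(answered)d" % result)
    print("unanswered ports:", result["unanswered"])
    print("owed by:", result["responders"])
```

To feed it a real trace, capture on the tunnel interface with something like `tcpdump -nli tap0 'udp portrange 33434-33523 or icmp' > trace.txt` and pass the file contents to `diagnose()`. The output only tells you which host received the probes and therefore owes the port-unreachable; what silences that host is outside the capture. On Linux the usual places to look are an iptables rule in the OUTPUT chain (rules that accept everything arriving from tap0 do not cover packets the box itself sends back) and the net.ipv4.icmp_ratelimit / net.ipv4.icmp_ratemask sysctls, which by default rate-limit destination-unreachable messages.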

