Re: [Openvpn-users] traceroute through a VPN tunnel

  • Subject: Re: [Openvpn-users] traceroute through a VPN tunnel
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Wed, 07 Nov 2007 15:31:56 +0000


Lindsay Haisley wrote:
> On Wed, 2007-11-07 at 08:42 +0530, Prasanna Krishnamoorthy wrote:
>> I've done plain traceroute and tracepath through multi-hop VPN
>> tunnels. So certainly there's no issue with openvpn. I would expect
>> that it's a routing issue, except for the fact that you're getting
>> back replies if you do traceroute -l.
> It's actually "traceroute -I hostname" which uses ICMP packets for the
> traceroute instead of UDP packets.  The routing seems to be OK.  The VPN
> works as expected, except for this one issue.
>> So there may be something specific in your firewall config which
>> disallows replies to the UDP requests. You'll need to check your
>> config.
> Well I went through the available OpenVPN config options and couldn't
> find anything relevant.  A tcpdump on the tap0 IF on the server clearly
> shows UDP packets coming in, addressed to ports 33434 and up, but no
> corresponding ICMP "unreachable" packets being sent out in reply.  I
> would suspect an IF-specific kernel issue, maybe in the TAP/TUN module.
> iptables rules specifically allow _all_ traffic from the tap0 IF to pass
> through the firewall, so the traceroute UDP packets aren't being
> dropped, just ignored.

What are the TTL values on these packets? A TTL of 0 should trigger the
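The debugging step Lindsay describes above (tcpdump on tap0 shows the UDP probes to 33434 and up arriving, but no ICMP "unreachable" going back) can be checked mechanically. The script below is an added example for this thread, not code from OpenVPN or from any of the posters: it pairs each UDP traceroute probe in tcpdump summary output with the ICMP port-unreachable that should answer it and lists the probes that were never answered. The tcpdump lines, the 10.8.0.x addresses and the tap0 interface are constructed sample data, not a capture from the original poster's server.

```python
"""Pair UDP traceroute probes with ICMP port-unreachable replies in tcpdump output.

Added example for the [Openvpn-users] traceroute thread; not from OpenVPN or any
poster. The sample lines are constructed to look like `tcpdump -n -i tap0`
summary output; addresses and timestamps are assumptions.
"""
import re
from dataclasses import dataclass

# Classic traceroute sends UDP to 33434 and increments the port for every probe;
# the defaults are 30 hops x 3 probes, which gives the range checked here.
TRACEROUTE_PORT_MIN = 33434
TRACEROUTE_PORT_MAX = TRACEROUTE_PORT_MIN + 30 * 3

# Constructed sample: three probes arrive on tap0, only the first is answered.
# The DNS query on the last line is there to show that ordinary UDP is ignored.
SAMPLE_TCPDUMP = """\
15:31:01.000100 IP 10.8.0.6.40123 > 10.8.0.1.33434: UDP, length 32
15:31:01.000350 IP 10.8.0.1 > 10.8.0.6: ICMP 10.8.0.1 udp port 33434 unreachable, length 68
15:31:01.000500 IP 10.8.0.6.40124 > 10.8.0.1.33435: UDP, length 32
15:31:01.000900 IP 10.8.0.6.40125 > 10.8.0.1.33436: UDP, length 32
15:31:01.001200 IP 10.8.0.6.52001 > 10.8.0.1.53: UDP, length 45
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
UDP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)
# Reply from the final host. An intermediate hop would instead send
# "ICMP time exceeded in-transit", whose summary line carries no port, so
# pairing those would need `tcpdump -v`; this parser only handles the
# port-unreachable case the thread is about.
UNREACH_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): "
    rf"ICMP (?P<orig_dst>{IPV4}) udp port (?P<port>\d+) unreachable"
)


@dataclass(frozen=True)
class Probe:
    ts: str
    src: str
    dst: str
    dport: int


def parse_probes(text):
    """Return the UDP datagrams whose destination port is in traceroute's range."""
    probes = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        if TRACEROUTE_PORT_MIN <= dport < TRACEROUTE_PORT_MAX:
            probes.append(Probe(m["ts"], m["src"], m["dst"], dport))
    return probes


def parse_unreachables(text):
    """Return {(replying_host, probed_port)} for every ICMP port-unreachable seen."""
    replies = set()
    for line in text.splitlines():
        m = UNREACH_RE.match(line)
        if m:
            replies.add((m["src"], int(m["port"])))
    return replies


def unanswered_probes(text):
    """Ports of probes for which the probed host never sent a port-unreachable."""
    replies = parse_unreachables(text)
    return [p.dport for p in parse_probes(text) if (p.dst, p.dport) not in replies]


def report(text):
    """Human-readable summary, one line per probe."""
    replies = parse_unreachables(text)
    lines = []
    for p in parse_probes(text):
        status = "answered" if (p.dst, p.dport) in replies else "NO ICMP REPLY"
        lines.append(f"{p.ts} {p.src} -> {p.dst}:{p.dport}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TCPDUMP))
    print("unanswered:", unanswered_probes(SAMPLE_TCPDUMP))
```

Fed the output of `tcpdump -n -i tap0 -l 'udp or icmp'` on the server, a list of unanswered probes confirms what the tcpdump reading in the thread says: the probes are reaching the interface and the kernel is simply not generating the ICMP error, which points away from the VPN and at the host's own ICMP handling rather than at a dropped packet.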

