Re: [Openvpn-users] Routing problem


  • Subject: Re: [Openvpn-users] Routing problem
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Fri, 01 Feb 2008 13:37:24 +0100

Hi Lars,

your openvpn tunnel is biting itself in its own tail:
The OpenVPN client 192.168.10.10 connects to the OpenVPN server 
195.10.10.10, and a new IP range 10.8.0.x is created. Let's follow the 
flow of packets when you ping 10.8.0.1 from the client 10.8.0.6:
1. packet is created with source address (SRC) 10.8.0.6, destination 
address (DST) 10.8.0.1
2. this packet is sent to the tun0 interface of your client and is 
processed by the OpenVPN software on your client
3. OpenVPN will encapsulate and encrypt the packet and will then send it 
to 195.10.10.10 (the 'remote' machine in your openvpn config file )
4. the openvpn process on the 'remote' machine receives the packet, 
decrypts it, forwards it out its 'tun' interface and waits for an answer.

Now imagine what happens if you add a route to send traffic for host 
195.10.10.10 also through this same tunnel:
1. SRC=10.8.0.6, DST=195.10.10.10
2. packet is sent to tun0, openvpn on the client encapsulates
3. packet is now sent to 195.10.10.10. Wait. How do I send stuff to 
195.10.10.10? Oh right, I must send it to the tun0 interface. Go to step 2.

So you've created a 'tunneling loop' for lack of a better word.

The only way round this is to separate the vpn server from the database 
application server.

HTH,

JJK

Lars Skjærlund wrote:
> Hi list,
>
> I'm new to OpenVPN and stuck with a routing problem - a trivial
> problem, I hope.
>
> I'm trying to connect two Linux computers:
>
> 195.10.10.10 <-> 192.168.10.10
>
> The first is using a registered IP, the second a private IP. I've
> created a tunnel using more or less default values, with the registered
> IP as the server and the private IP as the client. The server has the IP
> 10.8.0.1, and the client 10.8.0.6. I can ping both these addresses.
>
> Unfortunately, I must run an application that will only connect to the
> servers' primary addresses: It's a database application, and when the
> two instances need to communicate, it will connect from 195.10.10.10 to
> 192.168.10.10 or vice versa.
>
> Because of this, I've set up an extra route pointing to the primary
> interface on the other end, ie. the server has a route directing
> 192.168.10.10/32 through tun0, and the client routes 195.10.10.10/32
> through its tun0. When the tunnel comes up, routing tables in both ends
> are updated correctly and I've enabled packet forwarding.
>
> Still, though, it doesn't work: Using tcpdump, when I ping an IP, I can
> see echo request packets entering tun0, but they are never received on
> the other end. The behaviour is identical in both ends.
>
> What am I missing?
>
> Regards,
> Lars
>   
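
The loop JJK walks through above can be reproduced with a small route-lookup simulation. The script below is an added example, not code from the thread or from OpenVPN: it models the client's kernel routing table with longest-prefix matching, follows a packet, and every time the packet is routed into a tunnel device it re-looks up the tunnel's transport peer (the 'remote' in the client config), because OpenVPN's UDP socket is routed by the same kernel table as everything else. If that lookup leads back into a tunnel whose peer has already been visited, the packet will never leave the host. The addresses come from the thread; the default gateway 192.168.10.1 and the net30 peer address 10.8.0.5 are assumptions added to make the table complete.

```python
"""Trace a packet through a routing table that contains tunnel interfaces
and detect the 'tunneling loop' from the reply: a route that sends traffic
for the VPN peer's own public address into the tunnel whose encapsulated
packets are addressed to that very peer.

Added example. Routing entries are constructed to match the thread
(client 192.168.10.10 <-> server 195.10.10.10, VPN subnet 10.8.0.0/24,
client tunnel address 10.8.0.6). The default gateway 192.168.10.1 and the
net30 peer 10.8.0.5 are assumptions, not stated in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    dev: str                        # output interface
    via: Optional[str] = None       # next-hop gateway, if any


def R(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.IPv4Network(prefix), dev, via)


# Client's kernel routing table once the tunnel is up (constructed).
CLIENT_TABLE: List[Route] = [
    R("0.0.0.0/0", "eth0", via="192.168.10.1"),   # assumed default gateway
    R("192.168.10.0/24", "eth0"),
    R("10.8.0.4/30", "tun0"),                      # net30 point-to-point subnet
    R("10.8.0.0/24", "tun0", via="10.8.0.5"),      # rest of the VPN subnet
]

# The extra route Lars added on the client: the server's public address via tun0.
EXTRA_ROUTE = R("195.10.10.10/32", "tun0")

# Tunnel device -> transport peer its encapsulated packets are sent to
# (the 'remote' line of the client config).
TUNNELS: Dict[str, str] = {"tun0": "195.10.10.10"}


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel's FIB lookup does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def trace(table: List[Route], dst: str, tunnels: Dict[str, str],
          max_hops: int = 16) -> Tuple[List[Tuple[str, str]], str]:
    """Follow a packet for dst. Each time it is routed into a tunnel device
    it is encapsulated and re-sent to that tunnel's peer, which needs a fresh
    lookup. Returns (hops, verdict); verdict is 'ok' when the packet leaves on
    a non-tunnel interface, 'loop' when a peer address is looked up twice,
    'unroutable' when no route matches."""
    hops: List[Tuple[str, str]] = []
    seen = set()
    cur = dst
    while len(hops) < max_hops:
        route = lookup(table, cur)
        if route is None:
            hops.append((cur, "-"))
            return hops, "unroutable"
        hops.append((cur, route.dev))
        if route.dev not in tunnels:
            return hops, "ok"            # physical interface: packet leaves the host
        seen.add(cur)
        cur = tunnels[route.dev]         # outer packet is now addressed to the peer
        if cur in seen:
            return hops, "loop"          # peer is routed back into the tunnel
    return hops, "loop"


def tunnel_loops(table: List[Route], tunnels: Dict[str, str]) -> List[str]:
    """Tunnels whose own peer address is routed back into a tunnel: the check
    to run before adding a route with 'dev tunX'."""
    return [dev for dev, peer in tunnels.items()
            if trace(table, peer, tunnels)[1] == "loop"]


if __name__ == "__main__":
    for label, table in (("before extra route", CLIENT_TABLE),
                         ("after extra route", CLIENT_TABLE + [EXTRA_ROUTE])):
        for dst in ("10.8.0.1", "195.10.10.10"):
            hops, verdict = trace(table, dst, TUNNELS)
            path = " -> ".join(f"{a} via {d}" for a, d in hops)
            print(f"{label}: ping {dst}: {verdict} ({path})")
        print(f"{label}: looping tunnels = {tunnel_loops(table, TUNNELS)}")
```

Running it shows the two states from the thread: with the default routes, 10.8.0.1 goes into tun0, the encapsulated packet for 195.10.10.10 takes the default route out of eth0, and the ping works. Once the /32 for 195.10.10.10 points at tun0, not only the ping to 195.10.10.10 but also the ping to 10.8.0.1 ends in a loop, because the tunnel's own transport packets are now swallowed by the tunnel; tcpdump on tun0 sees the echo requests going in, and nothing reaches the far end, which is exactly what Lars observed on both hosts.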

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users