
Re: [Openvpn-users] Routing problem

  • Subject: Re: [Openvpn-users] Routing problem
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Fri, 01 Feb 2008 13:37:24 +0100

Hi Lars,

your openvpn tunnel is biting itself in its own tail:
The OpenVPN client connects to the OpenVPN server, and a new IP range 10.8.0.x is created. Let's follow the 
flow of packets when you ping from the client
1. packet is created with source address (SRC), destination 
address (DST)
2. this packet is sent to the tun0 interface of your client and is 
processed by the OpenVPN software on your client
3. OpenVPN will encapsulate and encrypt the packet and will then send it 
to (the 'remote' machine in your openvpn config file)
4. the openvpn process on the 'remote' machine receives the packet, 
decrypts it, forwards it out its 'tun' interface and waits for an answer.

Now imagine what happens if you add a route to send traffic for host also through this same tunnel:
1. SRC=, DST=
2. packet is sent to tun0, openvpn on the client encapsulates
3. packet is now sent to Wait. How do I send stuff to Oh right, I must send it to the tun0 interface. Go to step 2.

so you've created a 'tunneling loop' for lack of a better word.

the only way round this is to separate the vpn server from the database 
application server.



Lars Skjærlund wrote:
> Hi list,
> I'm new to OpenVPN and stuck with a routing problem - a trivial
> problem, I hope.
> I'm trying to connect two Linux computers:
> <->
> The first is using a registered IP, the second a private IP. I've
> created a tunnel using more or less default values, with the registered
> IP as the server and the private IP as the client. The server has the IP
>, and the client I can ping both these addresses.
> Unfortunately, I must run an application that will only connect to the
> servers' primary addresses: It's a database application, and when the
> two instances need to communicate, it will connect from to
> or vice versa.
> Because of this, I've set up an extra route pointing to the primary
> interface on the other end, i.e. the server has a route directing
> through tun0, and the client routes
> through its tun0. When the tunnel comes up, routing tables in both ends
> are updated correctly and I've enabled packet forwarding.
> Still, though, it doesn't work: Using tcpdump, when I ping an IP, I can
> see echo request packets entering tun0, but they are never received on
> the other end. The behaviour is identical in both ends.
> What am I missing?
> Regards,
> Lars
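The tunnelling loop Jan describes above can be reproduced on a simulated routing table. The following is an added example, not code from the thread or from the OpenVPN project: it does a longest-prefix lookup over a constructed route table, then follows Jan's steps (packet leaves via tun0, OpenVPN re-sends it to the 'remote' address, the kernel routes that encapsulated packet again) and reports whether the packet ever reaches a physical interface. The addresses are assumptions (RFC 5737 documentation ranges), since the real ones did not survive in the archived message; only the 10.8.0.x tunnel range comes from the thread.

```python
import ipaddress

# Constructed addresses (assumptions, not the thread's real ones).
SERVER_PUBLIC = "203.0.113.10"   # the OpenVPN server's registered IP, i.e. the client's 'remote'
TUN_IFACE = "tun0"

# Client routing table before Lars's extra route: (prefix, egress interface).
WORKING_ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route via the physical interface
    ("10.8.0.0/24", "tun0"),     # tunnel network created by OpenVPN
]

# Client routing table after adding the route that sends the server's
# primary address through the tunnel as well (Lars's setup).
LOOPING_ROUTES = WORKING_ROUTES + [
    ("203.0.113.10/32", "tun0"),  # host route to the OpenVPN 'remote' via tun0
]


def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def trace(routes, tun_iface, remote, dst, max_hops=8):
    """Follow a packet for dst through the tunnel the way Jan's steps describe.

    Returns (hops, looped). hops is a list of (destination, interface);
    looped is True when the encapsulated packet addressed to the OpenVPN
    'remote' is itself routed back into tun_iface, so it never leaves a
    physical interface.
    """
    hops = []
    cur = dst
    for _ in range(max_hops):
        iface = lookup(routes, cur)
        hops.append((cur, iface))
        if iface != tun_iface:
            return hops, False          # left via a physical interface: fine
        if cur == remote:
            return hops, True           # remote itself goes into the tunnel: loop
        cur = remote                    # OpenVPN encapsulates and sends to 'remote'
    return hops, True


def report(routes, label):
    """Print the hop list for a ping to the far tunnel address and return looped."""
    hops, looped = trace(routes, TUN_IFACE, SERVER_PUBLIC, "10.8.0.1")
    print(f"{label}: {' -> '.join(f'{d} via {i}' for d, i in hops)}"
          f" [{'LOOP' if looped else 'ok'}]")
    return looped


if __name__ == "__main__":
    report(WORKING_ROUTES, "without extra route")
    report(LOOPING_ROUTES, "with extra route   ")
```

With the extra route in place even a ping to 10.8.0.1 loops, which matches what Lars saw with tcpdump: echo requests enter tun0 and nothing ever appears on the physical interface. On a live box the equivalent check is `ip route get <remote>` on each end; if it answers with `dev tun0`, the tunnel is carrying its own endpoint.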
