From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: Port-based routing with OpenVPN
Date: Wed, 26 Sep 2007 12:33:56 +0200 [thread overview]
Message-ID: <46FA3594.9050306@plouf.fr.eu.org> (raw)
In-Reply-To: <1190758479.13546.8.camel@laptop>
Mario Hülsegge wrote:
>
> I am sorry, I confused the tcpdump output with another test on a normal
> eth device; this is the capture on tun0:
>
> 23:47:54.378123 IP 192.168.0.125.3794 > ha-42.web.de.www: S 471744113:471744113(0) win 5840 <mss 1460,sackOK,timestamp 7974928 0,nop,wscale 3>
[etc.]
> The answer seems to be blocked in some way. Suggestions?
First, can you check on the VPN gateway that the request is received and
forwarded to the destination server?
Then, check the return path routing. One step would be to set the
default route through the VPN and check that everything works well.
I see that your workstation source address, 192.168.0.125, is the same
as in the capture on the ethernet device, and probably different from
the tun0 address. This is normal, because the source address selection
occurs before the port based routing is taken into account. However if
the VPN gateway has no route to your source address, replies cannot come
back. You may need to add an iptables SNAT or MASQUERADE rule for
packets leaving the tun0 interface. Beware that with older kernels
MASQUERADE may not work well with advanced routing.
Also, if the source address is a private address, the VPN gateway must
perform SNAT or MASQUERADE on packets forwarded from the VPN to the
public network.
Finally, check that /proc/sys/net/ipv4/conf/tun0/rp_filter = 0, else
your workstation routing may drop the replies arriving at tun0 (although
tcpdump would see them).
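The workstation-side pieces of the setup discussed in this thread, collected as an added example (not code posted by either participant): marking port-80 traffic into a dedicated routing table, masquerading on tun0 so the VPN gateway can route replies back, and checking or clearing rp_filter on tun0. The VPN gateway address 10.8.0.1, the table name `vpn`, the fwmark 0x1 and the PROC_ROOT override (for testing the check without a real /proc) are assumed placeholders.

```shell
#!/bin/sh
# Added example; all defaults below are constructed placeholders.
TUN_IF="${TUN_IF:-tun0}"
VPN_GW="${VPN_GW:-10.8.0.1}"       # assumed OpenVPN peer address on the tun side
TABLE="${TABLE:-vpn}"              # routing table used only for VPN-bound traffic
MARK="${MARK:-0x1}"                # fwmark attached to port-80 packets
PROC_ROOT="${PROC_ROOT:-/proc}"    # overridable so the rp_filter check runs offline
RUN="${RUN:-sh -c}"                # set RUN=echo to print the commands instead

run() { $RUN "$*"; }

# Port-based routing: mark locally generated TCP/80 packets and send marked
# packets through the VPN table. The source address was already chosen
# before the mark is consulted, which is why setup_snat is needed too.
setup_marking() {
    run "iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARK"
    run "ip rule add fwmark $MARK table $TABLE"
    run "ip route add default via $VPN_GW dev $TUN_IF table $TABLE"
}

# Rewrite the source of packets leaving tun0 to the tun0 address, so the
# VPN gateway has a route for its replies even if it knows nothing about
# the workstation's LAN address.
setup_snat() {
    run "iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE"
}

rp_filter_path() {
    printf '%s/sys/net/ipv4/conf/%s/rp_filter\n' "$PROC_ROOT" "$TUN_IF"
}

# Reverse-path filtering on tun0 must be 0: the kernel would otherwise drop
# replies arriving on tun0 for a source address it routes elsewhere, even
# though tcpdump on tun0 still shows them.
rp_filter_ok() {
    [ "$(cat "$(rp_filter_path)" 2>/dev/null)" = "0" ]
}

rp_filter_disable() {
    echo 0 > "$(rp_filter_path)"
}
```

Run with `RUN=echo` first to review the generated iptables and ip commands before applying them as root.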