I have several observations, some of which may help clear up your routing issue.
First, routes are considered in the order they appear in the routing table; only if several offer a way to reach the desired destination is any weighting taken into consideration. As far as I can see, you have no way specified for anyone to reach addresses in the range 10.0.1.x/24, except for the inclusive 10.0.x.x/16 entry that datopdawg
has noted as problematic.
If you are sure that you did the ping
experiment showing that the Debian box could reach the other end of the tunnel by specifying a destination address rather than a name, then this indicates that the 10.0.x.x/16 route entry is the one that was used.
Yet machines beyond the Debian box on net 10.0.5.x are not able to ping 10.0.1.1 address. You say you are using the Debian box as a gateway for those machines; does that mean that they have a default route to the LAN interface on the Debian box (10.0.5.1?) Windows calls this a default gateway
. And just for completeness, does the Debian box have forwarding turned on (/proc/sys/net/ipv4/ip_forward
= 1), and are there any iptables rules in the FORWARD chain? Either of these could be blocking the ping packets.
I would agree that you should remove the 10.0/16 route, and I would replace it with an explicit route:
route add -net 10.0.1.0 255.255.255.0 dev tun0
If this still does not work, I would recommend using tcpdump to find out what the Debian box is actually doing with the packets from your windows box. You can specify that tcpdump will only report on packets with a source or destination address equal to that of the windows box under test; be sure to specify -i any
or tcpdump will not listen on all your interfaces.