Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Yeah, you're right, the IP of the LAN side of the server is 10.10.202.2.
I was just thinking that I should be able to ping the other end of the tunnel with what the OpenVPN server assigns itself as it's IP in that tunnel.
I restarted openvpn from both the client and the server from the command line, and I'm getting this on the server:
Thu Apr 8 14:01:09 2010 client2/x.x.x.116:45573 MULTI: bad source address from client [x.x.x.116], packet dropped
So I am currently looking into that.
I also ran into a tip about running tcpdump on the tunnel interface, so I did so on my server while pinging from the client, and I am getting that traffic in it looks like:
Code:
[root@botcovpn01 ~]# tcpdump -i tun0
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:14:35.873256 IP 192.168.207.6 > 192.168.207.1: ICMP echo request, id 15631, seq 1, length 64
14:14:35.873313 IP 192.168.207.1 > 192.168.207.6: ICMP echo reply, id 15631, seq 1, length 64
14:14:36.871767 IP 192.168.207.6 > 192.168.207.1: ICMP echo request, id 15631, seq 2, length 64
14:14:36.871792 IP 192.168.207.1 > 192.168.207.6: ICMP echo reply, id 15631, seq 2, length 64
14:14:37.873010 IP 192.168.207.6 > 192.168.207.1: ICMP echo request, id 15631, seq 3, length 64
So as far as I can tell the tunnel is up, I just can't get traffic to hit the LAN side.
Edit...
Just did the same thing in reverse, pinging from my server down to the client while running tcpdump -i tun0 on the client, and I was able to see the ICMP replies and requests.
I made that change, and I can now ping 10.10.202.2 however, I can't hit 10.10.202.1 (which is the gateway of the OpenVPN server). This doesn't make sense, since the default gateway is 10.10.202.1 for that server.
Not so quickly, please.
First of all, I would like to ask you to do all tests from CLIENT computer only, and not from its LAN.
Please, do from CLIENT computer:
traceroute 10.10.202.2
As I understand right, 10.10.202.2 is the IP address of eth1 of the OpenVPN server?
Do you remember, you have shown me script from OpenVPN, which configures iptables, I did not find anything about NAT table there, but your iptables-save has NAT postrouting rules.
The nat part was in the original script, I just commented it out:
# Masquerade local subnet
# iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
Ok. This is your NAT part of iptables on server:
# Generated by iptables-save v1.3.5 on Thu Apr 8 08:27:17 2010
*nat
:PREROUTING ACCEPT [4407:265494]
:POSTROUTING ACCEPT [2689:182662]
:OUTPUT ACCEPT [611:45395]
-A POSTROUTING -s 10.10.202.0/255.255.255.0 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.10.202.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
I would like to ask you to REMOVE:
1. -A POSTROUTING -s 10.10.202.0/255.255.255.0 -o eth1 -j MASQUERADE
2. -A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth0 -j MASQUERADE
When you made chances, please reload iptables and check if changes were applied.
I can ping from the client back to the server, now I need to set this up so that I can ping from the server down to 192.168.204.1 (the eth1 IP of the client machine).
Lets make some changes. You have:
192.168.204.0 192.168.207.2 255.255.255.0 UG 0 0 0 tun0
Please, change it to:
192.168.204.0 192.168.207.5 255.255.255.0 UG 0 0 0 tun0
Also, remember, that any changes you have made through "route" or "ip" command are stored ONLY in memory, they are not permanent. So, after we finish (I hope) testing you need to write they to config. file on server and on client. Also this is true for iptables.
[root@vpn01 openvpn]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:f1:bb:e9:96 brd ff:ff:ff:ff:ff:ff
inet 10.10.202.2/24 brd 10.10.202.255 scope global eth1
inet6 fe80::20c:f1ff:febb:e996/64 scope link
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:10:4b:07:03:01 brd ff:ff:ff:ff:ff:ff
inet X.X.X.115/29 brd X.X.X.119 scope global eth0
inet6 fe80::210:4bff:fe07:301/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 192.168.207.1 peer 192.168.207.2/32 scope global tun0
[root@vpn01 openvpn]# ip route show
192.168.207.2 dev tun0 proto kernel scope link src 192.168.207.1
X.X.X.112/29 dev eth0 proto kernel scope link src X.X.X.115
10.10.202.0/24 dev eth1 proto kernel scope link src 10.10.202.2
192.168.204.0/24 via 192.168.207.2 dev tun0
192.168.207.0/24 via 192.168.207.2 dev tun0
169.254.0.0/16 dev eth1 scope link
default via 10.10.202.1 dev eth1
If I'm reading this right, 192.168.207.1 is the server, it's peer being 192.168.207.2 (the client), and in the routing table, we have 192.168.204.0/24 via 192.168.207.2 dev tun0.
So we have 192.168.207.1 -> 192.168.207.2 -> 192.168.204.0/24.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.