Trying to route via OpenVPN client
Hello,
I have a problem.
I am trying to connect two networks, 10.x.y.z and 192.168.87.t via a VPN tunnel.
The tunnel itself works, and I can route via the server, but not via the client.
The (in my opinion, of course) relevant machines are:
A 192.168.87.6 the machine from which I try to control everything
B 192.168.87.5 the VPN client/designated router (this is where I seem to have a problem)
C 10.0.0.21 the VPN server, and router (which works)
When I try to PING from Machine A to Machine C, I get no reply.
Using tcpdump -i tun0 icmp on machine B, these come from Machine A and do not arrive at machine C:
11:33:07.263612 IP 192.168.87.6 > 10.0.0.21: ICMP echo request, id 42802, seq 7, length 64
11:33:08.264026 IP 192.168.87.6 > 10.0.0.21: ICMP echo request, id 42802, seq 8, length 64
11:33:09.263407 IP 192.168.87.6 > 10.0.0.21: ICMP echo request, id 42802, seq 9, length 64
11:33:10.350762 IP 192.168.87.6 > 10.0.0.21: ICMP echo request, id 42802, seq 10, length 64
Of course I also used tcpdump on machine C to verify, and I never see any ICMP appear on tun0.
Next I start ping from machine B: these arrive at machine C, and get replies:
11:33:51.049617 IP 192.168.101.10 > 10.0.0.21: ICMP echo request, id 27714, seq 1, length 64
11:33:51.135377 IP 10.0.0.21 > 192.168.101.10: ICMP echo reply, id 27714, seq 1, length 64
11:33:52.050230 IP 192.168.101.10 > 10.0.0.21: ICMP echo request, id 27714, seq 2, length 64
11:33:52.133727 IP 10.0.0.21 > 192.168.101.10: ICMP echo reply, id 27714, seq 2, length 64
11:33:53.050244 IP 192.168.101.10 > 10.0.0.21: ICMP echo request, id 27714, seq 3, length 64
11:33:53.133586 IP 10.0.0.21 > 192.168.101.10: ICMP echo reply, id 27714, seq 3, length 64
11:33:54.050243 IP 192.168.101.10 > 10.0.0.21: ICMP echo request, id 27714, seq 4, length 64
11:33:54.133149 IP 10.0.0.21 > 192.168.101.10: ICMP echo reply, id 27714, seq 4, length 64
My routing table on Machine A:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
217.0.116.140 * 255.255.255.255 UH 0 0 0 ppp0
localnet * 255.255.255.0 U 0 0 0 eth0
10.0.0.0 Penti 255.255.0.0 UG 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default * 0.0.0.0 U 0 0 0 ppp0
#
so indeed, packets for 10.0.0.21 will go to "Penti", which is Machine B.
On Machine B, I have a routing table:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.101.9   *               255.255.255.255 UH    0      0        0 tun0
192.168.101.1   192.168.101.9   255.255.255.255 UGH   0      0        0 tun0
192.168.101.0   192.168.101.9   255.255.255.0   UG    0      0        0 tun0
192.168.87.0    *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
10.0.0.0        192.168.101.9   255.0.0.0       UG    0      0        0 tun0
default         192.168.87.6    0.0.0.0         UG    100    0        0 eth0
so everything entering for 10.x.y.z should go to 192.168.101.9, and via tun0 to machine C.
And indeed, as the above example shows, it does come out on tun0, but then it only seems to arrive at the other end when originating on machine B, but not when routed from Machine A.
Of course:
root@Penti:/home/administrator# cat /proc/sys/net/ipv4/ip_forward
1
and the firewall is empty:
root@Penti:/home/administrator# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Am I missing something?
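A check a reader could run over the captures in the post, added here as an example and not part of the original post: it classifies tcpdump lines seen on the client's tun0 by whether the source is the tunnel endpoint itself (192.168.101.10) or an address forwarded from the 192.168.87.0/24 LAN, which is the one case an OpenVPN server only accepts when the client's subnet has been declared with iroute in a client-config-dir file (plus a matching route in the server config). The addresses are the ones from the post; the client common name passed to server_side_fix is a placeholder.

```python
import ipaddress
import re

# Addresses from the post: machine B's tunnel endpoint and the LAN it forwards for.
TUN_LOCAL = ipaddress.ip_address("192.168.101.10")
CLIENT_LAN = ipaddress.ip_network("192.168.87.0/24")

# Constructed sample: one request forwarded from machine A, one request/reply pair from B.
SAMPLE_CAPTURE = """\
11:33:07.263612 IP 192.168.87.6 > 10.0.0.21: ICMP echo request, id 42802, seq 7, length 64
11:33:51.049617 IP 192.168.101.10 > 10.0.0.21: ICMP echo request, id 27714, seq 1, length 64
11:33:51.135377 IP 10.0.0.21 > 192.168.101.10: ICMP echo reply, id 27714, seq 1, length 64
"""

# Matches 'tcpdump -i tun0 icmp' lines: timestamp, "IP", src > dst:, rest of line.
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ")


def classify(src, dst):
    """Say how the OpenVPN server will treat a packet the client sends into tun0.

    In server mode OpenVPN only accepts source addresses it has learned for a
    client: its assigned tunnel address, or subnets declared with 'iroute'.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == TUN_LOCAL:
        return "originated-on-client"      # accepted: source is the tunnel address
    if dst == TUN_LOCAL:
        return "reply-to-client"           # inbound from the server side
    if src in CLIENT_LAN:
        return "forwarded-needs-iroute"    # dropped unless the server knows this subnet
    return "unexpected-source"


def analyse(capture):
    """Return {category: [(src, dst), ...]} for every parsable line of a capture."""
    result = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        result.setdefault(classify(*m.groups()), []).append(m.groups())
    return result


def server_side_fix(client_cn):
    """Server-side lines needed so forwarded traffic from CLIENT_LAN is accepted and
    return traffic is routed back through this client (client_cn is a placeholder)."""
    net, mask = CLIENT_LAN.network_address, CLIENT_LAN.netmask
    return {
        "server.conf": [f"route {net} {mask}", "client-config-dir ccd"],
        f"ccd/{client_cn}": [f"iroute {net} {mask}"],
    }
```

If the server is dropping the forwarded packets for this reason, its log records a "MULTI: bad source address from client" line for each one, which is the quickest thing to check on machine C.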