I have an issue here, that has me stumped. I've spent several days on google and reading old forum posts - but have not been able to find the answer.
Summary: I don't seem to be able to get return traffic from tun0 on a VPN endpoint to egress onto the local network back to the real initiating host
I need to connect two machines (Linux to Windows) using a TCP protocol. Both can chat to each other quite happily via the internet, but I need the TCP stream encrypted.
I can't install VPN software on either of the existing servers, so I wanted to set up two other machines with a VPN link and have the original two machines talk to each other via that link.
What I have so far is (IP and MAC addresses sanitised):-
Client machine : 10.0.0.2
VPN client machine: 10.0.0.3 (OpenVPN 2.3.2 client)
VPN remote machine: 10.38.0.3 (OpenVPN 2.3.2 server)
Server remote machine: 10.36.0.2
I have a tunnel established between the two new machines using OpenVPN, and it is working ok.
tun0 is on 10.255.255.0/24 - 10.255.255.6 being the client address, 10.255.255.1 being the server address
I have a route on 10.0.0.2 (Client machine) to shove traffic destined for 10.36.0.2 (the service) to 10.0.0.3 (the vpn endpoint)
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG      0 0      0    eth0
10.0.0.0        0.0.0.0         255.255.255.0   U       0 0      0    eth0
10.36.0.2       10.0.0.3        255.255.255.255 UGH     0 0      0    eth0
10.255.255.6    10.0.0.3        255.255.255.255 UGH     0 0      0    eth0
169.254.169.254 0.0.0.0         255.255.255.255 UH      0 0      0    eth0
I have a route table on 10.0.0.3 (VPN gateway machine, local side) to shove traffic for 10.36.0.2 (the service) down the tunnel. The VPN NATs the tunnel traffic to make it separate and distinct.
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG      0 0      0    eth0
10.0.0.0        0.0.0.0         255.255.255.0   U       0 0      0    eth0
10.36.0.2       10.255.255.5    255.255.255.255 UGH     0 0      0    tun0
10.255.255.1    10.255.255.5    255.255.255.255 UGH     0 0      0    tun0
10.255.255.5    0.0.0.0         255.255.255.255 UH      0 0      0    tun0
169.254.169.254 0.0.0.0         255.255.255.255 UH      0 0      0    eth0
If I sit on the client VPN machine, a ping to 10.36.0.2 works (as does establishing a TCP connection to the endpoint service on 10.36.0.2).
I can see tcpdump traffic as such:-
Code:
10.0.0.3 -> : 08:37:47.249412 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 13610, seq 1, length 64
10.38.0.3 -> : 08:37:47.251461 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 13610, seq 1, length 64
10.38.0.3 -> : 08:37:47.251486 IP 10.38.0.3 > 10.36.0.2: ICMP echo request, id 13610, seq 1, length 64
10.38.0.3 -> : 08:37:47.252169 IP 10.36.0.2 > 10.38.0.3: ICMP echo reply, id 13610, seq 1, length 64
10.38.0.3 -> : 08:37:47.252178 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 13610, seq 1, length 64
10.0.0.3 -> : 08:37:47.252070 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 13610, seq 1, length 64
If I sit on the client machine (10.0.0.2) that actually wants to talk to the server (10.36.0.2), then the tcpdump is pretty much the same, with an extra hop at the beginning:
Code:
10.0.0.2 -> : 08:42:40.720806 IP 10.0.0.2 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.720525 IP 10.0.0.2 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.720558 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.722559 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.722582 IP 10.38.0.3 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.723061 IP 10.36.0.2 > 10.38.0.3: ICMP echo reply, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.723072 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.722981 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.722991 ARP, Request who-has 10.0.0.2 tell 10.0.0.3, length 28
10.0.0.3 -> : 08:42:40.723078 ARP, Reply 10.0.0.2 is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 46
10.0.0.3 -> : 08:42:40.723084 IP 10.36.0.2 > 10.0.0.2: ICMP echo reply, id 21328, seq 1, length 64
10.0.0.2 -> : Nothing :(
The bit that is missing is the packet actually getting back to 10.0.0.2.
(The MAC address returned by the ARP does match the MAC address of 10.0.0.2.)
I can ping 10.0.0.2 from 10.0.0.3 quite happily, and can ping 10.0.0.3 from 10.0.0.2 also.
The iptables config on 10.0.0.3 (local VPN tunnel end) is:
cat /etc/sysconfig/iptables
Code:
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j ACCEPT
:OUTPUT ACCEPT [8:1065]
-A OUTPUT -j ACCEPT
COMMIT
I would like to understand why the traffic is not getting back to the initiating host.
Thanks for any help, or pointers that you could suggest
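The multi-host tcpdump transcript above is exactly the kind of evidence that is easier to read when a script follows the NAT chain for you. The following is an added example, not code from the post or from OpenVPN: it parses the second trace (the ICMP id 21328 exchange, embedded below as constructed sample input), lists the source rewrites seen on the way out and the destination rewrites seen on the way back, checks that the return path unwinds every rewrite, and reports the last host on which the reply was observed. The capture format (`<capturing host> -> : <tcpdump line>`) and the function names `parse_capture` and `diagnose` are this example's own assumptions.

```python
import re

# Constructed sample input: the post's second trace, one line per capturing host.
# The trailing "Nothing :(" line is the asker's note, not a tcpdump record, and is skipped.
CAPTURE = """\
10.0.0.2 -> : 08:42:40.720806 IP 10.0.0.2 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.720525 IP 10.0.0.2 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.720558 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.722559 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.722582 IP 10.38.0.3 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.723061 IP 10.36.0.2 > 10.38.0.3: ICMP echo reply, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.723072 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.722981 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 21328, seq 1, length 64
10.0.0.3 -> : 08:42:40.722991 ARP, Request who-has 10.0.0.2 tell 10.0.0.3, length 28
10.0.0.3 -> : 08:42:40.723078 ARP, Reply 10.0.0.2 is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 46
10.0.0.3 -> : 08:42:40.723084 IP 10.36.0.2 > 10.0.0.2: ICMP echo reply, id 21328, seq 1, length 64
10.0.0.2 -> : Nothing :(
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<capturing host> -> : <timestamp> IP <src> > <dst>: ICMP echo <request|reply>, id <n>"
ICMP_RE = re.compile(
    rf"^(?P<host>{IPV4}) -> : \S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+)"
)
# "<capturing host> -> : <timestamp> ARP, Reply <ip> is-at <mac>"
ARP_RE = re.compile(
    rf"^(?P<host>{IPV4}) -> : \S+ ARP, Reply (?P<ip>{IPV4}) is-at (?P<mac>[0-9a-fA-Fx:]+)"
)


def parse_capture(text):
    """Split the transcript into ICMP hop records and ARP replies; other lines are ignored."""
    icmp, arp = [], []
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            icmp.append(m.groupdict())
            continue
        m = ARP_RE.match(line.strip())
        if m:
            arp.append(m.groupdict())
    return icmp, arp


def _ordered_unique(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def diagnose(icmp, arp, origin, target):
    """Follow one echo exchange from `origin` to `target` through the NAT chain.

    Outbound, every new source address is one NAT rewrite; on the way back every new
    destination address should undo one rewrite in reverse order. The reply has reached
    the initiating host only if that host's own capture shows it addressed to itself.
    """
    out_hops = [(r["host"], r["src"]) for r in icmp if r["kind"] == "request" and r["dst"] == target]
    back_hops = [(r["host"], r["dst"]) for r in icmp if r["kind"] == "reply" and r["src"] == target]
    nat_out = _ordered_unique(src for _, src in out_hops)
    nat_back = _ordered_unique(dst for _, dst in back_hops)
    nat_unwound = nat_back == list(reversed(nat_out))
    reached = any(host == origin and dst == origin for host, dst in back_hops)
    last_host = back_hops[-1][0] if back_hops else None
    arp_resolved_by = [a["host"] for a in arp if a["ip"] == origin and a["host"] != origin]

    if reached:
        verdict = f"reply observed on {origin}; delivery is fine"
    elif not nat_unwound:
        verdict = f"NAT chain not fully unwound: out {nat_out}, back {nat_back}"
    else:
        verdict = (f"NAT fully unwound; reply to {origin} last seen on {last_host} "
                   f"but never captured on {origin}: look at the last hop between them")
    return {
        "nat_chain_out": nat_out,
        "nat_chain_back": nat_back,
        "nat_unwound": nat_unwound,
        "reply_reached_origin": reached,
        "last_reply_seen_on": last_host,
        "arp_resolved_by": arp_resolved_by,
        "verdict": verdict,
    }


if __name__ == "__main__":
    records, arp_replies = parse_capture(CAPTURE)
    for key, value in diagnose(records, arp_replies, "10.0.0.2", "10.36.0.2").items():
        print(f"{key}: {value}")
```

Run against the post's trace, the script confirms what the asker already suspects: both MASQUERADE hops are undone on the return path (10.38.0.3 back to 10.255.255.6, then back to 10.0.0.2), 10.0.0.3 resolved the origin's MAC, and the reply was last seen on 10.0.0.3, so the problem is confined to the final eth0 hop rather than to the tunnel or the NAT rules. Feeding it a trace in which the reply does appear on the origin host flips `reply_reached_origin` to True, which makes it a quick regression check after any change to routes or filtering.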