LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 10-09-2014, 05:06 AM   #1
Parbold
LQ Newbie
 
Registered: Oct 2014
Location: West Midlands
Distribution: Centos, AmazonLinux, RedHat, Oracle Linux
Posts: 4

Getting return traffic back onto the LAN after traversing tun0 interface


I have an issue here that has me stumped. I've spent several days on Google and reading old forum posts, but have not been able to find the answer.

Summary: I don't seem to be able to get return traffic from tun0 on a VPN endpoint to egress onto the local network back to the real initiating host

I need to connect two machines (Linux to Windows) using a TCP protocol. Both can chat to each other quite happily via the internet, but I need the TCP stream encrypted.
I can't install VPN software on either existing server, so I wanted to set up two other machines with a VPN link and have the original two machines talk to each other via that link.

What I have so far is (IP and MAC addresses sanitised):-

Client machine : 10.0.0.2
VPN client machine: 10.0.0.3 (OpenVPN 2.3.2 client)

VPN remote machine: 10.38.0.3 (OpenVPN 2.3.2 server)
Server remote machine: 10.36.0.2

I have a tunnel established between the two new machines using OpenVPN, and it is working ok.

tun0 is on 10.255.255.0/24 - 10.255.255.6 being the client address, 10.255.255.1 being the server address

I have a route on 10.0.0.2 (Client machine) to shove traffic destined for 10.36.0.2 (the service) to 10.0.0.3 (the vpn endpoint)

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.36.0.2       10.0.0.3        255.255.255.255 UGH       0 0          0 eth0
10.255.255.6    10.0.0.3        255.255.255.255 UGH       0 0          0 eth0
169.254.169.254 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
I have a route table on 10.0.0.3 (VPN gateway machine, local side) to shove traffic for 10.36.0.2 (the service) down the tunnel. The VPN NATs the tunnel traffic to make it separate and distinct.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.36.0.2       10.255.255.5    255.255.255.255 UGH       0 0          0 tun0
10.255.255.1    10.255.255.5    255.255.255.255 UGH       0 0          0 tun0
10.255.255.5    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
169.254.169.254 0.0.0.0         255.255.255.255 UH        0 0          0 eth0



If I sit on the client VPN machine, a ping to 10.36.0.2 works (as does establishing a TCP connection to the endpoint service on 10.36.0.2).
I can see tcpdump traffic as such:-

Code:
10.0.0.3  -> : 08:37:47.249412 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 13610, seq 1, length 64

10.38.0.3 -> : 08:37:47.251461 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 13610, seq 1, length 64
10.38.0.3 -> : 08:37:47.251486 IP 10.38.0.3 > 10.36.0.2: ICMP echo request, id 13610, seq 1, length 64
10.38.0.3 -> : 08:37:47.252169 IP 10.36.0.2 > 10.38.0.3: ICMP echo reply, id 13610, seq 1, length 64
10.38.0.3 -> : 08:37:47.252178 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 13610, seq 1, length 64

10.0.0.3  -> : 08:37:47.252070 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 13610, seq 1, length 64


If I sit on the client machine (10.0.0.2) that actually wants to talk to the server (10.36.0.2), then the tcpdump is pretty much the same, with an extra hop at the beginning.

Code:
10.0.0.2 ->  : 08:42:40.720806 IP 10.0.0.2 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64

10.0.0.3 ->  : 08:42:40.720525 IP 10.0.0.2 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.0.0.3 ->  : 08:42:40.720558 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64

10.38.0.3 -> : 08:42:40.722559 IP 10.255.255.6 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.722582 IP 10.38.0.3 > 10.36.0.2: ICMP echo request, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.723061 IP 10.36.0.2 > 10.38.0.3: ICMP echo reply, id 21328, seq 1, length 64
10.38.0.3 -> : 08:42:40.723072 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 21328, seq 1, length 64

10.0.0.3 ->  : 08:42:40.722981 IP 10.36.0.2 > 10.255.255.6: ICMP echo reply, id 21328, seq 1, length 64
10.0.0.3 ->  : 08:42:40.722991 ARP, Request who-has 10.0.0.2 tell 10.0.0.3, length 28
10.0.0.3 ->  : 08:42:40.723078 ARP, Reply 10.0.0.2 is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 46
10.0.0.3 ->  : 08:42:40.723084 IP 10.36.0.2 > 10.0.0.2: ICMP echo reply, id 21328, seq 1, length 64

10.0.0.2 ->  : Nothing :(
The bit that is missing is the packet actually getting back to 10.0.0.2.
(The MAC address returned by the ARP, does match the MAC address of 10.0.0.2)

I can ping 10.0.0.2 from 10.0.0.3 quite happily, and can ping 10.0.0.3 from 10.0.0.2 also


The iptables config on 10.0.0.3 (local VPN tunnel end) is

cat /etc/sysconfig/iptables
Code:
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j ACCEPT
:OUTPUT ACCEPT [8:1065]
-A OUTPUT -j ACCEPT
COMMIT
I would like to understand why the traffic is not getting back to the initiating host.

Thanks for any help, or pointers that you could suggest
 
Old 10-17-2014, 11:35 AM   #2
Parbold
LQ Newbie
 
Registered: Oct 2014
Location: West Midlands
Distribution: Centos, AmazonLinux, RedHat, Oracle Linux
Posts: 4

Original Poster
Sorted - by adding a specific port forward on 10.0.0.3 (VPN Client)

Code:
-A FORWARD -d 10.36.0.2/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.36.0.2

Now, all I do is point to 10.0.0.3:8080 (VPN Client) and forget about adding routes to 10.36.0.2 (target) via 10.0.0.3 (VPN Client)
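The FORWARD chain in post #1 accepts everything, and once the DNAT from post #2 is in place any host on the LAN can use the gateway as a relay to the far side. The generator below is an added example, not the poster's config: it keeps the DNAT port-forward and the tun0 MASQUERADE from the thread, but defaults FORWARD to DROP, admits only the named client's flow to the target port, and lets conntrack handle the return traffic. The interface names, the 10.0.0.2 client and the 10.36.0.2:8080 target are taken from the thread; net.ipv4.ip_forward=1 on the gateway is assumed, and the output is meant for iptables-restore.

```shell
#!/bin/sh
# Added example: emit a tightened iptables-restore ruleset for the
# VPN gateway (10.0.0.3 in the thread). Arguments, all optional:
#   lan_if tun_if client target port   (defaults follow the thread)
gen_rules() {
    lan_if=${1:-eth0}; tun_if=${2:-tun0}
    client=${3:-10.0.0.2}; target=${4:-10.36.0.2}; port=${5:-8080}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the named client may reach the forwarded port. conntrack records
# the mapping, so the replies seen on $tun_if are un-NATed back to $client.
-A PREROUTING -i $lan_if -s $client -p tcp --dport $port -j DNAT --to-destination $target:$port
# Hide LAN addresses behind the tunnel address, as in the original config.
-A POSTROUTING -o $tun_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return packets of tracked flows, in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the DNAT'd flow may enter the tunnel; everything else is dropped,
# so the gateway is not an open relay between the LAN and the far side.
-A FORWARD -i $lan_if -o $tun_if -s $client -d $target -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Quick self-check: confirm a given rule fragment is present in the output.
has_rule() {
    gen_rules | grep -qF -- "$1"
}

# Usage: gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
# (only the first command is run here; applying the rules needs root)
gen_rules
```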
