Hello everyone,
I have a server and a client, both on archlinux, and I am trying to configure openvpn on it to route all my traffic.
The VPN connection works fine and I'm able to ping from server to client and from client to server:
root@client# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=46.4 ms
root@server# ping -c 1 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=50.0 ms
However, I am unable to ping (and therefore to access the web) while connected to the VPN.
I try to ping 8.8.8.8 so it isn't a DNS problem.
I think I have correctly enabled forwarding on the server:
root@server # sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.tun0.stable_secret"
and iptables' forwarding should also be enabled:
root@server# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 11 packets, 668 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 6 packets, 344 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9 packets, 630 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 9 packets, 630 bytes)
pkts bytes target prot opt in out source destination
5 324 MASQUERADE all -- * eth0 10.8.0.0/24 0.0.0.0/0
Here is the relevant part of my server's /etc/openvpn/server.conf:
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
I used wireshark on the client: ICMP echo requests go through the tun0 interface but there is no response.
I used wireshark on the server :
- ICMP echo requests come from the tun0 interface but there is no response.
- ICMP echo requests and their echo replies are visible on the eth0 interface
so it seems that traffic coming from the client actually goes to the server, then is forwarded to the internet, but when the response comes back it is not forwarded to the client.
If you need any more details of the configuration please tell me!
Offline
Is your server "pushing" a *route* to the client, so that the client's routing to 8.8.8.8 will go via the VPN?
Run on the client:
ip route
Offline
Hi brebs and thank you for your help!
Sadly, before starting the VPN:
root@client # ip route
default via 192.168.1.1 dev eno1 metric 202
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.5 metric 202
and after starting the VPN:
root@client # ip route
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eno1 metric 202
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
109.xxx.xx.xx via 192.168.1.1 dev eno1
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.5 metric 202
Last edited by MaskedBerry (2015-10-02 13:49:14)
Offline
I tested, with the same client, on another server running raspbian.
I am almost sure I have typed the same commands to configure the raspbian openvpn server, and the http forwarding is working well on it.
Here are some command outputs, both on the working raspbian server and on the non-working arch server.
raspbian server:
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 52581 packets, 4486K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 30673 packets, 3309K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 46715 packets, 3571K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 46715 packets, 3571K bytes)
pkts bytes target prot opt in out source destination
37 2383 MASQUERADE all -- * eth0 10.8.0.0/24 0.0.0.0/0
# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
# ip route
default via 192.168.0.1 dev eth0 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
arch server:
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 128 packets, 11448 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 511 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 7 packets, 511 bytes)
pkts bytes target prot opt in out source destination
6 540 MASQUERADE all -- * eth0 10.8.0.0/24 0.0.0.0/0
# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.tun0.forwarding = 0
net.ipv6.conf.tun0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.tun0.stable_secret"
# ip route
default via 192.168.1.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
Because the forwarding works correctly on raspbian, I assume the problem is not from my arch client.
I have re-tested capturing icmp packets while pinging 8.8.8.8, and it behaves this way:
arch-client | tun0 ---> echo request ip_src:10.8.0.5 ip_dest:8.8.8.8 ---> tun0 | arch-server | eth0 ---> echo request ip_src:109.xx.xx.xx ip_dest:8.8.8.8 ---> Google DNS
arch-client | tun0 <--- nothing <--- tun0 | arch-server | eth0 <--- echo reply ip_src:8.8.8.8 ip_dest:109.xx.xx.xx <--- Google DNS
I'm running out of ideas!
Offline
Hello,
I have just upgraded my OpenVPN server and I ran into the same problem. Apparently systemd-networkd is to blame:
IPForward=
Configures IP forwarding for the network interface. If enabled incoming packets
on the network interface will be forwarded to other interfaces according to the
routing table. Takes either a boolean argument, or the values "ipv4" or "ipv6",
which only enables IP forwarding for the specified address family, or "kernel",
which preserves existing sysctl settings. This controls the
net.ipv4.conf.<interface>.forwarding and net.ipv6.conf.<interface>.forwarding
sysctl options of the network interface (see ip-sysctl.txt[1] for details about
sysctl options). Defaults to "no".
Note: unless this option is turned on, or set to "kernel", no IP forwarding is
done on this interface, even if this is globally turned on in the kernel, with
the net.ipv4.ip_forward, net.ipv4.conf.all.forwarding, and
net.ipv6.conf.all.forwarding sysctl options.
Check the sentence in bold: even if I had IP forwarding set up via sysctl, systemd-networkd was not enabling IP forwarding for the interface.
Hope it works for you, too, MaskedBerry!
Edit: There is also IPMasquerade to enable!
Last edited by JoKo (2015-10-30 12:04:10)
Offline
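As an added example (not code from the thread), a small POSIX shell check that reads the output of `sysctl -a | grep forward` and flags interfaces whose per-interface IPv4 forwarding is 0 while `net.ipv4.ip_forward` is 1, which is exactly the arch server's state above (eth0 = 0). The kernel decides IPv4 forwarding on the ingress interface's setting, so echo replies arriving on eth0 are dropped there even though tun0 and the global switch are on; the sample input is constructed, and `networkd_fix` prints an assumed systemd-networkd stanza that enables forwarding only on the affected interface rather than globally.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses `sysctl -a | grep forward` output
# (here a constructed sample mirroring the arch server above) and flags interfaces
# whose per-interface IPv4 forwarding is 0 while net.ipv4.ip_forward is 1.

SAMPLE_SYSCTL='net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"'

# Reads sysctl lines on stdin. Prints one line per problem; exit 1 if any, else 0.
# Interface names containing dots (e.g. VLAN sub-interfaces) are not handled.
check_forwarding() {
    awk -F' = ' '
        BEGIN { bad = 0 }
        $1 == "net.ipv4.ip_forward" { global = $2 }
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.forwarding$/ { split($1, p, "."); iface[p[4]] = $2 }
        END {
            if (global != "1") { print "net.ipv4.ip_forward is not 1: nothing is routed"; bad = 1 }
            for (i in iface)
                if (i != "all" && i != "default" && i != "lo" && iface[i] == "0") {
                    printf "%s: per-interface forwarding disabled (net.ipv4.conf.%s.forwarding = 0)\n", i, i
                    bad = 1
                }
            exit bad
        }'
}

# Prints the systemd-networkd stanza that enables IPv4 forwarding on one interface only
# (assumption: the interface is managed by a .network file under /etc/systemd/network).
networkd_fix() {
    cat <<EOF
[Match]
Name=$1

[Network]
IPForward=ipv4
EOF
}

if printf '%s\n' "$SAMPLE_SYSCTL" | check_forwarding; then
    echo "per-interface forwarding is consistent with the global setting"
else
    echo "add to the affected interface's .network file:"
    networkd_fix eth0
fi
# Live check on a real host: sysctl -a 2>&1 | grep forward | check_forwarding
```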