OpenVPN - client-to-client traffic working in one direction but not the other

Posted by user42055 on Server Fault
Published on 2010-05-05T08:56:17Z

I have the following VPN configuration:

+------------+                +------------+                +------------+
|  outpost   |----------------|    kino    |----------------|  guchuko   |
+------------+                +------------+                +------------+

OS: FreeBSD 6.2               OS: Gentoo 2.6.32             OS: Gentoo 2.6.33.3
Keyname: client3              Keyname: server               Keyname: client1
eth0: 10.0.1.254              eth0: 203.x.x.x               eth0: 192.168.0.6
tun0: 192.168.150.18          tun0: 192.168.150.1           tun0: 192.168.150.10
P-t-P: 192.166.150.17         P-t-P: 192.168.150.2          P-t-P: 192.168.150.9

Kino is the server and has client-to-client enabled. All three machines have ip forwarding enabled, by this on the gentoo boxes:

net.ipv4.conf.all.forwarding = 1

And this on the FreeBSD box:

net.inet.ip.forwarding: 1

In the server's "ccd" directory are the following files:

client1:

iroute 192.168.0.0 255.255.255.0

client3:

iroute 10.0.1.0 255.255.255.0

The server config has these routes configured:

push "route 192.168.0.0 255.255.255.0"
push "route 10.0.1.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0

Kino's routing table looks like this:

192.168.150.0   192.168.150.2   255.255.255.0   UG        0 0          0 tun0
10.0.1.0        192.168.150.2   255.255.255.0   UG        0 0          0 tun0
192.168.0.0     192.168.150.2   255.255.255.0   UG        0 0          0 tun0
192.168.150.2   0.0.0.0         255.255.255.255 UH        0 0          0 tun0

Outpost's like this:

192.168.150        192.168.150.17     UGS         0       17   tun0
192.168.0          192.168.150.17     UGS         0        2   tun0
192.168.150.17     192.168.150.18     UH          3        0   tun0

And Guchuko's like this:

192.168.150.0   192.168.150.9   255.255.255.0   UG        0 0          0 tun0
10.0.1.0        192.168.150.9   255.255.255.0   UG        0 0          0 tun0
192.168.150.9   0.0.0.0         255.255.255.255 UH        0 0          0 tun0

Now, the tests.

Pings from Guchuko to Outpost's LAN IP work OK, as does the reverse - pings from Outpost to Guchuko's LAN IP. However...

Pings from Outpost, to a machine on Guchuko's LAN work fine:

 .(( root@outpost )).  (( 06:39 PM ))  :: ~ ::
# ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3): 56 data bytes
64 bytes from 192.168.0.3: icmp_seq=0 ttl=63 time=462.641 ms
64 bytes from 192.168.0.3: icmp_seq=1 ttl=63 time=557.909 ms

But a ping from Guchuko, to a machine on Outpost's LAN does not:

 .(( root@guchuko )).  (( 06:43 PM ))  :: ~ ::
# ping 10.0.1.253
PING 10.0.1.253 (10.0.1.253) 56(84) bytes of data.
--- 10.0.1.253 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

Guchuko's tcpdump of tun0 shows:

18:46:27.716931 IP 192.168.150.10 > 10.0.1.253: ICMP echo request, id 63009, seq 1, length 64
18:46:28.716715 IP 192.168.150.10 > 10.0.1.253: ICMP echo request, id 63009, seq 2, length 64
18:46:29.716714 IP 192.168.150.10 > 10.0.1.253: ICMP echo request, id 63009, seq 3, length 64

Outpost's tcpdump on tun0 shows:

18:44:00.333341 IP 192.168.150.10 > 10.0.1.253: ICMP echo request, id 63009, seq 3, length 64
18:44:01.334073 IP 192.168.150.10 > 10.0.1.253: ICMP echo request, id 63009, seq 4, length 64
18:44:02.331849 IP 192.168.150.10 > 10.0.1.253: ICMP echo request, id 63009, seq 5, length 64

So Outpost is receiving the ICMP request destined for the machine on its subnet, but appears not to be forwarding it. Outpost has gateway_enable="YES" in its rc.conf which correctly sets net.inet.ip.forwarding to 1 as mentioned earlier. As far as I know, that's all that's required to make a FreeBSD box forward packets between interfaces. Is there something else I could be forgetting?
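One way to check the routing half of a one-way reachability problem like this, as an added example that is not from the question or any answer: a longest-prefix route lookup over the three tables transcribed above, run for both the forward address and the return address at every VPN hop. The directly connected eth0 networks, which the netstat excerpts omit, are filled in from the diagram and marked as assumed.

```python
import ipaddress

# Routing tables transcribed from the question (tun0 entries), plus the
# directly connected eth0 networks inferred from the diagram (marked
# "assumed"), which the excerpts in the post do not show.
# Entry format: (prefix, gateway or None for a connected route, interface)
TABLES = {
    "kino": [
        ("192.168.150.0/24", "192.168.150.2", "tun0"),
        ("10.0.1.0/24", "192.168.150.2", "tun0"),
        ("192.168.0.0/24", "192.168.150.2", "tun0"),
        ("192.168.150.2/32", None, "tun0"),
    ],
    "outpost": [
        ("192.168.150.0/24", "192.168.150.17", "tun0"),
        ("192.168.0.0/24", "192.168.150.17", "tun0"),
        ("192.168.150.17/32", None, "tun0"),
        ("10.0.1.0/24", None, "eth0"),      # assumed: eth0 is 10.0.1.254
    ],
    "guchuko": [
        ("192.168.150.0/24", "192.168.150.9", "tun0"),
        ("10.0.1.0/24", "192.168.150.9", "tun0"),
        ("192.168.150.9/32", None, "tun0"),
        ("192.168.0.0/24", None, "eth0"),   # assumed: eth0 is 192.168.0.6
    ],
}

def lookup(table, dst):
    """Longest-prefix match: return (gateway, iface), or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def missing_routes(hosts, src, dst):
    """Check every hop for a route to dst (forward path) and to src (return
    path). Returns [(host, addr), ...] for each failed lookup; an empty list
    means none of these hosts is dropping the flow for lack of a route, so
    the cause must be sought elsewhere (packet filter, or hosts not listed)."""
    return [(h, a) for h in hosts for a in (dst, src)
            if lookup(TABLES[h], a) is None]

if __name__ == "__main__":
    print(lookup(TABLES["outpost"], "10.0.1.253"))
    print(missing_routes(["guchuko", "kino", "outpost"],
                         "192.168.150.10", "10.0.1.253"))
```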

© Server Fault or respective owner