Hi,

On Thu, Dec 22, 2011 at 10:07:42AM +0000, Tiran Kaskas wrote:
> It seems like I am through with the vpn initialization, and seems like the 
> session is created successfully.
> Now, I start sending data to some server from the client side (I have an 
> application which opens a socket to google.com and sends some data).
> I do see the packet is received on the server side and decrypted successfully 
> (virtual address is the client's tun ip).

Cool :-)

> I see the server reads this packet from the link adapter (ethernet), and 
> writes it to the tun adapter.
> Looking at the tun adapter (using wireshark), I see a packet is there with:
> source ip: client's tun ip
> destination ip: the google ip

That's good.

> The problem is that nothing happens from this point.

Most likely, the Linux kernel side of things is dropping the packet because
"ip forwarding" is not turned on - so it's not a router, and will not
forward packets destined to someone else's address.

What you need to do is:

 - make sure that your linux server is forwarding packets to its gateway
 - make sure that the answer packets from google (etc) are routed *back*
   to your linux server
     - either your external router knows how to route the client subnet
       back to the openvpn machine
     - or you need to turn on NAT (masquerading) on the openvpn server, so 
       that google will see all requests coming from the openvpn server's
       IP address

Some useful info is here:

http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing


> I am missing something, pretty sure about that, but do not know what...
> I know that when the server writes this packet to the TUN, it means the 
> packet is injected into the OS IP stack, as if it was received from the 
> outside. 

Exactly.

> But who will take care of actually sending it to the destination 
> address? Am I missing some routing configuration?

Linux needs to know that it is to be a router:

 # echo 1 >/proc/sys/net/ipv4/ip_forward

and it needs to have routes toward the destination.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
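A small diagnostic for the two conditions Gert lists above (ip_forward on, and a return path via NAT), added here as an example; it is not from the original mail or from OpenVPN itself. The client tun subnet 10.8.0.0/24 and the external interface eth0 are assumptions; the /proc root and the NAT listing are passed in so the checks can also be run against captured text.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed values; adjust them.
CLIENT_NET="${CLIENT_NET:-10.8.0.0/24}"   # assumed OpenVPN client tun subnet
EXT_IF="${EXT_IF:-eth0}"                  # assumed interface toward the gateway

# True when the kernel's ip_forward flag is 1. $1 is an optional root
# (defaults to /proc) so the check can be pointed at a fake tree for testing.
ip_forward_enabled() {
    root="${1:-/proc}"
    val=$(cat "$root/sys/net/ipv4/ip_forward" 2>/dev/null) || return 2
    [ "$val" = "1" ]
}

# Reads an `iptables -t nat -S POSTROUTING` listing on stdin and succeeds
# when it contains a MASQUERADE rule for the client subnet.
has_masquerade_rule() {
    grep -q -e "-s $CLIENT_NET .*-j MASQUERADE"
}

# Prints one line per condition and the command that would fix it.
# $1: /proc root (see above); $2: text of `iptables -t nat -S POSTROUTING`.
# Returns 0 only when both conditions hold.
forwarding_report() {
    root="${1:-/proc}"
    nat_rules="$2"
    status=0
    if ip_forward_enabled "$root"; then
        echo "ok:   net.ipv4.ip_forward=1"
    else
        echo "FAIL: ip_forward is off; fix: sysctl -w net.ipv4.ip_forward=1"
        status=1
    fi
    if printf '%s\n' "$nat_rules" | has_masquerade_rule; then
        echo "ok:   MASQUERADE rule present for $CLIENT_NET"
    else
        echo "WARN: no MASQUERADE rule for $CLIENT_NET; either route" \
             "$CLIENT_NET back to this host on the external router, or run:"
        echo "      iptables -t nat -A POSTROUTING -s $CLIENT_NET -o $EXT_IF -j MASQUERADE"
        status=1
    fi
    return $status
}

# On the OpenVPN server (as root):
#   forwarding_report /proc "$(iptables -t nat -S POSTROUTING)"
```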
