Hi,

On Thu, Dec 22, 2011 at 10:07:42AM +0000, Tiran Kaskas wrote:
> It seems like I am through with the vpn initialization, and seems like the
> session is created successfully.
> Now, I start sending data to some server from the client side (I have an
> application which opens a socket to google.com and sends some data).
> I do see the packet is received on the server side and decrypted successfully
> (virtual address is the client's tun ip).
Cool :-)
> I see the server reads this packet from the link adapter(ethernet), and
> writes it to the tun adapter.
> Looking at the tun adapter (using wireshark), I see a packet is there with:
> source ip: client's tun ip
> destination ip: the google ip
That's good.
> The problem is that nothing happens from this point.
Most likely, the Linux kernel side of things is dropping the packet because
"ip forwarding" is not turned on - so it's not a router, and will not
forward packets destined to someone else's address.
What you need to do is:
- make sure that your linux server is forwarding packets to its gateway
- make sure that the answer packets from google (etc) are routed *back*
  to your linux server
  - either your external router knows how to route the client subnet
    back to the openvpn machine
  - or you need to turn on NAT (masquerading) on the openvpn server, so
    that google will see all requests coming from the openvpn server's
    IP address
Some useful info is here:
http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
> I am missing something, pretty sure about that, but do not know what...
> I know that when the server writes this packet to the TUN, it means the
> packet is injected into the OS ip stack, as if it was received from the
> outside.
Exactly.
> But who will take care of actually sending it to the destination
> address? Am I missing some routing configuration?
Linux needs to know that it is to be a router:
# echo 1 >/proc/sys/net/ipv4/ip_forward
and it needs to have routes toward the destination.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
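
Added example, not part of the original message: a shell check for the two server-side conditions listed in the reply (ip forwarding on, and NAT for the client subnet if the upstream router has no return route). The function names, the 10.8.0.0/24 subnet and the eth0 interface are constructed for illustration.

```shell
#!/bin/sh
# Inputs are passed as arguments so the checks work on saved output
# as well as on a live server.

# Constructed sample of `iptables -t nat -S` output (not from the thread).
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

# forwarding_enabled FILE: succeeds if FILE (normally
# /proc/sys/net/ipv4/ip_forward) contains 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# has_nat RULES SUBNET: succeeds if a POSTROUTING rule in RULES
# source-NATs traffic from SUBNET (MASQUERADE or SNAT target).
has_nat() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (src == net && (tgt == "MASQUERADE" || tgt == "SNAT")) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# diagnose FILE RULES SUBNET: prints the first unmet condition, if any.
diagnose() {
    if ! forwarding_enabled "$1"; then
        echo "ip_forward is off: kernel drops packets not addressed to it"
    elif ! has_nat "$2" "$3"; then
        echo "no NAT for $3: upstream router needs a route back to the VPN server"
    else
        echo "forwarding on, $3 is masqueraded"
    fi
}
```

On a live server, run as root: diagnose /proc/sys/net/ipv4/ip_forward "$(iptables -t nat -S)" followed by the client subnet.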
