Hi,
On 29/05/18 07:44, Yuri Kanivetsky wrote:
> Hello,
> I have a server. When I connect it to e.g. one of NordVPN's VPN
> servers, my ssh connection (from local machine) freezes, and I can't
> connect to the server anymore. I tried it with another VPN provider and
> hosting company. To no avail. You can find OpenVPN config files here:
> https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
>
> From what I can see, when I start OpenVPN packets coming from my local
> machine reach the server (its eth0 interface), but disappear when the
> server makes a routing decision
> (https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
> after nat/PREROUTING). By disappear I mean that this rule logs the
> packet:
>
> iptables -t nat -A PREROUTING -p icmp -j LOG --log-prefix="nat: PREROUTING: "
>
> But this one doesn't:
>
> iptables -t mangle -A INPUT -p icmp -j LOG --log-prefix="mangle: INPUT: "
>
> I have basically no rules in iptables (only -j LOG ones). Nothing
> custom in routing table:
>
> $ ip route
> default via srv.eth0.gw dev eth0
> srv.eth0.net dev eth0 proto kernel scope link src srv.eth0.ip
> $ ip rule
> 0: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup default
>
> Where:
> my.ip - IP of my local machine
> srv.eth0.ip - public IP of my server
> srv.eth0.gw - default gateway of my server
> srv.eth0.net - my server's network
> srv.tun0.ip - public IP of my server supplied by VPN server
> srv.tun0.gw - default gateway of my server supplied by VPN server
> srv.tun0.net - VPN's network
> vpn.ip - VPN server's public IP
>
> VPN server adds the following rules:
> 0.0.0.0/1 via srv.tun0.gw dev tun0
> srv.tun0.net dev tun0 proto kernel scope link src srv.tun0.ip
> vpn.ip via srv.eth0.gw dev eth0
> 128.0.0.0/1 via srv.tun0.gw dev tun0
The VPN has added two new non-default routes, which together do make a default
route:

0.0.0.0/1 via tun0
128.0.0.0/1 via tun0

overrule

0.0.0.0/0 via eth0

This is by design, actually, although it does not lead to confusion for some
users.
> These two commands make it work:
>
> $ ip rule add from srv.eth0.ip table 1
> $ ip route add table 1 default via srv.eth0.gw
The reason these 2 commands make it work again - if I briefly look at them - is
that you've introduced an extra routing table, and set a default GW to point to
the new routing table. This again "trumps" the VPN 0.0.0.0/1+128.0.0.0/1 routes,
making things work again. However, I do wonder whether you want to actually use
the VPN for your default route or not - if not, then why bother with a VPN in the
first place?
HTH,
JJK
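As an added illustration that is not part of this thread (neither Yuri's nor JJK's code), the following Python models the two routing decisions discussed above: longest-prefix matching inside one routing table, which is why the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes win over the 0.0.0.0/0 default, and the policy rule from the fix, which sends packets sourced from srv.eth0.ip to a separate table whose only route points back at eth0. The placeholder names from the thread (my.ip, srv.eth0.ip, srv.tun0.gw, vpn.ip, ...) are mapped onto constructed RFC 5737 / RFC 1918 sample addresses; the local table is modelled as empty, and the priority 32765 for the added rule is an assumption about where `ip rule add` without an explicit priority lands.

```python
import ipaddress

# Constructed sample addresses standing in for the thread's placeholders.
# These are documentation/private ranges, not real hosts.
MY_IP = "203.0.113.10"          # my.ip
SRV_ETH0_IP = "198.51.100.20"   # srv.eth0.ip
SRV_ETH0_GW = "198.51.100.1"    # srv.eth0.gw
SRV_ETH0_NET = "198.51.100.0/24"
SRV_TUN0_IP = "10.8.0.5"        # srv.tun0.ip
SRV_TUN0_GW = "10.8.0.1"        # srv.tun0.gw
SRV_TUN0_NET = "10.8.0.0/24"
VPN_IP = "192.0.2.50"           # vpn.ip

# A route is (prefix, gateway or None for on-link, output device).
MAIN_BEFORE_VPN = [
    ("0.0.0.0/0", SRV_ETH0_GW, "eth0"),
    (SRV_ETH0_NET, None, "eth0"),
]

# The four routes the VPN server pushes, as listed in the thread.
MAIN_WITH_VPN = MAIN_BEFORE_VPN + [
    ("0.0.0.0/1", SRV_TUN0_GW, "tun0"),
    (SRV_TUN0_NET, None, "tun0"),
    (VPN_IP + "/32", SRV_ETH0_GW, "eth0"),
    ("128.0.0.0/1", SRV_TUN0_GW, "tun0"),
]


def lookup(table, dst):
    """Longest-prefix match within one table: the most specific matching
    prefix wins, regardless of the order the routes were added. Returns
    (gateway, device) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


# Policy rules as 'ip rule' shows them: (priority, source prefix or None, table).
RULES_DEFAULT = [(0, None, "local"), (32766, None, "main"), (32767, None, "default")]
# After 'ip rule add from srv.eth0.ip table 1' (priority 32765 is an assumption).
RULES_FIXED = [(32765, SRV_ETH0_IP + "/32", "table1")] + RULES_DEFAULT

TABLES = {
    "local": [],        # modelled as empty; it only holds the host's own addresses
    "main": MAIN_WITH_VPN,
    "default": [],
    # 'ip route add table 1 default via srv.eth0.gw'
    "table1": [("0.0.0.0/0", SRV_ETH0_GW, "eth0")],
}


def route(rules, tables, src, dst):
    """Walk the rules in priority order and consult the table of the first
    rule whose selector matches the source address; a table with no matching
    route falls through to the next rule. Returns (table, (gateway, device))."""
    src = ipaddress.ip_address(src)
    for _prio, src_prefix, name in sorted(rules, key=lambda r: r[0]):
        if src_prefix is not None and src not in ipaddress.ip_network(src_prefix):
            continue
        hit = lookup(tables[name], dst)
        if hit is not None:
            return name, hit
    return None


if __name__ == "__main__":
    print("before VPN, reply to my.ip  :", lookup(MAIN_BEFORE_VPN, MY_IP))
    print("with VPN, reply to my.ip    :", lookup(MAIN_WITH_VPN, MY_IP))
    print("with VPN, packet to vpn.ip  :", lookup(MAIN_WITH_VPN, VPN_IP))
    print("default rules, from eth0 ip :", route(RULES_DEFAULT, TABLES, SRV_ETH0_IP, MY_IP))
    print("fixed rules, from eth0 ip   :", route(RULES_FIXED, TABLES, SRV_ETH0_IP, MY_IP))
    print("fixed rules, from tun0 ip   :", route(RULES_FIXED, TABLES, SRV_TUN0_IP, MY_IP))
```

With the VPN routes present, a reply addressed to my.ip matches 128.0.0.0/1 (prefix length 1) rather than 0.0.0.0/0 (length 0), so it is sent to tun0 even though it arrived on eth0; only the /32 for vpn.ip still leaves via eth0. With the extra rule, anything sourced from srv.eth0.ip hits table 1 first and goes out eth0 again, while traffic sourced from the tun0 address still falls through to the main table and uses the VPN.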
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users