On Tue, May 29, 2018 at 11:47 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> Hi,
>
> On 29/05/18 07:44, Yuri Kanivetsky wrote:
>>
>> Hello,
>>
>> I have a server. When I connect it to e.g. one of NordVPN's VPN
>> servers, my ssh connection (from local machine) freezes, and I can't
>> connect to the server anymore. I tried it with another VPN provider
>> and hosting company. To no avail. You can find OpenVPN config files
>> here: https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
>>
>> From what I can see, when I start OpenVPN, packets coming from my local
>> machine reach the server (its eth0 interface), but disappear when the
>> server makes a routing decision
>> (https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>> after nat/PREROUTING). By disappear I mean that this rule logs the
>> packet:
>>
>> iptables -t nat -A PREROUTING -p icmp -j LOG --log-prefix="nat: PREROUTING: "
>>
>> But this one doesn't:
>>
>> iptables -t mangle -A INPUT -p icmp -j LOG --log-prefix="mangle: INPUT: "
>>
>> I have basically no rules in iptables (only -j LOG ones). Nothing
>> custom in the routing table:
>>
>> $ ip route
>> default via srv.eth0.gw dev eth0
>> srv.eth0.net dev eth0 proto kernel scope link src srv.eth0.ip
>> $ ip rule
>> 0: from all lookup local
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> Where:
>>
>> my.ip - IP of my local machine
>> srv.eth0.ip - public IP of my server
>> srv.eth0.gw - default gateway of my server
>> srv.eth0.net - my server's network
>> srv.tun0.ip - public IP of my server supplied by VPN server
>> srv.tun0.gw - default gateway of my server supplied by VPN server
>> srv.tun0.net - VPN's network
>> vpn.ip - VPN server's public IP
>>
>> VPN server adds the following rules:
>>
>> 0.0.0.0/1 via srv.tun0.gw dev tun0
>> srv.tun0.net dev tun0 proto kernel scope link src srv.tun0.ip
>> vpn.ip via srv.eth0.gw dev eth0
>> 128.0.0.0/1 via srv.tun0.gw dev tun0
>
> the VPN has added two new non-default routes, which together do make a
> default route:
> 0.0.0.0/1 via tun0
> 128.0.0.0/1 via tun0
> overrule
> 0.0.0.0/0 via eth0
>
> This is by design, actually, although it does not lead to confusion for
> some users.

I think as much.

>> These two commands make it work:
>>
>> $ ip rule add from srv.eth0.ip table 1
>> $ ip route add table 1 default via srv.eth0.gw
>>
>
> the reason these 2 commands make it work again - if I briefly look at
> them - is because you've introduced an extra routing table, and set a
> default GW to point to the new routing table. This again "trumps" the
> VPN 0.0.0.0/1+128.0.0.0/1 routes, making things work again. However, I
> do wonder whether you want to actually use the VPN for your default
> route or not - if not, then why bother with a VPN in the first place?
>
> HTH,
>
> JJK
>

Exactly, it looks like with these commands I have another routing table,
table 1. It's inspected before the main table. If the lookup succeeds, the
main table is not inspected. And table 1 has my former default gateway as
a default gateway. And table 1 is inspected for packets coming from eth0.

So, if I were to run openvpn and do traceroute, packets would come through
eth0 and my former default gateway. But they're coming through VPN. That
leads to a question: what happens first, a packet gets a source IP, or a
route is chosen? My guess is that for reply packets the source IP is
predetermined. And that's why table 1 is inspected only for reply packets,
be it SSH, ICMP, HTTP, you name it. That is, when I run traceroute, table 1
is not inspected. But for e.g. SSH reply packets, and others that are
replies to packets that came via eth0, the table 1 lookup succeeds.

Now, when I don't run those two commands and compare traceroute from my
local machine before I run openvpn on the server and after that, the
difference is that when my server has been connected to VPN, I get no
reply from the server's eth0 (the routes are equal up until this point).
And traceroute fails. And on the server I see that the packets reach
eth0. But they disappear after the kernel makes a routing decision
(https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg).
For that I run the following commands on the server:

$ iptables -t nat -A PREROUTING -p icmp -j LOG --log-prefix="nat: PREROUTING: "
$ iptables -t nat -A INPUT -p icmp -j LOG --log-prefix="nat: INPUT: "
$ iptables -t nat -A OUTPUT -p icmp -j LOG --log-prefix="nat: OUTPUT: "
$ iptables -t nat -A POSTROUTING -p icmp -j LOG --log-prefix="nat: POSTROUTING: "
$ iptables -t mangle -A PREROUTING -p icmp -j LOG --log-prefix="mangle: PREROUTING: "
$ iptables -t mangle -A INPUT -p icmp -j LOG --log-prefix="mangle: INPUT: "
$ iptables -t mangle -A FORWARD -p icmp -j LOG --log-prefix="mangle: FORWARD: "
$ iptables -t mangle -A OUTPUT -p icmp -j LOG --log-prefix="mangle: OUTPUT: "
$ iptables -t mangle -A POSTROUTING -p icmp -j LOG --log-prefix="mangle: POSTROUTING: "
$ iptables -t security -A INPUT -p icmp -j LOG --log-prefix="security: INPUT: "
$ iptables -t security -A FORWARD -p icmp -j LOG --log-prefix="security: FORWARD: "
$ iptables -t security -A OUTPUT -p icmp -j LOG --log-prefix="security: OUTPUT: "
$ iptables -t raw -A PREROUTING -p icmp -j LOG --log-prefix="raw: PREROUTING: "
$ iptables -t raw -A OUTPUT -p icmp -j LOG --log-prefix="raw: OUTPUT: "
$ iptables -t filter -A INPUT -p icmp -j LOG --log-prefix="filter: INPUT: "
$ iptables -t filter -A FORWARD -p icmp -j LOG --log-prefix="filter: FORWARD: "
$ iptables -t filter -A OUTPUT -p icmp -j LOG --log-prefix="filter: OUTPUT: "

With no OpenVPN running I get:

raw: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
mangle: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
nat: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
mangle: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
filter: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
security: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
nat: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
raw: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
mangle: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
filter: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
security: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
mangle: POSTROUTING: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip

With OpenVPN:

raw: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
mangle: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
nat: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip

And why does this not work then?

$ iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
$ iptables -t mangle -A OUTPUT -m connmark --mark 1 -j MARK --set-mark 2
$ ip rule add fwmark 2 table 3
$ ip route add table 3 default via srv.eth0.gw

Regards,
Yuri Kanivetsky

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
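The routing behaviour discussed in this thread, reduced to a small simulation (an added example, not code from the thread or from OpenVPN): rule-ordered table selection with longest-prefix match, the difference between a locally originated packet that gets its source address from the chosen route and a reply packet whose source is already fixed, and the source-based rule from the thread that sends replies back out eth0. The addresses are constructed stand-ins for my.ip, srv.eth0.ip and the other placeholders; the reverse-path check at the end models the kernel's strict rp_filter, which the thread does not mention but which runs as part of the routing decision for incoming packets.

```python
import ipaddress

# Constructed addresses standing in for the thread's placeholder names.
MY_IP, ETH0_IP, ETH0_GW = "203.0.113.10", "198.51.100.20", "198.51.100.1"
TUN0_IP, TUN0_GW, VPN_IP = "10.8.0.6", "10.8.0.5", "192.0.2.40"

# Route entries: (prefix, outgoing dev, preferred source address).
MAIN_NO_VPN = [("0.0.0.0/0", "eth0", ETH0_IP), ("198.51.100.0/24", "eth0", ETH0_IP)]
MAIN_VPN = MAIN_NO_VPN + [  # the four routes the VPN client adds
    ("0.0.0.0/1", "tun0", TUN0_IP), ("10.8.0.0/24", "tun0", TUN0_IP),
    (VPN_IP + "/32", "eth0", ETH0_IP), ("128.0.0.0/1", "tun0", TUN0_IP)]
TABLE1 = [("0.0.0.0/0", "eth0", ETH0_IP)]  # ip route add table 1 default via srv.eth0.gw

# ip rules in priority order: (source selector, or None for "from all", table).
RULES_VPN = [(None, MAIN_VPN)]
RULES_FIXED = [(ETH0_IP, TABLE1), (None, MAIN_VPN)]  # ip rule add from srv.eth0.ip table 1

def lookup_table(table, dst):
    """Longest-prefix match inside one table: /1 beats /0, so the two VPN
    halves win over the original default route for every destination."""
    best = None
    for prefix, dev, src in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev, src)
    return best and best[1:]

def route(rules, dst, src=None):
    """Walk the rules in order; the first table that holds a match decides.
    src=None models a locally originated packet on an unbound socket (e.g.
    traceroute): the route is chosen first and the source address is taken
    from it, so a 'from X' rule cannot match. A reply packet arrives with its
    source already fixed to the address the request was sent to."""
    for selector, table in rules:
        if selector is not None and selector != src:
            continue
        hit = lookup_table(table, dst)
        if hit:
            dev, preferred_src = hit
            return dev, (src or preferred_src)
    return None

def reverse_path_ok(rules, in_dev, pkt_src, pkt_dst):
    """Strict reverse-path check (rp_filter): look up the route back to the
    packet's source with the addresses swapped and require that it would
    leave through the interface the packet arrived on."""
    hit = route(rules, dst=pkt_src, src=pkt_dst)
    return hit is not None and hit[0] == in_dev
```

With only the VPN routes, a reply sourced from srv.eth0.ip is routed out tun0 and the reverse-path check for the incoming request fails; with the extra rule and table 1, both the reply route and the reverse-path check come out on eth0 while an unbound traceroute still leaves via tun0.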