On Tue, May 29, 2018 at 11:09 AM, Antonio Quartulli <a...@unstable.cc> wrote:
> Hi,
>
> On 29/05/18 13:44, Yuri Kanivetsky wrote:
>
> [cut]
>
>>
>> These two commands make it work:
>>
>> $ ip rule add from srv.eth0.ip table 1
>> $ ip route add table 1 default via srv.eth0.gw
>>
>> More details can be found here:
>> https://lists.debian.org/debian-user/2018/05/msg00780.html
>>
>> Can you explain what's going on here? Thanks in advance.
>>
>
> Once you connect to the VPN and set a default route to the VPN server
> IP, packets flowing back over the SSH connection do not go over eth0
> anymore, but they follow the new default route.

From my experience, SSH packets from my local computer reach the server's eth0, but disappear when the kernel makes a routing decision:

https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

To determine that, I run the following commands on the server:

$ iptables -t nat -A PREROUTING -p icmp -j LOG --log-prefix="nat: PREROUTING: "
$ iptables -t nat -A INPUT -p icmp -j LOG --log-prefix="nat: INPUT: "
$ iptables -t nat -A OUTPUT -p icmp -j LOG --log-prefix="nat: OUTPUT: "
$ iptables -t nat -A POSTROUTING -p icmp -j LOG --log-prefix="nat: POSTROUTING: "
$ iptables -t mangle -A PREROUTING -p icmp -j LOG --log-prefix="mangle: PREROUTING: "
$ iptables -t mangle -A INPUT -p icmp -j LOG --log-prefix="mangle: INPUT: "
$ iptables -t mangle -A FORWARD -p icmp -j LOG --log-prefix="mangle: FORWARD: "
$ iptables -t mangle -A OUTPUT -p icmp -j LOG --log-prefix="mangle: OUTPUT: "
$ iptables -t mangle -A POSTROUTING -p icmp -j LOG --log-prefix="mangle: POSTROUTING: "
$ iptables -t security -A INPUT -p icmp -j LOG --log-prefix="security: INPUT: "
$ iptables -t security -A FORWARD -p icmp -j LOG --log-prefix="security: FORWARD: "
$ iptables -t security -A OUTPUT -p icmp -j LOG --log-prefix="security: OUTPUT: "
$ iptables -t raw -A PREROUTING -p icmp -j LOG --log-prefix="raw: PREROUTING: "
$ iptables -t raw -A OUTPUT -p icmp -j LOG --log-prefix="raw: OUTPUT: "
$ iptables -t filter -A INPUT -p icmp -j LOG --log-prefix="filter: INPUT: "
$ iptables -t filter -A FORWARD -p icmp -j LOG --log-prefix="filter: FORWARD: "
$ iptables -t filter -A OUTPUT -p icmp -j LOG --log-prefix="filter: OUTPUT: "

With no OpenVPN running I get:

raw: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
mangle: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
nat: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
mangle: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
filter: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
security: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
nat: INPUT: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
raw: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
mangle: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
filter: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
security: OUTPUT: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip
mangle: POSTROUTING: IN= OUT=eth0 SRC=srv.eth0.ip DST=my.ip

With OpenVPN:

raw: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
mangle: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip
nat: PREROUTING: IN=eth0 OUT= SRC=my.ip DST=srv.eth0.ip

So, SSH packets don't reach the SSH daemon, although they reach eth0. So, no reply packets.

To be precise, I experimented with ICMP and HTTP packets. More details here:

https://lists.debian.org/debian-user/2018/05/msg00780.html

And why does this not work then?

$ iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
$ iptables -t mangle -A OUTPUT -m connmark --mark 1 -j MARK --set-mark 2
$ ip rule add fwmark 2 table 3
$ ip route add table 3 default via srv.eth0.gw

Are there any other ways I can investigate the issue?

>
> This breaks the SSH connection because those packets are just lost (they
> won't be routed/natted by the VPN server in any useful way).
>
> With the commands above, you are basically saying: "all the packets
> having the eth0 IP as source address have to go out directly via eth0,
> without being forwarded to the VPN".
>
> I hope this clarifies the problem.
>
> Cheers,
>
> --
> Antonio Quartulli
>

Regards,
Yuri Kanivetsky

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users