Re: OpenVPN and IP Forwarding

To: "debian-user" <debian-user@lists.debian.org>
Subject: Re: OpenVPN and IP Forwarding
From: cletusjenkins <cletusjenkins@zoho.com>
Date: Tue, 15 Jan 2013 13:09:55 -0800
Message-id: <44759037.5020.1358284495749.JavaMail.sas2@[172.29.254.227]>
In-reply-to: <[🔎] 20130115183109.GB11658@hysteria.proulx.com>
References: <653296968.3261.1358243191686.JavaMail.sas@[172.29.249.242]> <[🔎] 89D1798A7351D040B4E74E0A043C69D71CC4DE4B@HGLEXCH-01.tio.nl> <1602576786.2590.1358273391617.JavaMail.sas1@[172.29.252.227]> <[🔎] 20130115183109.GB11658@hysteria.proulx.com>

>This is a good clarification. But still confusing. I think you need 
>to give us a block diagram or picture of things. Because in the above 
>it reads like you have two machines in your path where most of us 
>would have only one. Because you say that you vpn to a server and 
>that server you vpn'd to provides you access to the internet. If you 
>are not using the internet to get to that server then I can only 
>assume that you have yet another private lan segment between. 
> 

I used dia to make a png file diagram of my network. I tried to make one with text, but
I couldn't understand it and I made it. I assume the list won't forward attachments, so
I posted it at:

http://i1309.photobucket.com/albums/s629/CletusJenkins/network_zps9f815828.png

If there is a better way to share things like this to the list let me know.

I only have one "router". I buy a service from a company that gives me an encrypted
tunnel to their site and access to the rest of the internet from there. I'd mentioned
their name/wesbite since that would probably make it clearer, but I didn't want to do
advertising for them here.

The extra overhead is the point, everything is encrypted from me to them and their
site is in a foreign jurisdiction and obfuscated by thousands of other user's traffic.
This is a "big brother''ll take my internet from my cold dead hands", kind of deal.

Anyway, here is an of my openvpn config (domain names expunged):
client
dev tun
proto tcp
remote ca.vpn.namehidden.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/namehidden.ca.crt
verb 3
mute 3
auth-user-pass
mute-replay-warnings
float
reneg-sec 0
auth-user-pass  pass.word

I connect to the internet via a DSL line, the private network machines reach it through
the "router" machine. I just want the private machines traffic to pass through the VPN
like traffic generated on my "router" machine itself.

The thing I don't understand is when I bring up the VPN link, I lose the ability to ping
or otherwise connect from my "router" machine to the local lan (192.168.2.0/8)
machines. But the VPN works fine from the "router" machine, I can do everything I
normally would do on the internet.

>From machines on that lan I can ping my "router" and use services running on it, but
they cannot reach the internet when the VPN is connected (connected meaning
openvpn is running on my "router", not the other systems). In my mind (...heh...)
traffic that comes in via ip forwarding should go out the default gateway whether
that is a DSL connection or a VPN running over that DSL link. I have to think the
loss of connectivity from my "router" back to the private network is the crux of the
problem or at least a major symptom of it.

Reply to:

Follow-Ups:
- RE: OpenVPN and IP Forwarding
  - From: Bonno Bloksma <b.bloksma@tio.nl>

References:
- OpenVPN and IP Forwarding
  - From: cletusjenkins <cletusjenkins@zoho.com>
- RE: OpenVPN and IP Forwarding
  - From: Bonno Bloksma <b.bloksma@tio.nl>
- RE: OpenVPN and IP Forwarding
  - From: cletusjenkins <cletusjenkins@zoho.com>
- Re: OpenVPN and IP Forwarding
  - From: Bob Proulx <bob@proulx.com>

Prev by Date: Re: Grub gone nuts after recent dist-upgrade in unstable[SOLVED]
Next by Date: Re: What would be the appropriate forum?
Previous by thread: Re: OpenVPN and IP Forwarding
Next by thread: RE: OpenVPN and IP Forwarding
Index(es):
- Date
- Thread