OpenVPN Traffic Drops One Way

Hey [H]

I have a weird issue I'm working through and could use some help. I've got a site-to-site VPN tunnel set up using two Ubuntu servers running OpenVPN and acting as gateways. I've set up the routing such that when I am in one LAN, let's call my client 10.0.0.5, I can ping any client in the other LAN, let's call them 10.10.0.4 and 10.10.0.6. I can also ssh into them without any issue.

Now, I switch sides. I try to ping from the second LAN to the first. So from 10.10.0.4 to 10.0.0.5. I get no echo reply. No ssh.

I run tcpdump on the various parties involved. The echo replies are traveling from the 10.0.0.5 node, through the VPN tunnel out the tunnel interface on my VPN gateway in the first LAN, show as destined for the originating node, but that's as far as they get. For some reason they are not going out the LAN interface of the VPN gateway and are just being dumped on the floor.

I have made several attempts to modify iptables and sysctl.conf for ip forwarding and am striking out. Anyone have any idea what I could try?
 
Sounds like an incoming firewall rule is blocking non-established traffic. What does iptables -L show?
 
..and/or missing route(s).

Firewall should work fine using these commands

Code:
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

//Danne
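To make the firewall explanation in the replies above concrete, here is an added example that is not from the thread: a small evaluator for an iptables FORWARD chain, fed with `iptables -S` style text. It shows that a default-deny forwarder which only matches RELATED,ESTABLISHED (plus LAN-to-tunnel) accepts the first packet of a connection started from the LAN but drops the first packet of a connection arriving over the tunnel, and that the tun+ rules from the reply above fix that. Both rule sets, the interface names eth0/tun0 and the conntrack state are constructed assumptions; the addresses are the ones the original poster used.

```python
"""Toy evaluator for an iptables FORWARD chain, fed from `iptables -S`
style text, to show why a default-deny forwarder drops the *first*
packet of a connection that arrives over the OpenVPN tunnel.
Rule sets below are constructed samples, not captures from any gateway."""
import ipaddress

# Constructed: default-deny forwarder that only lets the LAN initiate.
LAN_INITIATES_ONLY = """
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
"""

# Constructed: the same chain after the tun+ rules from the reply above
# were inserted (`-I` puts them at the top, which is how -S lists them).
WITH_TUN_RULES = """
-P FORWARD DROP
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
"""


def _iface_match(pattern, name):
    """iptables '-i tun+' means any interface whose name starts with 'tun'."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def _net_match(cidr, addr):
    """'-s'/'-d' criteria; a missing criterion matches everything."""
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def parse_chain(rules_text, chain="FORWARD"):
    """Return (policy, rules) for one chain from `iptables -S` output.
    Only -i/-o/-s/-d/--ctstate/--state/-j are modelled; any other match
    raises, so the evaluator never silently reports a wrong verdict."""
    policy, rules = "ACCEPT", []
    for line in rules_text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != chain:
            continue
        if tok[0] == "-P":
            policy = tok[2]
            continue
        if tok[0] != "-A":
            continue
        rule = {"in": None, "out": None, "src": None, "dst": None,
                "states": None, "target": None}
        i = 2
        while i < len(tok):
            opt = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) else None
            if opt == "-i":
                rule["in"] = arg
            elif opt == "-o":
                rule["out"] = arg
            elif opt == "-s":
                rule["src"] = arg
            elif opt == "-d":
                rule["dst"] = arg
            elif opt in ("--ctstate", "--state"):
                rule["states"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt != "-m":  # '-m conntrack' / '-m state' carry no criteria themselves
                raise ValueError(f"unsupported match in rule: {line!r}")
            i += 2
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, in_if, out_if, src, dst, ctstate):
    """First matching rule wins, as in the kernel; otherwise the chain policy."""
    for n, r in enumerate(rules):
        if (_iface_match(r["in"], in_if) and _iface_match(r["out"], out_if)
                and _net_match(r["src"], src) and _net_match(r["dst"], dst)
                and (r["states"] is None or ctstate in r["states"])):
            return r["target"], n
    return policy, None


def check_site_to_site(rules_text, lan_if="eth0", tun_if="tun0",
                       local="10.0.0.5", remote="10.10.0.4"):
    """Verdict for the first packet of a connection in each direction.
    'NEW' is how conntrack classifies the echo request that opens a flow."""
    policy, rules = parse_chain(rules_text)
    return {
        "lan->tunnel": verdict(policy, rules, lan_if, tun_if, local, remote, "NEW")[0],
        "tunnel->lan": verdict(policy, rules, tun_if, lan_if, remote, local, "NEW")[0],
    }


if __name__ == "__main__":
    for name, text in (("LAN_INITIATES_ONLY", LAN_INITIATES_ONLY),
                       ("WITH_TUN_RULES", WITH_TUN_RULES)):
        print(name, check_site_to_site(text))
```

The asymmetry the original poster saw (one direction works, the other is silently dropped) is exactly what the first rule set produces: replies to LAN-initiated pings match the ESTABLISHED rule, but a ping that originates on the far side hits the DROP policy on its first packet. Pasting the real `iptables -S FORWARD` output into `parse_chain` (extending it if the chain uses matches it does not model) turns that into a quick yes/no check.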
 
If it were a missing route then the ICMP traffic would never return when pinging from one end, but he said that it works, so traffic does know how to get there.

Definitely sounds like firewall.
 
Uhm... Hold on, shouldn't he be doing bridging since he's on the same /24-net on both sides?
//Danne
 
He said 10.10.0.0/24 to 10.0.0.0/24. Or at least that's what I'm assuming.
 
Thanks, guys. This was an iptables issue in a sense. We are running OpenStack and apparently there is some source/destination checking that is blocking the traffic. We are forgoing this project and going with a hardware VPN instead.

To answer the questions here:

Different subnets. Routing was not an issue, as traffic is returning through the tunnel and pointing to the correct destination in the TCP packets, and iptables on the gateways had accept all.
 