Forwarding failure

My FreeBSD box does not forward packets from the LAN (xl0) through OpenVPN (tun0).
Here's my setup (local address is 192.168.0.7):

Code:
# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      965   tun0
xxx.xxx.xxx.xxx    192.168.0.1        UGHS        1      654    xl0
127.0.0.1          link#5             UH          0        6    lo0
192.168.0.0/24     link#4             U           3     1903    xl0
192.168.0.7        link#4             UHS         0        0    lo0
192.168.2.0/24     192.168.2.2        UGS         0        0   tun0
192.168.2.1        link#7             UHS         0        0    lo0
192.168.2.2        link#7             UH          0      157   tun0

Where xxx.xxx.xxx.xxx is the public static IP address of my OpenVPN server, somewhere out there on the Internet.

In my /etc/rc.conf I have:
Code:
openvpn_enable="YES"
gateway_enable="YES"

My OpenVPN setup is simple:

Code:
# cat /usr/local/etc/openvpn/openvpn.conf
dev tun
remote xxx.xxx.xxx.xxx
ifconfig 192.168.2.1 192.168.2.2
up /usr/local/etc/openvpn/up
secret /usr/local/etc/openvpn/static.key
port 1194
verb 3

What I'm trying to do is to have my FreeBSD box live on my LAN, which has a router for accessing the Internet (192.168.0.1). However, the FreeBSD box does not use this router to access the Internet; it uses the OpenVPN connection instead (via the 192.168.2.x tunnel). On the other side of this tunnel I have a Linux VPS which has a static Internet IP (xxx.xxx.xxx.xxx above). It performs NAT operations (using iptables).

If I try to access the Internet from the FreeBSD box as configured above, all is well. I can ping the other side of the tunnel, google.com, etc., and the packets do flow through the OpenVPN tunnel as expected.

However, if on any other machine on my LAN I set up the FreeBSD box as the default gateway (that is, if on another machine I change the default route from 192.168.0.1 to 192.168.0.7), it doesn't work. A traceroute shows that the packets never reach the 192.168.2.x tunnel. It is as if the FreeBSD box does not forward the packets from the xl0 NIC to the tun0 OpenVPN tunnel.

That is, on the FreeBSD box, I can:

Code:
ping 192.168.2.1
ping 192.168.2.2
ping xxx.xxx.xxx.xxx
ping google.com

And they all work.

On a machine with a default route leading to 192.168.0.7, I can:

Code:
ping 192.168.0.7 - works
ping 192.168.2.1 - works
ping xxx.xxx.xxx.xxx - works (obviously not via the vpn tunnel)

But I cannot:

Code:
ping 192.168.2.2 - 100% packet loss
ping 8.8.8.8 - "From 192.168.0.7 ... Destination Host Unreachable"

Normally the first advice I see in HOWTOs and so on is gateway_enable="YES", but I do have that set up. Also, I _can_ ping 192.168.2.1 (the near side of the VPN tunnel) from outside the FreeBSD box, but not 192.168.2.2 (the far side of the VPN tunnel). Interestingly, when I ping 192.168.2.2 I see packets sent on the FreeBSD OpenVPN (with verb 9). But when I ping 8.8.8.8, I don't see such packets sent.

I'm pretty much stumped at this point. Any ideas will be appreciated...

Thanks,

Oren Ben-Kiki
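The routing table quoted in the post, run through an added route-lookup check (example code written for this page, not from the thread, from FreeBSD or from OpenVPN): it parses the netstat -nr output, does the same longest-prefix match the kernel does when forwarding, and reports when the chosen route's gateway is one of the box's own addresses rather than a remote next hop. Assumptions: the redacted VPS address is replaced by the documentation placeholder 203.0.113.10, and flagging a local-address gateway on a point-to-point tunnel is a thing worth checking, not a diagnosis the thread confirms.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set
# Constructed sample: the post's IPv4 routing table, with the redacted VPS
# address xxx.xxx.xxx.xxx replaced by the documentation placeholder 203.0.113.10.
NETSTAT_NR = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      965   tun0
203.0.113.10       192.168.0.1        UGHS        1      654    xl0
127.0.0.1          link#5             UH          0        6    lo0
192.168.0.0/24     link#4             U           3     1903    xl0
192.168.0.7        link#4             UHS         0        0    lo0
192.168.2.0/24     192.168.2.2        UGS         0        0   tun0
192.168.2.1        link#7             UHS         0        0    lo0
192.168.2.2        link#7             UH          0      157   tun0
"""
@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # next-hop address, or "link#N" when directly attached
    flags: str
    netif: str

def parse_routes(text: str) -> List[Route]:
    """Parse the IPv4 section of FreeBSD `netstat -nr` into Route objects."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Destination":  # header or non-route line
            continue
        # "default" is 0.0.0.0/0; a bare address is a host route (/32)
        net = "0.0.0.0/0" if f[0] == "default" else f[0]
        routes.append(Route(ipaddress.ip_network(net, strict=False), f[1], f[2], f[5]))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same selection the kernel makes when forwarding."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)

def local_addresses(routes: List[Route]) -> Set[str]:
    """Host routes pointing at lo0 are the box's own interface addresses."""
    return {str(r.network.network_address) for r in routes
            if r.netif == "lo0" and "H" in r.flags}

def next_hop_is_local(routes: List[Route], dst: str) -> bool:
    """True when dst's route names one of this host's own addresses as gateway."""
    r = lookup(routes, dst)
    return r is not None and r.gateway in local_addresses(routes)
```

For the table above, 8.8.8.8 resolves to tun0 with gateway 192.168.2.1, which is the box's own tunnel address, while 192.168.2.2 resolves to the directly attached host route on tun0.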
 
Thanks. I was thrown off by the rich editor showing the post in fixed-width font. Should have caught it in the preview. My bad.

Anyway, still stumped. I'm on the verge of switching to a Linux server so I'll be able to use pppd and iptables and all that :-(