I investigated the problem a bit and came to the conclusion that these packets must be dropped somewhere in the kernel, because:
- iptables is disabled
- I see packets in tcpdump sent to 10.4.0.1, but there are no corresponding entries in OpenVPN's logs (the only packets logged are probably the ping packets arriving from server side).
- the routing table on the problematic device looks very similar to the one on regular devices:
# ip ro
default dev ppp0 scope link
10.4.0.1 dev tun0 proto kernel scope link src 10.4.0.18
192.168.80.0/22 dev eth0 proto kernel scope link src 192.168.81.123
192.168.202.0 dev ppp0 proto kernel scope link src 10.187.248.19
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.4.0.18 P-t-P:10.4.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:304 errors:0 dropped:580 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:65089 (63.5 KiB)
These are my configs, client and server side respectively:
# OpenVPN client configuration as posted. No `remote` or `dev` directive appears
# in this listing, so those are presumably supplied elsewhere (command line or a
# part of the file that was not pasted) - confirm.
# NOTE(review): no tls-auth / tls-crypt directive is visible either, so the TLS
# control channel would have no pre-shared HMAC protection - confirm.
# Send log output to syslog under the program name "openvpn_gw_srv".
syslog openvpn_gw_srv
client
proto tcp
# NOTE(review): the server listing on this page uses port 8894. The two only
# meet if something in between maps 8911 to 8894 - confirm.
port 8911
nobind
# NOTE(review): compression is applied before encryption, which can leak
# plaintext through ciphertext length (compression-oracle attacks). comp-lzo is
# deprecated in later OpenVPN releases. Any change must be made on both peers.
comp-lzo
# Only silences the log message about replayed packets; it does not turn
# replay protection off.
mute-replay-warnings
# NOTE(review): ns-cert-type checks the legacy Netscape certificate-type
# extension and is deprecated. `remote-cert-tls server` checks key usage and
# extended key usage instead.
ns-cert-type server
# NOTE(review): Blowfish has a 64-bit block, so long-lived keys are exposed to
# birthday-bound (SWEET32) attacks. A 128-bit-block cipher such as AES avoids
# this. The cipher must match the server's.
cipher BF-CBC
# Allow up to 170 seconds for the TLS handshake to complete.
hand-window 170
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
# Private key: the file should be readable only by the account that starts OpenVPN.
key /etc/openvpn/client.key
persist-key
# Exit if nothing is received from the peer for 92 seconds.
ping-exit 92
# NOTE(review): data-channel keys are renegotiated only every 24 hours. With a
# 64-bit block cipher that lets a lot of traffic share one key; a shorter
# reneg-sec or a reneg-bytes limit reduces that.
reneg-sec 86400
# NOTE(review): the management interface listens on a local TCP port with no
# password file given, so any local process can connect and control the
# daemon. A password file or a unix socket restricts that.
management localhost 7012
# OpenVPN server configuration as posted.
# NOTE(review): no tls-auth / tls-crypt and no user/group (privilege drop)
# directives are visible in this listing - confirm whether they are set elsewhere.
dev tun1
# Server mode with a 10.4.0.0/16 address pool for clients.
server 10.4.0.0 255.255.0.0
# proto udp (disabled; TCP is used instead)
#proto udp
proto tcp
# NOTE(review): the client listing on this page uses port 8911, not 8894.
# Confirm that a port forward maps between the two.
port 8894
# Send a keepalive ping every 30 seconds of inactivity.
ping 30
# NOTE(review): compression is applied before encryption, which can leak
# plaintext through ciphertext length (compression-oracle attacks). comp-lzo is
# deprecated in later OpenVPN releases. Any change must be made on both peers.
comp-lzo
# Only silences the log message about replayed packets; it does not turn
# replay protection off.
mute-replay-warnings
# NOTE(review): Blowfish has a 64-bit block, so long-lived keys are exposed to
# birthday-bound (SWEET32) attacks. A 128-bit-block cipher such as AES avoids
# this. The cipher must match the clients'.
cipher BF-CBC
# NOTE(review): the file name suggests 1024-bit Diffie-Hellman parameters,
# which are considered too weak today; 2048 bits or more is the usual minimum.
# Confirm the actual size of the file.
dh /etc/ssl/private/server/dh1024.pem
ca /etc/ssl/private/server/ca.crt
cert /etc/ssl/private/server/server.crt
# Private key: the file should be readable only by the account that starts OpenVPN.
key /etc/ssl/private/server/server.key
# Remember client-to-address assignments across restarts in ipp.txt.
ifconfig-pool-persist ipp.txt
# One address per client instead of a /30 per client. Deprecated in favour of
# `topology p2p`.
ifconfig-pool-linear
persist-key
persist-tun
# NOTE(review): data-channel keys are renegotiated only every 24 hours, and
# reneg-pkts 0 below disables the packet-count trigger. With a 64-bit block
# cipher that lets a lot of traffic share one key; a shorter reneg-sec or a
# reneg-bytes limit reduces that.
reneg-sec 86400
reneg-pkts 0
# 0 disables restart-on-ping-timeout.
ping-restart 0
status openvpn-status.log
# Debug-level verbosity. This logs per-packet read/write markers, so the logs
# grow quickly; 3 or 4 is the usual setting outside of troubleshooting.
verb 5
# NOTE(review): the management interface listens on a local TCP port with no
# password file given, so any local process can connect and control the
# daemon. A password file or a unix socket restricts that.
management localhost 7012
# Run in the background, logging under the program name "server-openvpn".
daemon server-openvpn
# Allow up to 600 seconds for the TLS handshake to complete.
hand-window 600