Page 1 of 1

OpenVPN with redirect-gateway renders public ip inaccessable

Posted: Tue Oct 12, 2010 11:07 am
by tuxx
Hi,

i am using a Swedish vpn service (called vpntunnel.se) which redirects all traffic from eth0 to tap0. The ip address assigned to tap0 is dynamic..

for various reasons i must also be able to access the server via the static ip of eth0. The Iface eth0 however is not pingable.

tcpdump shows incoming pings on eth0. No outgoing pings are detected on either eth0 nor tap0.

Code: Select all

root@ks361921:~# sudo tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:54:43.115276 IP p57DF5C29.dip.t-dialin.net > rps1829.ovh.net: ICMP echo request, id 2057, seq 4257, length 64
22:54:44.115733 IP p57DF5C29.dip.t-dialin.net > rps1829.ovh.net: ICMP echo request, id 2057, seq 4258, length 64
22:54:45.115769 IP p57DF5C29.dip.t-dialin.net > rps1829.ovh.net: ICMP echo request, id 2057, seq 4259, length 64
root@ks361921:~# sudo tcpdump -i tap0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
here you will find the routing table and the ip addresses:

Code: Select all

sh-4.0# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1c:c0:65:20:5a  
          inet addr:91.121.199.129  Bcast:91.121.199.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10685 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1846 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2026093 (2.0 MB)  TX bytes:279306 (279.3 KB)
          Interrupt:19 Base address:0x2000 

tap0      Link encap:Ethernet  HWaddr aa:46:4c:05:f9:da  
          inet addr:178.73.204.222  Bcast:178.73.204.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8920 errors:0 dropped:0 overruns:0 frame:0
          TX packets:224 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:1353544 (1.3 MB)  TX bytes:44927 (44.9 KB)

sh-4.0# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
178.73.215.186  91.121.199.254  255.255.255.255 UGH   0      0        0 eth0
91.121.199.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
178.73.204.0    0.0.0.0         255.255.255.0   U     0      0        0 tap0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         178.73.204.1    128.0.0.0       UG    0      0        0 tap0
128.0.0.0       178.73.204.1    128.0.0.0       UG    0      0        0 tap0
0.0.0.0         91.121.199.254  0.0.0.0         UG    100    0        0 eth0
furthermore iptables is completley flushed.

I have been trying to figure out a way to make this possible.. but so far to no avail. I would greatly appreciate any help and advice you guys can give me!

many thanks,
tuxx

Re: OpenVPN with redirect-gateway renders public ip inaccess

Posted: Tue Oct 12, 2010 1:42 pm
by tuxx
After many frustrating hours, I finally managed to get this working with the help of \malex\ on freenode IRC.

To achieve this, the following, surprisingly simple commands were used to create a second routing table and then setup a rule for packets with the src address 91.121.199.129:

Code: Select all

ip rule add from 91.121.199.129 table 10
ip route add default via 91.121.199.254 table 10

Re: OpenVPN with redirect-gateway renders public ip inaccess

Posted: Mon Sep 26, 2011 8:25 pm
by skrewt
I know this post is old, but I felt the need to add my own update.

I was able to get this exact functionality working by using the same 2 commands provided in the above post. In the first command, the IP is the IP of the local server accepting SSH connections (also the VPN client) and the second line uses the IP of my gateway/router.

I can confirm that I can now connect via SSH to my server using the VPN client and funnel my traffic through the VPN.

Re: OpenVPN with redirect-gateway renders public ip inaccess

Posted: Fri Jan 13, 2012 8:12 am
by dshafirov
I have a similar problem. I'm connected via ssh to a remote Ubuntu 10.04 server. I've installed OpenVPN on that server, and the configuration and credentials for a third-party OpenVPN server, which pushes redirect-gateway. If I establish the VPN connection, I will almost certainly lose my ssh connection. And I'll need to ask the provider's staff to hard reboot the remote server, which is not a good thing.

Just to be clear, the remote server's primary network interface ...

Code: Select all

auto eth0
iface eth0 inet static
address X.Y.Z.243
gateway X.Y.Z.242
netmask 255.255.255.254
The Kernel IP routing table ...

Code: Select all

Destination    Gateway      Genmask           Flags Metric Ref    Use Iface
X.Y.Z.242      0.0.0.0      255.255.255.254   U     0      0        0 eth0
0.0.0.0        X.Y.Z.242    0.0.0.0           UG    100    0        0 eth0
After executing the specified ip commands, I have ...

Code: Select all

ip rule list
0:	from all lookup local 
32765:	from X.Y.Z.243 lookup 10 
32766:	from all lookup main 
32767:	from all lookup default

ip route list
X.Y.Z.242/31 dev eth0  proto kernel  scope link  src X.Y.Z.243 
default via X.Y.Z.242 dev eth0  metric 100 
What are my chances?

Will I be able to "ssh david@X.Y.Z.243" after establishing the VPN connection?

Is there a better way to address this?

Re: OpenVPN with redirect-gateway renders public ip inaccess

Posted: Thu Jan 26, 2012 1:39 pm
by Mimiko
dshafirov wrote:What are my chances?
Before running the OpenVPN add a static route to your remote computer:

Code: Select all

route add {your computer's external IP} 255.255.255.255 gw X.Y.Z.242

Re: OpenVPN with redirect-gateway renders public ip inaccess

Posted: Tue Feb 21, 2012 11:30 am
by awol
hi there,

i can also successfully log into my ssh server from a remote address with the following 2 lines:

Code: Select all

ip rule add from <internal IP of SSH server/VPN client> table 10
ip route add default via <internal IP of gateway/router> table 10
however when I enter these 2 commands, it will bump off the users on my internal lan.

my ssh server/vpn client also acts as a squid proxy server, through which the internal lan clients access the internet, and allows them to share the vpn connection.

i think this is either a routing issue or an iptables issue (or a combination of the two), but my (limited) knowledge in this area has me stuck at this point, and i'm not having a lot of luck with google...

can anyone point me in the right direction?

Re: OpenVPN with redirect-gateway renders public ip inaccess

Posted: Sun Apr 29, 2012 6:46 am
by Mimiko
Can't help without seeing any config file, log, and network configuration.