split tunneling - ping only works one way


Post by gkamgang » Tue Nov 14, 2017 1:26 pm

Living in a country where the Internet is restricted, I want to use OpenVPN to connect our servers inside my country and the servers outside. The network diagram could be the following:

ServerInside <---> OpenVPNServer (Outside) <----> ServerOutside.

We choose to use the split tunneling option because we don't want all the traffic of the ServerInside tunneling into VPN.

Here is the client.conf of ServerInside

Code:

route-nopull
route ServerOutsideIp  255.255.255.255 vpn_gateway

The server.conf of VPNServer

Code:

;push "redirect-gateway def1" (commented)

Ping ServerInside -> ServerOutside

The Ping ServerInside -> ServerOutside works perfectly. Here is a tcpdump of ServerInside :

Code:

03:06:06.519059 IP (tos 0x0, ttl 64, id 45210, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.14 > ServerOutsideIp: ICMP echo request, id 12723, seq 32, length 64
03:06:06.591531 IP (tos 0x0, ttl 47, id 36420, offset 0, flags [none], proto ICMP (1), length 84)
ServerOutsideIp > 10.8.0.14: ICMP echo reply, id 12723, seq 32, length 64

Here is a tcpdump of ServerOutside :

Code:

3:12:54.974800 IP (tos 0x0, ttl 39, id 4679, offset 0, flags [DF], proto ICMP (1), length 84)
OpenVPNServerIp > 172.31.17.228: ICMP echo request, id 12741, seq 1, length 64
03:12:54.974826 IP (tos 0x0, ttl 64, id 57406, offset 0, flags [none], proto ICMP (1), length 84)
172.31.17.228 > OpenVPNServerIp: ICMP echo reply, id 12741, seq 1, length 64

Ping ServerOutside -> ServerInside

The ping doesn't work in this way. The icmp request is well received in ServerInside interface eth0, forwarded to tun0 going to the openVPNServer, but it seems that the ServerOutside doesn't receive.

The tcpdump of openVPNServer:

Code:

20:50:49.092278 IP (tos 0x0, ttl 64, id 60561, offset 0, flags [none], proto ICMP (1), length 84)
172.31.28.40 > ServerOutsideIp: ICMP echo reply, id 14640, seq 580, length 64

The tcpdump of ServerOutside:

Code:

13:05:35.027509 IP (tos 0x0, ttl 64, id 55583, offset 0, flags [DF], proto ICMP (1), length 84)
172.31.17.228 > ServerInsideIP: ICMP echo request, id 16060, seq 1, length 64

I doubt that the ServerOutside is unable to match the reply packet with the request one and the packet is dropped.

Even though I am a newbie to OpenVPN, I have some basics in networking, and I didn't expect that setting up basic split tunneling would bother me for a few days :?

Is it possible to configure the route so that the (ServerOutSide -> ServerInside) ping reply doesn't go by the VPN tunnel, but that the ping (ServerInside -> ServerOutSide) goes by the VPN?

Hope that openvpn guys here could give me the lights ;)
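Added example, not part of the original post: a small Python script that pairs ICMP echo requests and replies from `tcpdump -v` text on (id, seq) and flags replies whose source address is not the address the request was sent to, which is the mismatch the post suspects. The sample capture is constructed; it reuses the post's `ServerInsideIP`, `172.31.17.228` and `172.31.28.40` only as labels, and the function names are this example's own.

```python
import re

# Matches the address line of `tcpdump -v` ICMP output in the format shown in the post.
ICMP_RE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse(capture):
    """Yield (kind, src, dst, id, seq) per ICMP echo line; header lines are skipped."""
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])

def pair_echoes(capture):
    """Pair requests and replies on (id, seq) and classify each exchange."""
    pending, results = {}, []
    for kind, src, dst, ident, seq in parse(capture):
        key = (ident, seq)
        if kind == "request":
            pending[key] = (src, dst)
            continue
        req = pending.pop(key, None)
        if req is None:
            results.append((key, "reply-without-request", src, dst))
        elif (src, dst) == (req[1], req[0]):
            results.append((key, "ok", src, dst))  # reply mirrors the request
        else:
            results.append((key, "address-mismatch", src, dst))
    # Requests still pending at the end of the capture never got a reply.
    results.extend((k, "no-reply", s, d) for k, (s, d) in pending.items())
    return results

# Constructed capture as it might look on ServerOutside (not data from the post).
SAMPLE = """\
13:05:35.027509 IP (tos 0x0, ttl 64, id 55583, offset 0, flags [DF], proto ICMP (1), length 84)
172.31.17.228 > ServerInsideIP: ICMP echo request, id 16060, seq 1, length 64
ServerInsideIP > 172.31.17.228: ICMP echo reply, id 16060, seq 1, length 64
172.31.17.228 > ServerInsideIP: ICMP echo request, id 16060, seq 2, length 64
172.31.28.40 > 172.31.17.228: ICMP echo reply, id 16060, seq 2, length 64
172.31.17.228 > ServerInsideIP: ICMP echo request, id 16060, seq 3, length 64
"""

if __name__ == "__main__":
    for (ident, seq), status, src, dst in pair_echoes(SAMPLE):
        print(f"id={ident} seq={seq} {status}: {src} > {dst}")
```

Run against captures taken during the same ping on each hop, an `address-mismatch` or `no-reply` entry shows at which hop the reply stops mirroring the request.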