[Resolved] Client tunnel traffic reported over ethernet interface rather than tunnel interface?

gmb
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 12, 2019 2:40 am

[Resolved] Client tunnel traffic reported over ethernet interface rather than tunnel interface?

Post by gmb » Mon Jan 28, 2019 11:54 pm

I have hopefully what is a simple question to answer.

I am running a headless Ubuntu 18.04 server VM (bridged KVM) that has ens3 as its primary "ethernet" interface (in reality the virtual bridged interface).

I connect the VM to PrivateInternetAccess via OpenVPN, accepting the "redirect-gateway def1" option pushed by the PIA server. This creates what I understand are the default routes on my VM to ensure that all internet traffic is directed over the VPN tunnel (which is what I want).

When I start the OpenVPN client, the tunnel (tun1) is successfully established, the relevant routes are established, and leak tests (eg ipleak.net, akamai, ipinfo.io) all indicate that my IP address is that of PIA's server.

I also have iptables set up to ensure that, except for LAN traffic and some other limited exceptions (eg DNS and OpenVPN ports for tunnel establishment), only traffic over the VPN tunnel is allowed. When the tunnel is not established, this appears to work successfully as a "kill switch".

My issue is that when I look at the output of, eg, ifconfig, it shows that the vast bulk of traffic is incoming and outgoing over the ethernet interface (ens3), rather than the tunnel (tun1). I realise that the tunnel interface is a virtual overlay on the ethernet interface, but I would have expected the stats still to indicate that the tunnel is being used for the traffic. Am I wrong?

Relevant information below:

Client config:

Code:
client
dev tun1
proto udp
remote au-sydney.privateinternetaccess.com 1197
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/client/pialogin.txt
auth-retry nointeract
compress
verb 3
reneg-sec 0
disable-occ
script-security 2
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 1.1.1.1
dhcp-option DNS 1.0.0.1
up /etc/openvpn/client/update-systemd-resolved
down /etc/openvpn/client/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
Routes established when the tunnel is active:

Code:

$ ip route list
0.0.0.0/1 via 10.33.10.5 dev tun1 
default via 10.0.77.1 dev ens3 proto dhcp src 10.0.77.11 metric 100 
10.0.77.0/24 dev ens3 proto kernel scope link src 10.0.77.11 
10.0.77.1 dev ens3 proto dhcp scope link src 10.0.77.11 metric 100 
10.33.10.1 via 10.33.10.5 dev tun1 
10.33.10.5 dev tun1 proto kernel scope link src 10.33.10.6 
128.0.0.0/1 via 10.33.10.5 dev tun1 
137.59.252.149 via 10.0.77.1 dev ens3
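As an added example (not from the post above, and not OpenVPN's own code), the following script performs a longest-prefix-match lookup over the route table quoted in the post. It shows why the two /1 routes installed by "redirect-gateway def1" win over the DHCP default route for all internet destinations, while the VPN server's own /32 (137.59.252.149) and the LAN prefix still leave via ens3. It also includes a small check a kill-switch monitor can run to confirm both /1 routes point at the tunnel device. The route text is copied from the post; destination addresses used in the comments are constructed.

```python
import ipaddress

# Route table as quoted in the post (output of `ip route list` with tun1 up).
ROUTE_TABLE = """\
0.0.0.0/1 via 10.33.10.5 dev tun1
default via 10.0.77.1 dev ens3 proto dhcp src 10.0.77.11 metric 100
10.0.77.0/24 dev ens3 proto kernel scope link src 10.0.77.11
10.0.77.1 dev ens3 proto dhcp scope link src 10.0.77.11 metric 100
10.33.10.1 via 10.33.10.5 dev tun1
10.33.10.5 dev tun1 proto kernel scope link src 10.33.10.6
128.0.0.0/1 via 10.33.10.5 dev tun1
137.59.252.149 via 10.0.77.1 dev ens3
"""


def parse_routes(text):
    """Parse `ip route list` lines into (network, via, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, via, dev, metric))
    return routes


def lookup(routes, dst):
    """Kernel-style selection: longest prefix wins, lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net, _via, _dev, metric = route
        if addr not in net:
            continue
        if (best is None
                or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and metric < best[3])):
            best = route
    return best


def egress_interface(routes, dst):
    """Return the device a packet to `dst` would leave on, or None."""
    route = lookup(routes, dst)
    return route[2] if route else None


def redirect_gateway_active(routes, tun_dev):
    """True when both halves of the address space (0.0.0.0/1 and 128.0.0.0/1)
    are routed via the tunnel device, i.e. the def1 override is in place."""
    wanted = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    found = {net for net, _via, dev, _m in routes if dev == tun_dev and net in wanted}
    return found == wanted


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    # Constructed sample destinations, not taken from the post.
    for dst in ("1.1.1.1", "200.1.2.3", "137.59.252.149", "10.0.77.20", "10.33.10.1"):
        print(dst, "->", egress_interface(table, dst))
    print("redirect-gateway def1 active:", redirect_gateway_active(table, "tun1"))
```

Running it shows the public destinations resolving to tun1, the LAN host and the VPN server endpoint resolving to ens3, which is exactly the split the poster sees in tcpdump: only the encrypted flow to the server's OpenVPN port crosses ens3.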

TinCanTech
OpenVPN Protagonist
Posts: 5871
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client tunnel traffic reported over ethernet interface rather than tunnel interface?

Post by TinCanTech » Tue Jan 29, 2019 6:53 pm

gmb wrote:
Mon Jan 28, 2019 11:54 pm
My issue is that when I look at the output of, eg, ifconfig, it shows that the vast bulk of traffic is incoming and outgoing over the ethernet interface (ens3), rather than the tunnel (tun1). I realise that the tunnel interface is a virtual overlay on the ethernet interface, but I would have expected the stats still to indicate that the tunnel is being used for the traffic. Am I wrong?
Do you see what your thread is missing?

gmb
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 12, 2019 2:40 am

Re: Client tunnel traffic reported over ethernet interface rather than tunnel interface?

Post by gmb » Wed Jan 30, 2019 3:23 am

I didn't include that because it wouldn't have added anything of substance to the description I provided.

Anyway, a few tcpdumps later and I have figured out how things are working.

gmb
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 12, 2019 2:40 am

Re: Client tunnel traffic reported over ethernet interface rather than tunnel interface?

Post by gmb » Wed Jan 30, 2019 8:24 am

With the answer being that the traffic on ens3 and tun1 is generally consistent. The traffic on ens3 is to and from the OpenVPN port on the PIA server, and the traffic on tun1 is the underlying traffic to and from the actual destination. The reason why the ifconfig data was previously showing an inconsistency was ... drumroll ... that the tunnel had been restarted some time after the server had booted, and so its statistics were reset (but the ens3 statistics were from the time of boot).
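As an added example (not code from the poster or from OpenVPN), here is the check that avoids the trap described in this post: compare the tunnel and physical interface counters as deltas between two snapshots rather than as lifetime totals, so a tunnel restart (which recreates tun1 and zeroes its counters) does not make the tunnel look idle. The two /proc/net/dev snapshots are constructed, the interface names follow the thread (ens3 carries the encrypted UDP flow to the server, tun1 the plaintext payload), and the ratio bounds are assumptions: with OpenVPN over UDP the encrypted flow is slightly larger than the payload, so the tun1/ens3 byte ratio should sit a little under 1.0, and LAN or kill-switch exceptions that bypass the tunnel pull it lower.

```python
# Constructed /proc/net/dev snapshots (not captured from a real host).
# Column order per interface: rx bytes, packets, errs, drop, fifo, frame,
# compressed, multicast | tx bytes, packets, errs, drop, fifo, colls,
# carrier, compressed.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  ens3: 500000000  400000    0    0    0     0          0         0 120000000  150000    0    0    0     0       0          0
  tun1:  10000000    8000    0    0    0     0          0         0   2000000    3000    0    0    0     0       0          0
"""

SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  ens3: 510000000  408000    0    0    0     0          0         0 122000000  152500    0    0    0     0       0          0
  tun1:  19500000   15800    0    0    0     0          0         0   3900000    5400    0    0    0     0       0          0
"""

# Assumed bounds for the tun/phys byte ratio over one interval (illustrative).
MIN_EXPECTED_RATIO = 0.7
MAX_EXPECTED_RATIO = 1.05


def parse_proc_net_dev(text):
    """Return {iface: {rx_bytes, rx_packets, tx_bytes, tx_packets}}."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:          # skip the two header lines
            continue
        name, rest = line.split(":", 1)
        f = rest.split()
        stats[name.strip()] = {
            "rx_bytes": int(f[0]), "rx_packets": int(f[1]),
            "tx_bytes": int(f[8]), "tx_packets": int(f[9]),
        }
    return stats


def counter_deltas(before, after, iface):
    """Per-counter difference for one interface between two snapshots."""
    b, a = before[iface], after[iface]
    return {k: a[k] - b[k] for k in b}


def tunnel_consistency(before, after, tun="tun1", phys="ens3"):
    """Judge whether traffic seen on the physical interface during the
    interval is accounted for by traffic through the tunnel."""
    dt = counter_deltas(before, after, tun)
    dp = counter_deltas(before, after, phys)
    if dt["rx_bytes"] < 0 or dt["tx_bytes"] < 0:
        # A negative delta means the interface was recreated (tunnel restart).
        return {"verdict": "tunnel counters reset between snapshots"}
    if dp["rx_bytes"] == 0 and dp["tx_bytes"] == 0:
        return {"verdict": "no traffic in interval"}
    rx_ratio = dt["rx_bytes"] / dp["rx_bytes"] if dp["rx_bytes"] else 0.0
    tx_ratio = dt["tx_bytes"] / dp["tx_bytes"] if dp["tx_bytes"] else 0.0
    within = all(MIN_EXPECTED_RATIO <= r <= MAX_EXPECTED_RATIO
                 for r in (rx_ratio, tx_ratio))
    verdict = ("consistent" if within
               else "traffic on %s not accounted for by %s" % (phys, tun))
    return {"rx_ratio": rx_ratio, "tx_ratio": tx_ratio, "verdict": verdict}


def absolute_ratio(stats, tun="tun1", phys="ens3"):
    """The misleading comparison from the thread: lifetime rx byte totals,
    which diverge as soon as the tunnel has been restarted since boot."""
    return stats[tun]["rx_bytes"] / stats[phys]["rx_bytes"]


if __name__ == "__main__":
    t0 = parse_proc_net_dev(SNAPSHOT_T0)
    t1 = parse_proc_net_dev(SNAPSHOT_T1)
    print("lifetime tun1/ens3 rx ratio (misleading):", absolute_ratio(t0))
    print("interval check:", tunnel_consistency(t0, t1))
```

On a live host the two snapshots would be read from /proc/net/dev (or `ip -s link`) a minute or so apart; the lifetime ratio in the sample is 0.02, which is the "vast bulk over ens3" picture the poster saw, while the interval ratio is 0.95, consistent with all but the encapsulation overhead going through the tunnel.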
