New 'magic' in topology subnet ?


Post by snspinn » Tue Feb 16, 2021 6:12 pm

Firstly, apologies if this is not as thoroughly researched as should be. I'm not asking for a solution (my setup works now) but I'm curious as to why my setup works.

Simply put, I have been using an openvpn server for some time now to connect two subnets. I was using the default topology for the tunnel IP addresses but after reading about the capabilities of 'subnet' I decided that I'd give it a whirl the next time I had to spin up a new setup.
That day was today.

On setting up the new server, I kept all the variables the same as my previous setup (auth types, OS (Ubuntu 18), subnets (mostly)), but included the line

    topology subnet

in my server configuration. I dutifully also ran some iptables commands that were essential in my previous config to get my local machine talking to machines on the other side of the tunnel. The tunnel came up OK and I can see the beautiful sight of no wasted IPs in my ipp.txt, ahhhh 8-) ... but then... what's this?!? DISASTER! I cannot ping any machine on the far side of my tunnel! (or vice versa)

Several hours of troubleshooting later:
I decided to remove iptables persistence (one slight difference to the previous setup) and reboot, ergo flushing my iptables. Upon trying to ping across the tunnel, without adding any iptables rules... it worked.

I see nothing fancy in my iptables that OpenVPN may have added so my question is, how does this work without iptables forwarding and postrouting explicitly set?
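The three things the post is juggling (net.ipv4.ip_forward, the FORWARD chain and a POSTROUTING masquerade) can be audited from an iptables-save dump, which also shows why a rebooted host with no rule persistence passes transit traffic: the FORWARD policy is back at the kernel default ACCEPT. This is an added example, not code from the thread or from OpenVPN; the two dumps, the interface names tun0 and eth0, and the 10.8.0.0/24 range are constructed.

```shell
# Added example, not from the thread: audit an iptables-save dump for what a
# routed OpenVPN site-to-site tunnel needs. Dumps and interface names are constructed.
# check_forwarding DUMP IP_FORWARD TUN_IF  (ruleset text, net.ipv4.ip_forward value, tun name)
# Prints one finding per line; returns 0 when transit traffic can pass.
check_forwarding() {
    dump=$1; ipfwd=$2; tun=$3; rc=0
    if [ "$ipfwd" != "1" ]; then
        echo "FAIL: ip_forward=0, kernel will not route between $tun and the LAN"
        rc=1
    fi
    # Chain policy applies when no rule matches (ACCEPT on a freshly flushed box).
    policy=$(printf '%s\n' "$dump" | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p' | head -n 1)
    if printf '%s\n' "$dump" | grep -q -- "^-A FORWARD .*-i $tun .*-j ACCEPT" &&
       printf '%s\n' "$dump" | grep -q -- "^-A FORWARD .*-o $tun .*-j ACCEPT"; then
        echo "OK: explicit FORWARD accept rules cover both directions on $tun"
    elif [ "$policy" = "ACCEPT" ]; then
        echo "OK: FORWARD policy is ACCEPT, so no tunnel rule is needed"
    else
        echo "FAIL: FORWARD policy ${policy:-unknown} and no two-way accept rules for $tun"
        rc=1
    fi
    # MASQUERADE hides LAN sources; without it both sides need return routes.
    natif=$(printf '%s\n' "$dump" | sed -n 's/^-A POSTROUTING .*-o \([^ ]*\) .*-j MASQUERADE.*/\1/p' | head -n 1)
    if [ -n "$natif" ]; then
        echo "INFO: MASQUERADE on $natif; far side sees this host, not LAN addresses"
    else
        echo "INFO: no MASQUERADE; each side needs a route back (iroute/push route)"
    fi
    return $rc
}
# Constructed: a rebooted host with no rule persistence (flushed tables).
FLUSHED=$(cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
)
# Constructed: stale masquerade rule plus a FORWARD chain open in one direction only.
MISMATCH=$(cat <<'EOF'
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
EOF
)
for d in "$FLUSHED" "$MISMATCH"; do check_forwarding "$d" 1 tun0; echo "exit status: $?"; done
```

Run it on a live box with `check_forwarding "$(iptables-save)" "$(sysctl -n net.ipv4.ip_forward)" tun0` to see which of the three conditions your current ruleset actually meets.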


Re: New 'magic' in topology subnet ?

Post by snspinn » Thu Feb 18, 2021 9:47 am

Hmmm, I'm thinking I didn't think this through enough before asking the question.

Seems I was following one Red Herring after another. I don't know if there's much point in giving a point by point breakdown but I suspect the reason the original connections/pings were failing was due to a mismatch in my iptables masquerading and firewall rules. Removing this left only one variable to correct. Can't say for sure though because I didn't take any detailed notes.

Moral of the story: Don't post questions to a problem, last thing in the day, before sleeping on it.
