
[Solved] Inbound port forwarding problem - Linux policy based routing

Posted: Wed Mar 11, 2015 6:55 pm
by HerrOtto
Hi, I have a problem; it would be great if anyone can help me. I have been trying for two days to get this running but had no luck ;-(

My problem: inbound port forwarding from my Internet router when running OpenVPN.

When I am away from home I usually use SSH to log into my machine. So I "dial in" by SSH to my public static IP on port 2222. This port forwards to my Linux desktop, port 22.

If I start OpenVPN this stops working. I guess that inbound traffic comes in via eth0 (192.168.220.1) and outbound traffic goes out through the VPN's tun0. Is there a way to keep the local net working?

Network Configuration:

{ Internet } -> [Router] -> [LinuxDesktop]
11.11.11.11 -> 192.168.220.1 -> 192.168.220.174
-> Port 2222 -> Port 22

VPN client Configuration:

client
dev tun
daemon
auth-retry nointeract
proto udp
remote de1.vpn.goldenfrog.com 1194
resolv-retry infinite
nobind
comp-lzo
reneg-sec 0
keepalive 10 60
persist-key
persist-tun
<ca>
...
</ca>

ifconfig:

eth0 Link encap:Ethernet Hardware Adresse 00:0d:b9:33:76:82
inet Adresse:192.168.220.174 Bcast:192.168.220.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1492 Metrik:1
RX packets:517 errors:0 dropped:0 overruns:0 frame:0
TX packets:492 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:54426 (53.1 KiB) TX bytes:44948 (43.8 KiB)
Interrupt:30

tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.24.2.56 P-z-P:10.24.2.56 Maske:255.255.0.0
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metrik:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:469 (469.0 B) TX bytes:293 (293.0 B)

route with openvpn on:

138.199.67.146 192.168.220.1 255.255.255.255 UGH 0 0 0 eth0
192.168.220.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.24.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
0.0.0.0 10.24.0.1 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.24.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.220.1 0.0.0.0 UG 0 0 0 eth0

Any idea?

Tim

Re: Inbound port forwarding problem

Posted: Thu Mar 12, 2015 7:22 am
by maikcat
If you search the forum, this is a common situation: you redirect all traffic via your server
and then try to access it using its public IP.

Answer: you have to use policy based routing on your server (if it's Linux it's relatively easy).

Michael.

Re: Inbound port forwarding problem

Posted: Thu Mar 12, 2015 10:59 am
by HerrOtto
Hi Michael,

yes, it's a common situation, but I've searched and tested a lot and found nothing. I cannot change the settings of my VPN provider. All public VPN providers I've tested handle it like this. Most of them use NAT too, so an external IP is no solution.

Is there a way to change the route metric, or to override this using iptables SNAT or DNAT?

Tim

Re: Inbound port forwarding problem

Posted: Thu Mar 12, 2015 12:53 pm
by maikcat
Typo on my behalf:
"answer: you have to use policy based routing on your server (if it's Linux it's relatively easy)"
on your client, I meant.

Search for policy based routing on Linux.

Basically you use the kernel's multiple routing table feature and, using the iptables mangle table,
you mark the packets you want to go outside the VPN, in your case
the responses to incoming SSH sessions.

Michael.

Re: Inbound port forwarding problem

Posted: Mon Oct 05, 2015 1:22 am
by thumbdriven
Yes, there is a way.

Michael is right. It's an issue of routing. The following commands should fix it right up.


sudo ip rule add from 192.168.220.174 table 128
sudo ip route add table 128 to 192.168.220.0/24 dev eth0
sudo ip route add table 128 default via 192.168.220.1
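As an added example (not part of thumbdriven's post), the three commands above wrapped in a small script: it first checks a `route -n` style listing for the two half-default routes that OpenVPN's redirect-gateway def1 installs (the 0.0.0.0/1 and 128.0.0.0/1 lines via tun0 in the original post), then applies the policy-routing rule idempotently, with a dry-run mode. The addresses, interface name and table number 128 are taken from the thread; the sample routing listing is constructed from the original post.

```bash
#!/bin/sh
# Addresses from the thread. Table 128 is an arbitrary unused table id (1-252).
LAN_IP=192.168.220.174
LAN_NET=192.168.220.0/24
LAN_GW=192.168.220.1
LAN_IF=eth0
TABLE=128

# Constructed sample: the poster's `route -n` output with OpenVPN up.
SAMPLE_ROUTES='138.199.67.146 192.168.220.1 255.255.255.255 UGH 0 0 0 eth0
192.168.220.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.24.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
0.0.0.0 10.24.0.1 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.24.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.220.1 0.0.0.0 UG 0 0 0 eth0'

# Print "yes" when the listing on stdin contains both /1 half-default routes
# on a tun device, i.e. the VPN has taken over the default route (def1 style).
detect_def1() {
    awk '$1=="0.0.0.0"   && $3=="128.0.0.0" && $8 ~ /^tun/ { lo = 1 }
         $1=="128.0.0.0" && $3=="128.0.0.0" && $8 ~ /^tun/ { hi = 1 }
         END { if (lo && hi) print "yes"; else print "no" }'
}

# The policy-routing commands: everything sourced from LAN_IP (replies to the
# forwarded SSH sessions) is looked up in TABLE, which only knows the LAN and
# the router as default. The main table with the tun0 routes is untouched, so
# traffic sourced from the VPN address (10.24.x.x) still leaves through tun0.
pbr_commands() {
    printf 'ip rule add from %s table %s\n' "$LAN_IP" "$TABLE"
    printf 'ip route add table %s %s dev %s\n' "$TABLE" "$LAN_NET" "$LAN_IF"
    printf 'ip route add table %s default via %s dev %s\n' "$TABLE" "$LAN_GW" "$LAN_IF"
}

# Apply the commands, skipping if the rule already exists so this can run from
# an OpenVPN --up hook repeatedly. DRY_RUN=1 only prints what would be run.
pbr_apply() {
    if ip rule show 2>/dev/null | grep -q "from $LAN_IP lookup $TABLE"; then
        echo "rule from $LAN_IP -> table $TABLE already present"
        return 0
    fi
    pbr_commands | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $cmd"; else sh -c "$cmd"; fi
    done
}

# Caveat: a process that explicitly binds to LAN_IP also leaves via eth0,
# outside the tunnel; only traffic sourced from the tun0 address uses the VPN.
```

The rule and table do not survive a reboot or a tun0 restart, so run the script from an OpenVPN `--up` hook or your network configuration rather than once by hand.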

Re: Inbound port forwarding problem

Posted: Tue May 17, 2016 11:41 am
by CyberInferno
thumbdriven wrote: Yes, there is a way.

Michael is right. It's an issue of routing. The following commands should fix it right up.


sudo ip rule add from 192.168.220.174 table 128
sudo ip route add table 128 to 192.168.220.0/24 dev eth0
sudo ip route add table 128 default via 192.168.220.1
Thank you very much for this response. This is much simpler than the other methods which require marking traffic and specifying individual ports, and it got the job done.

Re: Inbound port forwarding problem

Posted: Tue May 17, 2016 11:55 am
by Traffic
The Linux Documentation Project has a policy based routing example:
http://www.tldp.org/HOWTO/Adv-Routing-H ... imple.html