On Thu, 15 Oct 2015 10:49:09 -0400, Selva Nair wrote:
> At least the output is different with the rule in place. My guess: the
> packets are going out with source address of eth0 (192.168.0.2) and your
> VPN server is not set up to NAT them.
>
> Try this
>
> traceroute -n -s 10.211.1.33 8.8.8.8
>
> If that works you may need to use SNAT to rewrite the source address.
>
> Selva
See the test results:
$ traceroute -n -s 10.211.55.57 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
The corresponding relative configurations:
$ ip route show table openvpn
default via 10.211.55.58 dev tun-gfwlist
$ ip rule list
0: from all lookup local
32765: from all fwmark 0xc8 lookup openvpn
32766: from all lookup main
32767: from all lookup default
$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Oct 16 07:42:54 2015
*mangle
:PREROUTING ACCEPT [741:124514]
:INPUT ACCEPT [741:124514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1117:110622]
:POSTROUTING ACCEPT [1117:110622]
-A PREROUTING -i eth0 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i tun0 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i tun0 -j MARK --set-xmark 0x0/0xffffffff
-A OUTPUT -d 8.8.8.8/32 -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
# Completed on Fri Oct 16 07:42:54 2015
# Generated by iptables-save v1.4.21 on Fri Oct 16 07:42:54 2015
*filter
:INPUT ACCEPT [3371:417658]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4852:619395]
COMMIT
# Completed on Fri Oct 16 07:42:54 2015
$ sudo ifconfig
eth0 Link encap:Ethernet HWaddr 0c:c4:7a:6a:f7:f0
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1287 errors:0 dropped:0 overruns:0 frame:0
TX packets:2799 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:218764 (213.6 KiB) TX bytes:463301 (452.4 KiB)
Memory:de200000-de27ffff
eth1 Link encap:Ethernet HWaddr 0c:c4:7a:6a:f7:f1
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:de100000-de17ffff
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2023 errors:0 dropped:0 overruns:0 frame:0
TX packets:2023 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:195303 (190.7 KiB) TX bytes:195303 (190.7 KiB)
tun-gfwlist Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.211.55.57 P-t-P:10.211.55.58 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:94 errors:0 dropped:0 overruns:0 frame:0
TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:29628 (28.9 KiB) TX bytes:5400 (5.2 KiB)
Why is it such a tricky thing?
Regards
--
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.
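
Added example, not part of the original message: a small Python check of the output above for the two pieces the quoted suggestion depends on, namely that the mark matched by the `fwmark 0xc8` rule is set in mangle OUTPUT and that a nat POSTROUTING rule rewrites the source address on the tunnel device. The function names are hypothetical and the input strings are constructed from the lines pasted in the message.

```python
import re

# Constructed input: the relevant lines from the output pasted in the message.
IP_RULES = "32765: from all fwmark 0xc8 lookup openvpn\n32766: from all lookup main\n"
ROUTES = {"openvpn": "default via 10.211.55.58 dev tun-gfwlist"}
IPTABLES_SAVE = """*mangle
-A PREROUTING -i eth0 -j MARK --set-xmark 0x0/0xffffffff
-A OUTPUT -d 8.8.8.8/32 -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
*filter
COMMIT
"""

def parse_tables(save_text):
    """Return {table: [tokenized rule, ...]} from iptables-save output."""
    tables, current = {}, None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line.split())
    return tables

def sets_mark(rule, mark):
    """True if a mangle OUTPUT rule sets exactly this firewall mark."""
    if rule[1] != "OUTPUT":
        return False
    for opt in ("--set-xmark", "--set-mark"):
        if opt in rule:
            return int(rule[rule.index(opt) + 1].split("/")[0], 16) == mark
    return False

def rewrites_source(rule, dev):
    """True if a nat POSTROUTING rule does SNAT/MASQUERADE on this device."""
    return (rule[1] == "POSTROUTING" and "-o" in rule and "-j" in rule
            and rule[rule.index("-o") + 1] == dev
            and rule[rule.index("-j") + 1] in ("SNAT", "MASQUERADE"))

def audit(ip_rules, routes, save_text):
    """One finding per fwmark rule: is the mark set, is the source rewritten?"""
    tables = parse_tables(save_text)
    findings = []
    for m in re.finditer(r"fwmark (0x[0-9a-f]+) lookup (\S+)", ip_rules):
        mark, table = int(m.group(1), 16), m.group(2)
        dev = re.search(r"\bdev (\S+)", routes.get(table, ""))
        dev = dev.group(1) if dev else None
        findings.append({"mark": mark, "table": table, "dev": dev,
            "marked_in_output": any(sets_mark(r, mark) for r in tables.get("mangle", [])),
            "source_nat": any(rewrites_source(r, dev) for r in tables.get("nat", []))})
    return findings
```

On the pasted configuration this reports that the mark is set in OUTPUT but that no nat rule covers tun-gfwlist, since iptables-save lists only the mangle and filter tables. It says nothing about whether the VPN server forwards or NATs the traffic.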