OpenVPN Routing issue.


#1

Ok, I have an OpenVPN site-to-site configuration

10.42.0.0/24 -> vyos -> Ubiquity -> 10.42.42.0/24

I have openvpn setup with interfaces 10.255.1.1 and 10.255.1.2

Both vyos & ubiquity can see the OpenVPN IP’s and the entire subnets on both ends.

When I try pinging 10.42.0.100 from 10.42.42.6 I can see the pings coming in, and on the vyos router, I can see the replys coming in on the ethernet interface, but the problem is that it is not passing the packet back into the tunnel.

I’ve looked into NAT and included a SNAT exclude:

source { rule 5 { destination { address 10.42.42.0/24 } exclude outbound-interface eth0 source { address 10.42.0.0/24 } }
rule 10 { outbound-interface eth0 source { address 10.42.0.0/24 } translation { address masquerade } } }

and traced the packet flow through IP Tables, where it seems to die after the Filter/FORWARD table and disappears in the routing decision

default via 38.XXX.XXX.2 dev eth0 proto zebra
10.42.0.0/24 dev eth1 proto kernel scope link src 10.42.0.1
10.42.42.0/24 dev vtun1 proto zebra scope link
10.255.1.1 dev vtun1 scope link
10.255.1.2 dev vtun1 proto kernel scope link src 10.255.1.1
38.XXX.XXX.0/24 dev eth0 proto kernel scope link src 38.XXX.XXX.42
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1

4: vtun1: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.255.1.1 peer 10.255.1.2/32 scope global vtun1
valid_lft forever preferred_lft forever

vyos@vyos# sudo /sbin/iptables -t nat -L -n -v -x
Chain PREROUTING (policy ACCEPT 52 packets, 4767 bytes)
pkts bytes target prot opt in out source destination
117 11307 VYATTA_PRE_DNAT_HOOK all – * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 46 packets, 4263 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 574 packets, 34464 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 580 packets, 34968 bytes)
pkts bytes target prot opt in out source destination
1150 69398 VYATTA_PRE_SNAT_HOOK all – * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all – * eth0 10.42.0.0/24 10.42.42.0/24 /* SRC-NAT-5 /
0 0 MASQUERADE all – * eth0 10.42.0.0/24 0.0.0.0/0 /
SRC-NAT-10 */

Chain VYATTA_PRE_DNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
117 11307 RETURN all – * * 0.0.0.0/0 0.0.0.0/0

Chain VYATTA_PRE_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
1150 69398 RETURN all – * * 0.0.0.0/0 0.0.0.0/0

vyos@vyos# sudo /sbin/sysctl -p
kernel.printk = 4 4 1 7
net.ipv4.ip_forward = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.all.promote_secondaries = 1
net.core.rmem_max = 223232

Any help is appreciated… banging my head against the wall!


#2

Figured it out… was a conflict with an old IPSEC vpn that was configured…


#3

Glad that it solved :slight_smile: