OpenVPN routing problems.
David Scheidt
dscheidt at panix.com
Mon Nov 28 04:32:32 GMT 2005
I'm trying to set up an OpenVPN tunnel, from a remote (Win XP)
machine to my local network. I've got that working, except for one
problem. When I start the OpenVPN server, my FreeBSD
router/firewall/ipnat/OpenVPN machine stops routing packets to the
outside world. The machine is running 6.0-STABLE from about a week
ago:
FreeBSD tor 6.0-STABLE FreeBSD 6.0-STABLE #1: Mon Nov 21 23:06:14 EST 2005 root at tor:/usr/obj/usr/src/sys/TOR i386
though I built world before the new kernel, and it's a slow machine,
so sources are at least 16 hours older than that.
It's a pretty un-complicated network: the router has two NICs, rl0 is
the real world, rl1 is the private network. Ipfilter has this rule
set (10.10.10.169 is the (munged) public IP address, 172.21.172.0/24 is
the private LAN, and 172.21.173.0/24 is the VPN subnet):
block in log first quick on rl0 from 192.168.0.0/16 to any
block in log first quick on rl0 from 172.16.0.0/12 to any
block in log first quick on rl0 from 127.0.0.0/8 to any
block in log first quick on rl0 from 0.0.0.0/8 to any
block in log first quick on rl0 from 169.254.0.0/16 to any
block in log first quick on rl0 from 192.0.2.0/24 to any
block in log first quick on rl0 from 204.152.64.0/23 to any
block in log first quick on rl0 from 224.0.0.0/3 to any
block in log first quick on rl0 from 10.0.0.0/8 to any
block in log first on rl0 from any to any
pass in quick on tun0
pass out quick on tun0
pass in quick on rl0 proto tcp from any to 10.10.10.169/32 port = 22 flags S keep state
pass in quick on rl0 proto udp from any to 10.10.10.169/32 port = 1194 keep state
pass out quick on rl0 proto tcp from 172.21.172.0/24 to any flags S keep state
pass out quick on rl0 proto udp from 172.21.172.0/24 to any keep state
pass out quick on rl0 proto icmp from 172.21.172.0/24 to any keep state
pass out quick on rl0 proto tcp from 10.10.10.169/32 to any flags S keep state
pass out quick on rl0 proto udp from 10.10.10.169/32 to any keep state
pass out quick on rl0 proto icmp from 10.10.10.169/32 to any keep state
ipnat has one rule:
map rl0 172.21.172.0/24 -> 0/32 portmap tcp/udp auto
The output of netstat -rn before starting the OpenVPN server:
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.10.10.129 UGS 0 4399 rl0
127.0.0.1 127.0.0.1 UH 0 88 lo0
10.10.10.128/26 link#1 UC 0 0 rl0
10.10.10.129 00:09:e9:b5:2f:fc UHLW 2 0 rl0 1160
172.21.172/24 link#2 UC 0 0 rl1
172.21.172.5 00:30:c1:0e:14:8f UHLW 1 1 rl1 781
172.21.172.8 00:0d:88:c9:d2:99 UHLW 1 167 rl1 366
172.21.172.9 00:11:24:bc:d1:cd UHLW 1 965 rl1 657
172.21.172.100 00:11:24:9f:2d:dd UHLW 1 1245 rl1 705
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%rl0/64 link#1 UC rl0
fe80::211:95ff:fe1c:2992%rl0 00:11:95:1c:29:92 UHL lo0
fe80::%rl1/64 link#2 UC rl1
fe80::250:baff:fed1:8d6c%rl1 00:50:ba:d1:8d:6c UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#4 UHL lo0
ff01:1::/32 link#1 UC rl0
ff01:2::/32 link#2 UC rl1
ff01:4::/32 ::1 UC lo0
ff02::%rl0/32 link#1 UC rl0
ff02::%rl1/32 link#2 UC rl1
ff02::%lo0/32 ::1 UC lo0
The output of netstat -rn after starting OpenVPN:
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.10.10.129 UGS 0 6544 rl0
127.0.0.1 127.0.0.1 UH 0 128 lo0
10.10.10.128/26 link#1 UC 0 0 rl0
10.10.10.129 00:09:e9:b5:2f:fc UHLW 2 0 rl0 1134
172.21.172/24 link#2 UC 0 0 rl1
172.21.172.5 00:30:c1:0e:14:8f UHLW 1 1 rl1 199
172.21.172.8 00:0d:88:c9:d2:99 UHLW 1 75 rl1 1164
172.21.172.9 00:11:24:bc:d1:cd UHLW 1 977 rl1 75
172.21.172.100 00:11:24:9f:2d:dd UHLW 1 2145 rl1 123
172.21.173/24 172.21.173.2 UGS 0 57 tun0
172.21.173.2 172.21.173.1 UH 1 0 tun0
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%rl0/64 link#1 UC rl0
fe80::211:95ff:fe1c:2992%rl0 00:11:95:1c:29:92 UHL lo0
fe80::%rl1/64 link#2 UC rl1
fe80::250:baff:fed1:8d6c%rl1 00:50:ba:d1:8d:6c UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#4 UHL lo0
fe80::%tun0/64 link#5 UC tun0
fe80::211:95ff:fe1c:2992%tun0 link#5 UHL lo0
ff01:1::/32 link#1 UC rl0
ff01:2::/32 link#2 UC rl1
ff01:4::/32 ::1 UC lo0
ff01:5::/32 link#5 UC tun0
ff02::%rl0/32 link#1 UC rl0
ff02::%rl1/32 link#2 UC rl1
ff02::%lo0/32 ::1 UC lo0
ff02::%tun0/32 link#5 UC tun0
Again, what happens is the FreeBSD machine stops forwarding packets from the
172.21.172/24 machines. It can talk to the world, the private LAN, and the
VPN client. The private LAN can talk to the router, and to the VPN client.
And I can't get it to restart. Deleting routes and adding them back
doesn't work. net.inet.ip.forwarding is still 1. The only way I can
get it to start working again is reboot the machine.
I'm stuck, I think.
David
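The post compares two `netstat -rn` snapshots by eye. The script below is an added example (not part of the original mail or of OpenVPN/FreeBSD) that does the comparison mechanically: it parses the IPv4 section of FreeBSD-style `netstat -rn` output taken before and after a daemon starts, lists routes that appeared, disappeared or changed gateway/interface, and flags whether the default route was touched. The two tables embedded in it are copied from the post above; the parser assumes the column order `Destination Gateway Flags Refs Use Netif [Expire]` shown there and ignores the volatile Refs/Use/Expire columns.

```python
"""Diff two FreeBSD `netstat -rn` snapshots and report what a daemon changed.

Added example for the "routing breaks when OpenVPN starts" question:
capture the table before and after the daemon comes up, then compare.
Only the IPv4 ("Internet:") section is compared, since the problem is
IPv4 forwarding. Sample tables below are copied from the mailing-list post.
"""
from dataclasses import dataclass

# Snapshot from the post, before OpenVPN was started.
BEFORE = """Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.10.10.129 UGS 0 4399 rl0
127.0.0.1 127.0.0.1 UH 0 88 lo0
10.10.10.128/26 link#1 UC 0 0 rl0
10.10.10.129 00:09:e9:b5:2f:fc UHLW 2 0 rl0 1160
172.21.172/24 link#2 UC 0 0 rl1
172.21.172.5 00:30:c1:0e:14:8f UHLW 1 1 rl1 781
172.21.172.8 00:0d:88:c9:d2:99 UHLW 1 167 rl1 366
172.21.172.9 00:11:24:bc:d1:cd UHLW 1 965 rl1 657
172.21.172.100 00:11:24:9f:2d:dd UHLW 1 1245 rl1 705
Internet6:
::1 ::1 UH lo0
"""

# Snapshot from the post, after OpenVPN was started.
AFTER = """Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.10.10.129 UGS 0 6544 rl0
127.0.0.1 127.0.0.1 UH 0 128 lo0
10.10.10.128/26 link#1 UC 0 0 rl0
10.10.10.129 00:09:e9:b5:2f:fc UHLW 2 0 rl0 1134
172.21.172/24 link#2 UC 0 0 rl1
172.21.172.5 00:30:c1:0e:14:8f UHLW 1 1 rl1 199
172.21.172.8 00:0d:88:c9:d2:99 UHLW 1 75 rl1 1164
172.21.172.9 00:11:24:bc:d1:cd UHLW 1 977 rl1 75
172.21.172.100 00:11:24:9f:2d:dd UHLW 1 2145 rl1 123
172.21.173/24 172.21.173.2 UGS 0 57 tun0
172.21.173.2 172.21.173.1 UH 1 0 tun0
Internet6:
::1 ::1 UH lo0
"""


@dataclass(frozen=True)
class Route:
    """The stable part of a routing entry; Refs/Use/Expire are deliberately dropped."""
    gateway: str
    flags: str
    netif: str


def parse_netstat_rn(text: str) -> dict:
    """Return {destination: Route} for the IPv4 section of `netstat -rn` output."""
    routes = {}
    in_v4 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break  # IPv6 section follows; not compared here
        if not in_v4 or line.startswith("Destination"):
            continue
        cols = line.split()
        if len(cols) < 6:  # Expire column is optional, the first six are not
            continue
        routes[cols[0]] = Route(gateway=cols[1], flags=cols[2], netif=cols[5])
    return routes


def diff_routes(before: dict, after: dict) -> dict:
    """Summarise what changed between two parsed tables."""
    common = set(before) & set(after)
    changed = sorted(d for d in common if before[d] != after[d])
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": changed,
        # A rewritten or vanished default route is the first thing to suspect
        # when a box "stops talking to the outside world".
        "default_changed": ("default" in changed) or (("default" in before) != ("default" in after)),
        "new_interfaces": sorted({after[d].netif for d in set(after) - set(before)}),
    }


if __name__ == "__main__":
    result = diff_routes(parse_netstat_rn(BEFORE), parse_netstat_rn(AFTER))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the two tables from the post it reports only two additions, both on tun0, and no change to the default route, which narrows the fault to something other than the kernel routing table itself (for example the filter or NAT state on rl0, or the tun0 pass rules).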