Hi,

On 09/02/15 21:06, Jeff Mitchell wrote:
> On Mon, Feb 9, 2015 at 3:00 PM, Gert Doering <g...@greenie.muc.de> wrote:
>> Well, the program *is* behaving correctly - it's being talked to, and it
>> responds. It has no way to "properly" respond with anything else than
>> the address it was connected on, and programs have no influence on routing...
>>
>> You can work around this by using "ip rule" settings to force packets
>> sourced from eth0 out the LAN default gateway, but it might not be worth
>> the effort if everything else is working well enough.
> Sorry, I didn't mean to suggest it wasn't behaving correctly in an
> "it's a bug" sense, I simply mean not behaving according to what I
> want -- which may mean that I have something bound to eth0 when I need
> to tell it to bind to tun0 instead. Problem could well be me, just
> need to figure out what it is :-)
>
>> NAT table entries expiring, or NAT rules being reloaded and flushing state
>> at that.
> If it's either of those things, I probably won't have much luck asking
> VirtualBox not to do that, so the fix you guys have coming up sounds
> nice...
>
>>> Regardless, I could potentially try out TLS floating as suggested --
>>> can you point towards any documentation about it (or perhaps the man
>>> page in git master is already up-to-date)?
>> It will just magically happen (git master on server, git master or 2.3.6
>> on client), but is not working correctly yet for some corner cases so
>> there will be some more commits upcoming. When 2.3.7 is released (soon)
>> everything should work nicely.
> Great. I will try the tcpdump now but if it seems to be what you
> suspect then I will try building from git master and let you guys know
> if it helped or not (and help you debug if not).
>
As you're on Linux it's also trivial to block such traffic from entering tun0
at all (on the client side):

  iptables -I INPUT -i tun+ -s 10.0.0.0/8 -j DROP
  iptables -I FORWARD -o tun+ -s 10.0.0.0/8 -j DROP

or something similar - that way, you'll know if the 'bad source' traffic is
causing the disconnects.

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
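As an added example, not part of JJK's reply or of OpenVPN itself: a small Python check that applies the same "bad source" test offline to `tcpdump -n` lines captured on the tun interface, flagging packets whose source falls inside the 10.0.0.0/8 prefix that the iptables rules above would drop. The capture lines and every address in them are constructed, and the parser assumes tcpdump's default text output on a tun device (no link-layer header).

```python
import ipaddress
import re

# Assumed tcpdump -n format on a tun interface (no link-layer header):
#   "HH:MM:SS.usec IP src[.port] > dst[.port]: proto ..."
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+?):")

# The prefix JJK's iptables rules drop on tun+; the VPN subnet in the
# constructed sample is deliberately outside it so only stray traffic matches.
BAD_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]


def split_host(token):
    """Strip an optional trailing .port from a tcpdump IPv4 address token."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def parse_line(line):
    """Return (src, dst) for a tcpdump IP line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return split_host(m.group(1)), split_host(m.group(2))


def flag_bad_source(lines, bad_sources=BAD_SOURCES):
    """Return [(src, dst)] for packets whose source lies in a dropped prefix."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # not an address we can classify (e.g. a hostname)
        if any(src_ip in net for net in bad_sources):
            hits.append((src, dst))
    return hits


# Constructed sample capture on tun0; 172.16.0.0/24 stands in for the VPN subnet.
SAMPLE = """\
21:06:01.000001 IP 172.16.0.1.1194 > 172.16.0.6.43210: UDP, length 93
21:06:01.000002 IP 10.0.2.15 > 172.16.0.6: ICMP echo reply, id 4, seq 1, length 64
21:06:01.000003 IP 10.0.2.3.53 > 172.16.0.6.51000: 1234 1/0/0 A 203.0.113.5 (60)
21:06:01.000004 IP 172.16.0.6.43210 > 172.16.0.1.1194: UDP, length 77
""".splitlines()

if __name__ == "__main__":
    for src, dst in flag_bad_source(SAMPLE):
        print(f"source in dropped prefix seen on tun: {src} -> {dst}")
```

Feed it a real capture with `tcpdump -ni tun0 > capture.txt` and pass the file's lines to `flag_bad_source`; a non-empty result before the DROP rules and an empty one after them confirms the rules are catching the traffic JJK describes.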