Hi,

On Fri, Jul 10, 2015 at 11:36:22AM +0000, Bonno Bloksma wrote:
> Trying to understand why my Linux machine with the openvpn client is sending
> packets with one of its local addresses via the tunnel to the other side.
>
> Fri Jul 10 12:11:51 2015 us=741813 m.duthler-lan/82.217.xxx.yyy:zzzz MULTI:
> bad source address from client [192.168.178.5], packet dropped
>
> How do I debug this? Or maybe I already understand what is happening, but in
> that case how to prevent it?

This is actually a good question.

Normally, "the kernel" takes care of this - so if you send a packet towards
an address routed via VPN, it will pick the VPN interface's IP address as
source, and for packets sent "to the wild Internet", the outgoing interface.

In this case, "something" seems to bind() to the non-VPN interface, and use
that socket for all queries - which is not a useful thing to do.

Are you running nscd? If not, it's "the client's resolver library" (glibc
or whatever the client is using)...

[..]
> How can I convince this Debian Linux machine to use its local 172.16.18.1
> address when doing a dns request to one of the 172.16.x.y dns servers?

You could force it by setting up a masquerade rule (NAT) on the tun
interface... "if wrong source address, just -j MASQ", but that stinks.

Can't really tell you why it's happening in the first place.

[..]
> linmwd:~# ip route
> default via 192.168.178.1 dev eth1
> 172.16.0.0/16 via 172.16.1.141 dev tun0
> 172.16.1.129 via 172.16.1.141 dev tun0
> 172.16.1.141 dev tun0 proto kernel scope link src 172.16.1.142
> 172.16.18.0/24 dev eth0 proto kernel scope link src 172.16.18.1
> 192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.5
> linmwd:~#

I'm wondering if maybe adding the routes toward tun0 with an explicit
"src 172.16.1.142" might help as well - but then, it should not be
necessary given normal source address selection rules...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
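Added illustration, not part of Gert's mail or of OpenVPN's own code: a small Python emulation of the route lookup and source-address selection Gert describes, run against the routing table quoted above. The ROUTE_TABLE string is copied from the quoted "ip route" output; the lookup rules are the standard Linux ones (longest prefix match, then the matched route's own "src" hint, otherwise the primary address of the outgoing device). The CLIENT_OWNED list and the function names are my own assumptions: it models what the server's "MULTI: bad source address" check does (drop a packet whose source is neither the client's tunnel address nor a network routed to it), since the mail only shows the resulting log line.

```python
import ipaddress

# Routing table copied from the quoted "linmwd:~# ip route" output in the mail.
ROUTE_TABLE = """\
default via 192.168.178.1 dev eth1
172.16.0.0/16 via 172.16.1.141 dev tun0
172.16.1.129 via 172.16.1.141 dev tun0
172.16.1.141 dev tun0 proto kernel scope link src 172.16.1.142
172.16.18.0/24 dev eth0 proto kernel scope link src 172.16.18.1
192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.5
"""

# Constructed assumption: what the server considers "this client's" sources,
# i.e. its tunnel address plus a network routed to it (iroute).  The mail
# only shows the server's "bad source address" complaint, not its config.
CLIENT_OWNED = [ipaddress.ip_network(n) for n in ("172.16.1.142/32", "172.16.18.0/24")]


def parse_routes(text):
    """Turn 'ip route' lines into dicts with net/via/dev/src."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        dst = "0.0.0.0/0" if words[0] == "default" else words[0]
        route = {"net": ipaddress.ip_network(dst, strict=False),  # host routes carry no /len
                 "via": None, "dev": None, "src": None}
        for key in ("via", "dev", "src"):
            if key in words:
                route[key] = words[words.index(key) + 1]
        routes.append(route)
    return routes


def primary_addresses(routes):
    """Device -> primary address, as learned from the kernel's connected routes."""
    return {r["dev"]: r["src"] for r in routes if r["via"] is None and r["src"]}


def route_get(routes, dst):
    """Emulate 'ip route get DST': longest-prefix match, then source selection.

    Source = the matched route's own 'src' hint if present, else the primary
    address of the outgoing device.  That is the normal kernel rule Gert means.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    best = max(matches, key=lambda r: r["net"].prefixlen)
    src = best["src"] or primary_addresses(routes).get(best["dev"])
    return {"dev": best["dev"], "via": best["via"], "src": src}


def explain_source(routes, dst, observed_src):
    """Compare the source seen in the server log with what routing alone would pick."""
    if observed_src == route_get(routes, dst)["src"]:
        return "routing"   # kernel source selection explains the address
    return "bind"          # an application must have bound that address itself


def server_accepts(src):
    """Model of the server-side check behind 'MULTI: bad source address'."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CLIENT_OWNED)


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("172.16.5.5", "172.16.1.129", "172.16.18.20", "8.8.8.8"):
        print(dst, route_get(routes, dst))
    # The logged source 192.168.178.5 cannot come from routing for a 172.16.x.y
    # destination, so some process bound to eth1's address explicitly.
    print(explain_source(routes, "172.16.5.5", "192.168.178.5"))
    print(server_accepts("192.168.178.5"), server_accepts("172.16.18.1"))
    # Gert's idea: an explicit "src" on the tun0 route overrides device selection.
    hinted = ROUTE_TABLE.replace("172.16.0.0/16 via 172.16.1.141 dev tun0",
                                 "172.16.0.0/16 via 172.16.1.141 dev tun0 src 172.16.18.1")
    print(route_get(parse_routes(hinted), "172.16.5.5"))
```

On the real box the same lookup is `ip route get 172.16.x.y`, which prints the `src` the kernel would use; if that already shows 172.16.1.142 while the server logs 192.168.178.5, the route table is not the culprit and the socket itself is bound, which `ss -anup` will show for UDP sockets together with the owning process.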
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users