I have a properly working server and client (both 2.3.11) passing traffic mostly as expected, but have encountered some odd behavior I'm hoping someone can enlighten me about. I've tested the below on all three major platforms (as clients) with identical results.
Say we have a client server at 1.1.1.1 that is assigning client addresses in the 10.0.0.0/24 range and allows client-to-client traffic. It is not pushing a default route, but is pushing a LAN route (irrelevant, but 10.1.0.0/24). As expected, clients can reach each other - a netcat listener on 10.0.0.2 may be reached by 10.0.0.3.

If, however, one wishes to port-forward an external port (say tcp/1234 on 1.1.1.1) to an internal client (e.g., 10.0.0.2:1234), things get weird. Opening and forwarding the port is an easy exercise for the firewall on 1.1.1.1, and tcpdump on 10.0.0.2 shows SYNs arriving on the TUN or TAP device (I've tried both). They are not, however, delivered to the listening netcat. In terse form:

  # establish tunnels, remote clients are assigned addresses 10.0.0.2 and 10.0.0.3
  1.1.1.1:  forward tcp/1234 to 10.0.0.2:1234
  10.0.0.2: nc -vv -l -p 1234
  2.2.2.2:  nc 1.1.1.1 1234   (times out; tcpdump on 10.0.0.2 shows unrequited SYNs from 2.2.2.2 to 10.0.0.2:1234)
  10.0.0.3: nc 10.0.0.2 1234  (works)

We don't appear to be seeing a case of asymmetric routing, because a packet capture of all interfaces on 10.0.0.2 shows no response going out any interface. The -vv option on netcat should also report as soon as a connection is made, and it remains silent until the connection from 10.0.0.3. Setting --verb 9 provides zero insight; there appear to be no errors as those packets from 2.2.2.2 arrive.

If, however, I advertise a default route over the tunnel, this works. I also suspect that if I advertised a route to 2.2.2.2, it would also work.

Any guesses as to why this is? I've started to trace through the code in an attempt to figure this out, but any pointers or answers would be extremely welcome.

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
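The post's three observations (fails with only the VPN and LAN routes, works with a default route over the tunnel, probably works with a route to 2.2.2.2) all turn on which interface the client at 10.0.0.2 would pick to reply to the SYN's source. Added illustration, not from the post or from OpenVPN: a longest-prefix route lookup over the routes described, used to check whether the reply to a SYN that arrived on the tunnel would leave on the same interface. Interface names, the client's own LAN/default routes, and the 0.0.0.0/1 + 128.0.0.0/1 pair (how OpenVPN's redirect-gateway def1 installs a default over the tunnel) are assumptions.

```python
import ipaddress

# Routing table of the client at 10.0.0.2 as the post describes it.
# Constructed sample; interface names and the eth0 routes are assumptions.
BASE_ROUTES = [
    ("10.0.0.0/24", "tun0"),     # VPN subnet, client-to-client traffic
    ("10.1.0.0/24", "tun0"),     # LAN route pushed by the server
    ("192.168.1.0/24", "eth0"),  # assumed: the client's own local network
    ("0.0.0.0/0", "eth0"),       # assumed: the client's normal default route
]

# Variant 1: a default route advertised over the tunnel (def1-style split).
WITH_DEFAULT_OVER_TUN = BASE_ROUTES + [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]

# Variant 2: only a host route to the external peer 2.2.2.2 over the tunnel.
WITH_HOST_ROUTE = BASE_ROUTES + [("2.2.2.2/32", "tun0")]


def lookup(routes, dst):
    """Longest-prefix match: egress interface for dst, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_path_symmetric(routes, src, ingress):
    """Would the reply to a packet from src, received on ingress, leave on
    ingress again?  This is the check the post does by hand with tcpdump on
    every interface of 10.0.0.2."""
    return lookup(routes, src) == ingress


def summarize(src="2.2.2.2", ingress="tun0"):
    """Reply interface for the forwarded SYN under each route set."""
    return {
        "base": lookup(BASE_ROUTES, src),
        "default_over_tun": lookup(WITH_DEFAULT_OVER_TUN, src),
        "host_route": lookup(WITH_HOST_ROUTE, src),
    }


if __name__ == "__main__":
    print(summarize())  # base: eth0, default_over_tun: tun0, host_route: tun0
```

A SYN from 10.0.0.3 stays symmetric under every variant, which matches the one case the post reports as working.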