From: Ralph <ra...@de...> - 2004-05-28 17:43:48
> i did it like you described but got an error at this point
> (i used my real addresses of course):
> # ip route add 1.2.3.4 via tun0 table lan2mailserver
> Error: an inet address is expected rather than "tun0"

oh, sorry. my error... it should be:

ip route add 1.2.3.4 via <ip-of-the-remote-tunnel-interface> dev tun0 table lan2mailserver

> both methods didn't work. the rule is saved correctly. but a traceroute
> shows me he is not using the tunnel.

from a computer in your lan (not the server itself?). Because this only routes these packets over the tun interface when the origin is the lan. The openvpn server itself uses its virtual ip on the tun interface for such communication, so because of that the source-based routing doesn't route the openvpn server itself over the tun interface when the destination is the other openvpn server.

> when i look up all ip routes:
> # ip route
> there is no entry with the specific ip route. i guess that's why it doesn't
> work. i don't even know if the route is saved correctly or where it is saved
> to look it up and check if it is right.

you can use:

ip route ls table lan2mailserver

to see the routes for the lan2mailserver table. With "ip route" you see the default table. This is used for everything, as long as there is no "rule" that says that another table is used for that. So, with the ip rule statement you told your linux router that it should use the lan2mailserver routing table for all packets from the lan to the external ip of your mailserver. For all other stuff the normal default routing table is used. With this it is also possible to route single pc's out of your lan over different links and stuff like this.

> fyi, i'm working with a 2.4.25 kernel, the iproute2-ss010824 debian-version
> and openvpn 1.6.0 i386-pc-linux-gnu.

have you added the "ip rule" statement? it is as important as the actual route entry.
You should see the rule with: "ip rule ls"

One thing I forgot to mention: This should only work in the routing (tun) mode, not with the bridge (tap) mode in openvpn.

Hmmm, maybe the remote side (the mailserver you want to reach) answers over the unsecured internet link. If so, you only need one source-based route on that side, too... But I don't think this is the problem you have.

It is quite easy to detect such problems. You can tcpdump on the tun device and on the internet-device (ppp or eth) and see what actually happens. maybe this tcpdump command is good for debugging your problem:

"tcpdump -i tun0 -n -n -v icmp"

and then ping the remote side from another console...

Maybe you are missing a forwarding rule for your firewall or something like that.

--Ralph
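The two pieces Ralph describes (the source-selecting "ip rule" and the route in the named table) together with the checks he suggests, as an added example that is not part of the original mail. The LAN subnet, mailserver address, tunnel peer address and table name are constructed placeholders, and using a named table assumes a matching line (e.g. "200 lan2mailserver") in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Source-based (policy) routing: send LAN -> mailserver traffic over the
# OpenVPN tun link, leave everything else on the default table.
# Constructed placeholder values; replace with your own.
LAN_NET="192.168.1.0/24"     # LAN behind the OpenVPN router
MAILSERVER="203.0.113.10"    # external IP of the remote mailserver
TUN_PEER="10.8.0.2"          # IP of the remote tunnel interface
TUN_DEV="tun0"
TABLE="lan2mailserver"       # needs an entry in /etc/iproute2/rt_tables

# Emit the commands one per line instead of running them, so they can be
# reviewed (or tested) without root. The rule only matches packets whose
# *source* is the LAN; the router's own traffic sources from its tun
# address and therefore still uses the default table.
policy_route_cmds() {
    printf '%s\n' \
        "ip rule add from $LAN_NET to $MAILSERVER table $TABLE" \
        "ip route add $MAILSERVER via $TUN_PEER dev $TUN_DEV table $TABLE" \
        "ip route flush cache"
}

# Verification: the rule shows up in "ip rule ls" and the route in the
# named table, not in plain "ip route"; tcpdump on the tun device shows
# whether pings from a LAN host actually take the tunnel.
policy_route_checks() {
    printf '%s\n' \
        "ip rule ls" \
        "ip route ls table $TABLE" \
        "tcpdump -i $TUN_DEV -n -v icmp"
}

# Apply for real only when explicitly asked and running as root.
apply_policy_routes() {
    [ "$(id -u)" -eq 0 ] || { echo "need root to apply" >&2; return 1; }
    policy_route_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1   # exit only leaves the pipeline's subshell
    done
}

case "${1:-}" in
    apply) apply_policy_routes ;;
    "")    policy_route_cmds; echo; policy_route_checks ;;
esac
```

Run without arguments to print the commands for review, or with "apply" as root to install the rule and route.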