From: Davide B. <da...@gm...> - 2010-05-10 17:19:24

On Monday 10 May 2010, john espiro wrote:
> My openvpn server runs on mydomain.com.
>
> When I am connected using redirect-gateway def1, I use tracert:
>
> tracert anydomain.com:
>
> 1 321 ms 199 ms 223 ms 10.8.0.1
> 2 219 ms 160 ms 153 ms 10.0.2.78
> 3 290 ms 258 ms 259 ms x.y.z.z
>
> That's great because it shows me that the traffic is being routed over the
> openvpn connection.
>
> Now, if I run:
> tracert mydomain.com, it returns:
>
> 1 1 ms 1 ms 1 ms 192.168.252.1
> 2 57 ms 144 ms 61 ms [90.129.85.1]
> 3 38 ms 29 ms 30 ms 192.168.18.185
>
> What would cause tracert for the openvpn server to travel over the local
> internet connection and not via openvpn?

That is normal. "Normal" packets are encapsulated into UDP and sent to the
server's public IP address, where they are decapsulated and routed (probably
after being NATed). But of course, to be able to send those UDP packets to the
server's public IP, the client must be told that packets to that address should
NOT be encapsulated.

In OpenVPN, when you use "redirect-gateway", this is done by creating a special
route to the OpenVPN server's public IP address, pointing to the client's
Internet gateway (i.e., the one it had before establishing the VPN connection).
If packets destined to the OpenVPN server were themselves encapsulated, you'd
have a loop, as each packet resulting after the encapsulation would have to be
encapsulated again, and again, etc.

"man openvpn" will explain in detail what happens when you use
"redirect-gateway def1".

--
D.
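As an added illustration (not part of Davide's reply or of OpenVPN's own code): a small Python model of the client's routing table after "redirect-gateway def1", using longest-prefix match to show why only the server's public IP leaves via the original gateway while everything else enters the tunnel. 10.8.0.1 and 192.168.252.1 are the gateways seen in the tracert output above; the server address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress

# Constructed values for the walk-through. 10.8.0.1 is the VPN-side gateway and
# 192.168.252.1 the client's pre-VPN Internet gateway (both from the tracert
# output in the thread); 203.0.113.10 is a documentation-range placeholder
# standing in for the OpenVPN server's public IP (mydomain.com).
VPN_GW = "10.8.0.1"
LOCAL_GW = "192.168.252.1"
SERVER_PUBLIC_IP = "203.0.113.10"


def build_routes(server_ip: str, local_gw: str, vpn_gw: str, def1: bool = True):
    """Client routing table after 'redirect-gateway' (def1 variant by default).

    def1 leaves the original 0.0.0.0/0 route alone and adds two /1 routes that
    together cover all of IPv4; they beat the default route on prefix length.
    The /32 host route to the server keeps the encapsulated UDP packets on the
    original gateway, which is what prevents the encapsulation loop.
    """
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), local_gw),        # original default
        (ipaddress.ip_network(f"{server_ip}/32"), local_gw),  # host route to server
    ]
    if def1:
        routes.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
        routes.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
    return routes


def next_hop(routes, dst: str) -> str:
    """Longest-prefix match, the rule every IP stack applies."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in routes if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches)[1]


def tunnel_leaks(routes, destinations, vpn_gw: str, server_ip: str):
    """Destinations that bypass the tunnel other than the VPN server itself."""
    return [d for d in destinations
            if d != server_ip and next_hop(routes, d) != vpn_gw]


if __name__ == "__main__":
    table = build_routes(SERVER_PUBLIC_IP, LOCAL_GW, VPN_GW)
    for dst in ("8.8.8.8", "198.51.100.7", SERVER_PUBLIC_IP):
        print(f"{dst} -> {next_hop(table, dst)}")
    print("leaks:", tunnel_leaks(table, ["8.8.8.8", "198.51.100.7"],
                                 VPN_GW, SERVER_PUBLIC_IP))
```

Run it and the two "anydomain" style addresses resolve to 10.8.0.1 while the server's own address resolves to 192.168.252.1, exactly the split the two tracert runs show.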