Hi

Lindsay Haisley wrote:
> On Wed, 2007-11-07 at 08:42 +0530, Prasanna Krishnamoorthy wrote:
>> I've done plain traceroute and tracepath through multi-hop VPN
>> tunnels. So certainly there's no issue with openvpn. I would expect
>> that it's a routing issue, except for the fact that you're getting
>> back replies if you do traceroute -l.
>
> It's actually "traceroute -I hostname" which uses ICMP packets for the
> traceroute instead of UDP packets. The routing seems to be OK. The VPN
> works as expected, except for this one issue.
>
>> So there may be something specific in your firewall config which
>> disallows replies to the UDP requests. You'll need to check your
>> config.
>
> Well I went through the available OpenVPN config options and couldn't
> find anything relevant. A tcpdump on the tap0 IF on the server clearly
> shows UDP packets coming in, addressed to ports 33434 and up, but no
> corresponding ICMP "unreachable" packets being sent out in reply. I
> would suspect an IF-specific kernel issue, maybe in the TAP/TUN module.
> iptables rules specifically allow _all_ traffic from the tap0 IF to pass
> through the firewall, so the traceroute UDP packets aren't being
> dropped, just ignored.

What are the TTL values on these packets? A TTL of 0 should trigger the ICMP.

cheers

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
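An added diagnostic example, not from the thread or from OpenVPN itself: a Python script that correlates the UDP traceroute probes seen on the tap0 interface with the ICMP port-unreachable replies the server sent, and lists the probes that got no reply together with their TTL (the question raised above). The capture lines are constructed, simplified `tcpdump -v` style output, and the 10.8.0.x addresses are assumptions.

```python
import re
from collections import namedtuple

# Linux traceroute sends one UDP probe per port, starting at 33434 and counting up.
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_MAX_PORT = TRACEROUTE_BASE_PORT + 30 * 3  # default 30 hops x 3 probes

Probe = namedtuple("Probe", "src dst port ttl")

# Constructed sample (simplified tcpdump -v output, addresses are assumptions).
# Probe 33435 never gets an ICMP reply; the indented line is the copy of the original
# datagram that tcpdump prints inside an ICMP error, and the port 53 line is not a probe.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 1, proto UDP (17), length 60) 10.8.0.6.54321 > 10.8.0.1.33434: UDP, length 32
IP (tos 0x0, ttl 64, proto ICMP (1), length 88) 10.8.0.1 > 10.8.0.6: ICMP 10.8.0.1 udp port 33434 unreachable, length 68
    IP (tos 0x0, ttl 1, proto UDP (17), length 60) 10.8.0.6.54321 > 10.8.0.1.33434: UDP, length 32
IP (tos 0x0, ttl 1, proto UDP (17), length 60) 10.8.0.6.54321 > 10.8.0.1.33435: UDP, length 32
IP (tos 0x0, ttl 1, proto UDP (17), length 60) 10.8.0.6.54321 > 10.8.0.1.33436: UDP, length 32
IP (tos 0x0, ttl 64, proto ICMP (1), length 88) 10.8.0.1 > 10.8.0.6: ICMP 10.8.0.1 udp port 33436 unreachable, length 68
IP (tos 0x0, ttl 64, proto UDP (17), length 70) 10.8.0.6.40000 > 10.8.0.1.53: UDP, length 42
"""

UDP_RE = re.compile(r"IP \(.*?ttl (?P<ttl>\d+).*?\) (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<port>\d+): UDP")
UNREACH_RE = re.compile(r"IP (?:\(.*?\) )?(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP [\d.]+ udp port (?P<port>\d+) unreachable")


def parse_capture(text):
    """Return (probes, answered): traceroute probes seen, and the ports that got an ICMP unreachable."""
    probes, answered = [], set()
    for line in text.splitlines():
        if line[:1].isspace():
            continue  # quoted inner datagram of an ICMP error, not a new packet
        m = UDP_RE.search(line)
        if m and TRACEROUTE_BASE_PORT <= int(m["port"]) <= TRACEROUTE_MAX_PORT:
            probes.append(Probe(m["src"], m["dst"], int(m["port"]), int(m["ttl"])))
            continue
        m = UNREACH_RE.search(line)
        if m:
            answered.add(int(m["port"]))
    return probes, answered


def unanswered_probes(text):
    """Probes with no matching ICMP port-unreachable reply, keeping the TTL they arrived with."""
    probes, answered = parse_capture(text)
    return [p for p in probes if p.port not in answered]


if __name__ == "__main__":
    for p in unanswered_probes(SAMPLE_CAPTURE):
        print(f"no ICMP reply for probe {p.src} -> {p.dst}:{p.port} (ttl {p.ttl})")
```

Feed it the output of `tcpdump -v -n -i tap0 udp or icmp` to see which probes the server silently swallowed.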