Lindsay Haisley
2007-11-06 19:22:55 UTC
This is more an annoyance and a matter of curiosity than it is a
problem, but the answer may have implications elsewhere in my OpenVPN
setup.
I have a VPN set up using OpenVPN from my desktop to my server in
another location. The VPN works fine! I can ping the server through
the VPN, connect to it, mount filesystems via NFS, whatever I need to
do. The VPN passes through the server's firewall with iptables rules
that give complete trust to the tap0 IF and any boxes on the other end
of the tunnel.
If I traceroute to the server, from my desktop, the UDP traceroute
packets are being received, but no ICMP Unreachable (type 3) message is
being sent from the server to indicate that the UDP packets are being
received at the server, so traceroute simply cycles, sending packets to
successively higher ports until it gives up after 90 tries. I've
verified receipt of the UDP packets and the non-issuance of the proper ICMP
message with tcpdump on the server.
I can traceroute to the server from other boxes, not on the VPN, and the
proper ICMP message packet is sent back when the packet TTL allows a
traceroute packet to reach the server. Ports 33434 and up are not
otherwise occupied, so the server should respond properly.
I can traceroute using ICMP packets instead of UDP packets (traceroute
-I ...) which works fine, but I should be able to use UDP packets for
this through the VPN tunnel just as I can from points elsewhere on the
Internet.
Anyone have any idea what's going on here?
--
Lindsay Haisley        | "Everything works | PGP public key
FMP Computer Services  | if you let it"    | available at
512-259-1190           | (The Roadie)      | http://pubkeys.fmp.com
http://www.fmp.com     |                   |
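The check described in the post (confirming with tcpdump that the UDP probes arrive but no ICMP port-unreachable goes back) can be automated over a capture. The script below is an added example, not code from the original message or from OpenVPN: it correlates UDP traceroute probes to ports 33434 and up with the matching ICMP type 3 "udp port N unreachable" replies in tcpdump's default text output and reports which probes went unanswered. The capture lines and the 10.8.0.x addresses are constructed sample data, assumed only to match tcpdump's line format.

```python
import re

# Constructed sample in tcpdump's default text format (not a real capture):
# three UDP traceroute probes from the desktop (10.8.0.2) arrive at the
# server (10.8.0.1) over the tunnel; only the first one is answered with
# an ICMP port unreachable. The other two are the symptom from the post.
SAMPLE_CAPTURE = """\
10:01:02.000100 IP 10.8.0.2.40000 > 10.8.0.1.33434: UDP, length 32
10:01:02.000300 IP 10.8.0.1 > 10.8.0.2: ICMP 10.8.0.1 udp port 33434 unreachable, length 68
10:01:02.100100 IP 10.8.0.2.40001 > 10.8.0.1.33435: UDP, length 32
10:01:02.200100 IP 10.8.0.2.40002 > 10.8.0.1.33436: UDP, length 32
"""

# "IP <src>.<sport> > <dst>.<dport>: UDP, length N"
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")
# "IP <src> > <dst>: ICMP <host> udp port <port> unreachable, length N"
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")


def correlate_probes(capture, target, first_port=33434):
    """Return (answered, unanswered) lists of destination ports.

    A probe is a UDP datagram sent to `target` on a port >= first_port
    (traceroute's default range). It counts as answered when `target`
    later emits an ICMP port-unreachable naming that same port.
    """
    probes = {}  # destination port -> answered flag
    for line in capture.splitlines():
        m = UDP_RE.search(line)
        if m:
            _src, _sport, dst, dport = m.groups()
            dport = int(dport)
            if dst == target and dport >= first_port:
                probes.setdefault(dport, False)
            continue
        m = ICMP_RE.search(line)
        if m:
            src, _dst, port = m.groups()
            port = int(port)
            # Only a reply from the probed host for a port we saw counts.
            if src == target and port in probes:
                probes[port] = True
    answered = sorted(p for p, ok in probes.items() if ok)
    unanswered = sorted(p for p, ok in probes.items() if not ok)
    return answered, unanswered


def summarize(capture, target):
    """Human-readable verdict: the post's symptom is a non-empty unanswered list."""
    answered, unanswered = correlate_probes(capture, target)
    if not unanswered:
        return f"all {len(answered)} probe(s) to {target} got ICMP port unreachable"
    return (f"{len(unanswered)} of {len(answered) + len(unanswered)} probe(s) to "
            f"{target} received no ICMP port unreachable: ports {unanswered}")


if __name__ == "__main__":
    # Typical use: tcpdump -n -i tap0 'udp or icmp' > cap.txt, then
    # python3 this_script.py < cap.txt (here we use the constructed sample).
    print(summarize(SAMPLE_CAPTURE, "10.8.0.1"))
```

Run on a real capture, an all-answered result points the search away from the server's IP stack and toward the path (tunnel MTU, the other end's filtering), while unanswered ports on the tap0 side with answered ports on the public interface narrow the question to what the server does differently for traffic arriving via the tunnel.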