localhost routing issue with new OpenVPN install
Dan Shoop
shoop at iwiring.net
Fri Jul 13 13:14:04 PDT 2007
At 12:26 AM +0200 7/13/07, Fabian Peters wrote:
>On 12.07.2007 at 23:18, Dan Shoop wrote:
>
>>At 9:42 PM +0200 7/12/07, Fabian Peters wrote:
>>>Hi all,
>>>
>>>I'm facing a strange issue here, after having decommissioned an old
>>>OpenVPN setup and replaced it with a new one. The old one was at home
>>>in the 10.100.100.x range, the new one is in 10.10.10.x. My machine
>>>(running OS X 10.4.10) is placed in a small LAN using 10.0.0.x, with
>>>its primary IP being 10.0.0.6 and the router placed at 10.0.0.1.
>>>
>>>While OpenVPN is not running, everything's fine. "netstat -rn" shows:
>>>
>>>Destination Gateway Flags Refs Use Netif Expire
>>>default 10.0.0.1 UGSc 40 8 en0
>>>10/24 link#4 UCS 3 0 en0
>>>10.0.0.1 XX:XX:XX:XX:X:X UHLW 38 33 en0 1154
>>>10.0.0.6 127.0.0.1 UHS 0 0 lo0
>>>10.0.0.7 XX:XX:XX:XX:X:X UHLW 1 5001 en0 507
>>>10.0.0.255 ff:ff:ff:ff:ff:ff UHLWb 0 3 en0
>>>127 127.0.0.1 UCS 0 0 lo0
>>>127.0.0.1 127.0.0.1 UH 10 5865 lo0
>>>169.254 link#7 UC 0 0 fw0
>>>
>>>Internet6:
>>>Destination Gateway Flags Netif Expire
>>>::1 link#1 UHL lo0
>>>fe80::%lo0/64 fe80::1%lo0 Uc lo0
>>>fe80::1%lo0 link#1 UHL lo0
>>>fe80::%en1/64 link#5 UC en1
>>>ff01::/32 ::1 U lo0
>>>ff02::/32 ::1 UC lo0
>>>ff02::/32 link#5 UC en1
>>>
>>>On connecting, OpenVPN issues the following commands:
>>>
>>>ifconfig tun0 10.10.10.10 127.0.0.1 mtu 1500 netmask 255.255.255.255 up
>>>route add -net 10.10.10.0 127.0.0.1 255.255.255.0
>>>
>>>Which look fine to me and do succeed. "netstat -rn" then shows:
>>>
>>>Destination Gateway Flags Refs Use Netif Expire
>>>default 10.0.0.1 UGSc 40 9 en0
>>>10/24 link#4 UCS 2 0 en0
>>>10.0.0.1 XX:XX:XX:XX:X:X UHLW 38 33 en0 936
>>>10.0.0.6 127.0.0.1 UHS 0 0 lo0
>>>10.0.0.7 XX:XX:XX:XX:X:X UHLW 1 408 en0 289
>>>10.10.10/24 127.0.0.1 UGSc 1 8 tun0
>>>127 127.0.0.1 UCS 0 0 lo0
>>>127.0.0.1 127.0.0.1 UH 14 182 lo0
>>>169.254 link#7 UC 0 0 fw0
>>>
>>>Internet6:
>>>Destination Gateway Flags Netif Expire
>>>::1 link#1 UHL lo0
>>>fe80::%lo0/64 fe80::1%lo0 Uc lo0
>>>fe80::1%lo0 link#1 UHL lo0
>>>fe80::%en1/64 link#5 UC en1
>>>ff01::/32 ::1 U lo0
>>>ff02::/32 ::1 UC lo0
>>>ff02::/32 link#5 UC en1
>>>
>>>Connections to the VPN are working flawlessly. But, connections to
>>>127.0.0.1 are now established from the VPN IP. "lsof -i" shows the
>>>following for a telnet-instance connecting to 127.0.0.1:
>>>
>>>telnet 16347 502 3u IPv4 0x4f6da8c 0t0 TCP
>>>10.10.10.10:54293->127.0.0.1:telnet (SYN_SENT)
>>>
>>>There's no telnetd running on my host, so this should immediately return:
>>>
>>>telnet: connect to address 127.0.0.1: Connection refused
>>>telnet: Unable to connect to remote host
>>>
>>>But instead after some 30 seconds or so:
>>>
>>>Trying 127.0.0.1...
>>>telnet: connect to address 127.0.0.1: Operation timed out
>>>telnet: Unable to connect to remote host
>>>
>>>Why is this and how can I prevent this? This never occurred with my
>>>old VPN installation. I even tried to put a metric on the tun
>>>interface and a lower one on lo0, but to no avail.
>>>
>>>Any hints greatly appreciated!
>>
>>Your primary IP address is now in 10.10.10.*, so that is what the
>>telnet comes from, so this is as would be expected in lsof.
>
>Hhmm, okay, but why does it become my new "primary" IP? This is of
>course not intended, I want my LAN IP to remain the primary IP. How
>can I keep 10.0.0.6 as my primary IP then? The openvpn config did
>not change AFAIK, compared to the earlier one, so what would trigger
>this new behaviour?
The whole point of most VPNs is that you don't want to be on your
current LAN but want to be on the remote/VPN LAN. That is, you want to
appear as if your current and local network is the VPN, not the LAN
you're physically attached to (say the hotel's).
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.ustsvs.com/
shoop at iwiring.net http://www.iwiring.net/
1-714-363-1174