localhost routing issue with new OpenVPN install

Fabian Peters lists.fabian at e-lumo.com
Fri Jul 13 15:18:11 PDT 2007


On 13.07.2007 at 22:14, Dan Shoop wrote:

> At 12:26 AM +0200 7/13/07, Fabian Peters wrote:
>> On 12.07.2007 at 23:18, Dan Shoop wrote:
>>
>>> At 9:42 PM +0200 7/12/07, Fabian Peters wrote:
>>>> Hi all,
>>>>
>>>> I'm facing a strange issue here, after having decommissioned an old
>>>> OpenVPN setup and replaced it with a new one. The old one was at home
>>>> in the 10.100.100.x range, the new one is in 10.10.10.x. My machine
>>>> (running OS X 10.4.10) is placed in a small LAN using 10.0.0.x, with
>>>> its primary IP being 10.0.0.6 and the router placed at 10.0.0.1.
>>>>
>>>> While OpenVPN is not running, everything's fine. "netstat -rn" shows:
>>>>
>>>> Destination Gateway            Flags   Refs   Use  Netif   Expire
>>>> default     10.0.0.1           UGSc      40     8    en0
>>>> 10/24       link#4             UCS        3     0    en0
>>>> 10.0.0.1    XX:XX:XX:XX:X:X    UHLW      38    33    en0   1154
>>>> 10.0.0.6    127.0.0.1          UHS        0     0    lo0
>>>> 10.0.0.7    XX:XX:XX:XX:X:X    UHLW       1  5001    en0    507
>>>> 10.0.0.255  ff:ff:ff:ff:ff:ff  UHLWb      0     3    en0
>>>> 127         127.0.0.1          UCS        0     0    lo0
>>>> 127.0.0.1   127.0.0.1          UH        10  5865    lo0
>>>> 169.254     link#7             UC         0     0    fw0
>>>>
>>>> Internet6:
>>>> Destination     Gateway            Flags      Netif Expire
>>>> ::1             link#1             UHL         lo0
>>>> fe80::%lo0/64   fe80::1%lo0        Uc          lo0
>>>> fe80::1%lo0     link#1             UHL         lo0
>>>> fe80::%en1/64   link#5             UC          en1
>>>> ff01::/32       ::1                U           lo0
>>>> ff02::/32       ::1                UC          lo0
>>>> ff02::/32       link#5             UC          en1
>>>>
>>>> On connecting, OpenVPN issues the following commands:
>>>>
>>>> ifconfig tun0 10.10.10.10 127.0.0.1 mtu 1500 netmask 255.255.255.255 up
>>>> route add -net 10.10.10.0 127.0.0.1 255.255.255.0
>>>>
>>>> Which look fine to me and do succeed. "netstat -rn" then shows:
>>>>
>>>> Destination  Gateway          Flags   Refs  Use  Netif Expire
>>>> default      10.0.0.1         UGSc      40    9    en0
>>>> 10/24        link#4           UCS        2    0    en0
>>>> 10.0.0.1     XX:XX:XX:XX:X:X  UHLW      38   33    en0    936
>>>> 10.0.0.6     127.0.0.1        UHS        0    0    lo0
>>>> 10.0.0.7     XX:XX:XX:XX:X:X  UHLW       1  408    en0    289
>>>> 10.10.10/24  127.0.0.1        UGSc       1    8   tun0
>>>> 127          127.0.0.1        UCS        0    0    lo0
>>>> 127.0.0.1    127.0.0.1        UH        14  182    lo0
>>>> 169.254      link#7           UC         0    0    fw0
>>>>
>>>> Internet6:
>>>> Destination     Gateway            Flags      Netif Expire
>>>> ::1             link#1             UHL         lo0
>>>> fe80::%lo0/64   fe80::1%lo0        Uc          lo0
>>>> fe80::1%lo0     link#1             UHL         lo0
>>>> fe80::%en1/64   link#5             UC          en1
>>>> ff01::/32       ::1                U           lo0
>>>> ff02::/32       ::1                UC          lo0
>>>> ff02::/32       link#5             UC          en1
>>>>
>>>> Connections to the VPN are working flawlessly. But, connections to
>>>> 127.0.0.1 are now established from the VPN IP. "lsof -i" shows the
>>>> following for a telnet-instance connecting to 127.0.0.1:
>>>>
>>>> telnet   16347   502   3u  IPv4 0x4f6da8c   0t0  TCP  
>>>> 10.10.10.10:54293->127.0.0.1:telnet (SYN_SENT)
>>>>
>>>> There's no telnetd running on my host, so this should immediately return:
>>>>
>>>> telnet: connect to address 127.0.0.1: Connection refused
>>>> telnet: Unable to connect to remote host
>>>>
>>>> But instead after some 30 seconds or so:
>>>>
>>>> Trying 127.0.0.1...
>>>> telnet: connect to address 127.0.0.1: Operation timed out
>>>> telnet: Unable to connect to remote host
>>>>
>>>> Why is this and how can I prevent this? This never occurred with my
>>>> old VPN installation. I even tried to put a metric on the tun
>>>> interface and a lower one on lo0, but to no avail.
>>>>
>>>> Any hints greatly appreciated!
>>>
>>> Your primary IP address is now in 10.10.10.*, so that is what the telnet
>>> comes from; this is as would be expected in lsof.
>>
>> Hmm, okay, but why does it become my new "primary" IP? This is of course
>> not intended, I want my LAN IP to remain the primary IP. How can I keep
>> 10.0.0.6 as my primary IP then? The openvpn config did not change AFAIK,
>> compared to the earlier one, so what would trigger this new behaviour?
>
> The whole point of most VPNs is that you don't want to be on your current
> LAN but want to be on the remote/VPN LAN. That is, you want to appear as
> if your current and local network is the VPN, not the LAN physically
> attached to (say the hotel's).

Dan, thanks. However, for me this is neither what I want nor what's
happening. My default gateway is still the router in my LAN and traffic
to all servers outside my LAN or VPN is routed via this gateway, using
10.0.0.6 as the source address. Only connections to 127.0.0.1 are using
the VPN IP as their source IP.

I'm still clueless as to how to change this unwanted behaviour, so any
hints are still most welcome.

cheers

Fabian
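Added example, not part of the thread and not OpenVPN's or Apple's code: a
small model of BSD-style IPv4 source-address selection, run over the two
routing tables Fabian posted. The three rules it applies are a simplified
reconstruction of the classic 4.4BSD in_pcbladdr() logic (skip the route's
interface if it is loopback, then prefer a point-to-point interface whose
destination address equals the target, then an interface whose attached
network contains the target); that Darwin 8 follows exactly these rules is
an assumption of the example, not something the thread states. Interface
prefix lengths are also assumed (/24 for en0, /8 for lo0, /32 for tun0, from
the netmasks visible in the output). What the model reproduces is the
observed symptom: once tun0 exists with 127.0.0.1 as its peer address,
a connection to 127.0.0.1 is sourced from 10.10.10.10, while LAN, VPN and
Internet destinations keep their expected source addresses.

```python
"""Model of BSD-style IPv4 source-address selection over the routing tables
from the thread.  Added example; the three rules are a simplified
reconstruction of 4.4BSD's in_pcbladdr(), not a copy of Darwin's code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Iface:
    name: str
    addr: str                   # local address, e.g. "10.0.0.6"
    prefixlen: int              # netmask of the attached network (assumed)
    peer: Optional[str] = None  # point-to-point destination, if any
    loopback: bool = False


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


# Constructed from the "before OpenVPN" netstat -rn output in the thread
# (ARP host entries and IPv6 omitted).
IFACES_BEFORE: Dict[str, Iface] = {
    "en0": Iface("en0", "10.0.0.6", 24),
    "lo0": Iface("lo0", "127.0.0.1", 8, loopback=True),
}
ROUTES_BEFORE: List[Route] = [
    Route(net("0.0.0.0/0"), "10.0.0.1", "en0"),        # default
    Route(net("10.0.0.0/24"), "link#4", "en0"),         # 10/24
    Route(net("127.0.0.0/8"), "127.0.0.1", "lo0"),      # 127
    Route(net("127.0.0.1/32"), "127.0.0.1", "lo0"),     # 127.0.0.1
]

# After "ifconfig tun0 10.10.10.10 127.0.0.1 ... netmask 255.255.255.255 up"
# and "route add -net 10.10.10.0 127.0.0.1 255.255.255.0": tun0 is a
# point-to-point interface whose peer address is 127.0.0.1.
IFACES_AFTER: Dict[str, Iface] = dict(
    IFACES_BEFORE, tun0=Iface("tun0", "10.10.10.10", 32, peer="127.0.0.1")
)
ROUTES_AFTER: List[Route] = ROUTES_BEFORE + [
    Route(net("10.10.10.0/24"), "127.0.0.1", "tun0"),   # 10.10.10/24
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel routing table does."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def select_source(ifaces: Dict[str, Iface], routes: List[Route], dst: str) -> str:
    """Return the local address a new connection to dst would be sourced from."""
    rt = lookup(routes, dst)
    # Rule 1: address of the route's outgoing interface, unless it is loopback.
    if rt is not None and not ifaces[rt.iface].loopback:
        return ifaces[rt.iface].addr
    # Rule 2: a point-to-point interface whose far end *is* dst wins.
    for i in ifaces.values():
        if i.peer == dst:
            return i.addr
    # Rule 3: an interface whose attached network contains dst.
    d = ipaddress.ip_address(dst)
    for i in ifaces.values():
        if d in net(f"{i.addr}/{i.prefixlen}"):
            return i.addr
    raise LookupError(f"no usable source address for {dst}")


def loopback_hijacked(ifaces: Dict[str, Iface], routes: List[Route]) -> bool:
    """The check a practitioner wants: would a connection to 127.0.0.1
    leave from a non-loopback address?"""
    src = ipaddress.ip_address(select_source(ifaces, routes, "127.0.0.1"))
    return not src.is_loopback


if __name__ == "__main__":
    for label, ifs, rts in (("before", IFACES_BEFORE, ROUTES_BEFORE),
                            ("after", IFACES_AFTER, ROUTES_AFTER)):
        for dst in ("127.0.0.1", "10.0.0.7", "10.10.10.1", "198.51.100.1"):
            print(f"{label:6} {dst:13} -> {select_source(ifs, rts, dst)}")
        print(f"{label:6} loopback hijacked: {loopback_hijacked(ifs, rts)}")
```

Under this model the deciding factor is the peer address OpenVPN gave tun0
(127.0.0.1), not route metrics, which is consistent with Fabian's report
that a lower metric on lo0 made no difference; the unchanged results for
10.0.0.7, 10.10.10.1 and an outside address match his observation that only
loopback connections pick up the VPN address.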

