[vserver] openvpn in vserver prob since kernel upgrade

From: Philippe Teuwen <phil_at_teuwen.org>
Date: Tue 21 Aug 2007 - 09:59:28 BST
Message-ID: <46CAA970.5060500@teuwen.org>

Hello,

I recently upgraded the kernel
from linux-image-2.6.17.14-grsec2.1.9-vs2.0.2.1
to linux-image-2.6.21.6-grsec2.1.10-200706182032-vs2.2.0.3

Since then I have had some trouble with VPN routing.

My setup:
one vserver with openvpn inside, bcap NET_ADMIN
vserver_vpn public IP A.A.A.148 (if=ETH_R)
vserver_vpn private IP on a tap 192.168.6.103 (if=tap2)
MAIN public IP A.A.A.155 (if=ETH_R)

I connect from outside (laptop) to the VPN, no problem; remote VPN IP=192.168.1.2
laptop# ping A.A.A.148 -> ok
laptop# ping A.A.A.155 -> ok
MAIN# ping 192.168.6.2 -> ok
vserver_vpn# ping 192.168.6.2 -> ok
laptop# ping 64.233.183.99 (google) -> no reply
More precisely: there is a reply up to the server:

MAIN# tcpdump -i ETH_R -l -n icmp
10:37:38.281783 IP A.A.A.155 > 64.233.183.99: ICMP echo request, id
6939, seq 1, length 64
10:37:38.286997 IP 64.233.183.99 > A.A.A.155: ICMP echo reply, id 6939,
seq 1, length 64

MAIN# tcpdump -i tap2 -l -n icmp
10:38:00.280136 IP 192.168.6.2 > 64.233.183.99: ICMP echo request, id
6939, seq 23, length 64

So the private address was properly NATed, and the ping was routed, sent and received properly,
but the answer packet was never forwarded back through the VPN.

Relevant iptables snippet:
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -o ETH_R -j MASQUERADE

This setup worked for months before the kernel upgrade.
I also noted that the netfilter modules changed quite a lot.
Is there something new to do with iptables to get the stuff working again?
The material is in a datacenter 200km away, temporarily without PDU and serial console,
so I prefer not to change the kernel remotely "just to see" for now.

Thanks for any idea.
Phil

vserver-info
Versions:
                   Kernel: 2.6.21.6-grsec2.1.10-200706182032-vs2.2.0.3
                   VS-API: 0x00020200
             util-vserver: 0.30.213; May 7 2007, 04:20:41

Features:
                       CC: gcc, gcc (GCC) 4.1.3 20070429 (prerelease) (Debian 4.1.2-5)
                      CXX: g++, g++ (GCC) 4.1.3 20070429 (prerelease) (Debian 4.1.2-5)
                 CPPFLAGS: ''
                   CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
                 CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
               build/host: x86_64-pc-linux-gnu/x86_64-pc-linux-gnu
             Use dietlibc: yes
       Build C++ programs: yes
       Build C99 programs: yes
           Available APIs: compat,v11,fscompat,v13,net,v21,oldproc,olduts
            ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
      vserver(2) syscall#: 236/glibc

Paths:
                   prefix: /usr
        sysconf-Directory: /etc
            cfg-Directory: /etc/vservers
         initrd-Directory: $(sysconfdir)/init.d
       pkgstate-Directory: /var/run/vservers
          vserver-Rootdir: /var/lib/vservers

Assumed 'SYSINFO' as no other option given; try '--help' for more information.
Received on Tue Aug 21 10:00:48 2007
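As an added example (not part of Phil's post and not vserver project code), here is a small POSIX shell function that checks, offline, the pieces a masqueraded return path like the one above depends on: ip_forward enabled, the POSTROUTING MASQUERADE rule present, and, when the FORWARD chain's policy is DROP, an ACCEPT rule in each direction. It reads an iptables-save dump as text rather than touching a live host, so it can be run against a dump saved from a remote box. The interface names tap2 and ETH_R and the 192.168.6.0/24 subnet are taken from the post; both dumps are constructed, and the FORWARD-policy case is a generic check, not a claim about what actually broke on this machine.

```shell
#!/bin/sh
# Added example, not code from the post or the vserver project.
# Offline sanity check of the pieces a masqueraded return path depends on:
#   1. net.ipv4.ip_forward must be 1 (replies are routed, not delivered locally);
#   2. the POSTROUTING MASQUERADE rule for the VPN subnet must exist;
#   3. if the FORWARD policy is DROP, there must be an ACCEPT for VPN -> WAN
#      and an ACCEPT for ESTABLISHED replies WAN -> VPN.
# Inputs are plain text so the check can run against a saved dump; on a live
# host one would pass "$(iptables-save)" and "$(cat /proc/sys/net/ipv4/ip_forward)".

# Constructed dump: the post's MASQUERADE rule, plus a FORWARD chain whose
# policy is DROP and which carries no rules at all.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.6.0/24 -o ETH_R -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed dump of a setup where both directions are explicitly allowed.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.6.0/24 -o ETH_R -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tap2 -o ETH_R -s 192.168.6.0/24 -j ACCEPT
-A FORWARD -i ETH_R -o tap2 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# check_masq_path DUMP IP_FORWARD VPN_IF WAN_IF SUBNET
# Prints one "PROBLEM: ..." line per missing piece and nothing when the dump
# looks complete. Always returns 0 so it composes with `set -e`.
check_masq_path() {
  dump=$1; ip_forward=$2; vpn_if=$3; wan_if=$4; subnet=$5

  [ "$ip_forward" = "1" ] ||
    echo "PROBLEM: net.ipv4.ip_forward is '$ip_forward'; replies cannot be routed back to $vpn_if"

  printf '%s\n' "$dump" |
    grep -qF -- "-A POSTROUTING -s $subnet -o $wan_if -j MASQUERADE" ||
    echo "PROBLEM: no MASQUERADE rule for $subnet leaving $wan_if"

  # A DROP policy on FORWARD silently eats the de-NATed reply unless a rule
  # explicitly accepts it; with an ACCEPT policy these two rules are optional.
  if printf '%s\n' "$dump" | grep -q '^:FORWARD DROP'; then
    printf '%s\n' "$dump" |
      grep -q -- "^-A FORWARD -i $vpn_if -o $wan_if .*-j ACCEPT" ||
      echo "PROBLEM: FORWARD policy is DROP and no rule accepts $vpn_if -> $wan_if"
    printf '%s\n' "$dump" |
      grep -q -- "^-A FORWARD -i $wan_if -o $vpn_if .*ESTABLISHED.*-j ACCEPT" ||
      echo "PROBLEM: FORWARD policy is DROP and no rule accepts established replies $wan_if -> $vpn_if"
  fi
  return 0
}

# Stand-alone run: report on the constructed dump with forwarding enabled.
check_masq_path "$SAMPLE_DUMP" 1 tap2 ETH_R 192.168.6.0/24
```

The function deliberately only reads text, so the same call works on a copy of `iptables-save` output mailed from a box you cannot reboot; a clean run prints nothing, and each PROBLEM line names the direction that would drop the reply.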
