[colug-432] Issues with Routing under KVM / OpenVPN
Joshua Kramer
joskra42.list at gmail.com
Wed May 24 12:06:27 EDT 2017
"...a 192.168.6.xx address will never be an a
192.168.4.0/255.255.255.0 network. So the gateway you have setup
isn't legal and/or workable..."
At first glance I'd see why you would think I had it set up like that,
but the details have a different picture. Basically, that statement
says, "To reach a host on the 192.168.6.0/24 network, send your packet
to 192.168.4.34". On that 34 host, there is a rule that says..."If I
see a packet with a destination for the .6/24 network, send it through
tun0". The tun0 interface is a virtual interface, so it will know
what to do with packets that are destined for something on its .6
network.
So basically... if you are 192.168.4.36, for example, the scenario
goes something like this:
1. I have a packet that needs to get to 192.168.6.3. I don't have any
rules for this packet, so I'm going to send it through the default
gateway, which is 192.168.4.1.
2. 192.168.4.1, the hardware host, gets this packet. It sees the
rule, "To reach a host on the 192.168.6.0/24 network, send your packet
to 192.168.4.34" So it sends the packet to .34.
3. 192.168.4.34 sees this packet that is destined for 192.168.6.3 and
it forwards it through tun0. The tun0 interface then sends to its
destination.
In the end there were three issues:
1. The hardware host did not have net.ipv4.ip_forward=1 in its sysctl file.
2. The .34 OpenVPN host did not have an IPTABLES rule that would
forward the packets properly.
3. I had forgotten something. The whole purpose of this OpenVPN VM
was to connect to a server at 192.168.4.36. The .36 server has its
own different 192.168.6.0/24 network that is routed to a physical
interface on the KVM host. (I have a bunch of cheap Chinese IP
cameras that I want to isolate from everything)
I changed OpenVPN to serve up a 192.168.8.0/24 network and corrected
the forwarding rule mistakes, and presto, everything works as
expected!
More information about the colug-432
mailing list