Port-xen archive


xen and openvpn



I am trying to duplicate an openvpn (openvpn-2.1rc21 from pkgsrc)
router (which works fine) on a xen i386 box (which also seems to work
fine for the 7 other domUs).  However, I cannot make packets travel a
full round trip through the openvpn tunnel.  The two basic setups are:

  client --- wpi0 --- internet --- wm1 --- openvpn router --- wm1 --- server
172.31/16 |                             |                     172.20/16
          +- tun0 --------------- tun0 -+

  client --- wpi0 --- internet --- xennet1 --- domU openvpn router --- xennet0 --- server
172.31/16 |                                 |                          172.20/16
          +- tun0 ------------------- tun0 -+

Both use ipnat to translate packets from 172.31/16 to the 172.20
address of the router.

The first setup works and is using the same physical interface for
both the public internet connection and the private network.  On the
172.20 network I see packets with rewritten sources corresponding to
the router.  On the router's tun0 device, I see packets corresponding
to the appropriate 172.31 addresses.  All packets pass through the
tunnel just fine.

The second setup is intended to duplicate the other (and does as far
as I can tell).  In this case, however, packets originating at the
client are visible via tcpdump on the router after traversing the
tunnel.  They are visible on both the tun0 and the wm1 interfaces (in
the latter case with rewritten headers as a result of the ipnat
rules).  They are also visible on the 172.20 network and servers
respond with their own packets directed back to the router.

In contrast, packets originating at the router (including rewritten
responses from servers) are visible with tcpdump on the tun0 interface
with the appropriate 172.31 addresses.  However, they never emerge on
the client side of the tunnel and are invisible to tcpdump there.

This suggests to me that packets originating from the client make it
through the tunnel perfectly, but that packets originating from the
xen router enter the tunnel (as shown by tcpdump) but never emerge on
the client side.

Is this the correct interpretation?  Is this setup correct?  Can a
domU be used as an openvpn router like this?  How can I identify where
the packets are getting lost?

Any help is greatly appreciated.

Thanks a lot.

Cheers,
Brook
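The last question in the message, how to tell at which hop one direction of a flow stops being seen, can be answered mechanically from per-interface tcpdump output. The script below is an added example and is not code from the post, from OpenVPN or from NetBSD. It assumes `tcpdump -n -l` was run on each capture point and its lines were saved per point; the hop labels (`client:tun0`, `router:tun0`, `router:xennet0`), the server address `172.20.0.5`, the router's NAT address `172.20.0.1` and every capture line are constructed for the example. Because ipnat rewrites only the client side, the flow is identified by the server address, which is stable across the translation.

```python
"""Locate the hop at which packets of one flow vanish, from per-interface tcpdump lines.

Added example (not from the original post). Assumes 'tcpdump -n -l' output
per capture point; the sample lines below are constructed, not real captures.
"""
import re

# Expected order of capture points for the domU setup in the post, from the
# client's tunnel end to the router's private-network interface.  The hop
# labels are assumptions made for this example.
FORWARD_PATH = ["client:tun0", "router:tun0", "router:xennet0"]
RETURN_PATH = list(reversed(FORWARD_PATH))

# Matches the 'IP src.port > dst.port' part of a tcpdump -n line.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+")

# Constructed sample captures modelled on the symptoms described in the post:
# client-originated packets are seen at every hop, server replies are seen on
# the router's tun0 but never on the client side.  After ipnat the source of
# forward packets on xennet0 is the router's own 172.20 address (constructed).
SAMPLE_CAPTURES = {
    "client:tun0": [
        "12:00:00.000001 IP 172.31.0.10.51000 > 172.20.0.5.80: Flags [S], seq 1, win 65535",
        "12:00:01.000002 IP 172.31.0.10.51000 > 172.20.0.5.80: Flags [S], seq 1, win 65535",
    ],
    "router:tun0": [
        "12:00:00.010001 IP 172.31.0.10.51000 > 172.20.0.5.80: Flags [S], seq 1, win 65535",
        "12:00:01.010002 IP 172.31.0.10.51000 > 172.20.0.5.80: Flags [S], seq 1, win 65535",
        "12:00:00.020001 IP 172.20.0.5.80 > 172.31.0.10.51000: Flags [S.], seq 2, ack 2",
        "12:00:01.020002 IP 172.20.0.5.80 > 172.31.0.10.51000: Flags [S.], seq 2, ack 2",
    ],
    "router:xennet0": [
        "12:00:00.011001 IP 172.20.0.1.51000 > 172.20.0.5.80: Flags [S], seq 1, win 65535",
        "12:00:01.011002 IP 172.20.0.1.51000 > 172.20.0.5.80: Flags [S], seq 1, win 65535",
        "12:00:00.019001 IP 172.20.0.5.80 > 172.20.0.1.51000: Flags [S.], seq 2, ack 2",
        "12:00:01.019002 IP 172.20.0.5.80 > 172.20.0.1.51000: Flags [S.], seq 2, ack 2",
    ],
}


def count_by_direction(lines, server_ip):
    """Return (to_server, from_server) packet counts for one capture point."""
    to_server = from_server = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IP summary line (e.g. ARP, truncated output)
        src, dst = m.groups()
        if dst == server_ip:
            to_server += 1
        elif src == server_ip:
            from_server += 1
    return to_server, from_server


def hop_counts(captures, path, direction, server_ip):
    """Per-hop packet count along 'path' for one direction ('forward'/'return')."""
    idx = 0 if direction == "forward" else 1
    return [(hop, count_by_direction(captures.get(hop, []), server_ip)[idx])
            for hop in path]


def first_loss_hop(captures, path, direction, server_ip):
    """First hop where the count drops to zero after an upstream hop saw packets.

    Returns None when the direction is seen at every hop (or never at all,
    which points at the source rather than at a forwarding problem).
    """
    previous = None
    for hop, n in hop_counts(captures, path, direction, server_ip):
        if previous is not None and previous > 0 and n == 0:
            return hop
        previous = n
    return None


def locate_loss(captures, server_ip):
    """Summarise where each direction of the flow disappears."""
    return {
        "forward": first_loss_hop(captures, FORWARD_PATH, "forward", server_ip),
        "return": first_loss_hop(captures, RETURN_PATH, "return", server_ip),
    }


if __name__ == "__main__":
    for direction, path in (("forward", FORWARD_PATH), ("return", RETURN_PATH)):
        print(direction, hop_counts(SAMPLE_CAPTURES, path, direction, "172.20.0.5"))
    print(locate_loss(SAMPLE_CAPTURES, "172.20.0.5"))
```

On the constructed sample the forward direction reports no loss and the return direction reports `client:tun0` as the first hop with zero packets after `router:tun0` saw them, which is exactly the symptom to chase next: captures on the next capture point between those two (the client's tunnel end and whatever sits between) narrow the gap further.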

