kanocz/lcvpn

how service side send out the ip packets to target server

shyandsy opened this issue · 13 comments

I notice you just write ip packets into the tun device after decryption, is that data will go to the LAN?

in my test case code, the icmp request packet disappeared after being written to tun

@shyandsy tun is just a normal (but a little bit virtual) network device, so after I write to the tun device the packet appears in the Linux network stack and then regular routing (and firewall) rules apply... so at least net.ipv4.ip_forward (please read for example https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux) must be set, and if you have any rules in iptables (or another firewall implementation) you need to allow both INPUT and FORWARD rules for packets incoming from the tun interface

hi, thanks for your reply

I added two iptables rules

iptables -A INPUT -i mytun -j ACCEPT
iptables -A FORWARD -i mytun -j ACCEPT

my code is really simple. I just run the following command to test it

ping -I mytun "another server ip"

[screenshot]

The iptables config is shown below
[screenshot]

[screenshot]

there's no icmp received on the other vps yet

could you help check why it doesn't work?

I also tried this, still not working

[screenshot]

@shyandsy if you want to get "one more loopback" you'll probably need to create 2 different tun devices and copy from one to the other, as Linux will drop packets with the "wrong direction" (look at https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/)
but anyway this will be tricky, and I can't understand the practical value, or just can't understand your network structure :)

does that mean I have to create another tun device named like tun2, take the ip packet from mytun and write it to tun2, and then the packet will be sent out by tun2?

@shyandsy if you turn off rp_filter and set up ip_forward this may work 😅 if not, you can write me directly and I'll try to help
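The two maintainer replies above (routing/firewall rules apply to anything written into the tun, and rp_filter plus ip_forward decide whether a "looped" packet survives) can be turned into a checklist. The script below is an added example for this thread, not part of lcvpn or of anyone's comment here; the interface name `mytun` and the destination `203.0.113.10` are placeholders, and `assess_sysctl` is a hypothetical helper that only evaluates the three values it is given, so it can be tried without root or a tun device.

```sh
#!/bin/sh
# Checklist for "the packet I wrote into the tun device disappeared".
# The kernel treats a packet written to a tun exactly like one that arrived
# on that interface, so its fate is decided by net.ipv4.ip_forward, by
# rp_filter (reverse-path filtering) and by the INPUT/FORWARD chains.
# "mytun" and 203.0.113.10 are placeholders, not values from the thread.

# Normalise a sysctl value: anything that is not 0/1/2 (e.g. "?" when the
# /proc file was unreadable) is treated as 0.
norm_val() {
    case $1 in
        0|1|2) echo "$1" ;;
        *)     echo 0 ;;
    esac
}

# Pure evaluation of (ip_forward, conf/all/rp_filter, conf/<iface>/rp_filter).
# Prints one line per problem; the return code is the number of problems,
# so 0 means the kernel-side settings look fine.
assess_sysctl() {
    ip_forward=$(norm_val "$1")
    rp_all=$(norm_val "$2")
    rp_if=$(norm_val "$3")
    problems=0
    if [ "$ip_forward" != 1 ]; then
        echo "ip_forward=$ip_forward: packets read from the tun will not be forwarded to other interfaces"
        problems=$((problems + 1))
    fi
    # The kernel applies the larger of conf/all and conf/<iface>:
    # 0 = off, 1 = strict (source must route back via the same interface), 2 = loose.
    rp_eff=$rp_all
    if [ "$rp_if" -gt "$rp_eff" ]; then rp_eff=$rp_if; fi
    if [ "$rp_eff" = 1 ]; then
        echo "rp_filter=1 (strict): a packet whose source address routes back out a different interface is dropped silently"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Read /proc/sys/net/ipv4/<key>, printing "?" when it is not readable
# (non-Linux host, or the interface does not exist).
read_sysctl() {
    f="/proc/sys/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "?"; fi
}

# Live checklist: tun_checklist <tun-iface> <destination-ip>
tun_checklist() {
    iface=$1
    dst=$2
    echo "--- kernel settings"
    assess_sysctl "$(read_sysctl ip_forward)" \
                  "$(read_sysctl conf/all/rp_filter)" \
                  "$(read_sysctl "conf/$iface/rp_filter")" && echo "ip_forward/rp_filter look fine"
    echo "--- route the kernel picks for $dst (should be the public interface, not lo)"
    if command -v ip >/dev/null 2>&1; then ip route get "$dst" 2>&1 || true; fi
    echo "--- firewall rules that mention $iface"
    if command -v iptables >/dev/null 2>&1; then
        iptables -S 2>/dev/null | grep -- "-i $iface" \
            || echo "(none: ACCEPT rules for -i $iface are needed in both INPUT and FORWARD)"
    fi
}
```

Run it as `tun_checklist mytun 203.0.113.10` on the VPN host; the "route the kernel picks" section is what shows whether the destination resolves to the public interface or, as in the screenshots above, to a local address.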

hi, it's still not working

could you help online via TeamViewer? emm, I will pay you something for your work

@shyandsy theoretically yes, but sometime after X-mas and New Year... and no, I don't need your money if you're not developing some commercial project :)

Could you help on-site today?
There are just 20 lines of code

I guess the working is about iptables

the icmp request is routed to eno1 (127.0.0.1) after turning off rp_filter

net.ipv4.conf.all.rp_filter = 0

why doesn't it go through enp0s25 (public ip)?

[screenshot]

[screenshot]

hi
The problem is still there

@shyandsy you have too complicated a setup - using interfaces on the same computer is always a problem as the Linux network stack will try to drop anything "looped"... and as I said, I may help with this not lcvpn-related problem sometime after the beginning of next year - I just have no time for such activity
and it's strange to me if somebody demands an immediate response and help in such a situation
so I'm closing this issue as irrelevant

sorry for disturbing

are you available now?