How does the service side send out the IP packets to the target server?
shyandsy opened this issue · 13 comments
I notice you just write IP packets into the tun device after decryption; will that data go to the LAN?
In my test case code, the ICMP request packet disappeared after being written to tun.
@shyandsy tun is just a normal (but a little bit virtual) network device, so after I write to the tun device the packet appears in the Linux network stack and then regular routing (and firewall) rules apply... so at least net.ipv4.ip_forward
(please read for example https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux) must be set, and if you have any rules in iptables (or another firewall implementation) you need to allow packets incoming from the tun interface in both the INPUT and FORWARD chains
Hi, thanks for your reply.
I added two iptables rules:
iptables -A INPUT -i mytun -j ACCEPT
iptables -A FORWARD -i mytun -j ACCEPT
My code is really simple. I just run the following command to test it:
ping -I mytun "another server ip"
The iptables config is shown below.
There's no ICMP received on the other VPS yet.
Could you help check why it doesn't work?
@shyandsy if you want to get "one more loopback" you'll probably need to create 2 different tun devices and copy from one to the other, as Linux will drop packets with the "wrong direction" (look at https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/)
but anyway this will be tricky, and I can't understand the practical value, or maybe I just can't understand your network structure :)
Does that mean I have to create another tun device named like tun2, copy the IP packets from mytun to tun2, and then the packets will be sent out by tun2?
@shyandsy if you turn off rp_filter and set up ip_forward this may work 😅 if not, you can write me directly and I'll try to help
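The prerequisites the maintainer lists in this thread (net.ipv4.ip_forward, rp_filter, and iptables INPUT/FORWARD rules for the tun interface) can be checked from a shell before touching the VPN code. The script below is an added example, not lcvpn code and not something posted by either participant. The interface name mytun is taken from the thread; the outbound interface name eth0, the conntrack return-path rule and the MASQUERADE rule are assumptions about a typical forwarding setup. The checker only reads /proc/sys and prints the fix-up commands; it does not run them, since they need root.

```shell
#!/bin/sh
# tun_forward_check.sh -- added example, not lcvpn code.
# Reads the kernel knobs that decide whether a packet written into a tun
# device can be forwarded, and prints the commands that would fix them.

TUN_IF="${TUN_IF:-mytun}"   # interface name from the issue thread
OUT_IF="${OUT_IF:-eth0}"    # assumed outbound interface (placeholder)

# Read one sysctl knob from /proc; prints "missing" when the file is
# absent (interface not created yet, or not running on Linux).
read_knob() {
    if [ -r "/proc/sys/$1" ]; then
        cat "/proc/sys/$1"
    else
        echo missing
    fi
}

# Pure decision function: given ip_forward, conf/all/rp_filter and
# conf/<if>/rp_filter, print "ok" or a comma-separated list of problems.
# The kernel uses max(all, interface) for rp_filter, so a strict "1" in
# either place wins; 0 (off) or 2 (loose) is needed for the "looped"
# traffic described in the issue.
forward_verdict() {
    ipf="$1"; rp_all="$2"; rp_if="$3"
    problems=""
    [ "$ipf" = "1" ] || problems="ip_forward=$ipf"
    case "$rp_all$rp_if" in
        *missing*)
            problems="${problems:+$problems,}rp_filter=unknown" ;;
        *)
            eff="$rp_all"
            [ "$rp_if" -gt "$rp_all" ] && eff="$rp_if"
            [ "$eff" = "1" ] && problems="${problems:+$problems,}rp_filter=strict" ;;
    esac
    echo "${problems:-ok}"
}

# Inspect the running host and print the verdict.
check_host() {
    ipf=$(read_knob net/ipv4/ip_forward)
    rp_all=$(read_knob net/ipv4/conf/all/rp_filter)
    rp_if=$(read_knob "net/ipv4/conf/$TUN_IF/rp_filter")
    echo "ip_forward=$ipf all.rp_filter=$rp_all $TUN_IF.rp_filter=$rp_if"
    echo "verdict: $(forward_verdict "$ipf" "$rp_all" "$rp_if")"
}

# The commands the thread converges on, plus the return-path and NAT
# rules a forwarding host usually also needs (assumed, not from the thread).
fix_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$TUN_IF.rp_filter=0
iptables -A INPUT -i $TUN_IF -j ACCEPT
iptables -A FORWARD -i $TUN_IF -j ACCEPT
# return path for replies coming back from the other server
iptables -A FORWARD -o $TUN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# usually needed when the tun addresses are not routable beyond this host
iptables -t nat -A POSTROUTING -o $OUT_IF -j MASQUERADE
EOF
}

check_host
echo "--- commands to apply as root if the verdict is not ok ---"
fix_commands
```

Run it as `sh tun_forward_check.sh` on the host that owns the tun device; a verdict of `rp_filter=strict` is the "wrong direction" drop the maintainer refers to, and `ip_forward=0` means packets written into the tun are never routed out of another interface at all.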
Hi, it still doesn't work.
Could you help online via TeamViewer? Hmm, I will pay you something for your work.
@shyandsy theoretically yes, but sometime after Christmas and New Year... and no, I don't need your money if you're not developing some commercial project :)
Could you help on-site today?
There are just 20 lines of code.
I guess the issue is with iptables.
hi
The problem is still there.
@shyandsy you have too complicated a setup - using interfaces on the same computer is always a problem, as the Linux network stack will try to drop anything "looped"... and as I said, I may help with this non-lcvpn-related problem sometime after the beginning of next year - I just have no time for such activity
and it's strange to me that somebody demands an immediate response and help in such a situation
so I'm closing this issue as irrelevant
Sorry for disturbing you.
Are you available now?