
I have an OpenVPN server and two clients.

I can ping the clients from each other, but when I do so, I don't see any packets on the server using tcpdump.

Server

The server is running on 192.168.0.1

and I try to capture traffic using tcpdump -i tun0 icmp --immediate-mode -l -n

Clients

Client1 is running on 192.168.0.2

and I can ping client2 (ping 192.168.0.3), which works fine:

PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
64 bytes from 192.168.0.3: icmp_seq=1 ttl=128 time=32.4 ms

TCP Dump

but I can't see anything from tcpdump:

0 packets captured
0 packets received by filter
0 packets dropped by kernel

Although if I ping the OpenVPN server directly (ping 192.168.0.1), I can see packets being captured there:

18:05:04.022747 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 5, seq 5, length 64
18:05:04.022801 IP 192.168.0.1 > 192.168.0.2: ICMP echo reply, id 5, seq 5, length 64

How can I capture inter-client communication packets on the server?

emte

1 Answer

If you use the client-to-client option, there is no way to see it with tcpdump. In this case OpenVPN doesn't forward any traffic to the kernel: it receives a packet, processes it and sends it to the other client, and since the packet is neither destined for the server system nor routed through it, there is no need to emit it to the tun device.

You can see whether the traffic is inside OpenVPN by using the management console and a high verbosity level (6):

In server config file:

...
management localhost 7505
...

Use:

$ telnet localhost 7505
...
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
log on
SUCCESS: real-time log notification set to ON
verb 6
SUCCESS: verb level changed
>LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX UDPv4 READ [XXX] from [AF_INET]XXX.XXX.XXX.XXX:XXXXX (via [AF_INET]XXX.XXX.XXX.XXX%XXX): P_DATA_V2 kid=2 DATA len=XXX
>LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX TUN WRITE [XXX]
>LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX TUN READ [XXX]
>LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX UDPv4 WRITE [XXX] to [AF_INET]XXX.XXX.XXX.XXX:XXXXX (via [AF_INET]XXX.XXX.XXX.XXX%XXX): P_DATA_V2 kid=2 DATA len=XXX
...
log off
SUCCESS: real-time log notification set to OFF
verb 3
SUCCESS: verb level changed
exit
$

(In this case I had to type 'log off' blindly, because the output was completely disturbed by the real-time log. I did this on a busy server, but it worked anyway.)

See man openvpn for details. Note that everything will also reach the server log file if one is used, and with a high amount of traffic the log will become very large. AFAIK you can even make it log packet data in hex form.

Nikita Kipriyanov
  • So if I want to see this traffic and apply some advanced routing with iptables, I would have to create two servers and forward traffic from one to another in order to hit the kernel (and apply iptables rules)? – emte Feb 06 '21 at 19:46
  • I just tested that and it works like a charm :) Thanks a lot for the clarification about packets not hitting the kernel with the client-to-client option – emte Feb 06 '21 at 20:23
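The management-interface session in the answer can be scripted, and the resulting log lines tell you per client whether a datagram crossed the tun device (TUN READ/TUN WRITE, visible to tcpdump) or was switched entirely inside the daemon (UDP READ followed directly by UDP WRITE, invisible to tcpdump). The following is an added example, not code from the original post or from the OpenVPN project. It assumes a server config with "management localhost 7505" and no management password, as in the answer; the peer names, the 203.0.113.x/198.51.100.x addresses and the SAMPLE_LINES are constructed data that mirror the line format shown above.

```python
"""Tally OpenVPN verb-6 management log lines per client: TUN vs UDP events.

Added example (not from the original post). The management host/port,
peer names, addresses and SAMPLE_LINES below are assumptions/constructed.
"""
import re
import socket
import time
from collections import Counter, defaultdict

# Real-time log notification line: >LOG:<unix time>,<flags>,<message>
LOG_RE = re.compile(r"^>LOG:(\d+),([A-Z]*),(.*)$")
# Message prefix "<cn>/<real ip>:<port> " identifies the peer context
PEER_RE = re.compile(r"^(\S+/\S+:\d+)\s+(.*)$")
# Data-path events emitted at verb 6
EVENT_RE = re.compile(r"^(UDPv[46] READ|UDPv[46] WRITE|TUN READ|TUN WRITE)\b")

# Constructed sample: an inter-client ping (client2 -> client3 and back,
# switched inside OpenVPN, no TUN events) followed by a client2 -> server
# ping (crosses the tun device in both directions).
SAMPLE_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    "SUCCESS: real-time log notification set to ON",
    ">LOG:1612639797,D,client2/203.0.113.10:51820 UDPv4 READ [144] from [AF_INET]203.0.113.10:51820 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=130",
    ">LOG:1612639797,D,client3/203.0.113.20:41000 UDPv4 WRITE [144] to [AF_INET]203.0.113.20:41000 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=130",
    ">LOG:1612639797,D,client3/203.0.113.20:41000 UDPv4 READ [144] from [AF_INET]203.0.113.20:41000 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=130",
    ">LOG:1612639797,D,client2/203.0.113.10:51820 UDPv4 WRITE [144] to [AF_INET]203.0.113.10:51820 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=130",
    ">LOG:1612639798,D,client2/203.0.113.10:51820 UDPv4 READ [144] from [AF_INET]203.0.113.10:51820 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=130",
    ">LOG:1612639798,D,client2/203.0.113.10:51820 TUN WRITE [84]",
    ">LOG:1612639798,D,client2/203.0.113.10:51820 TUN READ [84]",
    ">LOG:1612639798,D,client2/203.0.113.10:51820 UDPv4 WRITE [144] to [AF_INET]203.0.113.10:51820 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=130",
]


def parse_log_line(line):
    """Return (peer, event) for a data-path LOG line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = PEER_RE.match(m.group(3))
    if not p:
        return None
    peer, rest = p.groups()
    e = EVENT_RE.match(rest)
    if not e:
        return None
    # Fold UDPv4/UDPv6 into one label so IPv6 transports count the same way
    return peer, re.sub(r"^UDPv[46]", "UDP", e.group(1))


def summarize(lines):
    """Per-peer Counter of UDP READ/WRITE and TUN READ/WRITE events."""
    per_peer = defaultdict(Counter)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            peer, event = parsed
            per_peer[peer][event] += 1
    return per_peer


def kernel_visible_fraction(counts):
    """Fraction of a peer's datagrams that crossed the tun device.

    0.0 means everything was switched inside OpenVPN (client-to-client),
    so tcpdump -i tun0 on the server will never see it.
    """
    udp = counts["UDP READ"] + counts["UDP WRITE"]
    tun = counts["TUN READ"] + counts["TUN WRITE"]
    return tun / udp if udp else 0.0


def watch(host="127.0.0.1", port=7505, seconds=10):
    """Collect verb-6 real-time log lines from the management interface.

    Assumes 'management <host> <port>' without a password. Verbosity is
    restored to 3 and logging switched off even if collection is cut short.
    """
    lines, buf = [], b""
    with socket.create_connection((host, port), timeout=5) as s:
        s.settimeout(1)
        s.sendall(b"log on\nverb 6\n")
        try:
            deadline = time.monotonic() + seconds
            while time.monotonic() < deadline:
                try:
                    chunk = s.recv(65536)
                except socket.timeout:
                    continue
                if not chunk:
                    break
                buf += chunk
                *done, buf = buf.split(b"\n")
                lines.extend(d.decode("utf-8", "replace") for d in done)
        finally:
            s.sendall(b"log off\nverb 3\nexit\n")
    return lines


if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with watch() on a live server.
    for peer, counts in summarize(SAMPLE_LINES).items():
        print(f"{peer}: {dict(counts)} tun/udp={kernel_visible_fraction(counts):.2f}")
```

A peer whose fraction stays near 0.0 while its UDP counters climb is talking only to other clients through the daemon's internal switch; that is the traffic the question could not capture. Because verb 6 exposes a line per datagram and the management socket can change server state, keep it bound to localhost (as in the answer's config) and consider protecting it with a password file.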