
I have the following problem: I am running an OpenVPN Server on my Debian 8 VPS. Everything is working fine except for one thing: All traffic to any server is completely routed through tun0 (according to traceroute), but any traffic to the external IP of my server (173.212.###.220, not the VPN internal one) is not.

Traceroute to google.com:

traceroute to google.com (172.217.23.174), 30 hops max, 60 byte packets
1  10.8.0.1 (10.8.0.1)  39.808 ms  39.866 ms  40.808 ms
2  ip-1-90-136-213.static.contabo.net (213.136.90.1)  43.087 ms 43.302 ms  43.267 ms
3  de-cix10.net.google.com (80.81.192.108)  55.582 ms  56.259 ms 57.598 ms
4  64.233.174.25 (64.233.174.25)  55.380 ms 64.233.174.255 (64.233.174.255)  59.579 ms  60.960 ms
5  216.239.47.245 (216.239.47.245)  58.919 ms  59.996 ms 216.239.47.247 (216.239.47.247)  60.717 ms
6  fra15s22-in-f174.1e100.net (172.217.23.174)  65.493 ms  49.944 ms  50.290 ms

Traceroute to 173.212.###.220:

traceroute to #######.de (173.212.###.220), 30 hops max, 60 byte packets
1  gateway (192.168.1.1)  0.264 ms  0.349 ms  0.472 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  mail.#######.de (173.212.###.220)  44.989 ms  45.009 ms  45.238 ms

Why is that? I mean, why is everything routed through the VPN except for traffic to and from the VPN server itself?

rocket_doge_

1 Answer


I mean, why is everything routed through the VPN except for traffic to and from the VPN server itself

Because the VPN software needs to be able to communicate with the VPN server. If you didn't have a route that permits that to exist outside the tunnel, then the VPN connection would fail.

Is there a way for me to check my emails in school (the ports are blocked for some reason and the mail server is running on the same VPS)?

Your VPN is connected to that server, and you have a private IP for the server. Adjust your client software to use that private IP. If you want to be fancy you can set up some kind of internal DNS or something. The daemon software may need to be adjusted to listen on the VPN interface if it isn't listening on :: or *.*.*.*.

Zoredache
  • Is there a way for me to check my emails in school (the ports are blocked for some reason and the mail server is running on the same VPS)? – rocket_doge_ Apr 05 '17 at 16:35
  • If the VPN were the route to its own destination, the VPN would implode. The truck that carries your packages to London can go to London any way it wants, except inside that very same truck. – David Schwartz Apr 05 '17 at 16:36
  • Well, that makes sense :D So theres no way to access my email except for running OpenVPN or the mailserver on a different server? – rocket_doge_ Apr 05 '17 at 16:38
  • @rocket_doge_ Talk to the administrator of the server. – David Schwartz Apr 05 '17 at 16:38
  • @DavidSchwartz That would be me – rocket_doge_ Apr 05 '17 at 16:39
  • Updated with an answer to that comment. Basically, just use the private IP on the VPN network instead of the public IP. Possibly adjust your daemons to also listen on the server's VPN interface. – Zoredache Apr 05 '17 at 16:40
  • @Zoredache Would it be possible to use 173.212.###.220 to connect to the VPN and tell the computer that ######.de is at 10.8.0.1? – rocket_doge_ Apr 05 '17 at 16:40
  • @rocket_doge_ Ahh, so you didn't take this into account when you chose to put a mail server and a VPN server on the same VPS? ;) – David Schwartz Apr 05 '17 at 16:41
  • @DavidSchwartz Well, I only rent one VPS and since I need both there wasn't much thinking done about that :D – rocket_doge_ Apr 05 '17 at 16:41
  • Does it only have one public IP address? – David Schwartz Apr 05 '17 at 16:42
  • Yup – rocket_doge_ Apr 05 '17 at 16:43
  • `tell the computer that ######.de is at 10.8.0.1` - Resolving names to addresses is a DNS function. Your VPN can offer DNS servers to the client for resolution. You could setup a DNS server somewhere (probably on your vps) that has records that serve the private addresses. – Zoredache Apr 05 '17 at 16:47
  • @DavidSchwartz But if the VPN-Domain resolution to a VPN-Internal IP would create a black hole and destroy all of humanity, why does it work as intended on Android using the OpenVPN Connect client? – rocket_doge_ Apr 05 '17 at 16:58
  • @rocket_doge_ Likely it's because the OpenVPN Connect client uses more than one routing table. See [here](http://linux-ip.net/html/routing-tables.html) for more. – David Schwartz Apr 05 '17 at 17:07
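The answer's point (the tunnel needs a route to the server that lives outside the tunnel) and the comment thread's DNS workaround can both be made concrete by modelling the client's routing table. With `redirect-gateway def1`, OpenVPN leaves the original default route in place, adds `0.0.0.0/1` and `128.0.0.0/1` via tun0 (each longer than `/0`, so they win on longest-prefix match), and adds a `/32` host route for the server's public address via the original gateway. The following is an added example, not code from the question, the answer, or OpenVPN itself. The addresses come from the two traceroutes; the masked third octet of the server address (here `100`), the interface name `eth0`, and the hostname `mail.example.de` are placeholders I made up for the example.

```python
"""Longest-prefix-match model of an OpenVPN client's routing table with
``redirect-gateway def1`` in effect.  Added example, not from the question
or from OpenVPN.  The server's masked octet, ``eth0`` and the hostname are
assumptions/placeholders."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, Optional[str]]  # (prefix, iface, next hop)

LAN_GATEWAY = "192.168.1.1"            # first hop in the second traceroute
VPN_PEER = "10.8.0.1"                  # first hop in the first traceroute
VPN_SERVER_PUBLIC = "173.212.100.220"  # "100" stands in for the masked octet


def client_routes(server_public: str = VPN_SERVER_PUBLIC,
                  with_host_route: bool = True) -> List[Route]:
    """Routes as def1 mode leaves them on the client.

    The two /1 routes cover the whole address space and beat the untouched
    /0 default; the /32 host route for the server's public address via the
    physical gateway is what keeps the tunnel's own outer packets off tun0.
    """
    routes: List[Route] = [
        (ipaddress.ip_network("0.0.0.0/0"), "eth0", LAN_GATEWAY),   # original default
        (ipaddress.ip_network("0.0.0.0/1"), "tun0", VPN_PEER),      # def1, lower half
        (ipaddress.ip_network("128.0.0.0/1"), "tun0", VPN_PEER),    # def1, upper half
        (ipaddress.ip_network("10.8.0.0/24"), "tun0", None),        # VPN subnet, on-link
        (ipaddress.ip_network("192.168.1.0/24"), "eth0", None),     # LAN, on-link
    ]
    if with_host_route:
        routes.append((ipaddress.ip_network(f"{server_public}/32"), "eth0", LAN_GATEWAY))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match over a single table, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def egress_interface(routes: List[Route], dst: str) -> str:
    return lookup(routes, dst)[1]


def tunnel_would_loop(routes: List[Route], server_public: str = VPN_SERVER_PUBLIC) -> bool:
    """True if the encapsulated packets to the VPN server would themselves
    be routed into the tunnel (the 'truck inside the same truck' case)."""
    return egress_interface(routes, server_public) == "tun0"


# Constructed stand-in for the VPN-internal DNS view suggested in the comments.
INTERNAL_HOSTS: Dict[str, str] = {"mail.example.de": VPN_PEER}


def resolve(name: str, hosts: Dict[str, str] = INTERNAL_HOSTS,
            public_answer: str = VPN_SERVER_PUBLIC) -> str:
    """Internal override first, otherwise the public DNS answer."""
    return hosts.get(name, public_answer)


if __name__ == "__main__":
    rt = client_routes()
    for dst in ("172.217.23.174", VPN_SERVER_PUBLIC, VPN_PEER):
        prefix, iface, gw = lookup(rt, dst)
        print(f"{dst:>16} -> {iface} via {gw or 'link'} ({prefix})")
    print("loop without host route:", tunnel_would_loop(client_routes(with_host_route=False)))
    print("mail via VPN name ->", egress_interface(rt, resolve("mail.example.de")))
```

Run it and the three lookups reproduce the question: the Google address matches `128.0.0.0/1` and leaves via tun0, the server's public address matches its `/32` and leaves via the LAN gateway, and `10.8.0.1` matches the VPN subnet. Dropping the host route sends the tunnel's own traffic into tun0, which is the loop the comments describe; resolving the mail hostname to the VPN-internal address instead of the public one is what makes the mail connection go through the tunnel.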