
I have a functioning openvpn connection to a digital ocean debian server.

Here's my routing table, ip route:

0.0.0.0/1 via 10.8.0.5 dev tun0 
default via 192.168.1.1 dev eth0 onlink 
10.8.0.1 via 10.8.0.5 dev tun0 
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6 
128.0.0.0/1 via 10.8.0.5 dev tun0 
159.203.40.61 via 192.168.1.1 dev eth0 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.132 

All is fine.

If I traceroute my debian machine (159.203.40.61), the first hop is immediately the default gateway, because of rule 159.203.40.61 via 192.168.1.1 dev eth0. No question there.

If I traceroute an external IP, like 8.8.8.8, the first hop is 10.8.0.1. That's because of rule 0.0.0.0/1 via 10.8.0.5 dev tun0 and unicast rule 10.8.0.1 via 10.8.0.5 dev tun0. So, traffic is encrypted locally using tun0 interface (first hop 10.8.0.1). I think it's going to 10.8.0.1 (and not .5) because of the unicast rule (correct me if I'm wrong).

However, the second hop (when tracerouting an external IP) is 159.203.24.253. That's a digital ocean IP, but it's not my digital ocean debian machine's IP. Why is that?

 2  159.203.24.253 (159.203.24.253)  117.230 ms  116.918 ms 159.203.24.254 (159.203.24.254)  117.266 ms

(there's also a .254, for load balancing I guess)

I thought that since it needs to go outside, it's switching from interface tun0 to interface eth0 where the default gateway is (192.168.1.1). Then, since there's the unicast rule 159.203.40.61 via 192.168.1.1 dev eth0, I'm expecting the second hop to be 159.203.40.61, but it's not (instead it's 159.203.24.253).

Update: On the digital ocean debian machine, there's this routing rule:

159.203.24.0/20 dev eth0 proto kernel scope link src 159.203.40.61

So, 159.203.24.253 and .254 are on the same network as my digital ocean machine.

And the default gateway there is 159.203.24.1.

Maybe there's a rule on the 159.203.24.1 router that is sending the packet to 159.203.24.253 and .254.

Update 2, and maybe the answer:

Requesting 8.8.8.8 on my local machine. Data encryption on tun0. First hop is 10.8.0.1 (not .5 because of unicast rule). To go there, need to switch to eth0: using default gateway 192.168.1.1 to go to 159.203.40.61 (unicast rule).

The digital ocean machine receives the packet. It first goes to 10.8.0.1, data decryption on tun0. Then, since the final destination is 8.8.8.8, it switches to eth0: default gateway is 159.203.24.1, which is a router that sends the packet to the second hop, which is 159.203.24.253/254.

Seems that gateways involved between two hops are not shown in a traceroute.

trogne
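The route selection the question reasons about (why 8.8.8.8 leaves through tun0, why the VPN server's own address leaves through eth0, and why the split 0.0.0.0/1 + 128.0.0.0/1 routes beat the default route) is ordinary longest-prefix matching. The following is an added example, not code from the question or from any OpenVPN project: it parses the `ip route` output quoted above (copied here as a constructed string) and looks up destinations the way the kernel does. The `parse_ip_route` and `lookup` names are this example's own. It also shows, by dropping the /32 host route for 159.203.40.61, why that route matters: without it the VPN server's address would itself match 128.0.0.0/1 and be sent into the tunnel, which is the classic VPN routing loop.

```python
import ipaddress

# Constructed copy of the `ip route` output quoted in the question.
IP_ROUTE_OUTPUT = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 onlink
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
159.203.40.61 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.132
"""


def parse_ip_route(text):
    """Parse `ip route` lines into (network, gateway_or_None, dev) tuples.

    A bare address such as 159.203.40.61 is a host (/32) route; "default"
    is 0.0.0.0/0. Attributes like proto/scope/src/onlink are ignored.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(prefix, strict=False)
        gateway = None
        dev = None
        i = 1
        while i < len(fields):
            if fields[i] == "via":
                gateway = ipaddress.ip_address(fields[i + 1])
                i += 2
            elif fields[i] == "dev":
                dev = fields[i + 1]
                i += 2
            else:
                i += 1
        routes.append((network, gateway, dev))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns the matched prefix, the next hop the packet is handed to, and
    the egress interface. For a directly connected route (no "via") the
    next hop is the destination itself.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway, dev in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, dev)
    if best is None:
        return None
    network, gateway, dev = best
    return {"prefix": str(network), "next_hop": str(gateway or dst), "dev": dev}


ROUTES = parse_ip_route(IP_ROUTE_OUTPUT)

# Same table without the /32 host route to the VPN server, to show the loop.
ROUTES_WITHOUT_HOST_ROUTE = [r for r in ROUTES if str(r[0]) != "159.203.40.61/32"]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.1.1", "159.203.40.61", "10.8.0.1", "192.168.1.50"):
        print(dst, "->", lookup(ROUTES, dst))
    print("without host route:", lookup(ROUTES_WITHOUT_HOST_ROUTE, "159.203.40.61"))
```

The lookup reports the next hop the local kernel hands the packet to (10.8.0.5 for tunnelled traffic), whereas traceroute lists the addresses that answer with ICMP Time Exceeded, which is why the tunnel's far end 10.8.0.1 appears as hop one and the point-to-point gateway address does not.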