
I am trying to set up OpenVPN chaining in the following configuration.

Laptop --> server1 --> server2 --> Internet

The VPN links individually work between laptop and server1 and between server1 and server2. However, when I bring them both up together, the link between laptop and server1 always breaks. I tried debugging the connectivity issues, and found that the packets from the laptop are being dropped after reaching server1's eth0 interface, and not reaching tun0. Below is the output of ifconfig and of ip route show on server1:

eth0      Link encap:Ethernet  HWaddr 8e:9b:25:9e:a7:56  
          inet addr:X.X.X.6  Bcast:159.89.143.255  Mask:255.255.240.0
          inet6 addr: fe80::8c9b:25ff:fe9e:a756/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4185 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:923402 (923.4 KB)  TX bytes:797425 (797.4 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:11987 (11.9 KB)  TX bytes:11987 (11.9 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1524 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1072 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:141416 (141.4 KB)  TX bytes:263278 (263.2 KB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.1.6  P-t-P:10.8.1.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ip route output:

0.0.0.0/1 via 10.8.1.5 dev tun1 
default via X.X.X.1 dev eth0 onlink
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
10.8.1.1 via 10.8.1.5 dev tun1
10.8.1.5 dev tun1  proto kernel  scope link  src 10.8.1.6
128.0.0.0/1 via 10.8.1.5 dev tun1 
X.X.X.0/20 dev eth0  proto kernel  scope link  src X.X.X.6 
Y.Y.Y.Y via X.X.X.1 dev eth0

Could anyone please help me debug this issue?

user1004985
  • Your netmask on eth0 looks very strange. It is probably wrong. Check your network configuration against what it is supposed to be. – Michael Hampton Jan 16 '18 at 19:07
  • The netmask on eth0 is the same before and after connecting to the VPN. I doubt that that would be the problem. – user1004985 Jan 16 '18 at 22:39
  • I'm not trying to waste your time. It really does look wrong, and if it is wrong, it will cause your server to be unable to access certain ranges of IP addresses. Check it anyway. – Michael Hampton Jan 16 '18 at 23:47

1 Answer


You haven't posted any client/server configs. But I suspect it is likely that both of your configs are trying to change the default gateway. This is going to be a problem when you connect to the second VPN, since it will wipe out the routes that permitted you to access server2.

Without configs, or a good network diagram including all the addresses of all the systems, I can't really give you specifics, but my best guess is that you need to have your VPN to server1 have a route defined specifically for the subnet between server1 and server2 via the server1 VPN tunnel interface, though you might want to expand that to include routes for all the subnets that are local to any of the server1 interfaces.

P.S. Not really related to the answer, but you seem to be using the net_30 topology for both VPNs, which is an annoying feature only needed for backwards compatibility with really old clients. Consider switching everything over to topology subnet.

Zoredache
  • This was the solution I was looking for. Thanks. Also, how did you determine that it was a net_30 topology? – user1004985 Jan 19 '18 at 00:25
  • From your `ip addr` you have `inet addr:10.8.0.1 P-t-P:10.8.0.2`. The subnet topology isn't going to be `P-t-P`, aka point-to-point. Also the addresses of the interfaces: the net30 topology will always have interface addresses like `1, 5, 9, 13, 17, 21, ...`. – Zoredache Jan 19 '18 at 00:33
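As an added illustration (not part of the question or the answer), the script below performs the longest-prefix lookup the kernel does over the exact routing table posted for server1, to show which interface a reply to a given address leaves on once the second tunnel's 0.0.0.0/1 and 128.0.0.0/1 routes are in place. The public addresses are redacted in the post, so 203.0.113.x, 198.51.100.9 and the laptop's 192.0.2.50 are constructed stand-ins.

```python
import ipaddress

# Routing table from server1's "ip route show" in the question. The post
# redacts the public addresses (X.X.X.x, Y.Y.Y.Y); the 203.0.113.x and
# 198.51.100.9 values below are constructed documentation-range stand-ins.
SERVER1_ROUTES = """\
0.0.0.0/1 via 10.8.1.5 dev tun1
default via 203.0.113.1 dev eth0 onlink
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
10.8.1.1 via 10.8.1.5 dev tun1
10.8.1.5 dev tun1  proto kernel  scope link  src 10.8.1.6
128.0.0.0/1 via 10.8.1.5 dev tun1
203.0.113.0/20 dev eth0  proto kernel  scope link  src 203.0.113.6
198.51.100.9 via 203.0.113.1 dev eth0
"""

def parse_routes(text):
    """Turn 'ip route show' lines into (network, dev, via) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]  # bare host -> /32
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((ipaddress.ip_network(dest, strict=False),
                       f[f.index("dev") + 1], via))
    return routes

def reply_dev(routes, ip):
    """Longest-prefix match: the interface the kernel would send a reply
    to ip out of (None if no route matches)."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def asymmetric(routes, ingress_dev, sources):
    """Sources whose packets arrive on ingress_dev but would be answered via
    another interface: the reverse-path mismatch behind the observed drop."""
    return {s: reply_dev(routes, s) for s in sources
            if reply_dev(routes, s) != ingress_dev}

if __name__ == "__main__":
    table = parse_routes(SERVER1_ROUTES)
    # 192.0.2.50 is a constructed stand-in for the laptop's public address.
    for host in ("192.0.2.50", "198.51.100.9", "10.8.0.77", "8.8.8.8"):
        print(f"{host:>14} -> {reply_dev(table, host)}")
    print("arrive on eth0 but answered elsewhere:",
          asymmetric(table, "eth0", ["192.0.2.50", "198.51.100.9"]))
```

A laptop address that arrives on eth0 but resolves to tun1 has an asymmetric path; with strict reverse-path filtering (net.ipv4.conf.eth0.rp_filter=1) the kernel discards such packets on ingress, which is consistent with seeing them on eth0 but never on tun0.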