Dear Luca,

We forwarded your issue to the Trento & Spain node helpdesk teams in order to provide help.

Kind regards,
IWAVE team, on behalf of the helpdesk team

> Hello Fiware Lab help.
>
> We are setting up a VPN between our resources in Trento node and Spain node
> using OpenVPN.
>
> We have an OpenVPN server running on Spain node and an OpenVPN client on
> Trento node connected to the Spain server.
> Everything works fine between client and server: they can ping each other
> through the VPN tunnel (interface TUN0).
>
> When we want to ping machines between the two subnets the packets are
> dropped as they leave the client/server connected through TUN0.
> We have set up static routes consistent with the VPN:
> Spain LAN --> Trento LAN: use the OpenVPN server on Spain LAN as a gateway
> Trento LAN --> Spain LAN: use the OpenVPN client on Trento LAN as a gateway.
>
> It seems that there is a firewall rule on nodes that blocks traffic coming
> from a different private network than the one set up in the node itself. So
> when we ping a machine on Spain from Trento LAN, the ping reaches the
> SpainOPENVPN server and drops immediately after, probably because the SPAIN
> node firewall sees traffic coming from our Trento LAN, which has a
> different network address than our Spain LAN.
> The same if we do the contrary.
>
> Strong evidence that a node firewall rule could be the cause is found if
> we use IP masquerading on the SpainOPENVPN server on traffic coming from Trento
> LAN, faking as if they come from the SpainOPENVPN server.
> With masquerading they aren't dropped anymore on Spain, but they get lost
> on the way back, when Trento sees answers coming from Spain node, dropping
> as they leave the Trento OPENVPN client.
>
> Double masquerading (Spain and Trento OPENVPN tunnel endpoints) isn't a
> solution, cause it violates the Same Origin Policy and consequently the
> answering packets are dropped cause they are seen as if they come from a
> Man In The Middle (TRENTO01 ping request --> SPAIN Server Masquerading -->
> SPAIN01 ping reply ---> SPAIN Server UNMasquerading --> Trento Client
> MASQUERADING --> SOP policy on TRENTO01 --> drop.)
>
> We are clueless.
> Can you give us some insights to elaborate a workaround? Is it possible to
> accept packets from a different private network on a node?
>
> My FWLa account is:
> *luca.silvestri at ecogriddy.com <luca.silvestri at ecogriddy.com>*
>
> Many thanks,
>
> --
> *Luca Silvestri - Founder & CEO @ Ecogriddy*
> _______________________________________________
> Fiware-lab-help mailing list
> Fiware-lab-help at lists.fi-ware.org
> https://lists.fi-ware.org/listinfo/fiware-lab-help
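Before attributing the drops to the node firewall, each OpenVPN endpoint's own forwarding setup is worth checking. The script below is an added example, not part of the thread or any FIWARE Lab tooling: `audit_gateway()` is a hypothetical helper that reads the text of `sysctl -a` and `iptables-save` from a Linux gateway and flags the settings that commonly stop LAN-to-LAN traffic through the tunnel (IP forwarding, strict reverse-path filtering, a FORWARD chain that accepts only one direction, and the masquerade workaround from the message). The interface names and the 10.0.2.0/24 subnet are constructed sample values.

```python
"""Audit a Linux OpenVPN site-to-site gateway from saved sysctl / iptables-save text.
Hypothetical helper added for illustration; the sample inputs are constructed."""
import re

def audit_gateway(sysctl_text, iptables_save, tun_if, lan_if, remote_lan):
    """Return a list of findings; an empty list means this gateway is not the blocker."""
    findings = []
    sysctl = dict(re.findall(r"^(\S+)\s*=\s*(\S+)$", sysctl_text, re.M))
    if sysctl.get("net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward is not 1: kernel will not route %s <-> %s" % (tun_if, lan_if))
    # Strict rp_filter (=1) drops packets whose source would not be routed back via the ingress interface
    for key in ("net.ipv4.conf.all.rp_filter", "net.ipv4.conf.%s.rp_filter" % tun_if):
        if sysctl.get(key) == "1":
            findings.append("%s=1 (strict): traffic from %s arriving on %s may be dropped" % (key, remote_lan, tun_if))
    # The FORWARD chain must accept both directions unless its default policy is already ACCEPT
    policy = re.search(r"^:FORWARD (\w+)", iptables_save, re.M)
    rules = re.findall(r"^-A FORWARD (.*)$", iptables_save, re.M)
    def accepts(in_if, out_if):
        return any("-i %s " % in_if in r and "-o %s " % out_if in r and r.endswith("-j ACCEPT") for r in rules)
    if policy and policy.group(1) != "ACCEPT":
        for in_if, out_if in ((tun_if, lan_if), (lan_if, tun_if)):
            if not accepts(in_if, out_if):
                findings.append("FORWARD policy %s and no ACCEPT rule for -i %s -o %s" % (policy.group(1), in_if, out_if))
    # MASQUERADE towards the LAN hides remote_lan behind this gateway; replies then rely on NAT state
    nat_rules = re.findall(r"^-A POSTROUTING (.*-j MASQUERADE)$", iptables_save, re.M)
    if any("-o %s " % lan_if in r for r in nat_rules):
        findings.append("MASQUERADE on %s: local hosts see %s traffic as coming from this gateway" % (lan_if, remote_lan))
    return findings

# Constructed sample resembling the situation in the thread: masquerading on the LAN side,
# strict rp_filter globally, and a FORWARD chain that only accepts tunnel-to-LAN traffic.
SAMPLE_SYSCTL = """net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.tun0.rp_filter = 0
"""
SAMPLE_IPTABLES = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_SYSCTL, SAMPLE_IPTABLES, "tun0", "eth0", "10.0.2.0/24"):
        print("-", finding)
```

On a real gateway, feed it `sysctl -a` and `iptables-save` output captured on the OpenVPN server and client separately; a clean result on both narrows the problem to the node-level filtering the message suspects.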