How do I route packets from one linode to another?
I have a 3CX phone system running on a linode.
I have Cisco phones in my office that need to be able to talk to the phone system without NAT changing the source IP address of their packets.
I have an Open VPN server in my office connected to an Open VPN server on a second linode in the same data center as phone system.
Both linodes have private IP addresses and can ping one another via those private IP addresses.
I have set up routes on my office router, on the office Open VPN server, on the linode Open VPN server and on the linode 3CX server to ensure traffic created in the office destined for the 3CX server will travel through the VPN and over the private linode network and back.
I am finding, however, that packets leaving the linode Open VPN server that originated from the office, never reach the 3CX server.
Here's how I would expect the traffic to travel, and it does, except for the last hop:
(device in office) 192.168.1.110 eth0 ->
(Open VPN server in office) -> 192.168.1.105 eth1 -> 10.8.0.2 tun0 ->
(linode Open VPN server) -> 10.8.0.1 tun0 -> 192.168.148.28 eth0:1 ->
(linode 3CX server) -> 192.168.131.76 eth0:1
I have /proc/sys/net/ipv4/ip_forward set to 1 on both Open VPN servers and iptables are empty with INPUT, FORWARD and OUTPUT policy set to ACCEPT.
I used scapy to create some packets on the Open VPN linode and used tcpdump to watch that traffic arriving on the 3CX linode:
Open VPN linode:
root@localhost:~# scapy
x = IP()
x.src = '192.168.148.28'
x.dst = '192.168.131.76'
send(x/ICMP())
.
Sent 1 packets.
3CX linode:
root@localhost:~# tcpdump -n icmp -i eth0:1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0:1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:56:01.313548 IP 192.168.148.28 > 192.168.131.76: ICMP echo request, id 0, seq 0, length 8
21:56:01.313615 IP 192.168.131.76 > 192.168.148.28: ICMP echo reply, id 0, seq 0, length 8
But when I change the src address to 192.168.1.110 (which is what I'd expect if the traffic is coming from my office), the packet never arrives at the 3CX linode:
Open VPN linode:
root@localhost:~# scapy
x = IP()
x.src = '192.168.1.110'
x.dst = '192.168.131.76'
send(x/ICMP())
.
Sent 1 packets.
3CX linode:
root@localhost:~# tcpdump -n icmp -i eth0:1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0:1, link-type EN10MB (Ethernet), capture size 262144 bytes
Has anyone had experience with using one linode with Open VPN to route traffic to another linode? If so, can you see what I'm doing wrong?
7 Replies
Linodes have filtering applied to them that will drop any outgoing traffic that does not have a source address that is assigned to the Linode (certain very narrow exceptions are made so that certain necessary protocols work, like DHCP and IPv6 NDP). You would need to use some sort of VPN or tunnel (like OpenVPN, ipip, or gre) between your OpenVPN Linode and your PBX Linode to encapsulate the traffic from your office that you want to send to the PBX Linode. No NAT is required, but you would need to add static routes to the PBX Linode to tell it that the office IP space is on the other end of the VPN or tunnel (and then your OpenVPN Linode would take care of passing that traffic down your OpenVPN tunnel to your office).
Edit: Clarified where the VPN/tunnel needs to exist
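A concrete form of the tunnel-plus-static-routes setup the reply describes, written as an added example (not code from the thread or from Linode): an ipip tunnel between the two Linodes, with the office prefix routed into it on the PBX side and a policy rule on the OpenVPN side so that only office-sourced packets enter the tunnel. The private IPs and office prefix are taken from the question; the tunnel name, the inner 10.9.0.0/30 addresses and routing table 100 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): ipip tunnel between the OpenVPN Linode
# and the PBX Linode, so office-sourced packets cross the private network inside
# packets whose outer source is the Linode's own IP, the one the filter accepts.
# Private IPs and office prefix are from the thread; the tunnel name, inner
# 10.9.0.0/30 addresses and routing table 100 are assumptions.
set -eu
OVPN_PRIV=192.168.148.28     # OpenVPN Linode private IP
PBX_PRIV=192.168.131.76      # 3CX (PBX) Linode private IP
OFFICE_NET=192.168.1.0/24    # office LAN, reached on the OpenVPN Linode via tun0
TUN_NAME=ipip_pbx            # assumed ipip interface name
OVPN_TUN_IP=10.9.0.1         # assumed inner address, OpenVPN side
PBX_TUN_IP=10.9.0.2          # assumed inner address, PBX side
TABLE=100                    # assumed policy-routing table for office traffic

# run: execute the command, or only print it when DRY_RUN=1 (preview mode).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# configure_side ovpn|pbx: bring up the tunnel on that Linode and add the
# routes that keep office-addressed packets inside it.
configure_side() {
    case "$1" in
        ovpn) local_ip=$OVPN_PRIV remote_ip=$PBX_PRIV my_tun=$OVPN_TUN_IP ;;
        pbx)  local_ip=$PBX_PRIV remote_ip=$OVPN_PRIV my_tun=$PBX_TUN_IP ;;
        *) echo "usage: configure_side ovpn|pbx" >&2; return 2 ;;
    esac
    run ip tunnel add "$TUN_NAME" mode ipip local "$local_ip" remote "$remote_ip"
    run ip addr add "$my_tun/30" dev "$TUN_NAME"
    run ip link set "$TUN_NAME" up
    if [ "$1" = pbx ]; then
        # PBX: the office prefix lives at the far end of the tunnel, so replies
        # to 192.168.1.x leave encapsulated with 192.168.131.76 as outer source.
        run ip route add "$OFFICE_NET" dev "$TUN_NAME"
    else
        # OpenVPN Linode: only packets sourced from the office go into the
        # tunnel; the encapsulated packet (source 192.168.148.28) still uses the
        # main table and leaves eth0 normally, so no routing loop is created.
        run ip rule add from "$OFFICE_NET" lookup "$TABLE"
        run ip route add "$PBX_PRIV/32" dev "$TUN_NAME" table "$TABLE"
    fi
}

# Usage: sh tunnel.sh ovpn (OpenVPN Linode) / sh tunnel.sh pbx (3CX Linode);
# DRY_RUN=1 prints the commands instead of running them.
if [ "$#" -ge 1 ]; then configure_side "$1"; fi
```

The policy rule on the OpenVPN side also satisfies a strict rp_filter for the returning packets, since the reverse lookup for a reply to 192.168.1.x hits table 100 and resolves to the tunnel interface.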
Many thanks for your reply dwfreed,
I did some more Googling after posting the question and found that the linode filtering was dropping the packets that were leaving the linode Open VPN server (which my scapy tests seemed to indicate).
I only raised the question because the linode support staff replied to a support request saying that their infrastructure doesn't drop network packets on their private network.
Unfortunately I can't put an Open VPN server directly on the 3CX server (that was the first thing I tried) because as soon as Open VPN brings up the tun0 interface, 3CX segfaults.
It looks like I'll have to give up on the SIP phones I have and buy some others that support STUN and NAT.
Should see if you can get 3CX to fix that bug; it shouldn't segfault like that. Alternately, try another tunnel method, like ipip or gre, to see if it's happier with that. Nobody (except Linode) can sniff traffic on the network, so even though ipip and gre have no security, you don't have to worry about others observing your traffic (and if your phones support SIP-TLS and SRTP, you can use that to encrypt your traffic at that level).
Thanks for your suggestion. I've used ip l2tp to create a tunnel between the two linodes and all is now working as expected.
Hi,
I think that I have a similar situation to the one you described: we manage multiple Linodes and have now created an OpenVPN Linode. I can connect to this machine and ping a private address, but when we try the same ping to an internal IPv4 address from another Linode it doesn't work!!
Can you give details on how you solved this issue?
Thanks
@erst
I use https://www.zerotier.com/ for all my servers, works great.