
I have an OpenVPN server and two clients.

I can ping the clients from each other, but when I do so, I don't see any packets on the server using tcpdump.

Server

It is running on 192.168.0.1, and I try to capture traffic using:

    tcpdump -i tun0 icmp --immediate-mode -l -n

Clients

Client 1 is running on 192.168.0.2, and I can ping client2 (ping 192.168.0.3), which resolves fine:

    PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
    64 bytes from 192.168.0.3: icmp_seq=1 ttl=128 time=32.4 ms

TCP Dump

but I can't see anything from tcpdump:

    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

Although if I ping the OpenVPN server directly (ping 192.168.0.1), I can see packets being captured there:

    18:05:04.022747 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 5, seq 5, length 64
    18:05:04.022801 IP 192.168.0.1 > 192.168.0.2: ICMP echo reply, id 5, seq 5, length 64

How can I capture inter-client communication packets on the server?

1 Answer

If you use the client-to-client option, there is no way to see it with tcpdump. In this case OpenVPN doesn't forward any traffic to the kernel. It receives a packet, processes it and sends it to another client, but since it is not destined for the server system nor routed through it, there is no need to emit it to the tun device.

You can see if traffic is inside OpenVPN by using the management console and a high verbosity level (6):

In server config file:

    ...
    management localhost 7505
    ...

Use:

    $ telnet localhost 7505
    ...
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    log on
    SUCCESS: real-time log notification set to ON
    verb 6
    SUCCESS: verb level changed
    >LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX UDPv4 READ [XXX] from [AF_INET]XXX.XXX.XXX.XXX:XXXXX (via [AF_INET]XXX.XXX.XXX.XXX%XXX): P_DATA_V2 kid=2 DATA len=XXX
    >LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX TUN WRITE [XXX]
    >LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX TUN READ [XXX]
    >LOG:1612639797,D,XXXX/XXX.XXX.XXX.XXX:XXXXX UDPv4 WRITE [XXX] to [AF_INET]XXX.XXX.XXX.XXX:XXXXX (via [AF_INET]XXX.XXX.XXX.XXX%XXX): P_DATA_V2 kid=2 DATA len=XXX
    ...
    log off
    SUCCESS: real-time log notification set to OFF
    verb 3
    SUCCESS: verb level changed
    exit
    $

(In this case I had to type 'log off' blindly, because the output was completely disturbed by the real-time log. I did this on a busy server, but it worked anyway.)

See man openvpn for details. Note that everything will also reach the server log file if one is used, and for a high amount of traffic there will be a very large log. AFAIK you can even make it log packet data in hex form.
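As an added example (not code from the answer, the asker, or the OpenVPN project), the script below automates the management-interface session shown above and then classifies the verb 6 `>LOG:` lines it returns, so you can see whether a client's decrypted data ever reached the tun device or was forwarded inside OpenVPN. It assumes the management interface listens on localhost 7505 without a password; the sample log lines, the client names `client1`/`client2` and the addresses are constructed placeholders modelled on the format in the answer.

```python
"""Collect OpenVPN management-interface real-time log at verb 6 and classify it.

Format assumed (from the answer's session): '>LOG:<unix_time>,<flags>,<message>', where a
packet message starts with '<common_name>/<addr>:<port> ' and then one of
'UDPv4 READ [n] from ...', 'TUN WRITE [n]', 'TUN READ [n]', 'UDPv4 WRITE [n] to ...'.
"""
import re
import socket
import time
from collections import defaultdict

LOG_RE = re.compile(r"^>LOG:(?P<ts>\d+),(?P<flags>[^,]*),(?P<msg>.*)$")
EVENT_RE = re.compile(
    r"^(?P<peer>[^/\s]+)/\S+ (?P<event>UDPv4 READ|UDPv4 WRITE|TUN READ|TUN WRITE) \[(?P<size>\d+)\]"
)


def parse_log_line(line):
    """Return (timestamp, common_name, event, size) for a data-packet log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = EVENT_RE.match(m.group("msg"))
    if not e:
        return None
    event = e.group("event")
    # Link packets without a P_DATA opcode are control channel traffic (P_CONTROL, P_ACK);
    # only data packets can carry tunnel payload, so the rest is ignored.
    if event.startswith("UDPv4") and "P_DATA" not in m.group("msg"):
        return None
    return int(m.group("ts")), e.group("peer"), event, int(e.group("size"))


def link_vs_tun(lines):
    """Per client common name, count data events on the link side and on the tun side."""
    counts = defaultdict(lambda: {"link_read": 0, "link_write": 0, "tun_read": 0, "tun_write": 0})
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _, peer, event, _ = parsed
        key = event.replace("UDPv4", "link").replace(" ", "_").lower()
        counts[peer][key] += 1
    return dict(counts)


def suspected_client_to_client(lines):
    """Clients whose decrypted data packets arrived on the link more often than anything was
    written to tun for them. With client-to-client, a packet for another client is decrypted and
    re-encrypted for its destination without a TUN WRITE, so it appears only as UDPv4 READ (source)
    plus UDPv4 WRITE (destination). Keepalive pings are also consumed internally, so treat this
    as an indicator rather than proof."""
    stats = link_vs_tun(lines)
    return sorted(cn for cn, c in stats.items() if c["link_read"] > c["tun_write"])


def capture_management_log(host="127.0.0.1", port=7505, seconds=10):
    """Run the session from the answer over a socket: 'log on', 'verb 6', collect for `seconds`,
    then 'log off', 'verb 3', 'quit'. Assumes no management password is configured."""
    buf = b""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(b"log on\nverb 6\n")
        s.settimeout(1)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                chunk = s.recv(65536)
            except socket.timeout:
                continue
            if not chunk:
                break
            buf += chunk
        s.sendall(b"log off\nverb 3\nquit\n")
    return buf.decode("utf-8", "replace").splitlines()


# Constructed sample: one packet from client1 to the server (TUN WRITE + reply), one packet from
# client1 forwarded internally to client2 (no TUN WRITE), and one control-channel ACK.
SAMPLE = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>LOG:1612639797,D,client1/203.0.113.10:49152 UDPv4 READ [120] from [AF_INET]203.0.113.10:49152 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=119
>LOG:1612639797,D,client1/203.0.113.10:49152 TUN WRITE [84]
>LOG:1612639797,D,client1/203.0.113.10:49152 TUN READ [84]
>LOG:1612639797,D,client1/203.0.113.10:49152 UDPv4 WRITE [120] to [AF_INET]203.0.113.10:49152 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=119
>LOG:1612639798,D,client1/203.0.113.10:49152 UDPv4 READ [120] from [AF_INET]203.0.113.10:49152 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=119
>LOG:1612639798,D,client2/203.0.113.20:49153 UDPv4 WRITE [120] to [AF_INET]203.0.113.20:49153 (via [AF_INET]198.51.100.1%eth0): P_DATA_V2 kid=2 DATA len=119
>LOG:1612639799,D,client1/203.0.113.10:49152 UDPv4 READ [52] from [AF_INET]203.0.113.10:49152 (via [AF_INET]198.51.100.1%eth0): P_ACK_V1 kid=0 [ ] pid=5
"""

if __name__ == "__main__":
    # Use capture_management_log() against a live server instead of SAMPLE.
    for cn, c in sorted(link_vs_tun(SAMPLE.splitlines()).items()):
        print(cn, c)
    print("forwarded inside OpenVPN:", suspected_client_to_client(SAMPLE.splitlines()))
```

Run it against the constructed sample and `client1` is flagged: two data packets were read from its link, but only one was written to tun0, which is exactly the situation the answer describes. On a real server the counts will also include keepalive pings, so compare the numbers per client over a quiet interval rather than treating any mismatch as proof.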

  • So if I want to see this traffic and apply some advanced routing with iptables, I would have to create two servers and forward traffic from one to another in order to hit the kernel (and apply iptables rules)? Commented Feb 6, 2021 at 19:46
  • I just tested that and it works like a charm :) Thanks a lot for the clarification about packets not hitting the kernel with the client-to-client option. Commented Feb 6, 2021 at 20:23
