I have a program which writes packets (destination address 10.3.0.2) to the TUN/TAP interface.
Network:
host1|tun0----eth1(10.3.0.1)|-------------------host2|eth1(10.3.0.2)|
Wireshark captures these packets from interface tun0, but they are not forwarded to interface eth1.
Commands:
sysctl -w net.ipv4.ip_forward=1
sysctl -p
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
/etc/init.d/networking restart
/etc/init.d/openvpn restart
Are you using a tun or a tap?
If you want your remote hosts to be in the same subnet, you should use tap instead of tun, remove 10.3.0.1 from eth1, create a bridge between eth1 and tap0, and assign 10.3.0.1 to the bridge interface.
This is slightly less efficient than a tun, but will allow non-IP and broadcast traffic between your vpn hosts and the local network (and consequently, allow your vpn hosts to use a dhcp server on the local net, or spoof their addresses if they want to).
If you want a separate network for your vpn hosts, you should dedicate a pair of addresses for the tunnel (or more if you are using openvpn in multi-client server mode instead of in p2p mode), and you should make sure these addresses are bound to the tun interface, and that the tun is up. In your drawing there is no address for the tunnel.
Depending on your distribution, restarting the networking service may be destroying the changes you made to iptables.
You need to set up bridging between your two interfaces (tun0 and eth0); here is some documentation about how to set up bridges:
http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
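As an added example (not code from the thread or from either answerer): a small POSIX shell script that checks the three things the answers above point at, ip_forward being on, the tun being up with an address bound, and the FORWARD rule surviving a networking restart, and prints the tap+bridge layout from the first answer in iproute2 syntax. The interface names and 10.3.0.1 are taken from the question's diagram; the /24 netmask, the br0 and tap0 names, and the sample `ip addr show` capture are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the tun forwarding
# problem above. Interface names and 10.3.0.1 come from the question's diagram;
# the /24 netmask and the br0/tap0 names are assumptions.
TUN_IF=${TUN_IF:-tun0}
LAN_IF=${LAN_IF:-eth1}
LAN_ADDR=${LAN_ADDR:-10.3.0.1/24}

# $1 = output of `sysctl -n net.ipv4.ip_forward`; succeeds when forwarding is on.
forwarding_enabled() { [ "$1" = 1 ]; }

# $1 = output of `ip addr show dev $TUN_IF`; succeeds only when the interface
# carries the UP flag and has an IPv4 address bound (both needed for routing).
tun_ready() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: [^:]+: <([A-Z_]+,)*UP[,>]' || return 1
    printf '%s\n' "$1" | grep -Eq '^ *inet [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' || return 1
}

# $1 = output of `iptables -S FORWARD`; succeeds when a rule accepts packets
# arriving on the tun (exact name or the tun+ wildcard used in the question).
forward_rule_present() {
    printf '%s\n' "$1" | grep -Eq '^-A FORWARD -i (tun\+|'"$TUN_IF"') -j ACCEPT$'
}

# Prints the tap+bridge setup described in the first answer (iproute2 syntax):
# move 10.3.0.1 off eth1, bridge eth1 with tap0, put the address on the bridge.
bridge_cmds() {
    printf 'ip addr del %s dev %s\n' "$LAN_ADDR" "$LAN_IF"
    printf 'ip link add name br0 type bridge\n'
    printf 'ip link set dev %s master br0\n' "$LAN_IF"
    printf 'ip link set dev tap0 master br0\n'
    printf 'ip addr add %s dev br0\n' "$LAN_ADDR"
    printf 'ip link set dev br0 up\n'
}

# Constructed `ip addr show dev tun0` capture for the offline demo (not real output).
SAMPLE_TUN='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
    link/none
    inet 10.3.0.5 peer 10.3.0.6/32 scope global tun0'

if [ "${1-}" = "--live" ]; then   # needs root: sh check-tun.sh --live
    forwarding_enabled "$(sysctl -n net.ipv4.ip_forward)" || echo "net.ipv4.ip_forward is 0"
    tun_ready "$(ip addr show dev "$TUN_IF")" || echo "$TUN_IF is down or has no address"
    forward_rule_present "$(iptables -S FORWARD)" || echo "FORWARD rule for $TUN_IF missing (lost on restart?)"
else
    tun_ready "$SAMPLE_TUN" && echo "constructed sample: $TUN_IF is up with an address"
    bridge_cmds
fi
```

Run the live checks after the networking restart in the question: if the FORWARD rule has disappeared, that is the restart wiping iptables, as the first answer warns.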
The problem you are having is due to not having enabled the gre module in the kernel: sudo modprobe ip_gre