I have two node servers running Xen 4.2 -- I'll call them Node A and Node B.
Node A is running OpenVPN as the server. Node B is running OpenVPN as the client. Both nodes host a number of Xen guest VMs. Node A and Node B are connected together via OpenVPN such that Node A is 10.0.0.1 and Node B is 10.0.0.2.
Here's where the problems start:
If I connect to a guest VM on Node B via SSH and issue the who command, it correctly reports back that I am logged in from my home Comcast IP address.
However, if I cconnect to a guest VM on Node A and issue the who command, it says that I am logged in, but not from my Comcast IP -- rather from the primary IP address of Node A.
This is problematic not only because guest VMs are incorrectly recording where logins are coming from, but we also have brute force detection. Five failed logins in a row and you get banned. Since all logins now appear to be coming from the primary IP address of node A, node A gets blocked by the firewall and the VM drops offline.
Does anyone know why this is happening?
route -n output from node A:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 204.XX.60.65 0.0.0.0 UG 0 0 0 em1
10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 em1
204.XX.60.0 0.0.0.0 255.255.255.0 U 0 0 0 em1
Contents of /etc/openvpn/server.conf from node A:
port 1194
proto tcp-server
dev tun0
# 10.0.0.1 is server-vpn
# 10.0.0.2 is backup-vpn
ifconfig 10.0.0.1 10.0.0.2
# Our pre-shared static key
secret static.key
# LZO compression
comp-lzo
tun-mtu 64800
mssfix 1440
# 3 -- medium output, good for normal operation.
verb 3
Solved this one, there was an errant POSTROUTING MASQUERADE rule in the iptables unrelated to the OpenVPN installation.
I removed the rule with:
Where
1is the rule number retrieved fromservice iptables status.