Linode Forum
Linode Community Forums
 Post subject: port forwarding issue?
PostPosted: Fri Apr 11, 2008 10:54 am 
Offline
Senior Newbie

Joined: Mon Feb 18, 2008 10:15 am
Posts: 13
Since Verizon blocks port 80 inbound on their broadband connections, I thought I'd use port 80 on my linode and forward it through the openvpn tunnel to my home system. The iptables config was fairly simple (possibly too much so). I used DNAT to push packets arriving on eth0 into tun0, rewriting the destination to the private IP of the webserver at home. I also used SNAT to rewrite the source IP to the linode's tun0 IP so the return packets know where to go. Works fine (at first). I use a webmail application which periodically refreshes the screen, and I noticed that after a while (10 minutes or so?) there would be an error page the browser put up: "Connection timed out". An attempt to connect to port 80 from an external shell account would hang. After a while longer, it would just start working again. I don't think it's a conntrack issue, since this also happens for new connection attempts. Any ideas where to look? I can post my iptables rules if needed...


 Post subject: no ideas anyone?
PostPosted: Mon Apr 21, 2008 3:32 pm 
Offline
Senior Newbie

Joined: Mon Feb 18, 2008 10:15 am
Posts: 13
This is a real bummer. I caught it doing it just now, so I did a grep for dport=80 on the linode and saw:

tcp 6 114 SYN_SENT src=A.B.C.D dst=P.Q.R.S sport=32899 dport=80 packets=2 bytes=96 [UNREPLIED] src=10.8.0.2 dst=10.8.0.1 sport=80 dport=32899 packets=0 bytes=0 mark=0 secmark=0 use=1

I don't have it in my cut&paste buffer, but on the real server (at the other end of the openvpn tunnel), the matching entry showed up as FIN_WAIT.

Update: I was running a script that connects on port 80 and then disconnects. I tried running two at the same time, and when the freeze happened, both processes were stuck, and doing cat on the conntrack pseudofile showed two entries in SYN_SENT state. I'm mystified as to why one entry can get stuck, but even more mystified as to why this would prevent any new connections on that port.


PostPosted: Thu Oct 16, 2008 5:05 pm 
Offline
Newbie

Joined: Thu Oct 16, 2008 5:02 pm
Posts: 4
dswartz wrote:
I used DNAT to push packets arriving on eth0 into tun0,

How did you do that? I've tried to set up OpenVPN on a server with apache. I want to connect using OpenVPN and then see the webserver.

I think I need to take incoming tun0 packets and route them to lo, but I can't work out how to do this. iptables appears to route packets, but when I check the apache access_log it still shows the incoming IP address as the remote client, not as from the local machine.

So what you did above, sounds similar to what I need to do.


 Post subject: here you go
PostPosted: Thu Oct 16, 2008 5:57 pm 
Offline
Senior Newbie

Joined: Mon Feb 18, 2008 10:15 am
Posts: 13
Code:
/sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
/sbin/iptables -t nat -I POSTROUTING -o tun0 -p tcp --dport 80 -j SNAT --to-source 10.8.0.1


 Post subject: Re: no ideas anyone?
PostPosted: Fri Oct 17, 2008 1:54 pm 
Offline
Senior Member

Joined: Sun Nov 30, 2003 2:28 pm
Posts: 245
dswartz wrote:
Update: I was running a script that connects on port 80 and then disconnects. I tried running two at the same time, and when the freeze happened, both processes were stuck, and doing cat on the conntrack pseudofile, showed two entries in SYN_SENT state. I'm mystified as to why one entry can get stuck, but even more mystified as to why this would prevent any new connections on that port.


I don't suppose you've hard-coded the source port (32899?) in your script? Or that something else is causing the same source port to be reused? Because that would explain your symptoms. TCP identifies connections based on the source/destination address/port quadruple, and it doesn't like duplicates.

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net


 Post subject:
PostPosted: Fri Oct 17, 2008 2:03 pm 
Offline
Senior Newbie

Joined: Mon Feb 18, 2008 10:15 am
Posts: 13
No, it's just a simple DNAT iptables command. And the failure would happen after doing N connects in a row from the remote host. No idea what the problem was...
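The conntrack entry quoted earlier and the source/destination tuple explanation in the reply above suggest a way to check this systematically. As an added example (not code from the thread), the Python below parses `/proc/net/ip_conntrack` lines, lists DNATed port-80 entries stuck in SYN_SENT with no reply, and pairs each Linode entry with the home end's entry via the post-NAT tuple to report state disagreements (SYN_SENT on one side, FIN_WAIT on the other). The sample tables are constructed; A.B.C.D / P.Q.R.S are the thread's own placeholders and 10.8.0.1/10.8.0.2 are the tunnel addresses from the posted rules.

```python
import re

# Constructed conntrack lines modelled on the entry quoted in the thread;
# A.B.C.D / P.Q.R.S are the placeholders the poster used.
LINODE_TABLE = """\
tcp 6 114 SYN_SENT src=A.B.C.D dst=P.Q.R.S sport=32899 dport=80 packets=2 bytes=96 [UNREPLIED] src=10.8.0.2 dst=10.8.0.1 sport=80 dport=32899 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=A.B.C.D dst=P.Q.R.S sport=32900 dport=80 packets=12 bytes=1600 src=10.8.0.2 dst=10.8.0.1 sport=80 dport=32900 packets=10 bytes=9000 [ASSURED] mark=0 secmark=0 use=1
"""
HOME_TABLE = """\
tcp 6 110 FIN_WAIT src=10.8.0.1 dst=10.8.0.2 sport=32899 dport=80 packets=6 bytes=800 src=10.8.0.2 dst=10.8.0.1 sport=80 dport=32899 packets=5 bytes=4000 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=10.8.0.1 dst=10.8.0.2 sport=32900 dport=80 packets=12 bytes=1600 src=10.8.0.2 dst=10.8.0.1 sport=80 dport=32900 packets=10 bytes=9000 [ASSURED] mark=0 secmark=0 use=1
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """One /proc/net/ip_conntrack TCP line -> dict. src/dst/sport/dport occur twice:
    first the original direction, then the reply direction (the post-NAT view)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "tcp":
        return None
    orig, reply = {}, {}
    for k, v in FIELD.findall(line):
        if k in ("src", "dst", "sport", "dport"):
            (reply if k in orig else orig)[k] = v
    return {"timeout": int(parts[2]), "state": parts[3],
            "unreplied": "[UNREPLIED]" in line, "orig": orig, "reply": reply}

def parse_table(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def stuck_forwards(linode_text, dport="80"):
    """Source ports of DNATed connections to dport (reply src != original dst)
    still in SYN_SENT with no reply seen: the symptom described in the thread."""
    return [e["orig"]["sport"] for e in parse_table(linode_text)
            if e["orig"]["dport"] == dport and e["state"] == "SYN_SENT"
            and e["unreplied"] and e["reply"]["src"] != e["orig"]["dst"]]

def state_mismatches(linode_text, home_text):
    """Match each Linode entry to the home-end entry via the post-NAT tuple
    (reverse of the reply direction) and report disagreeing TCP states."""
    home = {(e["orig"]["src"], e["orig"]["dst"], e["orig"]["sport"], e["orig"]["dport"]): e
            for e in parse_table(home_text)}
    out = []
    for e in parse_table(linode_text):
        r = e["reply"]
        h = home.get((r["dst"], r["src"], r["dport"], r["sport"]))
        if h is None:
            out.append((e["orig"]["sport"], e["state"], "missing at home"))
        elif h["state"] != e["state"]:
            out.append((e["orig"]["sport"], e["state"], h["state"]))
    return out
```

Run it against `cat /proc/net/ip_conntrack` captured on both ends at the moment of a freeze; a mismatch such as SYN_SENT vs FIN_WAIT on the same post-NAT tuple means the home end saw and finished a connection whose replies never matched the Linode's NAT entry.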

