[Chilli] Why does CoovaChilli keep getting issue with VPN, How to debug/troubleshoot this issue?

Steffen Dettmer steffen.dettmer at nomadrail.com
Fri Dec 20 09:15:22 UTC 2013


Hi,

> I have been working with CoovaChilli for the past 3 months and I am getting
> used to it. However, I always get trouble with VPN connections.

what kind of VPN is it? For PPTP/GRE, did you load the kernel
modules nf_conntrack_pptp, nf_nat_pptp, nf_conntrack_proto_gre
and nf_nat_proto_gre? I've read about NOTRACK, but I'm not sure
why they sometimes seem to be needed (to avoid conntrack getting
confused about resent packets?).

> I know what I am describing here is so vague since I have no idea why
> CoovaChilli has this issue. I hope anyone on the list who has managed to solve
> this problem might give me some hints for debugging/troubleshooting this issue.

If you hit a NAT issue it can happen that one VPN connection
works but no other; this sometimes makes testing difficult and may
lead to misleading observations. I'd also recommend checking the
VPN traffic before Coova to see if it has IP fragmented packets,
which are dropped by Coova for a reason I don't know. If you see
fragments, I think it is most likely they are causing your problems.

> Currently, what I am doing is just keep changing iptables rules
> until I can connect to the VPN server. Anyway, I have no idea
> how to debug it, which log I should look into or what I should
> do to trace down the issue.

To troubleshoot, I think a good start could be using tcpdump at
each interface one at a time and following the packets. Start at
DHCPIF, then the tun dev, output dev, remote side and the way back.
You might use ping -s to generate packets of a specified size so
you have at least an idea of which packets carry your ping (if you
ping -s 700 and then suddenly see e.g. 730 byte UDP packets,
it is most likely that they contain the ping). Start Coova
with --debug, of course. When packets are not forwarded by Coova,
sometimes even strace -p <coova_pid> may help determine whether
Coova really is the issue or whether you have some routing/firewalling
issue (there are a lot of potential pitfalls).

Steffen
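
A worked version of the capture-and-follow procedure above, as an added example that is not part of the original post or of CoovaChilli: it decodes raw IPv4 packets taken at each capture point (interface names and addresses are placeholders, and the captures are constructed inline rather than read from tcpdump) and reports at which point a size-marked ping stops appearing and whether IP fragments are present.

```python
import socket
import struct
from typing import Dict, List, Optional

IP_MF = 0x2000  # "More Fragments" bit in the IPv4 flags/fragment-offset field

def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """Build a minimal IPv4 packet for the constructed samples (checksum left 0)."""
    flags_off = (IP_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Decode only what the triage needs: endpoints, length, fragment state, echo id/seq."""
    ver_ihl, _, total_len, ident, flags_off, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl, offset = (ver_ihl & 0x0F) * 4, (flags_off & 0x1FFF) * 8
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": proto, "len": total_len, "id": ident,
            "fragment": bool(flags_off & IP_MF) or offset > 0}
    if proto == 1 and offset == 0 and len(pkt) >= ihl + 8:  # echo id/seq: first fragment only
        icmp_type, _, _, echo_id, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        if icmp_type in (0, 8):
            info["echo"] = (echo_id, seq)
    return info

def follow_ping(captures: Dict[str, List[bytes]], want_len: int) -> Dict[str, dict]:
    """Per capture point, in path order: packets at least as big as the marked ping
    (VPN encapsulation only adds bytes), the fragment count and the lengths seen."""
    report = {}
    for iface, pkts in captures.items():
        decoded = [parse_ipv4(p) for p in pkts]
        report[iface] = {"candidates": sum(d["len"] >= want_len for d in decoded),
                         "fragments": sum(d["fragment"] for d in decoded),
                         "lengths": sorted({d["len"] for d in decoded})}
    return report

def where_lost(report: Dict[str, dict]) -> Optional[str]:
    """First capture point at which no candidate packet appears any more."""
    return next((iface for iface, r in report.items() if r["candidates"] == 0), None)

def sample_captures() -> Dict[str, List[bytes]]:
    """Constructed: a ping -s 1400 (1428-byte datagram) inside a UDP VPN tunnel exceeds the
    1500 MTU once encapsulated, so the client sends two fragments; they reach DHCPIF only."""
    frag1 = build_ipv4("10.1.0.5", "198.51.100.1", 17, b"\x00" * 1480, ident=9, mf=True)
    frag2 = build_ipv4("10.1.0.5", "198.51.100.1", 17, b"\x00" * 28, ident=9, offset=1480)
    return {"eth1 (DHCPIF)": [frag1, frag2], "tun0": [], "eth0 (uplink)": []}

if __name__ == "__main__":
    print(follow_ping(sample_captures(), 1428), "lost at:", where_lost(follow_ping(sample_captures(), 1428)))
```

With real traffic, feed each interface's packets (link layer stripped, e.g. from a `tcpdump -w` file) in path order and the first point with no candidates is where to look next.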
