OpenVPN client without redirect-gateway doing triangular routing and IP spoofing not working on Ubuntu
Solution 1:
I have to admit that I do not (yet) fully understand what you are trying to achieve. But I think you want your Ubuntu (and Debian) server to be reachable by an IP you got through OpenVPN (incoming traffic) but send your own (= Ubuntu servers) traffic through the eth0 interface local to your (Ubuntu) server ("spoofing") the VPN-IP. Or along these lines. I am not sure if this is a very good idea (probably depends on why you do it) but I assume there is a reason for it and as you say it does work with Debian. So let's not elaborate on this (although it might still be important later on).
Further I wonder why the line
route-gateway a.b.28.129
included in your VPN configuration does not (seem to) lead to an entry in your routing table.
Also I am not sure what the goal/insight of the two traceroutes you show is... You seem to be trying to traceroute to 8.8.8.8
through the VPN tunnel. As this is outgoing traffic I do not really understand its relevance to your problem. And I would say (looking at your routing table) that the traffic you generate this way is not (should not be?) going through the tunnel. I see that it looks like this is the case on Debian though... But I don't see why this is the case. Looking at the routing table I would rather assume the traceroute packages you try to send out on tap0
are (should be?) "re-routed" to eth0
(default route).
Now this brings me to the guess I would take for your problem: IP forwarding. Could it be that your Debian box has it enabled while it is disabled on Ubuntu? You can find more information (how to find out if IP forwarding is enabled for example) by visiting the link above (or use your favorite search engine or the Ubuntu manual).
Your being able to reach the SSH daemon on Ubuntu suggests that you are very close :). So it might be crucial to know what you mean by
"The debian server VPN client IP is publically accessible, but on the Ubuntu server it's not!"
What are you trying to do (i.e. what service are you trying to connect to) when the Ubuntu machine "is not reachable"? Access its web server? What IP is this service listening on?
Solution 2:
Ubuntu may have a different default for reverse-path filtering. Check the various rp_filter
in /proc/sys/net/ipv4/conf/...
.
If that doesn't help, next step would be to confirm if packets are going in/out with tcpdump or wireshark. Also confirm you really don't have a firewall with iptables -vL
.