Hello all:
We are users of OpenVPN, where we have sensors running Linux in the field connecting to multiple OVPN instances in our datacenters. These servers run OSPF and everything works as expected: a client can randomly choose from one of twelve OVPN server targets, and all this works very well. My problem is that we have some opengear devices in the field which serve as "backhauls" to other networks of sensors, such as:
sensornetwork <-> -- opengear-client-backhaul -- <-> ---------- ovpn-server ----------
192.168.1.0/24 <-> 192.168.1.1(LAN) 10.10.10.5(TUN) <-> 10.10.10.1(TUN) 10.200.20.1(LAN)
So we need servers in the datacenter trust 10.200.20.0/24 network to see the 192.168.1.0/24 LAN behind this backhaul. Enter route and iroute: push a static IP to the backhaul via a CCD file on one of the OpenVPN servers, and this all works perfectly fine, as expected. The problem is that I need to add redundancy to these backhaul devices, similar to the single connections being able to round-robin choose a server at random. It seems that you *have* to have a route command present in the OVPN server config on startup for an iroute CCD entry to work at all, so with only one OpenVPN server this works perfectly. This completely falls apart when you enter that same route in all 12 OpenVPN server config files, because this ends up giving OSPF a route to the 192.168.1.0/24 network via the "potential" TUN interfaces on all 12 OVPN servers. So when the client chooses one of the 12 targets, OSPF has 12 equal-cost routes to the remote network, but at that moment only ONE is a valid path. What I really need is that when an iroute comes up, the kernel route is inserted to match AT THAT TIME, so OSPF picks up the correct entry. When the client disconnects, the kernel route should be removed. I have researched this for days and tried everything; the only suggestion I could find was to use TAP instead of TUN, but with no concrete working example.
I have network diagrams that better explain what I am trying to do. The root question is: how do I add/modify/delete the kernel route at client connection time? Why does iroute need a preexisting route command in the server file at startup time? It seems to me that when iroute is fired, THAT would be the appropriate time to insert the kernel route, not at server start time. Does anyone have a solution? I have also looked at TAP, but I do not see how this will help either. There has to be a solution here; unfortunately there is no opportunity to run OSPF on the opengear.
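One way to get the add-at-connect / remove-at-disconnect behaviour the post asks for, as an added example that is not from the original post or from OpenVPN's own code: a POSIX shell hook run through OpenVPN's `client-connect` and `client-disconnect` directives, which keys the kernel route off the client's certificate CN. The script path, the map-file path and format, and the assumption that the OSPF daemon on each server redistributes kernel routes are all assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the post): OpenVPN server-side hook that installs the
# kernel route to a backhaul client's LAN when it connects and removes it when it
# disconnects, so only the server the client is actually on advertises that LAN.
# Assumed wiring in server.conf (drop the static "route 192.168.1.0 ..." line,
# keep the iroute in the CCD file):
#   script-security 2
#   client-connect    /etc/openvpn/backhaul-route.sh
#   client-disconnect /etc/openvpn/backhaul-route.sh
# OpenVPN exports script_type, common_name, dev and ifconfig_pool_remote_ip to both hooks.

# Assumed map file: one "<common_name> <lan_cidr>" per line, e.g.
#   opengear-backhaul-01 192.168.1.0/24
BACKHAUL_MAP="${BACKHAUL_MAP:-/etc/openvpn/backhaul-map.txt}"

# Print the LAN behind a client (by certificate CN); exit 1 if it is not a backhaul.
lan_for_client() {
    awk -v cn="$1" '$1 == cn { print $2; found = 1 } END { exit !found }' "$BACKHAUL_MAP"
}

# Build the exact command for an event: $1 = script_type, $2 = LAN CIDR, $3 = tun device.
# The kernel route only needs to point into the tun device; OpenVPN's own iroute
# table then forwards the packets to the right client session.
route_cmd() {
    case "$1" in
        client-connect)    echo "ip route replace $2 dev $3" ;;
        client-disconnect) echo "ip route del $2 dev $3" ;;
        *) return 1 ;;
    esac
}

# Execute a command, or only print it when ROUTE_DRY_RUN=1 (used for testing).
run() {
    if [ "${ROUTE_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

log() { logger -t backhaul-route "$*" 2>/dev/null || echo "backhaul-route: $*" >&2; }

# Dispatch on the event OpenVPN passed in the environment.
handle_event() {
    lan=$(lan_for_client "$common_name") || return 0          # ordinary client: nothing to do
    cmd=$(route_cmd "$script_type" "$lan" "$dev") || return 0  # not a connect/disconnect event
    log "$script_type $common_name (${ifconfig_pool_remote_ip:-?}): $cmd"
    run $cmd   # word splitting intended: $cmd is a full command line
}

# Only act when invoked by OpenVPN (script_type is set); sourcing the file does nothing.
if [ -n "${script_type:-}" ]; then handle_event; fi
```

If a backhaul reconnects to the same server, the old session's client-disconnect can run after the new session's client-connect and remove the fresh route; comparing ifconfig_pool_remote_ip between the two events would close that window.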