VPN Client Routing on multiple interfaces

Scripts that set up, destroy, and modify routing tables and firewall rulesets for client connections.


louc918
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 09, 2020 5:29 pm

VPN Client Routing on multiple interfaces

Post by louc918 » Sun Feb 09, 2020 5:41 pm

I have an Ubuntu server that I want to split traffic across 2 interfaces.

My desired configuration would look something like this:
Interface 1: 10.110.1.0/24 subnet. I want to connect the VPN client on my Ubuntu machine to the VPN server on the internet and pass all vpn and internet traffic on this interface.
Interface 2: 10.110.30.0/23 subnet. I want my local lan to have access to this server via this interface and pass all local traffic on this interface.

The problem I'm having is when I bind openvpn to interface 1 and establish a connection, I'm no longer able to access the server via ssh on either interface. I'm assuming there's somewhere in the routing rules I need to modify. I'm not an expert on network routing, and have looked for some direction on the internets, but haven't found anything to help with my specific scenario.

Any assistance that anyone can offer is greatly appreciated.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: VPN Client Routing on multiple interfaces

Post by TiTex » Mon Feb 10, 2020 6:00 pm

Post your routing table when you are connected to the VPN and when you are not, your network setup, VPN configs, logs, and maybe we can help you.

louc918
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 09, 2020 5:29 pm

Re: VPN Client Routing on multiple interfaces

Post by louc918 » Tue Feb 11, 2020 5:06 pm

ip route when not connected to VPN

Code:

default via 10.110.30.1 dev ens192 proto dhcp src 10.110.30.15 metric 100 
10.110.1.0/24 dev ens160 proto kernel scope link src 10.110.1.29 
10.110.30.0/23 dev ens192 proto kernel scope link src 10.110.30.15

ip route when connected to VPN.

Code:

0.0.0.0/1 via 10.78.10.5 dev tun0
default via 10.110.30.1 dev ens192 proto dhcp src 10.110.30.15 metric 100
10.78.10.1  via 10.78.10.5 dev tun0
10.78.10.5 dev tun0 proto kernel scope link src 10.78.10.6
10.110.1.0/24 dev ens160 proto kernel scope link src 10.110.1.29
10.110.30.0/23 dev ens192 proto kernel scope link src 10.110.30.15
128.0.0.0/1 via 10.78.10.5 dev tun0
193.37.252.61 via 10.110.30.1 dev ens192

network

Code:

ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.110.1.29  netmask 255.255.255.0  broadcast 10.110.1.255
        inet6 fe80::20c:29ff:fe16:92f0  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:16:92:f0  txqueuelen 1000  (Ethernet)
        RX packets 909  bytes 58389 (58.3 KB)
        RX errors 0  dropped 422  overruns 0  frame 0
        TX packets 102  bytes 9943 (9.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.110.30.15  netmask 255.255.254.0  broadcast 10.110.31.255
        inet6 fe80::20c:29ff:fe16:92fa  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:16:92:fa  txqueuelen 1000  (Ethernet)
        RX packets 5639  bytes 771854 (771.8 KB)
        RX errors 0  dropped 422  overruns 0  frame 0
        TX packets 5005  bytes 1279306 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 936  bytes 75212 (75.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 936  bytes 75212 (75.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.78.10.6  netmask 255.255.255.255  destination 10.78.10.5
        inet6 fe80::38c0:ec06:8f7:fe89  prefixlen 64  scopeid 0x20<link>
        unspecified 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 96 (96.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

vpn config

Code:

client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
ping-restart 120

Some other observations after further analysis:
  • I was unable to bind the VPN client to the 10.110.1.29 interface and successfully establish a connection, so I modified the config to nobind.
  • After the machine is connected to VPN, I am able to connect to this machine from my local network on the 10.110.1.29 interface, but not 10.110.30.15.
  • I'm unable to ping any external addresses after the vpn connection is established. When not connected to VPN, external pings are successful.
  • I'm not getting any logs in /var/log/openvpn, and nothing in syslog using grep VPN /var/log/syslog. Is there another location they are stored in?

Pippin
Forum Team
Posts: 1200
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: VPN Client Routing on multiple interfaces

Post by Pippin » Tue Feb 11, 2020 5:21 pm

You did not specify a location to store the log.

Code:

log /path/to/log.txt

See --log and --log-append in the 2.4 manual:
https://community.openvpn.net/openvpn/w ... n24ManPage

louc918
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 09, 2020 5:29 pm

Re: VPN Client Routing on multiple interfaces

Post by louc918 » Wed Feb 12, 2020 12:11 am

Another update. Someone suggested adding default routes to split traffic on the 2 interfaces. I've included the new ip route info with those changes.

ip route with default route changes, not connected to vpn

Code:

default via 10.110.30.1 dev ens192 proto dhcp src 10.110.30.15 metric 100 
default via 10.110.1.1 dev ens160 proto dhcp src 10.110.1.29 metric 100 
10.110.1.0/24 dev ens160 proto kernel scope link src 10.110.1.29 
10.110.1.1 dev ens160 proto dhcp scope link src 10.110.1.29 metric 100 
10.110.30.0/23 dev ens192 proto kernel scope link src 10.110.30.15 
10.110.30.1 dev ens192 proto dhcp scope link src 10.110.30.15 metric 100

ip route with default route changes, connected to vpn

Code:

0.0.0.0/1 via 10.98.10.5 dev tun0
default via 10.110.30.1 dev ens192 proto dhcp src 10.110.30.15 metric 100
default via 10.110.1.1 dev ens160 proto dhcp src 10.110.1.29 metric 100
10.98.10.1 via 10.98.10.5 dev tun0
10.98.10.5 dev tun0 proto kernel scope link src 10.98.10.6
10.110.1.0/24 dev ens160 proto kernel scope link src 10.110.1.29
10.110.1.1 dev ens160 proto dhcp scope link src 10.110.1.29 metric 100
10.110.30.0/23 dev ens192 proto kernel scope link src 10.110.30.15
10.110.30.1 dev ens192 proto dhcp scope link src 10.110.30.15 metric 100
128.0.0.0/1 via 10.98.10.5 dev tun0
193.37.252.82 via 10.110.30.1 dev ens192

logs @ verb level 3. Do I need to go higher?

Code:

Tue Feb 11 23:36:57 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Feb 11 23:36:57 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Tue Feb 11 23:36:57 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]193.37.252.82:1198
Tue Feb 11 23:36:57 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Feb 11 23:36:57 2020 UDP link local: (not bound)
Tue Feb 11 23:36:57 2020 UDP link remote: [AF_INET]193.37.252.82:1198
Tue Feb 11 23:36:57 2020 TLS: Initial packet from [AF_INET]193.37.252.82:1198, sid=fd688cd7 73534109
Tue Feb 11 23:36:57 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 11 23:36:57 2020 VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Tue Feb 11 23:36:57 2020 VERIFY KU OK
Tue Feb 11 23:36:57 2020 Validating certificate extended key usage
Tue Feb 11 23:36:57 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Feb 11 23:36:57 2020 VERIFY EKU OK
Tue Feb 11 23:36:57 2020 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=bba82d92fc251c99e6f21ce29c9b8011, name=bba82d92fc251c99e6f21ce29c9b8011
Tue Feb 11 23:36:57 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Feb 11 23:36:57 2020 [bba82d92fc251c99e6f21ce29c9b8011] Peer Connection Initiated with [AF_INET]193.37.252.82:1198
Tue Feb 11 23:36:58 2020 SENT CONTROL [bba82d92fc251c99e6f21ce29c9b8011]: 'PUSH_REQUEST' (status=1)
Tue Feb 11 23:36:58 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.98.10.1,topology net30,ifconfig 10.98.10.6 10.98.10.5,auth-token'
Tue Feb 11 23:36:58 2020 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb 11 23:36:58 2020 OPTIONS IMPORT: compression parms modified
Tue Feb 11 23:36:58 2020 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb 11 23:36:58 2020 OPTIONS IMPORT: route options modified
Tue Feb 11 23:36:58 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb 11 23:36:58 2020 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Feb 11 23:36:58 2020 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 11 23:36:58 2020 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Feb 11 23:36:58 2020 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 11 23:36:58 2020 ROUTE_GATEWAY 10.110.30.1/255.255.254.0 IFACE=ens192 HWADDR=00:0c:29:16:92:fa
Tue Feb 11 23:36:58 2020 TUN/TAP device tun0 opened
Tue Feb 11 23:36:58 2020 TUN/TAP TX queue length set to 100
Tue Feb 11 23:36:58 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Feb 11 23:36:58 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Feb 11 23:36:58 2020 /sbin/ip addr add dev tun0 local 10.98.10.6 peer 10.98.10.5
Tue Feb 11 23:36:58 2020 /sbin/ip route add 193.37.252.82/32 via 10.110.30.1
Tue Feb 11 23:36:58 2020 /sbin/ip route add 0.0.0.0/1 via 10.98.10.5
Tue Feb 11 23:36:58 2020 /sbin/ip route add 128.0.0.0/1 via 10.98.10.5
Tue Feb 11 23:36:58 2020 /sbin/ip route add 10.98.10.1/32 via 10.98.10.5
Tue Feb 11 23:36:58 2020 Initialization Sequence Completed
Tue Feb 11 23:54:12 2020 event_wait : Interrupted system call (code=4)
Tue Feb 11 23:54:12 2020 /sbin/ip route del 10.98.10.1/32
Tue Feb 11 23:54:12 2020 /sbin/ip route del 193.37.252.82/32
Tue Feb 11 23:54:12 2020 /sbin/ip route del 0.0.0.0/1
Tue Feb 11 23:54:12 2020 /sbin/ip route del 128.0.0.0/1
Tue Feb 11 23:54:12 2020 Closing TUN/TAP interface
Tue Feb 11 23:54:12 2020 /sbin/ip addr del dev tun0 local 10.98.10.6 peer 10.98.10.5
Tue Feb 11 23:54:12 2020 SIGHUP[hard,] received, process restarting
Tue Feb 11 23:54:12 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Feb 11 23:54:12 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Tue Feb 11 23:54:12 2020 Restart pause, 5 second(s)
Tue Feb 11 23:54:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]193.37.252.125:1198
Tue Feb 11 23:54:17 2020 TLS: Initial packet from [AF_INET]193.37.252.125:1198, sid=5651ccf8 46d77438
Tue Feb 11 23:54:18 2020 VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Tue Feb 11 23:54:18 2020 VERIFY KU OK
Tue Feb 11 23:54:18 2020 Validating certificate extended key usage
Tue Feb 11 23:54:18 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Feb 11 23:54:18 2020 VERIFY EKU OK
Tue Feb 11 23:54:18 2020 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=e8f285fe11ae1b3cddbe937013ff5e9b, name=e8f285fe11ae1b3cddbe937013ff5e9b
Tue Feb 11 23:54:18 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Feb 11 23:54:18 2020 [e8f285fe11ae1b3cddbe937013ff5e9b] Peer Connection Initiated with [AF_INET]193.37.252.125:1198
Tue Feb 11 23:54:19 2020 SENT CONTROL [e8f285fe11ae1b3cddbe937013ff5e9b]: 'PUSH_REQUEST' (status=1)
Tue Feb 11 23:54:19 2020 AUTH: Received control message: AUTH_FAILED
Tue Feb 11 23:54:19 2020 SIGTERM[soft,auth-failure] received, process exiting
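The tables and log above explain the symptoms once you resolve a few destinations against them the way the kernel does (longest prefix first, then lowest metric). The script below is an added example, not code from this thread or from OpenVPN: it parses the poster's "connected to vpn" dump from this post (with the two typos in that paste corrected, 10.110.29 to 10.110.1.29 and 197.37.25282 to 193.37.252.82, as the log's `ip route add 193.37.252.82/32 via 10.110.30.1` line shows) and reports which interface each destination, and each reply, would leave on. The 0.0.0.0/1 and 128.0.0.0/1 routes that `redirect-gateway def1` installs each beat the /0 defaults, so adding a second default route changes nothing; everything that is not a directly connected subnet or the pinned endpoint /32 goes into tun0, and the endpoint itself is pinned via 10.110.30.1 because that was ROUTE_GATEWAY when the tunnel came up, so the outer UDP leaves on ens192 rather than ens160. A reply to a client that reached 10.110.30.15 through the 10.110.30.1 gateway (the 192.168.5.10 host below is a constructed address) leaves on tun0 instead of ens192, which is the classic asymmetric-routing breakage.

```python
"""Resolve destinations against an `ip route` dump the way the kernel FIB does
(longest prefix match, then lowest metric, then table order).

Added example for this thread; not code from the forum or from OpenVPN.
The embedded table is the poster's "connected to vpn" dump with two paste
typos corrected (10.110.29 -> 10.110.1.29, 197.37.25282 -> 193.37.252.82)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Keywords in `ip route` output that take a value; bare flags such as
# "linkdown" or "onlink" have no value and are skipped by the parser.
_VALUE_KEYS = {"via", "dev", "proto", "scope", "src", "metric", "table"}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # None for directly connected (on-link) routes
    metric: int


def parse_ip_route(dump: str) -> List[Route]:
    """Parse the text of `ip route show` into Route objects, in table order."""
    routes = []
    for line in dump.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        fields = {}
        it = iter(tokens[1:])
        for tok in it:
            if tok in _VALUE_KEYS:
                fields[tok] = next(it, None)
        routes.append(Route(
            prefix=ipaddress.ip_network(dst, strict=False),  # bare host -> /32
            dev=fields["dev"],
            via=fields.get("via"),
            metric=int(fields.get("metric", 0)),
        ))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by lowest metric, then table order."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    # max() keeps the first of equal keys, which mirrors table order on a full tie.
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def reply_is_asymmetric(routes: List[Route], ingress_dev: str, client: str) -> bool:
    """True if the reply to `client` would leave on a different interface than
    the one its request arrived on; stateful gear upstream drops such flows."""
    egress = lookup(routes, client)
    return egress is None or egress.dev != ingress_dev


# Poster's table (connected to the VPN, with the two extra default routes).
CONNECTED_TO_VPN = """
0.0.0.0/1 via 10.98.10.5 dev tun0
default via 10.110.30.1 dev ens192 proto dhcp src 10.110.30.15 metric 100
default via 10.110.1.1 dev ens160 proto dhcp src 10.110.1.29 metric 100
10.98.10.1 via 10.98.10.5 dev tun0
10.98.10.5 dev tun0 proto kernel scope link src 10.98.10.6
10.110.1.0/24 dev ens160 proto kernel scope link src 10.110.1.29
10.110.1.1 dev ens160 proto dhcp scope link src 10.110.1.29 metric 100
10.110.30.0/23 dev ens192 proto kernel scope link src 10.110.30.15
10.110.30.1 dev ens192 proto dhcp scope link src 10.110.30.15 metric 100
128.0.0.0/1 via 10.98.10.5 dev tun0
193.37.252.82 via 10.110.30.1 dev ens192
"""

ROUTES = parse_ip_route(CONNECTED_TO_VPN)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "193.37.252.82", "10.110.31.7", "10.110.1.50", "192.168.5.10"):
        r = lookup(ROUTES, dst)
        print(f"{dst:>15} -> {r.prefix} dev {r.dev} via {r.via}")
    # 192.168.5.10 is a constructed client on a LAN behind 10.110.30.1: its
    # request arrives on ens192 but the reply is pushed into the tunnel.
    print("reply asymmetric:", reply_is_asymmetric(ROUTES, "ens192", "192.168.5.10"))
```

Only hosts on the two directly connected subnets, the pinned endpoint, and the tunnel peer escape tun0; anything reached through a gateway, SSH clients from other subnets included, gets its reply tunnelled.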

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: VPN Client Routing on multiple interfaces

Post by TiTex » Wed Feb 12, 2020 1:53 pm

Do both of your interfaces have separate internet access, or why do you have these in your route table?

Code:

default via 10.110.30.1 dev ens192 proto dhcp src 10.110.30.15 metric 100 
default via 10.110.1.1 dev ens160 proto dhcp src 10.110.1.29 metric 100 

If not, you should remove the one that's only for the local LAN.

There are also some inconsistencies with your VPN network, did you change the subnet used for VPN clients on the server ?

The reason you are not able to ping remote (internet) hosts while you are connected to the VPN is probably a NAT and/or firewall issue; also check that you enabled forwarding on the VPN server.

If your VPN server is also your internet gateway for the remote site, set up a NAT rule for your VPN subnet and make sure your firewall rules allow the traffic to and from the VPN subnet.

If the VPN server is just that, you have two options: either add a static route on your gateway for your VPN subnet via the VPN server's LAN IP, or NAT your VPN subnet through your server's LAN IP so the gateway sees the traffic originating from the VPN server and can send replies. And check your firewall (iptables/nftables rules if the server is Linux).

louc918
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 09, 2020 5:29 pm

Re: VPN Client Routing on multiple interfaces

Post by louc918 » Wed Feb 12, 2020 3:27 pm

"There are also some inconsistencies with your VPN network, did you change the subnet used for VPN clients on the server?"

The VPN server is not maintained by me. It's an external VPN service / server I want internet traffic on my server to route through. Could my use of class A network addresses and the VPN provider's use of class A network addresses be causing a conflict?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: VPN Client Routing on multiple interfaces

Post by TiTex » Wed Feb 12, 2020 8:55 pm

As far as I can tell from your posts above, the subnets are not colliding, but I can't be sure.
If you want, you can filter out options/routes pushed by the VPN server to your client and add them manually in your client config.

Since this is a hosted service, wouldn't it be easier to ask them about your issues?
They would know what's going on since they can see the server part too.
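The standard way to get what the first post asked for on a multi-homed Linux host is source-based policy routing: give each interface its own routing table with its own default gateway, selected by an `ip rule` on the source address, and leave the main table (and the pushed redirect-gateway routes) for everything else. The script below is an added example written for this thread, not code from the forum or from OpenVPN; the interface names, addresses and gateways are the ones in the posted route tables, while the table ids 10/30 and rule priorities 100/101 are arbitrary choices. It only prints the commands by default (dry run); pass `dry_run=False` to execute them as root.

```python
"""Source-based policy routing for a multi-homed OpenVPN client.

Added example for this thread; not code from the forum or from OpenVPN.
Addresses/gateways come from the poster's route tables; table ids and rule
priorities are arbitrary. Dry-run by default: nothing is executed unless
apply(..., dry_run=False) is called, which needs root."""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Uplink:
    dev: str        # interface name
    addr: str       # this host's address on that interface
    prefixlen: int  # netmask length of the connected subnet
    gateway: str    # next hop reachable on that interface
    table: int      # dedicated routing table id
    priority: int   # ip rule priority; lower wins, the main table sits at 32766


def setup_commands(uplinks: List[Uplink]) -> List[str]:
    """Per-interface table (connected subnet + default via that interface's
    gateway), selected by a rule on the source address.

    Locally originated traffic with no bound source matches none of the
    `from` rules and falls through to the main table, so the redirect-gateway
    /1 routes pushed by the VPN keep steering it into tun0. Replies (whose
    source is fixed by the incoming packet) and sockets bound with `local`
    take the per-interface detour instead."""
    cmds = []
    for u in uplinks:
        net = ipaddress.ip_interface(f"{u.addr}/{u.prefixlen}").network
        # `replace` keeps the route part idempotent when re-run from a hook.
        cmds.append(f"ip route replace {net} dev {u.dev} src {u.addr} table {u.table}")
        cmds.append(f"ip route replace default via {u.gateway} dev {u.dev} table {u.table}")
        cmds.append(f"ip rule add from {u.addr} lookup {u.table} priority {u.priority}")
    return cmds


def teardown_commands(uplinks: List[Uplink]) -> List[str]:
    """Undo setup_commands; harmless if only part of the setup was applied."""
    cmds = []
    for u in uplinks:
        cmds.append(f"ip rule del from {u.addr} lookup {u.table} priority {u.priority}")
        cmds.append(f"ip route flush table {u.table}")
    return cmds


def apply(cmds: List[str], dry_run: bool = True) -> List[str]:
    """Execute (or, in dry-run mode, merely return) the command list."""
    done = []
    for c in cmds:
        if not dry_run:
            subprocess.run(c.split(), check=True)
        done.append(c)
    return done


# The poster's two interfaces, as shown in their `ip route` output.
UPLINKS = [
    Uplink("ens160", "10.110.1.29", 24, "10.110.1.1", table=10, priority=100),
    Uplink("ens192", "10.110.30.15", 23, "10.110.30.1", table=30, priority=101),
]

if __name__ == "__main__":
    for c in apply(setup_commands(UPLINKS)):
        print(c)
```

Run it once at boot, or from a `route-up` hook (`script-security 2`), after the teardown: `ip rule add` is not idempotent and will either duplicate or refuse an identical rule. With the rules in place, a reply to a connection that arrived on 10.110.30.15 carries that source address and so takes table 30 out through 10.110.30.1 regardless of what the tunnel pushed, and an OpenVPN socket bound with `local 10.110.1.29` (in place of `nobind`; the two options conflict) takes table 10 out through 10.110.1.1, so the outer UDP leaves on ens160 and the endpoint /32 that OpenVPN adds to the main table no longer matters. If you would rather not accept the pushed redirect at all, OpenVPN 2.4 also has `pull-filter ignore "redirect-gateway"`, which is the filtering TiTex refers to. If replies still vanish after this, check `net.ipv4.conf.*.rp_filter` on the host and the firewall on 10.110.30.1.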
