Question about Routing

sunflare
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 01, 2020 11:34 am


Post by sunflare » Tue Sep 01, 2020 11:59 am

Hey, newbie here :)

I'm setting up an OVPN server for IoT devices to connect to over LTE: many clients and every kb counts.
I was investigating earlier why I was getting so many 'ICMP Redirects': meaning the VPN server is saying 'That's great but here's a better route for you'. I found out that the client (10.8.0.4) was sending data to a server (10.8.0.2) on the VPN, using itself as a gateway (10.8.0.4), instead of the actual gateway (10.8.0.1). So I added a line to explicitly say what the gateway should be (push "route 10.8.0.0 255.255.0.0 10.8.0.1").

HOWEVER, that did not fully fix my issue. It turns out that the OVPN server still tells the client bot 'To reach 10.8.0.0/10.8.255.255, use 10.8.0.4 as gateway' AND it says 'To reach 10.8.0.0/10.8.255.255, use 10.8.0.1 as gateway'; both with the same metric.

When routes have the same metric, the route will 'sometimes' route over one, sometimes over the other. (Round robin)

So, I either need to:
  • Remove/reconfigure the default route that says the client is its own gateway (which is wrong)
  • Have a lower 'metric' value of the true gateway route

Server

port 1194
proto udp
explicit-exit-notify 0
dev tun
ca ca.crt
cert pmserver.crt
key pmserver.key
dh dh.pem

------------ Relevant ↓ ------------
topology subnet
route-gateway 10.8.0.1
mode server
tls-server
push "topology subnet"
ifconfig 10.8.0.1 255.255.0.0
ifconfig-pool 10.8.0.2 10.8.253.253
push "route-gateway 10.8.0.1"
push "route 10.8.0.0 255.255.0.0 10.8.0.1"
ifconfig-pool-persist /var/log/openvpn/ipp.txt
------------ End of relevant part ------------

keepalive 10 60
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
compress lz4-v2
push "compress lz4-v2"


Client

client
dev tun
proto udp
remote ---.---.---.--- 1194
mssfix 1200
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1

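A small diagnostic for the situation described in the post, added here as an example and not part of the original thread: it parses a constructed routing table in Windows `route print` layout (field order is assumed) and flags both a route whose gateway is the client's own tunnel address and duplicate routes to one destination with equal metrics.

```python
"""Diagnostic for the two conditions in the post: duplicate routes to one
destination with equal metrics, and a route whose gateway is the client's own
tunnel address.  Layout follows Windows `route print` (assumed); rows are
constructed, not real output."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the poster's description of the Windows client.
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1  192.168.1.20      25
         10.8.0.0      255.255.0.0       10.8.0.4      10.8.0.4     281
         10.8.0.0      255.255.0.0       10.8.0.1      10.8.0.4     281
         10.8.0.4  255.255.255.255        On-link      10.8.0.4     281
"""

def parse_routes(text):
    """Return (destination network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:        # header and blank lines do not have 5 fields
            continue
        dest, mask, gateway, iface, metric = parts
        if gateway == "On-link":   # directly connected, no next hop to check
            continue
        routes.append((ip_network(f"{dest}/{mask}", strict=False),
                       ip_address(gateway), ip_address(iface), int(metric)))
    return routes

def find_problems(routes, tunnel_net):
    """Return (self_gateway, equal_metric) for routes inside tunnel_net:
    routes whose next hop is the interface's own address, and destinations
    with several next hops sharing one metric (the round-robin case)."""
    tunnel_net = ip_network(tunnel_net)
    by_dest, self_gateway = defaultdict(list), []
    for dest, gateway, iface, metric in routes:
        if not dest.subnet_of(tunnel_net):
            continue
        by_dest[dest].append((gateway, metric))
        if gateway == iface:
            self_gateway.append((str(dest), str(gateway)))
    equal_metric = []
    for dest, entries in by_dest.items():
        metrics = {m for _, m in entries}
        if len(entries) > 1 and len(metrics) == 1:
            hops = sorted(str(g) for g, _ in entries)
            equal_metric.append((str(dest), hops, metrics.pop()))
    return self_gateway, equal_metric
```

Feeding it the real `route print` output from a Windows client (pasted into `SAMPLE_ROUTES`) shows at a glance whether the pushed route and the client's own route to the tunnel subnet are competing at the same metric.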
TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: Question about Routing

Post by TinCanTech » Tue Sep 01, 2020 12:22 pm

Use --server and this is done correctly.

Don't use --server and you make a mess .. as you have seen for yourself.

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: Question about Routing

Post by TinCanTech » Tue Sep 01, 2020 12:25 pm

sunflare wrote:
Tue Sep 01, 2020 11:59 am
many clients and every kb counts
And then you go and do something useless and expensive like this:
sunflare wrote:
Tue Sep 01, 2020 11:59 am
auth SHA256


SHA1(tping)= e6e31478a2b5f7233126ca0e82391543d075d9c9
tct@home:~$ openssl sha256 tping
SHA256(tping)= 7ed3743769f8efb1bf4537075bd14de13fdaaadd537eaaf468f5512c24ff8ffd
When you mess about with things without understanding what you are doing ...

sunflare
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 01, 2020 11:34 am

Re: Question about Routing

Post by sunflare » Wed Sep 02, 2020 8:43 am

TinCanTech wrote:
Tue Sep 01, 2020 12:22 pm
Use --server and this is done correctly.

Don't use --server and you make a mess .. as you have seen for yourself.
Actually, I expanded to the non-shorthand version (as is available in the documentation) because --server wasn't doing it either.
I can confirm that changing it back to --server has the same results.

Changes

topology subnet
server 10.8.0.0 255.255.0.0
push "route 10.8.0.0 255.255.0.0 10.8.0.1"
ifconfig-pool-persist /var/log/openvpn/ipp.txt


It might actually be a Windows client thing.
The Ubuntu client actually does seem to do it right; `ip route` shows: `10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.0.1`

I also checked NordVPN's (which uses OpenVPN) routes in Windows. It appears that it's standard for an OpenVPN Windows client to set the Gateway to its own IP address... (OpenVPN GUI 11.15.0.0/2.4.9)

When I test with a Linux client, and just run `ping -c 1 10.8.0.1` on the client and `tshark -i tun0 -f "host 10.8.0.2"` on the server, it shows two packets every time for a single PING. Contrary to the Windows client, which would often show two, four or five packets (the ICMP Redirect does not always get sent).

It doesn't matter that much because the clients with metered connections will be Linux.

And then you go and do something useless and expensive like this:
Thanks for the tip. Just copied it from some guide, so tweaks are welcome.

I'll monitor the data usage with these two changes. The most important thing is that the client isn't receiving/sending duplicate TCP packets. It might not be a routing issue at all then...

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: Question about Routing

Post by TinCanTech » Wed Sep 02, 2020 9:58 am

sunflare wrote:
Tue Sep 01, 2020 11:59 am
I was investigating earlier why I was getting so many 'ICMP Redirects': meaning the VPN server is saying 'That's great but here's a better route for you'.
OpenVPN does not generate ICMP redirects.
sunflare wrote:
Wed Sep 02, 2020 8:43 am
I can confirm that changing it back to --server has the same results.
Logs at verb 4.

viewtopic.php?f=30&t=22603#p68963
