Struggling to Configure Policy Based Routing

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
0xC0FFEE
OpenVpn Newbie
Posts: 1
Joined: Sat Mar 20, 2021 12:50 am

Struggling to Configure Policy Based Routing

Post by 0xC0FFEE » Sat Mar 20, 2021 3:58 am

These are the interfaces on the OpenVPN server, which should match the diagram linked here:
https://viewer.diagrams.net/?highlight= ... 3Ddownload

Code: Select all

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.1.10  netmask 255.255.255.0  broadcast 172.16.1.255
        inet6 fe80::c809:85ff:fe5d:d107  prefixlen 64  scopeid 0x20<link>
        ether ca:09:85:5d:d1:07  txqueuelen 1000  (Ethernet)
        RX packets 2468  bytes 1144662 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 287  bytes 31342 (30.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.4  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::b8b9:1eff:fe02:87dc  prefixlen 64  scopeid 0x20<link>
        ether ba:b9:1e:02:87:dc  txqueuelen 1000  (Ethernet)
        RX packets 64  bytes 11934 (11.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27  bytes 2241 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10  bytes 1120 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 1120 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::2361:e946:1703:c30  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 24  bytes 3548 (3.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 67  bytes 15267 (14.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
At first, I am unable to ping any hosts in 10.9.9.0/24
I run the command ip route add 10.9.9.0/24 via 10.0.0.1 dev eth1
I can now ping hosts in that subnet
At this time, the OpenVPN server networking seems to suffice.
However, when I test a client connection from my phone, I am unable to ping 10.9.9.0/24 hosts.

I am at a loss here as to what I need to do to enable VPN clients to be able to ping hosts in that subnet.
At the current time, when I connect to the VPN from my phone, I can only ping hosts in the 172.16.1.0/24 subnet
Below are the routes when I run ip route show

Code: Select all

default via 172.16.1.1 dev eth0 
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.4 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
10.9.9.0/24 via 10.0.0.1 dev eth1 
172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.10
I've tried the push route "IP NETMASK" directives from the server
The Android client does not accept gateways in the push directives that differ from the default.

I've tried -- albeit a bit haphazardly -- to craft some policy based networking using a custom table name in /etc/iproute2
And, even if I add a particular subnet lookup to a routing table, I still can't get it to work on the mobile client.

I would appreciate any help configuring the setup such that connecting clients could reach hosts in the designated subnets as pictured in the diagram. Thank you for reading and for your time.
Top
ultramage
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 24, 2021 8:03 am

Re: Struggling to Configure Policy Based Routing

Post by ultramage » Wed Mar 24, 2021 3:36 pm

I took a look at your diagram and routing table for the server and several things seem off.

Why are you including the 'pfSense VM' in the diagram?

Can your server even talk to 10.9.9.0/24? You are pushing packets out across the 10.0.0/24 interface into the LAN, to a completely separate subnet that seems to also be On-Link. Assuming this is working...

Have you used tcpdump or wireshark to record packets from your phone coming in on eth0 and leaving on eth1? If I'm not mistaken, OpenVPN does not by default do NAT when shoveling packets from one inteface to another. The note on your secret subnet says "only 10.0.0.4" (the vpn server), but without NAT those phone packets will be arriving with source IP 172.16.1.x. If this is what is indeed happening, you'll need to add a NAT rule either to the system, or use OpenVPN's nat options if it has any (not sure). Or allow those IPs.

Also, your phone by default does not know where 10.9.9.x is. You'll either have to push a route that goes through the server, and hope it is accepted, or, make your phone route everything through the vpn interface towards the vpn server and let it handle the routing.
Top
300000
OpenVPN Super User
Posts: 497
Joined: Tue May 01, 2012 9:30 pm

Re: Struggling to Configure Policy Based Routing

Post by 300000 » Sat Mar 27, 2021 12:20 pm

You need to have this line into you server config

push " route 10.9.9.0 255.255.255.0 10.0.0.4 "

so you connect client it route destination to 10.0.0.0 /24 via 10.0.0.4
Top
Post Reply

Return to “Server Administration”