Configuration Question on multiple servers and lans

palladin9479
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 27, 2010 4:20 pm

Configuration Question on multiple servers and lans

Post by palladin9479 » Wed Oct 27, 2010 4:47 pm

This has been a side project of mine for a couple of years now. I'm trying to create a network of routers that interconnect using openvpn. I know how to get client -- server, lan -- server -- server -- lan type connections but am wondering how Openvpn handles multiple links / paths to the same destination. I'm using Quagga + OSPF for the dynamic routing tables so that hasn't been a problem. This project is based on my experience working on DoD secure networks and how they tunnel trusted network connections across untrusted networks without cross talk. It's a civilian version of the HAIPE / TACLANE device. I'm using topology subnet for my connections.

The general idea is,

Gateway Router #1
eth0 => Internet / untrusted network x.x.x.x
eth1 => Lan / trusted network 192.168.10.0/24
tun0 => WAN VPN connection 10.1.10.0/24
tun1 => VPN UDP client connection 10.1.11.0/24
tun2 => VPN TCP port 433 client connections (stealth) 10.1.12.0/24

Gateway Router #2
eth0 => x.x.x.x
eth1 => 192.168.20.0/24
tun0 => WAN VPN connection 10.1.20.0/24
tun1 => VPN UDP, 10.1.21.0/24
tun2 => VPN TCP:433, 10.1.22.0/24
tun3 => client connection to Router #1 tun0

Gateway Router #3
eth1 => 192.168.30.0/24
tun0 => WAN VPN 10.1.30.0/24
tun1 => VPN UDP 10.1.31.0/24
tun2 => VPN TCP:433 10.1.32.0/24
tun3 => client connection to Router #1 tun0

Gateway Router #4
eth1 => 192.168.40.0/24
tun0 => WAN VPN 10.1.40.0/24
tun1 => VPN UDP 10.1.41.0/24
tun2 => VPN TCP:433 10.1.42.0/24
tun3 => client connection to Router #3 tun0

Now the above configuration works although I need to do magic with the iroute entry and tell it to just accept from 10.1.0.0/16 and 192.168.0.0/16 because there are entirely too many subnets involved to be listing individually. Also I want this network to be instantly reconfigurable. If RGW#3 went offline RGW#4 could be redirected to RGW#1/2 to reestablish connectivity with the rest of the network. On this same line I'd like to be able to establish multiple paths to the same destination.

Gateway Router #4 (modified)
eth1 => 192.168.40.0/24
tun0 => WAN VPN 10.1.40.0/24
tun1 => VPN UDP 10.1.41.0/24
tun2 => VPN TCP:433 10.1.42.0/24
tun3 => client connection to Router #3 tun0
tun4 => client connection to Router #1 tun0

How does OpenVPN handle these types of setups with respect to iroute and deciding to forward / drop packets? I can configure OSPF with preferred routes and it can easily handle the kernel routing tables for the Linux machines involved, but I'm worried about OpenVPN getting confused or trying to play traffic cop. Also I want to be able to expand this setup to include dozens of RGW's in a hybrid mesh / web type configuration. Is this remotely possible or are there limitations within the software that would prevent it?

Sorry for the complicated questions and WoT, not sure how to best present this set of questions.

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Configuration Question on multiple servers and lans

Post by krzee » Wed Oct 27, 2010 6:52 pm

http://www.secure-computing.net/wiki/in ... RIPRouting

There is also a patch in the works that will allow for dynamic iroute entries... but until that is done, you need something like the above wiki post

palladin9479
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 27, 2010 4:20 pm

Re: Configuration Question on multiple servers and lans

Post by palladin9479 » Thu Oct 28, 2010 1:48 am

He basically did the same thing I was already doing except he's using RIP while I'm using OSPF. OSPF has a requirement that it can directly reach area 0 to broadcast its route table into; if area 0 isn't directly connected you have to configure a virtual link to something that does have area 0 directly connected. I found it best to use topology subnet and set the VPN subnet for tun0 (the router connection VPN) as Area 0 in a point-to-multipoint OSPF configuration.

I was more concerned with how OpenVPN treats the iroute statement in the ccd directory. I don't actually need OpenVPN to do anything with the kernel routing table because OSPF already does all the magic to get the routes right. I only want OpenVPN to pass the packet to the distant end. In the past when I ran into the "unknown source IP" error message I got rid of it by making the iroute statement in each ccd encompass the entire network.

/etc/openvpn/ccd/rgw2
iroute 10.1.0.0 255.255.0.0
iroute 192.168.0.0 255.255.0.0

But what happens if two files in the ccd both have the same iroutes and are connected at the same time?

Like RGW2 and 3 both being connected to tun0 on RGW 1 and both their ccd files having those ambiguous statements? Will Openvpn vomit another error message or will it send the packet to its destination based on the routing table?

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Configuration Question on multiple servers and lans

Post by krzee » Tue Nov 02, 2010 8:46 am

palladin9479 wrote: Will Openvpn vomit another error message or will it send the packet to its destination based on the routing table?
The need to ask this question comes down to you not knowing why iroute is needed...
The kernel is unable to point to an openvpn client, it can only point to the openvpn process.
For a client, this is fine (because clients know they only have 1 server). But for a server, how could the openvpn process know what client to send traffic to when the kernel said it goes to openvpn? The solution to this problem is iroute.
iroute adds a route to an internal routing table for an openvpn server. It is ONLY needed when you have a foreign subnet behind a client. It is needed because routing tables have no understanding of what client behind the openvpn process traffic needs to go to.

Someone is currently coding a solution for your issue (adaptive iroute specifically for people in your situation) but I do not think it is done yet.
For now you must use ptp links for a setup like this... no client/server, because then you get the iroute issue
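To make the explanation above concrete, here is a small Python model (added here, not OpenVPN's own code) of the server-internal table that iroute lines populate, using ccd contents constructed from the thread's addressing. It shows why a client's traffic is only accepted when its source maps back to that client, and what happens in the model when two ccd files carry the same blanket iroute: the destination lookup becomes ambiguous, so the server has no single client to hand the packet to.

```python
import ipaddress

# Constructed ccd contents modelled on the thread's addressing (toy model,
# not OpenVPN's implementation). RGW4 sits behind RGW3, so RGW3's ccd must
# claim 192.168.40.0/24 for RGW4's traffic to be accepted and forwarded.
CCD_SPECIFIC = {
    "rgw2": ["10.1.20.0/24", "192.168.20.0/24"],
    "rgw3": ["10.1.30.0/24", "192.168.30.0/24", "192.168.40.0/24"],
}
# The "accept everything" ccd files from the thread.
CCD_BLANKET = {
    "rgw2": ["10.1.0.0/16", "192.168.0.0/16"],
    "rgw3": ["10.1.0.0/16", "192.168.0.0/16"],
}


class IrouteTable:
    """Model of the server-side table built from iroute lines:
    subnet -> set of clients claiming it, looked up by longest prefix."""

    def __init__(self, ccd):
        self.routes = {}
        for client, lines in ccd.items():
            for cidr in lines:
                net = ipaddress.ip_network(cidr, strict=False)
                self.routes.setdefault(net, set()).add(client)

    def lookup(self, dst):
        """Clients owning the longest prefix that covers dst.
        []          -> no iroute covers it (model: nowhere to forward)
        [one]       -> unambiguous, forward to that client
        [a, b, ...] -> the ccd files are ambiguous for this destination"""
        addr = ipaddress.ip_address(dst)
        matches = [(n, owners) for n, owners in self.routes.items() if addr in n]
        if not matches:
            return []
        best = max(matches, key=lambda m: m[0].prefixlen)
        return sorted(best[1])

    def source_ok(self, client, src):
        """Model of the server's source check: a packet arriving from
        `client` is accepted only if src maps back to that client."""
        return client in self.lookup(src)
```

With `CCD_SPECIFIC` every destination maps to exactly one client; with `CCD_BLANKET` a packet for 192.168.20.5 matches both rgw2 and rgw3, which is the ambiguity the earlier question asked about.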

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Configuration Question on multiple servers and lans

Post by krzee » Tue Nov 02, 2010 8:57 am

According to cron2 you may have better luck with tap.
He says by using tap but not even bridging you can get around needing an iroute.
