MULTI mode and dynamic routing?


Post by xvdessel » Tue Jan 16, 2018 4:55 pm

My configuration covers 5 sites, where multiple servers on these sites set up OpenVPN links with servers on the other sites. This effectively creates a mesh covering the whole. To reduce single points of failure, most of these sites have multiple machines acting as OpenVPN nodes, both in server and in client roles. Because some nodes work with dynamic public IP addresses, it happens that a site could connect to the others but incoming traffic was lost because DynDNS-like services need to adapt to the new address (ddclient). Hence, in some cases, there can be 2 links between 2 sites, one in each direction.
Up to some months ago, I only used static key point-to-point (with /30 addresses) connections.
To ensure fault tolerance, all servers use Quagga and OSPF (all within 1 zone), and the weights of the OpenVPN routes are set based on the bandwidth of the respective links or ISP connections.
This worked rather fine: I could cut out one OpenVPN link without a problem, as OSPF would see that (link-detect option) and reroute traffic via the other nodes. If one server went down, other servers on that site would still have some OpenVPN links, and OSPF reroutes all traffic correctly within seconds.
The drawback of the above is the high number of configurations to manage and many openvpn instances running. Therefore, I tried to switch to MULTI mode, where I can bundle all incoming connections in 1 configuration and 1 running instance.

But that is where I run into trouble. As I'm using tun interfaces, such a multi-link server apparently cannot route traffic to the correct client node if the respective iroute command is not allowing it.
But using iroute statements in my setup makes no sense, as it breaks the whole mesh approach using OSPF!

Is it correct that an OpenVPN server using a tun device in multi mode cannot forward packets to clients unless the target address is advertised in an iroute statement?

How would an OpenVPN server react if 2 clients are connected that both have an iroute for a common subdomain (e.g. because the client connections come from 2 machines on the same physical site (redundant links) and thus share a common subnet they are able to forward to)? Would OpenVPN forward IP packets to both clients?

Is it advised that I should go back to point-to-point (the /30 subnets) where OpenVPN just forwards the packets over the link and routing can be managed by OSPF?

Is it an option to use tap instead of tun? I'm not interested in bridging, only in complex routing managed by OSPF that copes with changes in the OpenVPN mesh. Would that allow the routing to dynamically change? What are the drawbacks of such a setup, compared to the tun one?

I hope the above is a bit clear. If not, please tell me where I should clarify (or make a drawing).

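For readers following the iroute question in the post above, here is an added illustration of what a MULTI-mode tun server needs in order to deliver packets to a subnet that sits behind a connected client. It is not the poster's configuration and not taken from the OpenVPN project; all addresses, paths, certificate names and the client common name are constructed for the example. The static-key point-to-point fragment at the end is included only as the contrast the poster describes (one instance per link, no iroute involved).

```conf
# --- /etc/openvpn/server.conf (constructed example: MULTI-mode server on a tun device)
mode server
tls-server
dev tun
proto udp
port 1194

# Use one /24 for all connected clients instead of one /30 per link.
topology subnet
server 10.8.0.0 255.255.255.0

# Certificate material: placeholder file names, not from the post.
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem

# Per-client overrides (iroute lives here). The file name must match the
# client certificate's common name.
client-config-dir /etc/openvpn/ccd

# Two layers are needed for a remote subnet behind a client:
#  1. This 'route' installs a kernel route so the OS hands packets for
#     192.168.10.0/24 to the tun interface at all.
#  2. The 'iroute' in the ccd file (below) tells the OpenVPN process which
#     client instance owns that prefix. Without it the server has no entry
#     in its internal routing table for the destination and drops the
#     packet; inbound packets from an unknown source are logged as
#     "MULTI: bad source address from client" and dropped as well.
route 192.168.10.0 255.255.255.0

# Allow traffic between connected clients to be switched inside the process
# (still subject to iroute ownership of the destination prefix).
client-to-client

keepalive 10 60
persist-key
persist-tun
verb 3

# --- /etc/openvpn/ccd/siteB-gw1 (constructed: common name of one client)
# The internal table maps a prefix to exactly one client instance; if a
# second client presents the same iroute, the server does not duplicate
# packets to both, it simply has one owner for the prefix at a time.
iroute 192.168.10.0 255.255.255.0
# Optional fixed tunnel address for this client (topology subnet form).
ifconfig-push 10.8.0.10 255.255.255.0

# --- /etc/openvpn/p2p-siteB.conf (constructed: the point-to-point style the
# poster used before, for contrast; one instance per link, addresses as /30)
dev tun
proto udp
port 1195
remote vpn.siteb.example 1195
secret /etc/openvpn/keys/siteA-siteB.key
# Local and peer tunnel endpoints of the /30; the kernel simply forwards
# anything routed to this tun device to the single peer, so OSPF (Quagga)
# can own the routing decisions without any iroute.
ifconfig 10.9.0.1 10.9.0.2
keepalive 10 60
persist-key
persist-tun
verb 3
```

In the MULTI-mode case the server must hold one fixed owner per destination prefix, which is exactly what an OSPF-driven mesh with redundant links is trying to avoid; the point-to-point form leaves every forwarding decision to the kernel routing table that Quagga populates.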