subnet tunnel all traffic via OpenVPN

loffovyl
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 12, 2022 12:30 am

subnet tunnel all traffic via OpenVPN

Post by loffovyl » Mon Sep 12, 2022 12:51 am

Hi All,

Seeking your expert advice for a probably unusual type of configuration.
In simple terms - LAN hosts have their default gateway set to the OpenVPN server, which has a connected OpenVPN client that is to be used as the exit point towards the internet for these LAN hosts behind the OpenVPN server.


LAN<--->OpenVPN server<---_tunnel_to_client--->OpenVPN client <----> internet.

In the exact configuration, the OpenVPN server is a Docker container and the more exact layout looks like below, though it probably doesn't change anything for the problem I am facing:

LAN<--->Docker Host<--->OpenVPN server (in container)<---_tunnel_to_client_via_internet_--->OpenVPN client <----> router <---> internet.

There is a subnet connected to the OpenVPN client which is already reachable for LAN hosts (push entries, etc.)

What works:
- LAN hosts have the Docker Host set as default gateway.
- Docker Host has, using iproute2 (custom routing table), the default gateway for LAN hosts set to the OpenVPN server (source-based routing / rule targeting a specific table, and that table has its default gateway entry set to the OpenVPN server).

What doesn't work:
- OpenVPN server has routing set the same way as above, with the only difference being that the default gateway IP is in this case the remote OpenVPN client - same logic as for all other subnets exposed by the OpenVPN client, to which traffic works.
- Traffic gets up to the OpenVPN server and seems to be going through "FORWARD", though probably being dropped by OpenVPN code.

Feeling is that since the dst IP is anything in the internet, packets are dropped as some configuration entry is missing on the OpenVPN side allowing it to forward the traffic.
For the sake of trying, I also SNATed traffic on the Docker Host which reaches the OpenVPN Server (container) to be on the container subnet - didn't help.


Why am I trying to get through the OpenVPN client to the internet, and why is it not that the LAN is behind the client and the remote internet GW behind the tunnel is the OpenVPN server? This layout comes out of a situation where the OpenVPN server is the server for multiple locations, and in this case, only for specific hosts in the LAN, traffic needs to be pushed out via a different egress point to the internet.
Is this possible at all with OpenVPN?

I'd prefer to avoid setting up an additional pair of OpenVPN client/server to have a server at the remote location and a local client to allow the traffic.

I want to KISS (keep it stupid simple), and any suggestions on how to simplify it are more than welcome.

Thank you in advance for help.

loffovyl
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 12, 2022 12:30 am

Re: subnet tunnel all traffic via OpenVPN

Post by loffovyl » Thu Sep 15, 2022 9:59 pm

After long hours of scratching my head and troubleshooting via different approaches, like taking it via an ipip tunnel between the default gateway for the whole LAN doing source-based routing and pushing it via the ipip tunnel to the OpenVPN client, terminated on another interface - it turned out that the problem could be due to rp_filter being enabled on that OpenVPN host. Given the complexity of setting up a dedicated routing table on the routers between the src in the LAN and the OpenVPN gateway (I've skipped this above for the sake of a clear picture of the logic), it turned out that using an ipip tunnel is the KISS approach - the fewest modifications in routing and the easiest to troubleshoot.
The downside is the increased packet size, but this I might accept - I'll see in the next days.

Should one run into trouble where packets arrive on an interface but are not forwarded, outside of FW rules, TTL, etc., it's worth checking the rp_filter setting. In my case I had it strict ("1") and that was causing packets to be silently dropped.
Options around it are:
a) adding more specific routing for the reverse traffic (in my case I had the same IP from the LAN host going out of the ipip tunnel as is accessible via OpenVPN) - preferred solution as it is clean,
b) switching to loose rp_filter ("2"), as I wouldn't advise disabling rp_filter. Even with the loose option one exposes oneself to DDoS.

Good luck!
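The rp_filter behaviour described in the post above, as an added illustration that is not code from the thread: a small model of the Linux reverse-path check (strict = 1, loose = 2) run against a constructed routing table in which the LAN host's packets arrive on an ipip tunnel while the best route back to that host points at the OpenVPN tun interface. Interface names (ipip0, tun0, eth0) and the 192.168.10.0/24 LAN prefix are constructed sample values; the model ignores multipath and per-interface/"all" max() merging that the real kernel applies.

```python
"""Model of Linux rp_filter (0 = off, 1 = strict, 2 = loose) against a FIB.

Constructed example, not the poster's configuration: it reproduces the case
where a LAN host's packets enter via the ipip tunnel but the longest-prefix
route back to that host points at the OpenVPN tun interface, so strict
rp_filter silently drops them (no firewall counter increments; nstat's
TcpExtIPReversePathFilter is the place the drops show up).
"""
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, outgoing interface); longest prefix wins, like the FIB.
Route = Tuple[str, str]

# Constructed routing table of the OpenVPN client host that also terminates
# the ipip tunnel: default via the router, LAN prefix learned over OpenVPN.
ROUTES: List[Route] = [
    ("0.0.0.0/0", "eth0"),        # default route towards the internet router
    ("192.168.10.0/24", "tun0"),  # LAN behind the OpenVPN server, via the VPN
]

def best_route(routes: List[Route], dst: str) -> Optional[str]:
    """Interface of the longest-prefix route matching dst, or None if unrouted."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def rp_filter_accepts(routes: List[Route], src: str, in_iface: str, mode: int) -> bool:
    """Reverse-path test for a packet with source src received on in_iface.
    mode 0: no check. mode 1 (strict): the route back to src must leave via
    in_iface. mode 2 (loose): any route back to src suffices, so a default
    route makes every source pass (which is why loose still leaves spoofed
    sources reachable, as the post notes)."""
    if mode == 0:
        return True
    back = best_route(routes, src)
    if back is None:
        return False           # source unreachable: dropped in strict and loose
    return True if mode == 2 else back == in_iface

def with_reverse_route(routes: List[Route], host: str, in_iface: str) -> List[Route]:
    """Option a) from the post: add a more specific (/32) route so the reverse
    path for this one host matches the interface its packets arrive on."""
    return routes + [(f"{host}/32", in_iface)]
```

With ROUTES as given, a packet from 192.168.10.5 arriving on ipip0 fails in strict mode, passes in loose mode, and passes in strict mode once the /32 reverse route is added.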

TinCanTech
Forum Team
Posts: 11124
Joined: Fri Jun 03, 2016 1:17 pm

Re: subnet tunnel all traffic via OpenVPN

Post by TinCanTech » Thu Sep 15, 2022 11:39 pm

loffovyl wrote:
Mon Sep 12, 2022 12:51 am
Seeking your expert advice for a probably unusual type of configuration
Your OpenVPN configuration files are still missing. This thread has little context without them.

loffovyl
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 12, 2022 12:30 am

Re: subnet tunnel all traffic via OpenVPN

Post by loffovyl » Tue Sep 27, 2022 1:48 pm

TinCanTech wrote:
Thu Sep 15, 2022 11:39 pm
loffovyl wrote:
Mon Sep 12, 2022 12:51 am
Seeking your expert advice for a probably unusual type of configuration
Your OpenVPN configuration files are still missing. This thread has little context without them.
Thanks, the question was theoretical - whether that logic is possible within OpenVPN at all - and if yes, then what's required to be in the configuration?
I can set it up accordingly then. Testing with iroute/push didn't seem to help, given the "reverse" direction of the traffic I needed.
The KISS approach with the IPIP tunnel resolved the problem, as it seemed like packets were dropped at the OpenVPN logic level, probably due to IP spoofing logic (or maybe because I didn't manually relax it for the OpenVPN interface). By default I have strict set for all interfaces.

ordex
OpenVPN Inc.
Posts: 331
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: subnet tunnel all traffic via OpenVPN

Post by ordex » Tue Sep 27, 2022 9:00 pm

Do you have an "iroute" for the VPN client saying that "everything" has to go through it?
iroutes are used to tell the OpenVPN server process which client to route traffic to.
