Hi

I have a routing problem with the OpenVPN service running directly on the firewall itself. I have two DSL connections, one with a static IP (and my default route), the other with a dynamic IP. The first is called ISBD in the configs, the second is called SAIX.

Connecting to the OpenVPN via ISBD works well, the packets route perfectly. Connecting via SAIX does not. In the attached status.txt, I try to connect to the firewall via the SAIX line (IP 165.146.107.24) from 41.245.93.27. In the Conntrack table, it seems that the packets try to return via ISBD (IP 196.211.31.106).

For a time I had SSH open on the firewall, and I could connect to it via SAIX, so it seems to me that the return routing works for TCP if not for UDP.

I don't want to rewrite ALL OpenVPN traffic from the firewall to route via SAIX, I'd like to have the option of using ISBD if SAIX goes down.

Any help (or pointers to documentation I missed) will be appreciated.

ciao
Charl

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and around Java (TM) technology - register by April 22, and save $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco. 300 plus technical and hands-on sessions. Register today. Use priority code J9JMT32. http://p.sf.net/sfu/p
CW Möller wrote:
> Hi
>
> I have a routing problem with the OpenVPN service running directly on
> the firewall itself. I have two DSL connections, one with a static IP
> (and my default route), the other with a dynamic IP. The first is
> called ISBD in the configs, the second is called SAIX.
>
> Connecting to the OpenVPN via ISBD works well, the packets route
> perfectly. Connecting via SAIX does not. In the attached status.txt, I
> try to connect to the firewall via the SAIX line (IP 165.146.107.24)
> from 41.245.93.27. In the Conntrack table, it seems that the packets
> try to return via ISBD (IP 196.211.31.106).

I've reproduced this behavior and the only solution I've found is to run two OpenVPN servers; one with 'local' set to the address of one provider's interface and the other with 'local' set to the other provider's interface address. This required that I split the local vpn subnet into two subnets (I use a routed configuration) and create separate client config directories (I use CCD to assign fixed IP addresses to my OpenVPN clients).

> For a time I had SSH open on the firewall, and I could connect to it
> via SAIX, so it seems to me that the return routing works for TCP if
> not for UDP.

You are correct in a sense. With TCP, each connection creates a separate socket; with UDP, there is a single server socket. I'm guessing that is where the problem lies. Once a connection has occurred through one ISP, the server always responds with that server's IP address as the source.

> I don't want to rewrite ALL OpenVPN traffic from the firewall to route
> via SAIX, I'd like to have the option of using ISBD if SAIX goes down.
>
> Any help (or pointers to documentation I missed) will be appreciated.

Splitting my configuration into two worked for me. YMMV.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
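The two-server arrangement Tom describes, written out as an added example. This is not configuration from the thread or from the Shorewall project; the interface addresses, VPN subnets, device names and file paths are placeholders, and the CCD entry assumes `topology subnet` so that each client gets a single fixed address out of its instance's range:

```conf
# /etc/openvpn/server-isbd.conf  (placeholder path; instance bound to the ISBD side)
# 192.0.2.10 is a placeholder for the ISBD interface address
local 192.0.2.10
port 1194
proto udp
dev tun0
topology subnet
# first half of the VPN address space
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd-isbd
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
keepalive 10 120

# /etc/openvpn/server-saix.conf  (placeholder path; instance bound to the SAIX side)
# 198.51.100.20 is a placeholder for the SAIX interface address
local 198.51.100.20
port 1194
proto udp
dev tun1
topology subnet
# second half of the VPN address space
server 10.8.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd-saix
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
keepalive 10 120

# /etc/openvpn/ccd-saix/laptop  (placeholder CCD file, one per client common name)
# the fixed address must come from the subnet of the instance that serves this client
ifconfig-push 10.8.1.10 255.255.255.0
```

Both instances can share port 1194 because each binds to one specific address, so the replies leave from the interface the request arrived on. Since the SAIX address is dynamic, the `local` line of the second instance has to be updated and that instance restarted whenever the address changes. A client that should be able to use either line needs a `remote` line for each instance and a CCD entry in both directories.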
Tom Eastep wrote:
> CW Möller wrote:
>> For a time I had SSH open on the firewall, and I could connect to it
>> via SAIX, so it seems to me that the return routing works for TCP if
>> not for UDP.
>
> You are correct in a sense. With TCP, each connection creates a separate
> socket; with UDP, there is a single server socket. I'm guessing that is
> where the problem lies. Once a connection has occurred through one ISP,
> the server always responds with that server's IP address as the source.

That last bit is somewhat garbled. Hopefully this is clearer:

Once a connection has occurred through one ISP, the OpenVPN server always responds with the source IP address being the address of the interface to that ISP. That happens even when the request was received through another ISP.

You might also notice that Samba creates a separate UDP socket for each interface that it is servicing -- there is obviously a reason that it does that.

-Tom
--
Tom Eastep           \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA         \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects
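The single-socket behaviour Tom describes can be reproduced without OpenVPN at all. The following Python script is an added example, not code from the thread or from OpenVPN: it runs a one-shot UDP echo server on the local host and reports which source address the reply comes from. The two loopback addresses 127.0.0.1 and 127.0.0.2 are constructed stand-ins for the ISBD and SAIX interface addresses (Linux accepts any 127/8 address on `lo`, so no configuration is needed). A server bound to all addresses replies from whatever source the routing table picks for the client, regardless of which address the request arrived on; a server bound to one specific address, which is what OpenVPN's `local` directive does, replies from that address. The `connected=True` case shows the client-side symptom: a connected UDP socket discards a reply whose source does not match the address it sent to, so the request simply times out.

```python
import socket
import threading

# Constructed stand-ins for the two provider-facing interface addresses.
ADDR_A = "127.0.0.1"  # plays the static-IP (ISBD) side, also the preferred loopback source
ADDR_B = "127.0.0.2"  # plays the dynamic-IP (SAIX) side


def _echo_once(srv):
    """Server side: receive one datagram and answer it on the same socket."""
    data, peer = srv.recvfrom(1024)
    srv.sendto(b"reply:" + data, peer)


def probe(server_bind_addr, dest_addr, connected=False, timeout=1.0):
    """
    Start a UDP echo server bound to server_bind_addr, send it one datagram
    addressed to dest_addr and return the source IP the reply arrived from
    as seen by the client, or None if no reply arrived before the timeout.

    connected=True makes the client use connect()/send()/recv(); the kernel
    then drops any reply whose source address is not dest_addr, which is
    exactly what a VPN client or a stateful NAT in the path would do.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((server_bind_addr, 0))            # port 0: let the kernel pick one
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_echo_once, args=(srv,))
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout)
    try:
        if connected:
            cli.connect((dest_addr, port))
            cli.send(b"ping")
            try:
                cli.recv(1024)
                return dest_addr               # only a reply from dest_addr gets through
            except socket.timeout:
                return None
        cli.sendto(b"ping", (dest_addr, port))
        try:
            _, (src_ip, _) = cli.recvfrom(1024)
            return src_ip                      # whatever source the server used
        except socket.timeout:
            return None
    finally:
        worker.join(timeout=timeout + 1)
        srv.close()
        cli.close()


def main():
    print("request to ADDR_B, server bound to 0.0.0.0 -> reply from",
          probe("0.0.0.0", ADDR_B))
    print("request to ADDR_B, server bound to ADDR_B  -> reply from",
          probe(ADDR_B, ADDR_B))
    print("connected client, server bound to 0.0.0.0  ->",
          probe("0.0.0.0", ADDR_B, connected=True))
    print("connected client, server bound to ADDR_B   ->",
          probe(ADDR_B, ADDR_B, connected=True))


if __name__ == "__main__":
    main()
```

Run it as an ordinary script; the first line shows the request sent to ADDR_B being answered from ADDR_A, the second shows the per-address bind fixing the source, and the connected-client lines show the same two cases as a dropped reply versus a successful one. This is the same reason Tom notes that Samba opens one UDP socket per interface.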