--multihome
Configure a multi-homed UDP server. This option can be used when OpenVPN
has been configured to listen on all interfaces, and will attempt to bind
client sessions to the interface on which packets are being received, so
that outgoing packets will be sent out of the same interface. Note that
this option is only relevant for UDP servers and currently is only
implemented on Linux.
Note: clients connecting to a --multihome server should always use the
--nobind option.
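The mechanism behind that man-page text is the kernel's IP_PKTINFO ancillary data: a UDP server bound to all interfaces asks to be told which local address each datagram was sent to, and then pins the reply's source address to that address instead of letting the routing table pick one. The following loopback demo is an added illustration, not code from this thread or from OpenVPN itself; it constructs a server on 0.0.0.0 and a client that talks to 127.0.0.2, and assumes the Linux value IP_PKTINFO = 8 where the Python build lacks the constant.

```python
import socket
import struct

# Linux value of IP_PKTINFO, assumed where the Python build lacks the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)

def recv_with_dst(sock, bufsize=65535):
    """Receive one datagram plus the local address it was actually sent to."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(12))
    local_dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # struct in_pktinfo: int ipi_ifindex; in_addr ipi_spec_dst; in_addr ipi_addr
            _ifindex, _spec_dst, addr = struct.unpack("i4s4s", cdata[:12])
            local_dst = socket.inet_ntoa(addr)
    return data, peer, local_dst

def reply(sock, data, peer, local_src=None):
    """Echo data to peer; with local_src set, pin the reply's source address."""
    if local_src is None:
        sock.sendto(data, peer)              # kernel picks the source by route
        return
    pktinfo = struct.pack("i4s4s", 0, socket.inet_aton(local_src), b"\0" * 4)
    sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)

def demo(multihome, server_addr="127.0.0.2"):
    """Constructed loopback exchange: server on 0.0.0.0, client talks to 127.0.0.2.
    Returns (address the request arrived on, reply source as the client saw it);
    without multihome they differ, the symptom of a server bound to all
    interfaces answering from the "wrong" address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind(("0.0.0.0", 0))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind(("127.0.0.1", 0))
    cli.settimeout(2)
    try:
        cli.sendto(b"hello", (server_addr, srv.getsockname()[1]))
        data, peer, arrived_on = recv_with_dst(srv)
        reply(srv, data, peer, arrived_on if multihome else None)
        _data, reply_src = cli.recvfrom(64)
        return arrived_on, reply_src[0]
    finally:
        srv.close()
        cli.close()

if __name__ == "__main__":
    print("without multihome:", demo(False))   # ('127.0.0.2', '127.0.0.1')
    print("with multihome:   ", demo(True))    # ('127.0.0.2', '127.0.0.2')
```

The mismatch in the first line is the same thing the log below shows ("link remote 1.1.1.1" answered by "Initial packet from 2.2.2.2"); the policy-routing tables in the thread only help once the reply carries the right source address.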


2017-02-13 22:09 GMT+00:00 Catalin Bucur <c...@geniusnet.ro>:

> On 13/02/2017 19:28, Catalin(ux) M. BOIE wrote:
> > A tcpdump on both interfaces could show you interesting things: the
> > connection from outside arrives on one IP, but leaves with an incorrect source.
> >
> > I'm looking forward to the exact configuration you made and the tcpdump
> > traces.
>
>
> I didn't want to write a wall of text here, but it seems I have no choice
> :-) I have already done pretty much all the things you said. I'll try to
> lay them out here too and keep it as short as I can.
>
> I have "float" in the openvpn configuration, otherwise it didn't work in
> the variant with the default route set.
>
> The iproute2 configuration:
> ----------------------------------------------------
> # IF0 = internal LAN, IF1/IF2 = links to the two providers
> IF0="enp4s0"
> IF1="enp0s25"
> IF2="enp4s2"
> IP0="172.24.100.1"
> IP1="1.1.1.1"
> IP2="2.2.2.2"
> # provider gateways
> P1="1.1.1.254"
> P2="2.2.2.254"
> P0_NET="172.24.100.0/24"
> P1_NET="1.1.1.0/24"
> P2_NET="2.2.2.0/24"
>
> # tables T1/T2 are named in /etc/iproute2/rt_tables; start from a clean state
> ip route flush table T1
> ip route flush table T2
> ip rule del from $IP1 table T1
> ip rule del from $IP2 table T2
>
> # one table per provider: link route plus that provider's default gateway
> ip route add $P1_NET dev $IF1 src $IP1 table T1
> ip route add default via $P1 table T1
> ip route add $P2_NET dev $IF2 src $IP2 table T2
> ip route add default via $P2 table T2
>
> # traffic sourced from a provider IP must use that provider's table
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
>
> # LAN, the other provider's subnet and loopback reachable from each table
> ip route add $P0_NET dev $IF0 table T1
> ip route add $P2_NET dev $IF2 table T1
> ip route add 127.0.0.0/8 dev lo table T1
> ip route add $P0_NET dev $IF0 table T2   # was $P0_NET0, an undefined variable
> ip route add $P1_NET dev $IF1 table T2
> ip route add 127.0.0.0/8 dev lo table T2
> ----------------------------------------------------
>
> I think it's clear enough: IF0 is the internal interface, the other 2 go
> to the 2 providers.
>
> With the default route set via P2 I connect to openvpn via P1:
>    Mon Feb 13 18:45:20 2017 UDPv4 link local: [undef]
>    Mon Feb 13 18:45:20 2017 UDPv4 link remote: [AF_INET]1.1.1.1:1194
>    Mon Feb 13 18:45:20 2017 TLS: Initial packet from
> [AF_INET]2.2.2.2:1194, sid=d2a8840d f02fe16c
> As you can see, the logs say the same thing, so there's no point giving
> tcpdump details: the packets come in on one interface and go back out on
> the other (default route) - with 'float' set.
>
> Now I delete the default route and connect to openvpn the same way via P1
> (from the public IP 9.9.9.9):
>
> # tcpdump -i enp0s25 -nn port 1194
> 23:41:58.709140 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
> 23:42:00.892050 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
> 23:42:04.166071 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
> 23:42:12.880868 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
> 23:42:28.337031 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
> 23:43:00.184881 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
> 23:43:02.307497 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
> 23:43:06.552837 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
> 23:43:15.045645 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
> 23:43:31.338430 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
> [etc]
>
> Listening on the other interfaces too - even on the internal one :-)) -
> no packet shows up on port 1194 during this whole period.
>
> On the other hand, if for example I do a test on port 25 (also without a
> default route):
> # telnet 1.1.1.1 25
> Trying 1.1.1.1...
> Connected to 1.1.1.1.
> Escape character is '^]'.
> 220 mail.localhost.localdomain ESMTP Postfix
>
> # tcpdump -i enp0s25 -nn port 25
> 00:02:27.365936 IP 9.9.9.9.35082 > 1.1.1.1.25: Flags [S], seq
> 3989728965, win 29200, options [mss 1460,sackOK,TS val 3423415060 ecr
> 0,nop,wscale 7], length 0
> 00:02:27.365959 IP 1.1.1.1.25 > 9.9.9.9.35082: Flags [S.], seq
> 794810362, ack 3989728966, win 28960, options [mss 1460,sackOK,TS val
> 92128016 ecr 3423415060,nop,wscale 7], length 0
> 00:02:27.409897 IP 9.9.9.9.35082 > 1.1.1.1.25: Flags [.], ack 1, win
> 229, options [nop,nop,TS val 3423415104 ecr 92128016], length 0
> 00:02:27.434864 IP 1.1.1.1.25 > 9.9.9.9.35082: Flags [P.], seq 1:37, ack
> 1, win 227, options [nop,nop,TS val 92128085 ecr 3423415104], length 36
> 00:02:27.479003 IP 9.9.9.9.35082 > 1.1.1.1.25: Flags [.], ack 37, win
> 229, options [nop,nop,TS val 3423415173 ecr 92128085], length 0
>
>
> I hope I haven't shortened this story too much; I'll give more details if
> needed. There is probably an alternative solution, for example a script
> that switches the default route to the other provider when the initial
> one goes down. In that case openvpn would work all the time. But if the
> theory says it should work without a default route (and maybe that would
> be the logical way too), then what's wrong?
>
>
> Thanks for the help,
> Catalin Bucur
>
> _______________________________________________
> RLUG mailing list
> RLUG@lists.lug.ro
> http://lists.lug.ro/mailman/listinfo/rlug
>