CW Möller wrote:
> Hi
>
> I have a routing problem with the OpenVPN service running directly on
> the firewall itself. I have two DSL connections, one with a static IP
> (and my default route), the other with a dynamic IP. The first is
> called ISBD in the configs, the second is called SAIX.
>
> Connecting to the OpenVPN via ISBD works well, the packets route
> perfectly. Connecting via SAIX does not. In the attached status.txt, I
> try to connect to the firewall via the SAIX line (IP 165.146.107.24)
> from 41.245.93.27. In the Conntrack table, it seems that the packets
> try to return via ISBD (IP 196.211.31.106).

I've reproduced this behavior and the only solution I've found is to run
two OpenVPN servers; one with 'local' set to the address of one provider's
interface and the other with 'local' set to the other provider's interface
address. This required that I split the local VPN subnet into two subnets
(I use a routed configuration) and create separate client config
directories (I use CCD to assign fixed IP addresses to my OpenVPN clients).

> For a time I had SSH open on the firewall, and I could connect to it
> via SAIX, so it seems to me that the return routing works for TCP if
> not for UDP.

You are correct in a sense. With TCP, each connection creates a separate
socket; with UDP, there is a single server socket. I'm guessing that is
where the problem lies. Once a connection has occurred through one ISP,
the server always responds with that server's IP address as the source.

> I don't want to rewrite ALL OpenVPN traffic from the firewall to route
> via SAIX, I'd like to have the option of using ISBD if SAIX goes down.
>
> Any help (or pointers to documentation I missed) will be appreciated.

Splitting my configuration into two worked for me. YMMV.

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________
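The two-instance split Tom describes, written out as a small generator script so the pieces (one 'local' per provider address, one half of the routed VPN subnet per instance, one CCD directory per instance, a client config that lists both provider addresses so it can fall back to ISBD when SAIX is down). This is an added example, not code from the thread, from Shorewall or from OpenVPN. The two provider addresses are the ones quoted in the thread; the VPN subnet 10.8.0.0/24, the port, the file and directory names, the client name "laptop" and the use of 'topology subnet' are assumptions. It also assumes the firewall already routes by source address for both providers (Shorewall's multi-ISP setup), so that a reply sourced from the SAIX address really leaves via SAIX.

```shell
#!/bin/sh
# Added example: lay out two OpenVPN server instances, one bound with
# 'local' to each provider address, each owning one /25 half of the VPN
# subnet and its own client-config-dir.  Provider addresses come from the
# thread; the subnet, port, names and 'topology subnet' are assumptions.
set -e

ISBD_IP=196.211.31.106   # static-IP provider, carries the default route
SAIX_IP=165.146.107.24   # dynamic-IP provider

# Each instance gets one /25 half of 10.8.0.0/24 (assumed), so the two
# address pools and the fixed CCD addresses cannot collide.
ISBD_NET=10.8.0.0
SAIX_NET=10.8.0.128
HALF_MASK=255.255.255.128

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet ADDR NET MASK: succeeds if ADDR lies inside NET/MASK
in_subnet() {
    a=$(ip_to_int "$1"); n=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# write_server DIR NAME LOCAL_IP PORT NET: one server instance that answers
# only on a single provider address and uses its own CCD directory.
# 'dev tun' lets each instance take the next free tunN device.
write_server() {
    dir=$1; name=$2; local_ip=$3; port=$4; net=$5
    mkdir -p "$dir/ccd-$name"
    cat > "$dir/$name.conf" <<EOF
# OpenVPN instance answering only on the $name provider address
local $local_ip
port $port
proto udp
dev tun
topology subnet
server $net $HALF_MASK
client-config-dir $dir/ccd-$name
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh.pem
keepalive 10 60
persist-key
persist-tun
EOF
}

# write_ccd DIR NAME NET CLIENT_CN ADDR: fixed address for a client; it is
# refused unless it falls inside that instance's own half of the subnet.
write_ccd() {
    dir=$1; name=$2; net=$3; cn=$4; addr=$5
    if ! in_subnet "$addr" "$net" "$HALF_MASK"; then
        echo "error: $addr for $cn is outside $net/$HALF_MASK ($name)" >&2
        return 1
    fi
    printf 'ifconfig-push %s %s\n' "$addr" "$HALF_MASK" > "$dir/ccd-$name/$cn"
}

# build_layout DIR: both server instances, the CCD entries for one client
# (same CN on both instances) and that client's config.
build_layout() {
    dir=$1
    write_server "$dir" isbd "$ISBD_IP" 1194 "$ISBD_NET"
    write_server "$dir" saix "$SAIX_IP" 1194 "$SAIX_NET"
    write_ccd "$dir" isbd "$ISBD_NET" laptop 10.8.0.10
    write_ccd "$dir" saix "$SAIX_NET" laptop 10.8.0.138
    # Client side: both provider addresses, tried in order, so the client
    # falls back to the ISBD line when SAIX is down.
    cat > "$dir/laptop-client.conf" <<EOF
client
dev tun
proto udp
remote $SAIX_IP 1194
remote $ISBD_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop.crt
key laptop.key
EOF
}

# Usage: sh split-openvpn.sh /etc/openvpn   (no argument: only define functions)
if [ $# -ge 1 ]; then
    build_layout "$1"
    echo "wrote $1/isbd.conf, $1/saix.conf, ccd-isbd/, ccd-saix/, laptop-client.conf"
fi
```

Run it against a scratch directory first and diff the result against the existing server config before pointing it at /etc/openvpn; the CA, server and client certificate paths in the generated files are placeholders for whatever the existing setup already uses.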
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
