LinuxQuestions.org

LinuxQuestions.org > Linux - Networking > OpenVPN struggles (http://www.linuxquestions.org/questions/linux-networking-3/openvpn-struggles-4175445099/)

junkyhlm 01-11-2013 03:36 AM

OpenVPN struggles
 
I've got some problems with my OpenVPN setup.

The Setup:
-> Ubuntu Server 12.04
-> Two active NICs: eth0 (default): 192.168.1.0/24
   eth1: x.x.x.x (external IP)

I've managed to get the routing to work so I can connect to the outside world with the eth1 NIC.

Code:

holmen@filserver:~$ ping -I eth1 -c 3 www.linuxquestions.org
PING www.linuxquestions.org (75.126.162.205) from 192.168.1.2 eth1: 56(84) bytes of data.
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=1 ttl=50 time=133 ms
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=2 ttl=50 time=133 ms
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=3 ttl=50 time=133 ms

--- www.linuxquestions.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 133.281/133.336/133.379/0.423 ms

One curious thing is the "from ip #". It says "from 192.168.1.2 eth1", but that IP is the server's IP on the eth0 interface.

Netstat:
Code:

holmen@filserver:~$ netstat -anr
Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
0.0.0.0        192.168.1.1    0.0.0.0        UG        0 0          0 eth0
x.x.x.x    0.0.0.0        255.255.128.0  U        0 0          0 eth1
192.168.1.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0

But here comes the real problem:
When setting up OpenVPN with the option "local x.x.x.x" (eth1 external IP) it still tunnels the eth0 interface. And I can't understand why.

OpenVPN settings:
Code:

client
dev tap
proto udp
local x.x.x.x
remote openvpn.anonine.net 1194
remote openvpn.anonine.net 1195
remote openvpn-2.anonine.net 1196
remote openvpn-2.anonine.net 1197
remote openvpn-3.anonine.net 1198
remote openvpn-3.anonine.net 1199
remote openvpn-4.anonine.net 1200
remote openvpn-4.anonine.net 1201
remote-random
resolv-retry infinite
auth-user-pass
persist-key
persist-tun
ca anonine.ca.crt
ns-cert-type server
comp-lzo
reneg-sec 0
verb 3

Netstat (tunnel active):
Code:

holmen@filserver:~$ netstat -anr
Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
0.0.0.0        46.246.20.129  128.0.0.0      UG        0 0          0 tap0
0.0.0.0        192.168.1.1    0.0.0.0        UG        0 0          0 eth0
x.x.x.x    0.0.0.0        255.255.128.0  U        0 0          0 eth1
46.246.20.128  0.0.0.0        255.255.255.128 U        0 0          0 tap0
80.67.8.222    192.168.1.1    255.255.255.255 UGH      0 0          0 eth0
128.0.0.0      46.246.20.129  128.0.0.0      UG        0 0          0 tap0
192.168.1.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0

Anyone got any ideas?

nikmit 01-14-2013 09:01 AM

Ubuntu network manager is unreliable in my experience. Last I tried using it was about 18 months ago, so it might be fixed, but I was getting errors where an interface fails to come up or isn't seen. I am running with a manual setup since then, without any issues.

On a separate note, Ubuntu is a desktop distribution and to me Ubuntu Server is an oxymoron :) I use Debian for servers, which is essentially the same OS but changed less often and more stable.

To help provide a better picture of your setup, run and post the output of:

(you might want to edit any public IP addresses, not a good idea to publish them)

ifconfig
ip route show table all
ip rule show
iptables -t nat -L -v -n

Nik

scheidel21 01-16-2013 08:21 AM

A little confused by what is going on, but I think part of it has to do with the order that the NICs are being brought up. But on reconsideration, looking at your routing table, it appears your default route is set to go through that interface, which would explain why it is coming from there. You've got your routes all jumbled up. I would go back to basics to start: shut down the OpenVPN connections, remove any routes you've added and add a default route, then bring your OpenVPN connections back up and let them write their entries to the routing table, then perhaps post the output again and go from there.

junkyhlm 01-17-2013 03:30 AM

Thank you for your post, but after consulting the community support of OpenVPN I've concluded that this is pretty much impossible.

scheidel21 01-17-2013 06:57 AM

Sorry you couldn't accomplish what you wanted to do, however, I'm still not clear on what it was you wanted to do.

junkyhlm 01-17-2013 07:27 AM

1 Attachment(s)
Quote:

Originally Posted by scheidel21 (Post 4872103)
Sorry you couldn't accomplish what you wanted to do, however, I'm still not clear on what it was you wanted to do.

This is what i tried to accomplish:
I have a server running with apache2, rtorrent and ssh as the main applications that need connection to the outside world. I have tried for some time now to separate my applications' connections over 2 separate NICs (eth0 and eth1). My main goal in this was to have a VPN tunnel to an anonymizer service (Anonine.com) running only on one NIC, eth1 to be exact. I get 2 separate external IPs from my ISP and I have got the two NICs to work as they should.

So my setup would look something like the attached image.

And then have only rtorrent running via the VPN tunnel on eth1 since i don't want to hide the ip of my apache2 and ssh servers.

And there's my problem..

scheidel21 01-17-2013 07:35 AM

This can't be done in the OpenVPN configuration, but this might be able to be accomplished using either iptables (prevent rtorrent traffic from going out the non-VPN interface) or iproute2 (http://lartc.org/howto/lartc.iproute2.html); it's used for advanced routing, like ensuring traffic coming in on one interface goes out the same interface it came in, regardless of routing table. Also you might take a look at this http://libtorrent.rakshasa.no/ticket/1809 - looks like someone created a way you could bind rtorrent to a specific interface, which would accomplish what you want as well.
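An added example, not part of scheidel21's post or anything else in this thread, of the iproute2 approach suggested above. The reason "local x.x.x.x" alone does not help is that the option only binds OpenVPN's UDP socket to eth1's address; the kernel then still chooses the egress path from the main routing table, whose only default route is via 192.168.1.1 on eth0. A source-based rule ("packets from the eth1 address use their own table, whose default route is eth1's gateway") fixes that. The addresses are placeholders from RFC 5737 documentation space standing in for the thread's x.x.x.x, and eth1's gateway (which the thread never states) is an assumption that must be filled in:

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: source-based policy
# routing so that packets whose source address is the eth1 address leave via
# eth1's own gateway, even though the main table's default route points at
# eth0 (192.168.1.1). OpenVPN's 'local x.x.x.x' only binds the socket; the
# kernel still picks the egress path from the routing tables.
# Addresses are placeholders (RFC 5737 documentation space) standing in for the
# thread's x.x.x.x; eth1's gateway is not given in the thread and must be set.

EXT_IF="eth1"
EXT_IP="203.0.113.10"     # placeholder for the eth1 external address
EXT_GW="203.0.113.1"      # placeholder: the ISP gateway reachable on eth1
EXT_NET="203.0.0.0/17"    # the /17 (255.255.128.0) seen in the thread's netstat
TABLE="100"               # spare routing table number (1-252 are free by default)
PROBE="75.126.162.205"    # www.linuxquestions.org, the thread's ping target

# Print the iproute2 commands, one per line. Generation is kept separate from
# execution so the commands can be reviewed (or unit-tested) without root.
policy_route_cmds() {
    cat <<EOF
ip route replace $EXT_NET dev $EXT_IF src $EXT_IP table $TABLE
ip route replace default via $EXT_GW dev $EXT_IF table $TABLE
ip rule add from $EXT_IP lookup $TABLE priority 1000
EOF
}

# Execute the generated commands (requires root / CAP_NET_ADMIN).
# Note: 'ip rule add' is not idempotent; check 'ip rule show' before re-running.
apply_policy_route() {
    policy_route_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1   # leaves the pipeline subshell with a failure status
    done
}

# Extract the egress device from one line of 'ip route get' output, e.g.
#   "75.126.162.205 from 203.0.113.10 via 203.0.113.1 dev eth1 src 203.0.113.10"
# yields "eth1". Reads the line from stdin.
parse_egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Ask the kernel which interface it would use for a packet sourced from $1.
# Before the rule is installed this answers "eth0" for the eth1 address,
# which is exactly the symptom described in the thread.
egress_dev_for_source() {
    ip route get "$PROBE" from "$1" 2>/dev/null | head -n 1 | parse_egress_dev
}

# usage: sh policyroute.sh show | apply | check
case "${1:-show}" in
    show)  policy_route_cmds ;;
    apply) apply_policy_route ;;
    check) echo "packets from $EXT_IP would leave via: $(egress_dev_for_source "$EXT_IP")" ;;
esac
```

Run "check" before and after "apply": the kernel's own answer ("ip route get ... from <eth1 address>") is the authoritative test of where the bound socket's packets will go. OpenVPN's log will still print the main table's gateway as default_gateway because that is the table it reads, but that does not affect a socket whose source address matches the rule.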

junkyhlm 01-17-2013 07:52 AM

Quote:

Originally Posted by scheidel21 (Post 4872135)
This can't be done in the OpenVPN configuration, but this might be able to be accomplished using either iptables (prevent rtorrent traffic from going out the non-VPN interface) or iproute2 (http://lartc.org/howto/lartc.iproute2.html); it's used for advanced routing, like ensuring traffic coming in on one interface goes out the same interface it came in, regardless of routing table. Also you might take a look at this http://libtorrent.rakshasa.no/ticket/1809 - looks like someone created a way you could bind rtorrent to a specific interface, which would accomplish what you want as well.

Thank you for your input, but that's not the problem. The problem is that the OpenVPN tunnel chooses the eth0 interface to be tunneled. When getting help from the community support @ #openvpn we tried many possible solutions with --up scripts and ip variables, but nothing works.

Thank you for the tip on binding rtorrent to an interface. I have used "bind x.x.x.x" (eth1 IP) in my .rtorrent.rc.

scheidel21 01-17-2013 07:55 AM

Well, if it is binding to eth0 because it is the lower NIC, you could try editing the udev rules and switching the interface names: http://www.novell.com/support/kb/doc.php?id=3012993

junkyhlm 01-17-2013 08:00 AM

Quote:

Originally Posted by scheidel21 (Post 4872149)
Well, if it is binding to eth0 because it is the lower NIC, you could try editing the udev rules and switching the interface names: http://www.novell.com/support/kb/doc.php?id=3012993

Thank you! I thought of this way back but thought it was too simple to be true :D Will try this tonight!

scheidel21 01-17-2013 08:00 AM

If you edit interface names and use static settings you will need to edit those as well.

junkyhlm 01-17-2013 08:21 AM

Quote:

Originally Posted by scheidel21 (Post 4872153)
If you edit interface names and use static settings you will need to edit those as well.

Yeah, ofc. But I'll just change eth0 -> 1 and vice versa in /etc/network/interfaces.

junkyhlm 01-17-2013 02:01 PM

Quote:

Originally Posted by scheidel21 (Post 4872153)
If you edit interface names and use static settings you will need to edit those as well.

Nope, tested your solution and it's no good. It still tunnels eth0 since the default route in the main table is the eth0 NIC. :(

scheidel21 01-17-2013 09:23 PM

Take a look at this http://kindlund.wordpress.com/2007/1...utes-in-linux/ it's upper level stuff but I think it may be the key to getting it to work the way you want. It was referenced from this https://forums.openvpn.net/topic10922.html which seems to do what you are seeking to do.

junkyhlm 01-18-2013 12:22 AM

Quote:

Originally Posted by scheidel21 (Post 4872606)
Take a look at this http://kindlund.wordpress.com/2007/1...utes-in-linux/ it's upper level stuff but I think it may be the key to getting it to work the way you want. It was referenced from this https://forums.openvpn.net/topic10922.html which seems to do what you are seeking to do.

I have tried this. It doesn't work. It still chooses the NIC#1 IP. I think it worked for the other guy because he is connecting to the same gateway.

Output when starting OpenVPN:
Quote:

Fri Jan 18 07:20:13 2013 ROUTE default_gateway=192.168.1.1

That is the NIC#1 gateway.
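An added example, not part of junkyhlm's post or anything else in the thread, for the actual goal stated earlier: rtorrent via the VPN only, apache2 and ssh untouched. The routing table posted with the tunnel active shows the pushed 0.0.0.0/1 and 128.0.0.0/1 routes via tap0, which capture every process on the box. The alternative is to run the client with "route-nopull" so those routes are never installed, mark only rtorrent's packets with the iptables owner match, route marked packets through a table whose default route is tap0, and add a leak guard so that rtorrent's traffic is rejected rather than silently falling back to eth0 if the tunnel drops. The tap0 gateway 46.246.20.129 is taken from the thread's netstat output; the user name, mark value and table number are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread: confine one account's traffic (the
# rtorrent user) to the VPN interface while apache2 and ssh keep using eth0.
# Part 1 marks rtorrent's packets and routes only marked packets via tap0, so
# OpenVPN can run with 'route-nopull' instead of the pushed 0.0.0.0/1 and
# 128.0.0.0/1 routes that hijack everything. Part 2 is a leak guard: rtorrent
# may send only to loopback and tap0, so if the tunnel drops its traffic is
# rejected rather than silently falling back to eth0/eth1.
# The VPN gateway is the one shown in the thread's routing table; the user
# name, mark and table number are placeholders.

VPN_IF="tap0"
VPN_GW="46.246.20.129"    # tap0 gateway from the thread's 'netstat -anr'
TOR_USER="rtorrent"       # placeholder: the account rtorrent runs as
MARK="0x1"
TABLE="200"

# Policy-routing commands. rp_filter is relaxed on tap0 because replies arrive
# unmarked and a strict reverse-path check would look them up in the main table.
# MASQUERADE covers the case where rtorrent has 'bind' set to the eth1 address.
mark_route_cmds() {
    cat <<EOF
iptables -t mangle -A OUTPUT -m owner --uid-owner $TOR_USER -j MARK --set-mark $MARK
ip rule add fwmark $MARK lookup $TABLE priority 900
ip route replace default via $VPN_GW dev $VPN_IF table $TABLE
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
sysctl -q -w net.ipv4.conf.$VPN_IF.rp_filter=2
EOF
}

# Leak-guard commands: order matters, the REJECT must come last.
leak_guard_cmds() {
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -o $VPN_IF -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Run generated command lines from stdin (requires root).
run_lines() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Check 'iptables -S OUTPUT' text on stdin for the guard's final REJECT rule.
# iptables -S prints numeric uids, so pass the uid ($1), e.g. "$(id -u rtorrent)".
guard_present() {
    grep -q -E -- "^-A OUTPUT -m owner --uid-owner $1 -j REJECT"
}

# usage: sh vpnonly.sh show | apply | check
case "${1:-show}" in
    show)  mark_route_cmds; leak_guard_cmds ;;
    apply) { mark_route_cmds; leak_guard_cmds; } | run_lines ;;
    check) if iptables -S OUTPUT | guard_present "$(id -u "$TOR_USER")"; then
               echo "leak guard present for $TOR_USER"
           else
               echo "leak guard MISSING for $TOR_USER"; exit 1
           fi ;;
esac
```

With this in place rtorrent no longer needs "bind x.x.x.x" in .rtorrent.rc; the mark, not the bound address, decides the egress interface, and the guard makes a tunnel failure visible as rejected connections instead of an unnoticed leak out of eth0. The "check" mode is the part worth scheduling: it reads the live OUTPUT chain and fails if the REJECT rule has gone missing.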

