LinuxQuestions.org
Old 01-11-2013, 04:36 AM   #1
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Rep: Reputation: Disabled
Question OpenVPN struggles


I've got some problems with my OpenVPN setup.

The Setup:
-> Ubuntu Server 12.04
-> Two active NICs: eth0 (default): 192.168.1.0/24
eth1: x.x.x.x (external ip)

I've managed to get the routing to work so I can connect to the outside world with the eth1 NIC.

Code:
holmen@filserver:~$ ping -I eth1 -c 3 www.linuxquestions.org
PING www.linuxquestions.org (75.126.162.205) from 192.168.1.2 eth1: 56(84) bytes of data.
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=1 ttl=50 time=133 ms
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=2 ttl=50 time=133 ms
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=3 ttl=50 time=133 ms

--- www.linuxquestions.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 133.281/133.336/133.379/0.423 ms

One curious thing is the "from ip #". It says "from 192.168.1.2 eth1" but that IP is the server's IP on the eth0 iface.

Netstat:
Code:
holmen@filserver:~$ netstat -anr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
x.x.x.x     0.0.0.0         255.255.128.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

But here comes the real problem:
When setting up OpenVPN with the option "local x.x.x.x (eth1 ext ip)" it still tunnels the eth0 interface. And I can't understand why.

OpenVPN settings:
Code:
client

dev tap

proto udp

local x.x.x.x

remote openvpn.anonine.net 1194
remote openvpn.anonine.net 1195
remote openvpn-2.anonine.net 1196
remote openvpn-2.anonine.net 1197
remote openvpn-3.anonine.net 1198
remote openvpn-3.anonine.net 1199
remote openvpn-4.anonine.net 1200
remote openvpn-4.anonine.net 1201

remote-random

resolv-retry infinite

auth-user-pass

persist-key
persist-tun

ca anonine.ca.crt

ns-cert-type server

comp-lzo

reneg-sec 0

verb 3
Netstat (tunnel active):
Code:
holmen@filserver:~$ netstat -anr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         46.246.20.129   128.0.0.0       UG        0 0          0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
x.x.x.x     0.0.0.0         255.255.128.0   U         0 0          0 eth1
46.246.20.128   0.0.0.0         255.255.255.128 U         0 0          0 tap0
80.67.8.222     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       46.246.20.129   128.0.0.0       UG        0 0          0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
Anyone got any ideas?

Last edited by junkyhlm; 01-15-2013 at 01:44 AM.
 
Old 01-14-2013, 10:01 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
Ubuntu network manager is unreliable in my experience. Last I tried using it was about 18 months ago, so it might be fixed, but I was getting errors where an interface fails to come up or isn't seen. I am running with a manual setup since then, without any issues.

On a separate note, Ubuntu is a desktop distribution and to me Ubuntu Server is an oxymoron. I use Debian for servers, which is essentially the same OS but changed less often and more stable.

To help provide a better picture of your setup, run and post the output of:

(you might want to edit any public IP addresses, not a good idea to publish them)

ifconfig
ip route show table all
ip rule show
iptables -t nat -L -v -n

Nik
 
Old 01-16-2013, 09:21 AM   #3
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
A little confused by what is going on, but I think part of it has to do with the order that the NICs are being brought up. But on reconsideration, looking at your routing table, it appears your default route is set to go through that interface, which would explain why it is coming from there. You've got your routes all jugged up. I would go back to basics to start: shut down the OpenVPN connections, remove any routes you've added and add a default route, then bring your OpenVPN connections back up and let them write their entries to the routing table, then perhaps post the output again and go from there.
 
Old 01-17-2013, 04:30 AM   #4
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Thank you for your post, but after consulting the community support of OpenVPN I've concluded that this is pretty much impossible.
 
Old 01-17-2013, 07:57 AM   #5
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
Sorry you couldn't accomplish what you wanted to do, however, I'm still not clear on what it was you wanted to do.
 
Old 01-17-2013, 08:27 AM   #6
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21 View Post
Sorry you couldn't accomplish what you wanted to do, however, I'm still not clear on what it was you wanted to do.
This is what I tried to accomplish:
I have a server running with apache2, rtorrent and ssh as the main applications that need connection to the outside world. I have tried for some time now to separate my applications' connections over 2 separate NICs (eth0 and eth1). My main goal in this was to have a VPN tunnel to an anonymizer service (Anonine.com) running only on one NIC, eth1 to be exact. I get 2 separate external IPs from my ISP and I have got the two NICs to work as they should.

So my setup would look something like attached image.

And then have only rtorrent running via the VPN tunnel on eth1 since i don't want to hide the ip of my apache2 and ssh servers.

And there's my problem..
Attached Images
File Type: png config.png (10.7 KB, 9 views)
 
Old 01-17-2013, 08:35 AM   #7
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
This can't be done in the OpenVPN configuration, but this might be able to be accomplished using either IPtables (prevent rtorrent traffic from going out the non VPN interface) or iproute2 (http://lartc.org/howto/lartc.iproute2.html) it's used for advanced routing, like ensuring traffic coming in on one interface goes out the same interface it came in, regardless of routing table. Also you might take a look at this http://libtorrent.rakshasa.no/ticket/1809 looks like someone created a way you could bind rtorrent to a specific interface, which would accomplish what you want as well.
 
Old 01-17-2013, 08:52 AM   #8
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21 View Post
This can't be done in the OpenVPN configuration, but this might be able to be accomplished using either IPtables (prevent rtorrent traffic from going out the non VPN interface) or iproute2 (http://lartc.org/howto/lartc.iproute2.html) it's used for advanced routing, like ensuring traffic coming in on one interface goes out the same interface it came in, regardless of routing table. Also you might take a look at this http://libtorrent.rakshasa.no/ticket/1809 looks like someone created a way you could bind rtorrent to a specific interface, which would accomplish what you want as well.
Thank you for your input but that's not the problem. The problem is that the OpenVPN tunnel chooses the eth0 interface to be tunneled. When getting help from the community support @ #openvpn we tried many possible solutions with --up scripts and ip variables but nothing works.

Thank you on the tip of binding rtorrent to interface. I have used "bind x.x.x.x" (eth1 ip) in my .rtorrent.rc.
 
Old 01-17-2013, 08:55 AM   #9
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
Well, if it is binding to eth0 because it is the lower NIC, you could try editing the udev rules and switch the interface names http://www.novell.com/support/kb/doc.php?id=3012993
 
Old 01-17-2013, 09:00 AM   #10
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21 View Post
Well, if it is binding to eth0 because it is the lower NIC, you could try editing the udev rules and switch the interface names http://www.novell.com/support/kb/doc.php?id=3012993
Thank you! I thought of this way back but thought it was too simple to be true. Will try this tonight!
 
Old 01-17-2013, 09:00 AM   #11
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
If you edit interface names and use static settings you will need to edit those as well
 
Old 01-17-2013, 09:21 AM   #12
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21 View Post
If you edit interface names and use static settings you will need to edit those as well
Yeah ofc. But I'll just change eth0 -> 1 and vice versa in /etc/network/interfaces
 
Old 01-17-2013, 03:01 PM   #13
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21 View Post
If you edit interface names and use static settings you will need to edit those as well
Nope, tested your solution and it's no good. It still tunnels eth0 since the default route on the main table is the eth0 NIC.
 
Old 01-17-2013, 10:23 PM   #14
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
Take a look at this http://kindlund.wordpress.com/2007/1...utes-in-linux/ it's upper level stuff but I think it may be the key to getting it to work the way you want. It was referenced from this https://forums.openvpn.net/topic10922.html which seems to do what you are seeking to do.
 
Old 01-18-2013, 01:22 AM   #15
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21 View Post
Take a look at this http://kindlund.wordpress.com/2007/1...utes-in-linux/ it's upper level stuff but I think it may be the key to getting it to work the way you want. It was referenced from this https://forums.openvpn.net/topic10922.html which seems to do what you are seeking to do.
I have tried this. It doesn't work. It still chooses the NIC#1 IP. I think it worked for the other guy because he is connecting to the same gateway.

Output when starting openvpn:
Quote:
Fri Jan 18 07:20:13 2013 ROUTE default_gateway=192.168.1.1
That is the NIC#1 gateway.
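
As an added illustration (not part of the thread and not any poster's code), this Python sketch runs a longest-prefix lookup over the tunnel-active routing table from the first post to show which interface each destination resolves to: the two /1 routes via tap0 override the eth0 default, while the /32 host route stays on eth0. The function names and the sample destinations 200.1.2.3 and 192.168.1.50 are constructed for the example.

```python
import ipaddress

# Routing table copied from the first post (tunnel active). The eth1 row is
# redacted as x.x.x.x on the page, so the parser skips rows it cannot parse.
NETSTAT = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         46.246.20.129   128.0.0.0       UG        0 0          0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
x.x.x.x     0.0.0.0         255.255.128.0   U         0 0          0 eth1
46.246.20.128   0.0.0.0         255.255.255.128 U         0 0          0 tap0
80.67.8.222     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       46.246.20.129   128.0.0.0       UG        0 0          0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

def parse_routes(text):
    """Return (network, gateway, iface) tuples; unparseable rows are dropped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}")
        except ValueError:
            continue  # header line or the redacted x.x.x.x row
        routes.append((net, cols[1], cols[7]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match, as the kernel does within one routing table."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return iface, gw, str(net)

ROUTES = parse_routes(NETSTAT)

if __name__ == "__main__":
    # 80.67.8.222 and 75.126.162.205 appear on the page; the other two
    # destinations are constructed samples (one per /1 half, one LAN host).
    for dest in ("80.67.8.222", "75.126.162.205", "200.1.2.3", "192.168.1.50"):
        print(dest, "->", lookup(ROUTES, dest))
```

Because the redacted eth1 row cannot be parsed, the lookup only reflects the six routes that are fully visible in the post.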
 
  



Tags
networking, openvpn, ubuntu 12.04

