Hi,

Summary: I have 3 sites that I need to connect. I have done this with TUN
interfaces over UDP. I can connect between the 3 OpenVPN machines, but have
problems routing beyond them. I am starting to suspect that I should be using
TAP rather than 2 TUN interfaces.

All 3 sites have a VPN controller machine which is Centos 4 (== Linux RedHat
enterprise 4). I am running openvpn 2.0.7.

Topology:

  London acts as a server for TUN1
  Leeds is a client for TUN1 and server for TUN2
  Manchester is a client for both TUN1 and TUN2

                   London          Leeds            Manchester
  External IP      1.2.3.4         3.4.5.6          5.6.7.8
  Internal IP      10.0.0.3        10.0.0.67        10.0.0.33
  Local Network    10.12.32.0/19   10.1.32.0/19     10.5.32.0/19
  TUN1             server          client           client
  TUN1 end point   192.168.254.1   192.168.254.2    192.168.254.3
  TUN2             not connected   server           client
  TUN2 end point   -               192.168.254.33   192.168.254.34

(The External IPs are not the real ones, security reasons to protect my
client, sorry. The connection to the external IP is via the Internal IP,
i.e. the machines only use one physical ethernet connection.)

The internal network at each site is reached via the Internal IP which is in
a /27 DMZ that is local to the site.

What happens, connections over the VPN:

  London <=> Leeds        works
  London <=> Manchester   works
  Leeds  <=> Manchester   does not work

Routing tables & network config as reported by the OS:

London:

  # ifconfig tun1
  tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:192.168.254.1  P-t-P:192.168.254.2  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:1343 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1349 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:97087 (94.8 KiB)  TX bytes:93872 (91.6 KiB)

  # netstat -rn
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  192.168.254.2   0.0.0.0         255.255.255.255 UH        0 0          0 tun1
  10.0.0.0        0.0.0.0         255.255.255.224 U         0 0          0 eth0
  192.168.254.0   192.168.254.2   255.255.255.224 UG        0 0          0 tun1
  10.5.32.0       192.168.254.2   255.255.224.0   UG        0 0          0 tun1
  10.1.32.0       192.168.254.2   255.255.224.0   UG        0 0          0 tun1
  0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0

Leeds:

  # ifconfig tun1
  tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:192.168.254.2  P-t-P:192.168.254.1  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:6290 errors:0 dropped:0 overruns:0 frame:0
            TX packets:6349 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:555169 (542.1 KiB)  TX bytes:455584 (444.9 KiB)

  # ifconfig tun2
  tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:192.168.254.33  P-t-P:192.168.254.34  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:1004 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1020 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:208542 (203.6 KiB)  TX bytes:209881 (204.9 KiB)

  # netstat -rn
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  192.168.254.34  0.0.0.0         255.255.255.255 UH        0 0          0 tun2
  192.168.254.1   0.0.0.0         255.255.255.255 UH        0 0          0 tun1
  192.168.254.32  192.168.254.34  255.255.255.224 UG        0 0          0 tun2
  10.0.0.64       0.0.0.0         255.255.255.224 U         0 0          0 eth0
  10.12.32.0      192.168.254.1   255.255.224.0   UG        0 0          0 tun1
  10.5.32.0       192.168.254.34  255.255.224.0   UG        0 0          0 tun2
  0.0.0.0         10.0.0.65       0.0.0.0         UG        0 0          0 eth0

Manchester:

  # ifconfig tun1
  tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:192.168.254.3  P-t-P:192.168.254.1  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:6491 errors:0 dropped:0 overruns:0 frame:0
            TX packets:6588 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:643222 (628.1 KiB)  TX bytes:646178 (631.0 KiB)

  # ifconfig tun2
  tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:192.168.254.34  P-t-P:192.168.254.33  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:1022 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1007 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:209959 (205.0 KiB)  TX bytes:210035 (205.1 KiB)

  # netstat -rn
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  192.168.254.1   0.0.0.0         255.255.255.255 UH        0 0          0 tun1
  192.168.254.33  0.0.0.0         255.255.255.255 UH        0 0          0 tun2
  10.0.0.32       0.0.0.0         255.255.255.224 U         0 0          0 eth0
  10.12.32.0      192.168.254.1   255.255.224.0   UG        0 0          0 tun1
  10.1.32.0       192.168.254.33  255.255.224.0   UG        0 0          0 tun2
  0.0.0.0         10.0.0.33       0.0.0.0         UG        0 0          0 eth0

Config files: Certificate stuff stripped, that is not the problem; most
comments also stripped.

London:

  Server.conf:

    local 10.0.0.3
    port 1194
    proto udp
    dev tun1
    server 192.168.254.0 255.255.255.224
    reneg-sec 300
    keepalive 10 120
    client-config-dir Clients
    # Push a route through to our clients, this tells them about the local London network:
    push "route 10.12.32.0 255.255.224.0"
    # Route to the Leeds & Manchester local networks:
    route 10.1.32.0 255.255.224.0 192.168.254.2
    route 10.5.32.0 255.255.224.0 192.168.254.2

  Clients/leeds:

    ifconfig-push 192.168.254.2 192.168.254.1
    # Route through to Leeds local network:
    iroute 10.1.32.0 255.255.224.0

  Clients/manchester:

    ifconfig-push 192.168.254.3 192.168.254.1
    iroute 10.5.32.0 255.255.224.0

Leeds:

  Server.conf:

    local 10.0.0.67
    port 1194
    proto udp
    dev tun2
    server 192.168.254.32 255.255.255.224
    reneg-sec 300
    keepalive 10 120
    client-config-dir Clients
    # Push a route through to our clients, this tells them about the local Leeds network:
    push "route 10.5.32.0 255.255.224.0"
    # Route to the Manchester local networks:
    route 10.5.32.0 255.255.224.0 192.168.254.34

  Clients/manchester:

    ifconfig-push 192.168.254.34 192.168.254.33
    # For all of Manchester:
    iroute 10.5.32.0 255.255.224.0

  Client_lonServer.conf:

    client
    dev tun1
    proto udp
    remote 1.2.3.4 1194
    nobind
    user nobody
    group nobody
    persist-tun
    persist-key

Manchester:

  Client_lonServer.conf:

    client
    dev tun1
    proto udp
    remote 1.2.3.4 1194
    nobind
    user nobody
    group nobody
    persist-tun
    persist-key

  Client_ldsServer.conf:

    client
    dev tun2
    proto udp
    remote 3.4.5.6 1194
    nobind
    user nobody
    group nobody
    persist-tun
    persist-key

Here is what happens when 2 things in Leeds tried to talk to something in
Manchester. In Leeds, tcpdump -i eth0 host 10.1.36.18:

  09:27:48.803416 IP 10.0.0.67 > 10.1.36.18: icmp 100: time exceeded in-transit
  09:27:48.813578 IP 10.1.36.18 > 10.5.36.45: icmp 72: echo request seq 10280
  09:27:48.813594 IP 10.0.0.67 > 10.1.36.18: icmp 100: time exceeded in-transit
  09:27:48.824497 IP 10.1.36.18 > 10.5.36.45: icmp 72: echo request seq 10536
  09:27:48.824510 IP 10.0.0.67 > 10.1.36.18: icmp 100: time exceeded in-transit

Will openvpn work like this or should I use TAP rather than TUN? The reason
that I did not use TAP is because I get the impression that it will (from
London) send packets for Leeds to both Leeds & Manchester and I wanted to
avoid that for bandwidth reasons.

Sorry for the huge volume of stuff ....

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
#include <std_disclaimer.h>

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
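Added example, not part of Alain's post and not OpenVPN's own code: a small Python script that parses the three `netstat -rn` tables posted above and follows a destination hop by hop through them, one longest-prefix lookup per VPN box. A forwarding loop then shows up as a box visited twice, which on the wire is the "time exceeded in-transit" that the Leeds tcpdump reports once the TTL has been burned. The tunnel-endpoint-to-host mapping and the site networks are taken from the topology table. The second set of tables adds one assumption of mine that the posted Manchester table does not show: that Manchester installs the route Leeds' Server.conf pushes to it (`push "route 10.5.32.0 255.255.224.0"`) with its tun2 peer 192.168.254.33 as gateway, which is where a tun client sends a pushed route unless route-gateway says otherwise.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest gateway iface")  # gateway "0.0.0.0" = directly connected

def parse_netstat_rn(text):
    """Parse `netstat -rn` output into Routes; banner and header lines are skipped."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[7]
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False), gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel's forwarding lookup does."""
    dst_ip = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if dst_ip in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best

# Routing tables copied from the post (ifconfig output left out).
LONDON = """
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.254.2   0.0.0.0         255.255.255.255 UH        0 0          0 tun1
10.0.0.0        0.0.0.0         255.255.255.224 U         0 0          0 eth0
192.168.254.0   192.168.254.2   255.255.255.224 UG        0 0          0 tun1
10.5.32.0       192.168.254.2   255.255.224.0   UG        0 0          0 tun1
10.1.32.0       192.168.254.2   255.255.224.0   UG        0 0          0 tun1
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
"""
LEEDS = """
192.168.254.34  0.0.0.0         255.255.255.255 UH        0 0          0 tun2
192.168.254.1   0.0.0.0         255.255.255.255 UH        0 0          0 tun1
192.168.254.32  192.168.254.34  255.255.255.224 UG        0 0          0 tun2
10.0.0.64       0.0.0.0         255.255.255.224 U         0 0          0 eth0
10.12.32.0      192.168.254.1   255.255.224.0   UG        0 0          0 tun1
10.5.32.0       192.168.254.34  255.255.224.0   UG        0 0          0 tun2
0.0.0.0         10.0.0.65       0.0.0.0         UG        0 0          0 eth0
"""
MANCHESTER = """
192.168.254.1   0.0.0.0         255.255.255.255 UH        0 0          0 tun1
192.168.254.33  0.0.0.0         255.255.255.255 UH        0 0          0 tun2
10.0.0.32       0.0.0.0         255.255.255.224 U         0 0          0 eth0
10.12.32.0      192.168.254.1   255.255.224.0   UG        0 0          0 tun1
10.1.32.0       192.168.254.33  255.255.224.0   UG        0 0          0 tun2
0.0.0.0         10.0.0.33       0.0.0.0         UG        0 0          0 eth0
"""
TABLES = {"London": parse_netstat_rn(LONDON), "Leeds": parse_netstat_rn(LEEDS),
          "Manchester": parse_netstat_rn(MANCHESTER)}
# Which VPN box sits behind each tunnel end point, and each site's LAN (from the topology table).
TUNNEL_PEER = {"192.168.254.1": "London", "192.168.254.2": "Leeds", "192.168.254.3": "Manchester",
               "192.168.254.33": "Leeds", "192.168.254.34": "Manchester"}
SITE_LAN = {"London": ipaddress.IPv4Network("10.12.32.0/19"),
            "Leeds": ipaddress.IPv4Network("10.1.32.0/19"),
            "Manchester": ipaddress.IPv4Network("10.5.32.0/19")}

def trace(tables, start, dst):
    """Follow a packet for `dst` from VPN box `start`, one routing lookup per hop.
    Forwarding depends only on the destination, so a box seen twice means the packet
    circulates until its TTL reaches zero (the "time exceeded in-transit" in the tcpdump)."""
    path, host = [start], start
    while True:
        r = lookup(tables[host], dst)
        if r is None:
            return path, "no route"
        if r.iface.startswith("eth"):
            # Handed to the site's DMZ router: delivered if dst is in that site's LAN.
            local = ipaddress.IPv4Address(dst) in SITE_LAN[host]
            return path, "delivered" if local else f"leaves the VPN at {host} via {r.gateway}"
        nxt = TUNNEL_PEER.get(r.gateway)
        if nxt is None:
            return path, f"unknown tunnel gateway {r.gateway}"
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
        host = nxt

# Assumption (mine; the posted Manchester table does not show it): Manchester installs the
# route Leeds' Server.conf pushes, push "route 10.5.32.0 255.255.224.0", with its tun2 peer
# 192.168.254.33 as gateway, which is where a tun client sends a pushed route by default.
PUSHED_ON_MANCHESTER = "10.5.32.0  192.168.254.33  255.255.224.0  UG  0 0  0 tun2"
TABLES_WITH_PUSH = {**TABLES, "Manchester": TABLES["Manchester"] + parse_netstat_rn(PUSHED_ON_MANCHESTER)}

if __name__ == "__main__":
    for label, tabs in (("as posted", TABLES), ("with pushed route", TABLES_WITH_PUSH)):
        for src, dst in (("London", "10.5.36.45"), ("Leeds", "10.5.36.45"), ("Manchester", "10.1.36.18")):
            path, outcome = trace(tabs, src, dst)
            print(f"{label:18} {src:10} -> {dst:12} {' > '.join(path):34} {outcome}")
```

With the tables exactly as posted, every trace ends with "delivered"; with the pushed route present on Manchester, anything for 10.5.32.0/19 bounces between Manchester and Leeds, because each box's most specific route for that network points at the other. Pasting a fresh `netstat -rn` from each box into the three strings is enough to re-run the check after a config change.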