
Re: [Openvpn-users] openvpn on linux, netfilter traversal

  • Subject: Re: [Openvpn-users] openvpn on linux, netfilter traversal
  • From: Christian Røsnes <csr@xxxxxxxxx>
  • Date: Wed, 29 Dec 2004 14:53:57 +0100

On Wednesday 29 December 2004 13:00, Sebastian Pein wrote:
> This is my plan: packets for openvpn will come in on eth1. openvpn does
> listen on this device only, so incoming packets should not be a problem.
> Outgoing packets generated by openvpn should go out on eth1 and NOT the
> default gateway ppp0. This can be done with iproute2. I want to mark
> packets generated locally on a given port (5000 udp, the old one) with an
> iptables mark. A kernel rule would then send packets with this mark to the
> right device with the right gateway. Testing this setup with netcat works
> perfectly, but it does not with openvpn. Searching with iptraf and tcpdump,
> it seems like the openvpn packets vanish. But where do they go? Is there
> any form of documentation on how openvpn packets travel across netfilter and
> devices? For sure the setup with openvpn is not working correctly because I
> did not set it up correctly.

I think you can achieve this by using iproute2 (see example below).


Here's an example of "multihomed" routing
on two internet lines. I use this on several linux machines to
be able to access these machines via two different internet lines,
and it works. E.g. I do this to split a several-gigabyte ftp transfer
over 2 lines (half the files go over 1 line, the other half go over
the other line, cutting the transfer time in half).

I do a similar setup on our OpenVPN server (accessible via
two different internet connections), but it runs OpenBSD and
thus uses OpenBSD's PF to achieve this.

Here's a short howto on how to set it up on linux using iproute2:

1) Add two entries in /etc/iproute2/rt_tables, one for each line
("line2" and "line1" for the example below).

# cat /etc/iproute2/rt_tables
199     line2
200     line1
255     local
254     main
253     default
0       unspec

I use two internal ip-aliases (the addresses are 
natted ip-addresses as they are behind firewalls for each line).
Also, in the example below I'm only using
one interface, eth0, as this machine sits
on a LAN behind each internet connection.

nat public address on line1 to ipalias1
nat public address on line2 to ipalias2
gw1= (gateway to line1)
gw2= (gateway to line2)

Here's a shell script to set it up:

#!/bin/sh
# Fill these in first (placeholders, not values from the original post):
IPALIAS1="<ipalias1>/<prefix>"   # e.g. 192.0.2.10/24, the alias natted from line1
IPALIAS2="<ipalias2>/<prefix>"   # the alias natted from line2
GW1="<gw1>"                      # gateway to line1
GW2="<gw2>"                      # gateway to line2

echo "Setting ip aliases for eth0 device"
# ipalias1 - incoming on line1 ("broadcast +" derives the broadcast address from the prefix)
ip address add "$IPALIAS1" broadcast + dev eth0

# ipalias2 - incoming on line2
ip address add "$IPALIAS2" broadcast + dev eth0

echo "Setting up additional routing"
# ipalias1 - outgoing on line1: anything sourced from ipalias1 uses table line1 (default via gw1)
ip rule add from "${IPALIAS1%/*}" table line1
ip route add default via "$GW1" table line1

# ipalias2 - outgoing on line2: anything sourced from ipalias2 uses table line2 (default via gw2)
ip rule add from "${IPALIAS2%/*}" table line2
ip route add default via "$GW2" table line2
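As an added example (not Christian's script and not part of the original thread), the same two-line setup written so the generated commands can be reviewed before anything is applied, together with the fwmark variant Sebastian described for packets a local OpenVPN process sends from UDP port 5000. All addresses, the interface name, the mark value 1 and the rt_tables path are constructed placeholders; the table names and numbers are the ones from the post.

```shell
#!/bin/sh
# Added example, not the script from the post: source-based policy routing for a host
# with two uplinks (line1, line2) behind one LAN interface, plus an fwmark rule for
# locally generated OpenVPN traffic. Every address below is a placeholder.

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"   # path from the post; overridable for testing
IFACE="eth0"
IPALIAS1="192.0.2.10/24";    GW1="192.0.2.1"         # constructed: alias and gateway for line1
IPALIAS2="198.51.100.10/24"; GW2="198.51.100.1"      # constructed: alias and gateway for line2
VPN_PORT=5000   # UDP port OpenVPN listens on (from the thread)
MARK=1          # constructed fwmark for packets OpenVPN sends from that port

# Print the rt_tables entries (from step 1 of the post) that are still missing from file $1.
missing_tables() {
    for entry in "199 line2" "200 line1"; do
        name=${entry#* }
        grep -q "[[:space:]]$name\$" "$1" 2>/dev/null || echo "$entry"
    done
}

# Print the routing commands; nothing is executed here, so the plan can be reviewed.
routing_cmds() {
    cat <<EOF
ip address add $IPALIAS1 broadcast + dev $IFACE
ip address add $IPALIAS2 broadcast + dev $IFACE
ip rule add from ${IPALIAS1%/*} table line1
ip route add default via $GW1 table line1
ip rule add from ${IPALIAS2%/*} table line2
ip route add default via $GW2 table line2
iptables -t mangle -A OUTPUT -p udp --sport $VPN_PORT -j MARK --set-mark $MARK
ip rule add fwmark $MARK table line1
ip route flush cache
EOF
}

# Dry run by default; "--apply" (as root) appends the table entries and runs the commands.
if [ "${1:-}" = "--apply" ]; then
    missing_tables "$RT_TABLES" >> "$RT_TABLES"
    routing_cmds | sh -e
else
    echo "# rt_tables entries to add:"; missing_tables "$RT_TABLES"
    echo "# commands that --apply would run:"; routing_cmds
fi
```

Run it once without arguments to see the exact rule and route set, then with `--apply` as root. The `from <alias>` rules only match packets OpenVPN actually sources from the alias, so bind the daemon to that address (OpenVPN's `--local` option); the `fwmark` rule catches replies sent from any other local address on port 5000, which is the case where the source-based rules alone do nothing.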

