Re: [Openvpn-users] Problem (Bug?) with OpenVPN on multiple interfaces server

  • Subject: Re: [Openvpn-users] Problem (Bug?) with OpenVPN on multiple interfaces server
  From: Mathias Sundman <mathias@xxxxxxxxxx>
  Date: Fri, 25 Nov 2005 12:28:55 +0100 (CET)

On Fri, 25 Nov 2005, Stefano Garavaglia wrote:

I've had a problem (now solved) with OpenVPN 2.0.5, and I don't know if
it's a bug in OpenVPN handling of multiple interfaces or just a wrong

I've installed OpenVPN server on a firewall with 4 NICs, 3 bound to
ADSL and 1 on the internal net (eth0).

For the initial testing I used ADSL1 (eth1) and a computer connected
directly to the adsl router switch, and it worked well. At this time
in the server config there wasn't a "local a.b.c.d" line and the router
wasn't connected to the internet due to an ISP problem.

Being this test successful I moved the client computer to a remote
office, and the VPN couldn't start at all.  I tried also from a Windows
computer as a client, but nothing worked.
This time I was trying to connect to my firewall through ADSL2 (eth2).
After some tinkering about, I just added a line to server config:
local 217.60.x.x  (the ip of eth2 connected to ADSL2)
and now it works.

This is a known problem with OpenVPN 2.0.x running on a multihomed system with "multiple ways out" when using UDP. By default, when sending a UDP packet it will use a source IP address of the interface that matches the route that will be used to reach the destination, and no concern is taken to what destination address the original incoming packet had. This has historically been a common problem in other UDP based applications as well.

If you use TCP instead this is not a problem.

In the OpenVPN 2.1 series a "multihome" patch has been applied that solves this problem at least on Linux systems, not sure about other OSs though as there was some discussion about there not being any portable way of solving this...

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://openvpn.se/               / \   NO Word docs in e-mail
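The source-address problem Mathias describes, and what the "multihome" fix does about it, can be reproduced on a single host. The following is an added example written for this page; it is not code from the mailing list or from OpenVPN. It runs a tiny UDP echo server bound to the wildcard address, sends it a datagram from 127.0.0.1 to 127.0.0.2, and reports which source address the reply carries. Without the fix the kernel picks the source from the route to the peer (127.0.0.1, the OpenVPN 2.0.x behaviour); with the fix the server reads the destination of each incoming packet via IP_PKTINFO and forces it as the source of the reply, which is how the Linux multihome patch works. Assumptions: Linux (IP_PKTINFO semantics, 127.0.0.2 being a second local loopback address), and the numeric value 8 for IP_PKTINFO if the Python build does not export it.

```python
"""Added example: UDP reply source address on a multihomed host,
with and without the IP_PKTINFO ("multihome") fix.  Linux only."""
import socket
import struct
import threading

# Linux value of IP_PKTINFO; used when the socket module lacks the constant (assumption).
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "i4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def packet_dst_addr(ancdata):
    """Return the destination IP of a received datagram from its IP_PKTINFO cmsg."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return socket.inet_ntoa(addr)  # ipi_addr: destination in the IP header
    return None


def source_pktinfo(src_ip):
    """Build an IP_PKTINFO cmsg that forces src_ip as the source of an outgoing datagram
    (ipi_spec_dst is the source to use; ifindex 0 and ipi_addr 0.0.0.0 leave routing alone)."""
    return struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src_ip), b"\x00" * 4)


def serve_one(srv, multihome):
    """Echo one datagram.  With multihome=True the reply is sent from the address
    the request arrived on; otherwise the kernel chooses the source from the
    route to the peer, regardless of where the request was addressed."""
    data, ancdata, _flags, peer = srv.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = packet_dst_addr(ancdata)
    if multihome and dst is not None:
        srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, source_pktinfo(dst))], 0, peer)
    else:
        srv.sendto(data, peer)
    return dst


def probe(server_ip, multihome):
    """Start a wildcard-bound UDP server, send it one datagram from 127.0.0.1
    to server_ip, and return the source address the reply came from."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # deliver per-packet destination addr
    srv.settimeout(3)
    srv.bind(("0.0.0.0", 0))
    port = srv.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(srv, multihome))
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(3)
    cli.bind(("127.0.0.1", 0))  # fixed client address so the route back is well defined
    try:
        cli.sendto(b"probe", (server_ip, port))
        _reply, (reply_src, _port) = cli.recvfrom(2048)
    finally:
        worker.join()
        cli.close()
        srv.close()
    return reply_src


if __name__ == "__main__":
    print("request to 127.0.0.2, reply from (no multihome):", probe("127.0.0.2", False))
    print("request to 127.0.0.2, reply from (multihome):   ", probe("127.0.0.2", True))
```

The unconnected client above still receives the mismatched reply, which is what makes the mismatch visible; an OpenVPN client, which by default ignores packets that do not come from the configured remote address unless --float is set, would simply see nothing, matching the "couldn't start at all" symptom. The `local 217.60.x.x` workaround in the original mail sidesteps the issue by binding the server to one address so the kernel has no choice; the 2.1 `--multihome` option keeps the wildcard bind and uses the per-packet destination as shown here.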

