[Openvpn-users] redundant openvpn solution and internal ospf

  Subject: [Openvpn-users] redundant openvpn solution and internal ospf
  From: Marco Fretz
  Date: Mon, 10 Sep 2007 14:25:49 +0200

I've got the following situation:

- 2 OpenBSD boxes as firewalls with CARP enabled on all physical interfaces
- OpenVPN server running on both firewalls
- VPN clients connect to the CARP (fail-over) IP address, which is 
normally on the master box (Firewall 1)

OpenVPN clients have to be able to reach Firewall1 and Firewall2 over 
SSH through the VPN tunnel:
- so I implemented OSPF on my crosslink ( net with a 
crossover cable between the two firewalls)
- and I advertise my VPN network ( with OSPF to my OSPF 
neighbour (Firewall2)

My OpenVPN server is pushing the net to my VPN clients and 
they can now reach and (the 2 firewalls) over SSH. 
That's working very well!

And now my problem:

- OpenVPN adds the route GW to my routing table
- ospfd wants to add the route GW to my routing 
table, too

If the OSPF route exists when the OpenVPN daemon is started, then OpenVPN says:
 >> add net gateway File exists
(because the OSPF route for the same network already exists)

That's no problem while the master firewall is running. But as soon as 
the master firewall is down, the CARP IP goes over to Firewall2 and the 
VPN connections come in on Firewall2; the connections are 
established, but no destination is reachable from my VPN clients because 
the route for the OpenVPN net is pointing to the dead master firewall.

After the OSPF dead timer reaches zero, the (dead) route is deleted, but 
OpenVPN doesn't add the local (now valid) route GW again...

Any solutions?
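One way to take the route handling out of OpenVPN's hands, as an added example that is not part of the post above and not the poster's configuration: start the server with --route-noexec and let a --route-up script add the routes itself, so that a pre-existing OSPF route for the same network is replaced with route change instead of making OpenVPN give up on "File exists". OpenVPN exports route_network_N, route_netmask_N and route_gateway_N into the environment of route-up scripts, and sets script_type to "route-up"; the OpenBSD route(8) syntax (-net/-netmask, the "File exists" message) and the 10.8.0.0/24 via 10.8.0.2 addresses used in the comments are assumptions, since the post elides its real addresses. The ROUTE_CMD override exists so the script can be exercised without root against a fake route command. Whether the standby box should prefer its own tun route or the OSPF-learned route while the master is alive is a design question the post leaves open; this script only shows how to survive the "File exists" case.

```shell
#!/bin/sh
# Hypothetical OpenVPN --route-up hook for an OpenBSD server started with
# --route-noexec (added example, not from the mailing-list post).
# Usage in openvpn config (assumed):
#   route-noexec
#   route-up /etc/openvpn/route-up.sh
#   script-security 2

# route(8) binary; overridable so the logic can be tested without root.
ROUTE_CMD="${ROUTE_CMD:-route}"

# ensure_route NET MASK GW
# Adds the route; if the kernel reports "File exists" (e.g. ospfd already
# installed a route for the same prefix), replaces it with "route change".
# Prints "added", "changed" or "failed" and returns 0 on success.
ensure_route() {
  er_net="$1"; er_mask="$2"; er_gw="$3"
  if er_out=$("$ROUTE_CMD" -n add -net "$er_net" -netmask "$er_mask" "$er_gw" 2>&1); then
    echo added
    return 0
  fi
  case "$er_out" in
    *"File exists"*)
      # Same prefix already present: point it at our gateway instead.
      if "$ROUTE_CMD" -n change -net "$er_net" -netmask "$er_mask" "$er_gw" >/dev/null 2>&1; then
        echo changed
        return 0
      fi
      ;;
  esac
  echo "route-up: cannot install $er_net/$er_mask via $er_gw: $er_out" >&2
  echo failed
  return 1
}

# install_pushed_routes
# Walks route_network_1, route_network_2, ... as exported by OpenVPN
# (for a --server 10.8.0.0 255.255.255.0 setup this includes the
# 10.8.0.0/24 via 10.8.0.2 route the post is fighting ospfd over).
# Returns non-zero if any route could not be installed.
install_pushed_routes() {
  ipr_i=1
  ipr_count=0
  while :; do
    eval "ipr_net=\${route_network_$ipr_i:-}"
    [ -n "$ipr_net" ] || break
    eval "ipr_mask=\${route_netmask_$ipr_i:-}"
    eval "ipr_gw=\${route_gateway_$ipr_i:-}"
    ensure_route "$ipr_net" "$ipr_mask" "$ipr_gw" >/dev/null || return 1
    ipr_count=$((ipr_count + 1))
    ipr_i=$((ipr_i + 1))
  done
  echo "$ipr_count"
  return 0
}

# Only act when OpenVPN invokes us as a route-up script; sourcing the
# file for testing leaves script_type unset and does nothing.
if [ "${script_type:-}" = "route-up" ]; then
  install_pushed_routes >/dev/null
fi
```

Because the script replaces rather than deletes the conflicting prefix, a second OpenVPN restart on the same box is also harmless: the add fails with "File exists" again and the change is a no-op.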

