OpenVPN routing

This site is best viewed in a modern browser with JavaScript enabled.

OpenVPN routing

voja

Hi,
assume I have a server with two connected OpenVPN site-to-site tunnels and both tunnels would be able to reach the same subnet, e.g. 192.168.2.0/24.
Would the linux kernel choose which tunnel to use? If one of the remote servers goes down, would the tunnel collapse and Linux route packages through the second tunnel?

Background: I currently have one pfSense that is the central hub for all OpenVPN sites. I want to add redundancy if the pfSense goes down for e.g. maintenance, that the VPN still works.

hornetmadness

voja "central hub for all OpenVPN sites" pretty much says it all. You could setup a second hub and I think using a weighted route might get what you want.

I would use tinc which is a fully meshed, so its decentralized by nature.

voja

hornetmadness Thanks for your reply.

I had a look at weight routes, it should solve the problem. Especially if the OpenVPN tunnel goes down and the route to the remote site would disappear in that step.

Using tinc raises two issues:
1) It's hard to understand how to setup tinc behind a NAT router with dynamic IP. Did not understand how this should work in the configuration. It would be possible for me to forward the tinc port from the router to the local tinc server in the LAN.
2) There is no regular iOS client. This would require an additional OpenVPN server. At least pfSense can serve tinc in addition to OpenVPN.

Regarding the tinc configuration: I would give all hosts an IP from the same subnet e.g. 10.0.1.0/24. This would be the "transfer" VPN. Also tinc server will have an additional Subnet entry for the LAN site it's in. Tinc would then know with tinc client is able to reach the requested LAN. Did I understand this correct?

I think I might need to test both setups. I'll setup the local VPN server later today, add OpenVPN site-to-site to the existing setup and establish a tinc VPN to a not yet connected remote site.

voja

hornetmadness I was able to fire up tinc and connect all the Linux hosts. I failed with FreeBSD. When using pfSense I wasn't able to figure out how to setup everything correct like on linux. The plugin also "forgot" some configuration I made.
I then tried to deploy tinc on a regular FreeBSD machine, but I did not manage to get the subnets routed. Wasn't able to solve this issue and stopped.

Will try the OpenVPN approach next with pfSense HA setup.

voja

Okay, I failed with OpenVPN. Did not get it running. Tried tinc then. Well... After noticing that systemd is just lying about tinc is running (it was not! The process just died due to errors and was not running), I was able to setup the mesh VPN between three nodes, one behind the router. systemd made me very angry again for not beeing able to start tinc. It's only working when I start it on console. Systemd is just lying everything is okay, it's not.

However there is still the problem, that tinc does not propagate any of the other site subnets to the mesh members. It apears that I need to setup the routing on my own. The examples I read only told to route the subnets via the tinc interface, but this does not seem to be enough. I need to figure out how to setup this properly.

And I need to figure out why systemd does not start tinc, but tells me it's running. Switching to initd is sadly not an option, I can't do this on the host systems.

voja

voja Note regarding my systemd issues: systemd told in green font: active (exited)
It did not say: active (running)

I just misinterpreted the green color, plus missing log Information that the process has terminated.

I also found a Debian bug report stating that with systemd tinc needs to be activated different and that some config options will no longer work. Migration from old to new format only takes place when upgrading from defined versions. Wasn't the case for me.

E.g. you need to use "systemctl enable tinc@networkname" for auto start.

sokratisg

How about just deploy 2 pfsense nodes in HA setup (active-standby)?

We do have it set like that and OpenVPN addresses are all CARP enabled. That way if primary goes down secondary takes over and users just have to reconnect. Most OpenVPN clients just re-connect automatically so they barely see any error, even during planned maintenance (e.g: rolling restart for pfsense upgrades)

voja

sokratisg I had a problem with the openvpn behind my router. I was able to solve it, it was a firewall issue where the port was blocked. Did not see that.
So far I could try to setup openvpn on the other nodes, too and see if this works with routing.
The CARP should be a failover IP that can be switched between hosts, right? I could do that. The HA setup for pfSense does not read to heavy to deploy.

sokratisg

voja What I understand is that CARP is the equivalent of VRRP in the BSD world. Pfsense is based on FreeBSD

hbos

My suggestion would be to take it to layer 3.

Run the openvpn tunnels in point to point and start routing.
If you have multiple tunnels and want some control over how traffic flows you can use bgp.

this way you could even build more complex setup fairly easy (e.g. if you hook up more sites).

You would want to give each subnet its own prefix. e.g. 192.168.1.0/24, 192.168.2.0/24, etc.
And when using BGP you can just give each router a private ASN.

voja

I'm currently testing the OpenVPN approach with BGP. I have found some routing issues already that not all required subnets were routed at all endpoints. BGP will help supply some routers automated with the available prefixes. Setting routes to the interal networks via VPN should then do the rest.

CARP will be added later.