On Wed, 23 Feb 2005, Doncho N. Gunchev wrote:
> On 2005 02 22 (Tuesday) 00:50, James Yonan wrote:
> > On Mon, 21 Feb 2005, Doncho N. Gunchev wrote:
> > > On 2005-02-21 (Monday) 17:49, Vincent Bernat wrote:
> > > > Hello !
> > > >
> > > > I have a box with two Internet connections and I have an OpenVPN
> > > > listening to all interfaces. I have a default route to one of the
> > > I had a similar problem, it was saying it can not send. My setup is a
> > > bit more complicated - [ISPs] <=> [Firewalls] <-- DNAT --> [Server]. In
> > > this situation I DNAT connections to "virtual" IPs on the server and
> > > use iproute2 rules to get the replies back. This was working great with
> > > anything using TCP, DNS (UDP+TCP) and even GRE (yes, PPTP, I don't use
> > > it any more) and so on, but failed with openvpn2's UDP mode. Since I'm
> > > not sure if it's not my mistake I'll give this one more try when I have
> > > some free time, but can someone give some light on this?
> > Someone wrote a patch to try to solve this, see the openvpn-devel
> > archives.
> > I haven't merged the patch yet as I was hoping there might be a more
> > portable and/or simpler way of doing this.
> > The problem is that the recvfrom syscall, which OpenVPN uses to read UDP
> > packets, doesn't portably indicate which interface the packet came from.
> > And the sendto syscall doesn't allow an interface or source address to be
> > specified, only a dest address. So the sockets API doesn't seem to think
> > through the ramifications of UDP-sendto via an INADDR_ANY bound socket.
> > What about running two OpenVPN instances, one on each interface?
> While possible, this leads to other problems - I can not monitor my VPN
> clients (can't say this host has one of these IPs to Nagios), have to write
> every firewall rule multiple times (and if we get connected to one more
> ISP/Partner...) and must guess/check last client's IP if I need to ssh there.
> Is it possible to bind openvpn (maybe 2.1) to multiple addresses like
> BIND, SQUID, Apache and many others can? (btw: is that the reason DHCPD and
> BIND do bind to all interfaces?)
SQUID and Apache are TCP servers. OpenVPN can also be a TCP server on
multiple interfaces without issues.
The problem is with UDP + INADDR_ANY (OpenVPN uses INADDR_ANY as a
wildcard --local address when --local is not specified). It's possible
that listening for UDP on multiple interfaces won't work correctly with
INADDR_ANY, because the sendto syscall can't specify the interface or
source address. The solution is probably to allow a single OpenVPN
process to listen on multiple sockets (2.1 wishlist). For now, it's best
to just run multiple daemons.
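The UDP + INADDR_ANY reply problem discussed above, as an added example that is not part of this thread or of OpenVPN itself: on Linux, IP_PKTINFO with recvmsg()/sendmsg() supplies what recvfrom()/sendto() cannot, namely the local address a datagram was sent to and a way to force that address as the reply's source. The portability caveat raised above still applies, since this option set is Linux-specific; the numeric fallback for IP_PKTINFO and the loopback self-check are assumptions of this example.

```python
# Added example, not OpenVPN code. Linux-specific: IP_PKTINFO with
# recvmsg()/sendmsg() carries the metadata that recvfrom()/sendto() lack.
import socket
import struct

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # 8 = Linux value if not exported
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst, ipi_addr; }
PKTINFO = struct.Struct("i4s4s")


def bind_any(port=0):
    """Wildcard-bound UDP socket that receives destination-address metadata."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", port))  # INADDR_ANY, like OpenVPN without --local
    return s


def recv_with_local(sock, bufsize=1500):
    """Return (payload, peer, local_addr, ifindex); local_addr is the address
    the client actually sent to, which recvfrom() cannot tell us."""
    data, ancdata, _, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO.size))
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, _spec_dst, dst = PKTINFO.unpack(cdata[:PKTINFO.size])
            return data, peer, socket.inet_ntoa(dst), ifindex
    raise RuntimeError("kernel attached no IP_PKTINFO")


def send_from_local(sock, payload, peer, local_addr):
    """Send to peer with the source address forced to local_addr; ifindex 0 lets
    routing (e.g. an ip rule keyed on source address) choose the uplink."""
    pktinfo = PKTINFO.pack(0, socket.inet_aton(local_addr), b"\0" * 4)
    return sock.sendmsg([payload], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def loopback_roundtrip(payload=b"ping"):
    """Self-check on 127.0.0.1: (local addr seen by server, reply source, reply)."""
    server, client = bind_any(), socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(payload, ("127.0.0.1", server.getsockname()[1]))
        data, peer, local, _ifindex = recv_with_local(server)
        send_from_local(server, data.upper(), peer, local)
        reply, src = client.recvfrom(1500)
        return local, src[0], reply
    finally:
        server.close()
        client.close()
```

On a real multi-homed host the same calls return the public address of whichever uplink the client used, so the reply leaves with a matching source and the firewall or policy-routing rules keyed on that address keep working.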