From: Christian <chr...@ce...> - 2005-02-21 17:43:28
On Monday 21 February 2005 17:44, Vincent Bernat wrote:
> OoO In the early evening of Monday 21 February 2005, around 17:10,
> Christian Røsnes <chr...@ce...> said:
>
> >> Therefore, when I connect through ssh to 82.67.232.xxx, all is working
> >> fine, even if the default route uses another IP. ICMP and UDP are also
> >> working fine (I don't know the magic behind since they are
> >> connection-less). However, with OpenVPN, if I connect to
> >> 82.67.232.xxx, OpenVPN always answers with the other IP and therefore,
> >> the answer is sent via the default interface.
> >>
> >> I use OpenVPN 2.0rc12 (from Debian). Any idea?
> >
> > Assuming that iproute2 setup is working correctly, try running
> > two openvpn servers and bind each server (local parameter in
> > openvpn server configuration) to the ip address for each
> > internet connection.
> >
> > Actually, when using TCP as openvpn carrier this should not be necessary,
> > but when using UDP as carrier I have found that I had to use two openvpn
> > servers (one for each line) bound to the appropriate ip address to
> > get traffic to return out the corresponding line.
>
> Thanks for your answer. May those two OpenVPN instances share the same
> pool config file and the same range? I mean, may I have the same
> server directive and the same ifconfig-pool-persist directive?

I would think that it would be advisable to use different pools for
each openvpn server, so that there's not any chance of
concurrently handing out the same ip address on both servers
(to two different client connections).

I use e.g. pools: 10.91.0.0/24 for server1 (tun1), and
10.92.0.0/24 for server2 (tun2)

On the openvpn server I also source nat the 10.91.0.0/24 and 10.92.0.0/24
addresses to local lan addresses (openvpn server lan), e.g. 192.168.1.11 and
192.168.1.12, respectively.

That way the surrounding firewalls, routers, other servers,
and what have you on the openvpn server side, do not need to
know about routing for the 10.91.0.0 and 10.92.0.0 addresses
because they only see the natted addresses 192.168.1.11 and 192.168.1.12.

Christian
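
The two-server layout discussed in this thread, as an added example that is not part of the original message: a small Python check over two constructed OpenVPN server configs that confirms each instance is bound with `local` to its own address and that the `server` pools do not overlap. The `local` addresses and the `ipp1.txt`/`ipp2.txt` file names are placeholders, and treating a shared `ifconfig-pool-persist` file as a conflict is an assumption of this example.

```python
import ipaddress

# Constructed sample configs, one server per uplink as in the thread. The
# `local` addresses are documentation placeholders, not values from the post.
SERVER1 = """\
local 203.0.113.10
proto udp
dev tun1
server 10.91.0.0 255.255.255.0
ifconfig-pool-persist ipp1.txt
"""
SERVER2 = """\
local 198.51.100.10
proto udp
dev tun2
server 10.92.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
"""

def parse(conf):
    """Map each directive to its argument list; skip blank and comment lines."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            key, *args = line.split()
            out[key] = args
    return out

def check_pair(conf_a, conf_b):
    """Return conflicts between two OpenVPN server instances on one host."""
    a, b = parse(conf_a), parse(conf_b)
    problems = []
    for key in ("local", "ifconfig-pool-persist"):
        vals = [c.get(key) for c in (a, b)]
        if key == "local" and not all(vals):
            # Without `local` the server binds to every address on the host.
            problems.append("local: missing, that server binds to all addresses")
        elif all(vals) and vals[0] == vals[1]:
            problems.append(f"{key}: both instances use {vals[0][0]}")
    try:
        nets = [ipaddress.ip_network("/".join(c["server"][:2])) for c in (a, b)]
    except (KeyError, ValueError) as exc:
        problems.append(f"server: missing or invalid pool ({exc})")
    else:
        if nets[0].overlaps(nets[1]):
            problems.append(f"server: pools {nets[0]} and {nets[1]} overlap")
    return problems
```

`check_pair(SERVER1, SERVER2)` returns an empty list for the layout above; giving both instances the same pool or persist file produces one entry per conflict.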