From: James Y. <ji...@yo...> - 2005-02-21 22:50:28
On Mon, 21 Feb 2005, Doncho N. Gunchev wrote:

> On 2005-02-21 (Monday) 17:49, Vincent Bernat wrote:
> > Hello!
> >
> > I have a box with two Internet connections and I have an OpenVPN
> > listening to all interfaces. I have a default route to one of the
> > connections and I use iproute2 to ensure that what is sent with the
> > address of the second connection is really sent to the second
> > connection:
> >
> > 200: from 82.67.232.xxx lookup ADSL
> >
> > And in table ADSL:
> >
> > default via 82.67.232.254 dev eth2
> >
> > Therefore, when I connect through ssh to 82.67.232.xxx, all is working
> > fine, even if the default route uses another IP. ICMP and UDP are also
> > working fine (I don't know the magic behind since they are
> > connection-less). However, with OpenVPN, if I connect to
> > 82.67.232.xxx, OpenVPN always answers with the other IP and therefore,
> > the answer is sent via the default interface.
> >
> > I use OpenVPN 2.0rc12 (from Debian). Any idea?
>
> I had a similar problem, it was saying it can not send. My setup is a
> bit more complicated - [ISPs] <=> [Firewalls] <-- DNAT --> [Server]. In
> this situation I DNAT connections to "virtual" IPs on the server and
> use iproute2 rules to get the replies back. This was working great with
> anything using TCP, DNS (UDP+TCP) and even GRE (yes, PPTP, I don't use
> it any more) and so on, but failed with openvpn2's UDP mode. Since I'm
> not sure if it's not my mistake I'll give this one more try when I have
> some free time, but can someone give some light on this?

Someone wrote a patch to try to solve this, see the openvpn-devel archives. I haven't merged the patch yet as I was hoping there might be a more portable and/or simpler way of doing this.

The problem is that the recvfrom syscall, which OpenVPN uses to read UDP packets, doesn't portably indicate which interface the packet came from. And the sendto syscall doesn't allow an interface or source address to be specified, only a dest address.

So the sockets API doesn't seem to think through the ramifications of UDP-sendto via an INADDR_ANY bound socket.

What about running two OpenVPN instances, one on each interface?

James
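Added example, not code from this thread, from the patch mentioned, or from OpenVPN: on Linux the information that recvfrom()/sendto() cannot carry is available through the IP_PKTINFO socket option and the recvmsg()/sendmsg() ancillary-data interface, which is what makes a multi-homed UDP server answer from the address the request arrived on. IP_PKTINFO is Linux-specific (the portability concern raised above still stands), and the loopback self-test below is constructed for this illustration.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* recvmsg() with IP_PKTINFO: learn the local address (ipi_addr) and interface (ipi_ifindex) a datagram came in on. */
static ssize_t recv_pktinfo(int fd, void *buf, size_t len, struct sockaddr_in *peer, struct in_pktinfo *pi)
{
    char cbuf[CMSG_SPACE(sizeof *pi)];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_name = peer, .msg_namelen = sizeof *peer, .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    struct cmsghdr *c = n < 0 ? NULL : CMSG_FIRSTHDR(&msg);   /* IP_PKTINFO is the only option enabled */
    if (!c || c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_PKTINFO) return -1;
    memcpy(pi, CMSG_DATA(c), sizeof *pi);
    return n;
}

/* sendmsg() with IP_PKTINFO: ipi_spec_dst pins the source address, which plain sendto() cannot do. */
static ssize_t send_from(int fd, const void *buf, size_t len, const struct sockaddr_in *to, struct in_addr src)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct in_pktinfo pi = { .ipi_spec_dst = src };
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_name = (void *)to, .msg_namelen = sizeof *to, .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO; c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return sendmsg(fd, &msg, 0);
}

/* Constructed loopback self-test: an INADDR_ANY server learns the request went to 127.0.0.1 and replies from it. */
int demo_loopback(void)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in any = { .sin_family = AF_INET }, lo = any, peer;    /* INADDR_ANY, port 0 */
    struct in_pktinfo pi; char buf[8]; socklen_t alen = sizeof any;
    setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
    bind(srv, (struct sockaddr *)&any, sizeof any);
    getsockname(srv, (struct sockaddr *)&any, &alen);                     /* learn the chosen port */
    lo.sin_port = any.sin_port; inet_pton(AF_INET, "127.0.0.1", &lo.sin_addr);
    int ok = sendto(cli, "ping", 4, 0, (struct sockaddr *)&lo, sizeof lo) == 4
          && recv_pktinfo(srv, buf, sizeof buf, &peer, &pi) == 4 && pi.ipi_ifindex > 0
          && pi.ipi_addr.s_addr == lo.sin_addr.s_addr && send_from(srv, "pong", 4, &peer, pi.ipi_addr) == 4
          && recv(cli, buf, sizeof buf, 0) == 4 && memcmp(buf, "pong", 4) == 0;
    close(srv); close(cli); return ok;
}
```

With two real interfaces the same calls let the server answer from whichever of its addresses the client used, so the reply follows the iproute2 rule for that source address instead of the default route.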