From: James Y. <ji...@yo...> - 2005-02-23 19:53:46
On Wed, 23 Feb 2005, Doncho N. Gunchev wrote:

> On 2005 02 22 (Tuesday) 00:50, James Yonan wrote:
> >
> > On Mon, 21 Feb 2005, Doncho N. Gunchev wrote:
> >
> > > On 2005-02-21 (Monday) 17:49, Vincent Bernat wrote:
> > > > Hello !
> > > >
> > > > I have a box with two Internet connections and I have an OpenVPN
> > > > listening to all interfaces. I have a default route to one of the
> ...
> > > I had a similar problem, it was saying it cannot send. My setup is a
> > > bit more complicated - [ISPs] <=> [Firewalls] <-- DNAT --> [Server]. In
> > > this situation I DNAT connections to "virtual" IPs on the server and
> > > use iproute2 rules to get the replies back. This was working great with
> > > anything using TCP, DNS (UDP+TCP) and even GRE (yes, PPTP, I don't use
> > > it any more) and so on, but failed with openvpn2's UDP mode. Since I'm
> > > not sure if it's not my mistake I'll give this one more try when I have
> > > some free time, but can someone shed some light on this?
> >
> > Someone wrote a patch to try to solve this, see the openvpn-devel
> > archives.
> >
> > I haven't merged the patch yet as I was hoping there might be a more
> > portable and/or simpler way of doing this.
> >
> > The problem is that the recvfrom syscall, which OpenVPN uses to read UDP
> > packets, doesn't portably indicate which interface the packet came from.
> > And the sendto syscall doesn't allow an interface or source address to be
> > specified, only a dest address. So the sockets API doesn't seem to think
> > through the ramifications of UDP-sendto via an INADDR_ANY bound socket.
> >
> > What about running two OpenVPN instances, one on each interface?
> >
>
> While possible, this leads to other problems - I cannot monitor my VPN
> clients (can't say this host has one of these IPs to Nagios), have to write
> every firewall rule multiple times (and if we get connected to one more
> ISP/Partner...) and must guess/check the last client's IP if I need to ssh there.
> Is it possible to bind openvpn (maybe 2.1) to multiple addresses like
> BIND, SQUID, Apache and many others can? (btw: is that the reason DHCPD and
> BIND do bind to all interfaces?)

SQUID and Apache are TCP servers. OpenVPN can also be a TCP server on
multiple interfaces without issues. The problem is with UDP + INADDR_ANY
(OpenVPN uses INADDR_ANY as a wildcard --local address when --local is not
specified). It's possible that listening for UDP on multiple interfaces
won't work correctly with INADDR_ANY, because the sendto syscall can't
specify the interface or source address.

The solution is probably to allow a single OpenVPN process to listen on
multiple sockets (2.1 wishlist). For now, it's best to just run multiple
daemons.

James
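The sendto limitation discussed in this thread is real for the plain recvfrom/sendto calls, and the portable answer at the time was indeed one socket per address. Linux does offer a non-portable escape hatch, though: the IP_PKTINFO socket option makes recvmsg report the local address each datagram was sent to, and lets sendmsg pin the source address of a reply. The script below is an added example written for this archive page; it is not OpenVPN code and not from any poster in the thread. It assumes Linux, a loopback interface carrying the usual 127.0.0.0/8, and uses 127.0.0.2 as a stand-in for a "second interface" address. Function names (recv_with_dst, send_from, probe) are the example's own.

```python
"""Replying from the address a UDP datagram was actually sent to.

A UDP socket bound to INADDR_ANY (0.0.0.0) receives on every local address,
but a plain sendto() lets the kernel choose the reply's source address by
route lookup, so a multi-homed host may answer from the "wrong" IP and the
peer's firewall or conntrack state drops the reply.  On Linux the IP_PKTINFO
socket option fixes this: recvmsg() delivers the destination address of each
datagram as ancillary data, and sendmsg() accepts the same structure to pin
the source address of the answer.

Added example for the list archive; not OpenVPN's code.  Linux only.
"""
import socket
import struct

# Linux value of IP_PKTINFO; recent Pythons export the constant, older ones may not.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)

# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
PKTINFO_FMT = "i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)  # 12 bytes on Linux


def recv_with_dst(sock, bufsize=2048):
    """recvmsg() wrapper: returns (payload, peer address, local address the datagram arrived on)."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_LEN))
    arrived_on = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, hdr_dst = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            arrived_on = socket.inet_ntoa(hdr_dst)  # ipi_addr: destination from the IP header
    return data, peer, arrived_on


def send_from(sock, data, peer, src_ip):
    """sendmsg() wrapper: send `data` to `peer` with the source address pinned to `src_ip`.

    ipi_spec_dst carries the source address to use; ipi_ifindex 0 lets routing pick the interface.
    """
    pktinfo = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src_ip), b"\0" * 4)
    return sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def probe(dst_ip, pin_source):
    """One request/reply round trip through a wildcard-bound UDP server on loopback.

    Returns (address the server saw the request arrive on, source address of the
    reply as seen by the client).  With pin_source=False the server answers with a
    plain sendto(), i.e. the behaviour described in the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        srv.bind(("0.0.0.0", 0))  # INADDR_ANY on an ephemeral port (OpenVPN's default without --local)
        srv.settimeout(2.0)
        cli.settimeout(2.0)
        port = srv.getsockname()[1]

        cli.sendto(b"ping", (dst_ip, port))
        data, peer, arrived_on = recv_with_dst(srv)
        if data != b"ping":
            raise RuntimeError("unexpected request payload")
        if pin_source:
            send_from(srv, b"pong", peer, arrived_on)
        else:
            srv.sendto(b"pong", peer)  # kernel picks the source address by route lookup
        reply, reply_src = cli.recvfrom(2048)
        if reply != b"pong":
            raise RuntimeError("unexpected reply payload")
        return arrived_on, reply_src[0]
    finally:
        srv.close()
        cli.close()


if __name__ == "__main__":
    # 127.0.0.2 stands in for a second interface address: Linux routes all of 127/8 to lo.
    for dst in ("127.0.0.1", "127.0.0.2"):
        for pin in (False, True):
            try:
                arrived, src = probe(dst, pin)
            except OSError as exc:
                print(f"{dst}: {exc}")
                continue
            how = "sendmsg+IP_PKTINFO" if pin else "plain sendto"
            print(f"sent to {dst}: arrived on {arrived}, reply came from {src} ({how})")
```

On a standard Linux box the 127.0.0.2 case is the instructive one: the request arrives on 127.0.0.2, the plain sendto() reply comes back from 127.0.0.1 (the loopback route's preferred source), and only the IP_PKTINFO reply comes back from 127.0.0.2. That mismatch is exactly what breaks a DNAT or policy-routing setup like the one described above, since the return path is keyed on the address the client originally talked to. IPv6 has the same mechanism as IPV6_RECVPKTINFO/IPV6_PKTINFO, and BSDs offer IP_RECVDSTADDR on the receive side, but none of it is part of the portable sockets API, which is why the thread's one-socket-per-address advice is still the conservative choice.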