From: Till N. <Til...@st...> - 2008-08-27 11:50:31
Hi,

I connected my subnets exactly as described in the official howto and it worked fine. The problem only comes up when the second client from the same subnet connects.

Some more information about the setup: the server is located in 10.10.10.0/24, the clients are in 192.168.0.0/24.

Server-config:
...
push "route 10.10.10.0 255.255.255.0"
...
client-config-dir /etc/openvpn/ccd
route 192.168.0.0 255.255.255.0
...

In the ccd-directory I have two files, client1 and client2, both containing "iroute 192.168.0.0 255.255.255.0". The clients both have the same standard client-config.

The 10.10.10.0-gateway has a route to 192.168.0.0/24 over the server, and the 192.168.0.0-gateway has a route to 10.10.10.0/24 either through client1 or client2 (managed by ifstated). So the routing would work if openvpn wouldn't drop packets sent through client1 from an IP that client2 claimed to be in its subnet.

Best regards
Till

-----Original Message-----
From: Jan Just Keijser [mailto:ja...@ni...]
Sent: Tuesday, August 26, 2008 11:37 PM
To: Till Neudecker
Cc: ope...@li...
Subject: Re: [Openvpn-users] Redundant vpn-setup for connecting two networks

Hi Till,

Till Neudecker wrote:
> Hi,
>
> I'm trying to set up a redundant VPN system to connect the networks of
> two places. My idea was to have 2 client machines in the first
> network that both connect to the same server in the other network. The
> clients both have their own ccd directive on the server that sets up a
> route for the client's network on the server.
>
> Now I set up ifstated on the gateway (OpenBSD) of the clients' network
> to automatically route the traffic to the server's network through one
> of the VPN-clients. The server routes the traffic to the client's
> network back over the client that connected last. The problem is
> that the clients announce IP-addresses from their local network to the
> server and the server rejects packets from these IPs if they come from
> the other client.
> ("MULTI: bad source address from client [%s], packet dropped")
>
> I looked at the source and found these lines of code in multi.c (line 1627):
>
> --------------------------
>       /* make sure that source address is associated with this client */
>       else if (multi_get_instance_by_virtual_addr (m, &src, true) != m->pending)
>         {
>           msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
>                mroute_addr_print (&src, &gc));
>           c->c2.to_tun.len = 0;
>         }
> ---------------------------
>
> I felt free to solve my problem by just removing the lines and it
> worked fine. The server accepts every packet and it doesn't hurt if
> one client fails.
>
> But now my question: this obviously isn't _the_ way to realize a
> redundant/failover setup, is there a better one?
> If not, can someone tell me if removing these lines may cause other
> problems? I only see the risk of "spoofed" packets which other clients
> send to the server's network.
>
>

these lines are in there for a very good reason indeed ;-)

read up on how to connect subnets to subnets and add a statement like

route <remote-subnet> <remote-subnet-mask>

to the server config file.

HTH,

JJK
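The following is an added illustration, not code from the thread or from OpenVPN itself: a toy Python model of the server-side "virtual address to client instance" table that the quoted multi.c check consults. It replays the two-clients-one-iroute setup Till describes (the most recently connected client overwrites the earlier owner of the prefix, so the other client's packets are dropped), and then shows what the same server does once the check is removed, which is the spoofing risk JJK is pointing at. The client names, tunnel addresses (10.8.0.x) and the 192.168.5.0/24 subnet of a third client are constructed for the example; only 192.168.0.0/24 and the log message text come from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration (not OpenVPN's code): a toy model of the server-side
# "virtual address -> client instance" table behind the check discussed in
# the thread. Client names, tunnel addresses and the 192.168.5.0/24 subnet
# are constructed examples.


@dataclass(eq=False)  # eq=False: instances compare by identity, like server-side objects
class ClientInstance:
    name: str
    vpn_ip: str            # tunnel address the server handed out (constructed)
    iroutes: List[str]     # subnets behind the client, as its ccd "iroute" lines


class MultiServer:
    """Minimal stand-in for the multi-client server's learned-address table."""

    def __init__(self, check_source: bool = True) -> None:
        # check_source=False models the effect of deleting the multi.c block.
        self.check_source = check_source
        self.vaddr_table: Dict[ipaddress.IPv4Network, ClientInstance] = {}
        self.log: List[str] = []

    def connect(self, client: ClientInstance) -> None:
        """Learn the client's tunnel address and its iroute prefixes.

        A later connection claiming the same prefix overwrites the earlier
        owner, which is why only the most recently connected of two clients
        with identical iroute lines may source packets from that subnet.
        """
        self.vaddr_table[ipaddress.IPv4Network(client.vpn_ip + "/32")] = client
        for prefix in client.iroutes:
            self.vaddr_table[ipaddress.IPv4Network(prefix)] = client

    def instance_by_virtual_addr(self, addr: str) -> Optional[ClientInstance]:
        """Longest-prefix match of a source address to the client that owns it."""
        ip = ipaddress.IPv4Address(addr)
        best: Optional[ipaddress.IPv4Network] = None
        owner: Optional[ClientInstance] = None
        for net, inst in self.vaddr_table.items():
            if ip in net and (best is None or net.prefixlen > best.prefixlen):
                best, owner = net, inst
        return owner

    def receive_from_client(self, client: ClientInstance, src: str) -> str:
        """Decide what happens to a packet with source `src` arriving over `client`."""
        owner = self.instance_by_virtual_addr(src)
        if self.check_source and owner is not client:
            # Counterpart of the quoted msg(D_MULTI_DROPPED, ...) line.
            self.log.append(
                f"MULTI: bad source address from client [{client.name}], packet dropped ({src})"
            )
            return "dropped"
        return "forwarded"


def run_scenarios() -> Dict[str, str]:
    """Replay the thread's setup and the consequence of removing the check."""
    results: Dict[str, str] = {}

    # Scenario 1: both clients carry "iroute 192.168.0.0 255.255.255.0".
    srv = MultiServer()
    client1 = ClientInstance("client1", "10.8.0.2", ["192.168.0.0/24"])
    client2 = ClientInstance("client2", "10.8.0.3", ["192.168.0.0/24"])
    srv.connect(client1)
    srv.connect(client2)          # connected last, so it now owns 192.168.0.0/24
    results["same_iroute_via_client1"] = srv.receive_from_client(client1, "192.168.0.5")
    results["same_iroute_via_client2"] = srv.receive_from_client(client2, "192.168.0.5")
    results["client1_own_tunnel_ip"] = srv.receive_from_client(client1, "10.8.0.2")

    # Scenario 2: a third client with an unrelated iroute sends a packet whose
    # source address lies in client2's subnet; the check is what rejects it.
    client3 = ClientInstance("client3", "10.8.0.4", ["192.168.5.0/24"])
    srv.connect(client3)
    results["foreign_source_with_check"] = srv.receive_from_client(client3, "192.168.0.9")

    # Scenario 3: the same traffic on a server with the multi.c block removed.
    srv_nocheck = MultiServer(check_source=False)
    for c in (client1, client2, client3):
        srv_nocheck.connect(c)
    results["same_iroute_via_client1_nocheck"] = srv_nocheck.receive_from_client(client1, "192.168.0.5")
    results["foreign_source_nocheck"] = srv_nocheck.receive_from_client(client3, "192.168.0.9")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:36s} {outcome}")
```

The model makes the trade-off visible: the check is per-prefix ownership, learned from the ccd iroute lines, so two identical ccd files cannot both be active at once, but removing the check also removes the server's only means of verifying that a source address arrived over the tunnel it was learned on, which is exactly the "spoofed packets" risk Till names and JJK confirms.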