Revision 651 → revision 1314 (comment: Add script)
Linux multihome openvpn

Setup of OpenVPN on a multihomed box.

Problem: OpenVPN answers UDP packets back via the default gateway and selects a different source IP than the one the incoming packet arrived on, so the client sees replies from an unexpected address.

Approaches tried:

1. OpenVPN: bind to all interfaces.
   - Linux selects the interface/IP based on routing. Locally generated packets pick the interface before the mangle table can replace the fwmark, so policy routing on the mark does not help.
2. OpenVPN: bind to lo:127.0.0.2, use NAT to redirect incoming udp:1194 to 127.0.0.2.
   - Kernel bug? Still selecting the wrong source address.
3. OpenVPN: multiple instances, each bound to a specific external IP.
   - WORKS! but needs a separate subnet for each instance, so the client IP changes when it reconnects.
   - Set up OpenVPN to add host routes as they activate?
4. OpenVPN: Solution - bind to a real interface.
   - Solution: bind to a single IP on a real inside interface (loopback does not work? bug).
   - NAT the external addresses to the real interface.
   - Tested: can connect to any of the external IPs. Example bash script to set up the NAT:
#!/bin/bash
# Redirect udp/1194 on each external firewall address to the single inside
# address OpenVPN is bound to. 'nat' is this site's own NAT helper, not a
# standard tool; its arguments describe a destination-NAT rule.
iplist_FWext="e1=196.1.1.1 e2=196.2.1.1 e3=196.3.1.1"   # label=external-ip pairs
iphost_FWint="10.0.0.1"                                 # inside address OpenVPN listens on

for i in ${iplist_FWext}; do
    fw_ip=${i##*=}    # address after '='
    fw_int=${i%%=*}   # label before '=' (kept for reference; not used by the nat call)
    nat to-destination "${iphost_FWint}" dport 1194 proto udp dst "${fw_ip}"
done
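The same setup expressed with standard tools, as an added example that is not part of the original page. It assumes (an assumption, not stated on the page) that the site's `nat` helper corresponds to an iptables PREROUTING DNAT rule, and it uses the page's own addresses. The generator only prints rules rather than applying them, so it can be reviewed or diffed before use; conntrack reverses the DNAT on replies, which is what makes the client see the external address it originally sent to.

```shell
#!/bin/bash
# Added example: build the DNAT rules that send udp/1194 on every external
# address to the single inside address OpenVPN binds to ('local' directive).
# The iptables form is an assumption about what the page's 'nat' helper does;
# addresses are the page's own.

OPENVPN_INSIDE_IP="10.0.0.1"                              # inside address OpenVPN listens on
EXTERNAL_IPS="e1=196.1.1.1 e2=196.2.1.1 e3=196.3.1.1"    # label=external-ip pairs

# Print one DNAT rule per label=ip entry (dry run: nothing is applied).
# The kernel's connection tracking un-NATs the replies, so a client that
# sent to 196.2.1.1 gets its answer from 196.2.1.1, not the default-route IP.
gen_dnat_rules() {
    local inside="$1"; shift
    local entry label ext
    for entry in "$@"; do
        label=${entry%%=*}
        ext=${entry##*=}
        printf 'iptables -t nat -A PREROUTING -p udp -d %s --dport 1194 -j DNAT --to-destination %s:1194  # %s\n' \
            "$ext" "$inside" "$label"
    done
}

# Number of rules a given inside address and external list would produce.
count_rules() {
    gen_dnat_rules "$@" | wc -l | tr -d ' '
}

# Matching OpenVPN server directives: bind to the one inside address only,
# so the source selection problem described above cannot arise.
openvpn_local_config() {
    printf 'local %s\nport 1194\nproto udp\n' "$1"
}

# shellcheck disable=SC2086  # word splitting of EXTERNAL_IPS is intended
gen_dnat_rules "$OPENVPN_INSIDE_IP" $EXTERNAL_IPS
echo "--- openvpn server.conf fragment ---"
openvpn_local_config "$OPENVPN_INSIDE_IP"
```

Run it as a dry run first and compare the printed rules with the firewall's existing NAT table; only the PREROUTING rules and the `local` directive are needed, since the return path is handled by conntrack.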