Hi there,
I have configured two OpenVPN servers on my ArchLinux system, along with multiple clients connecting to them
My first VPN uses 10.4.4.0/24 on port 1194, this is the config file
port 1194
proto udp
dev tun
ca /etc/openvpn/server/hsp/ca.crt
cert /etc/openvpn/server/hsp/hoerspiel.crt
key /etc/openvpn/server/hsp/hoerspiel.key # This file should be kept secret
dh /etc/openvpn/server/hsp/dh.pem
tls-crypt /etc/openvpn/server/hsp/ta.key
server 10.4.4.0 255.255.255.0
client-to-client
ifconfig-pool-persist /etc/openvpn/server/hsp/ipp.txt
client-config-dir /etc/openvpn/server/hsp/ccd
keepalive 10 120
cipher AES-256-CBC
max-clients 5
persist-key
persist-tun
status /etc/openvpn/server/hsp/openvpn-status.log
verb 3
;mute 20
explicit-exit-notify 1
And all my clients can connect to this server using a client config like this:
client
dev tun
proto udp
remote MYSERVER.spdns.org 1194
ca /etc/openvpn/client/hsp/ca.crt
cert /etc/openvpn/client/hsp/terry.crt
key /etc/openvpn/client/hsp/terry.key
tls-crypt /etc/openvpn/client/hsp/ta.key
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1350
verb 3
All clients can ping and ssh each other via 10.4.4.x, using the clients' IPs.
This works just nice.
My second VPN server uses 10.5.5.0/24 on port 11904 with a similar config, but a different port:
port 11904
proto udp
dev tun
ca /etc/openvpn/server/produnis/ca.crt
cert /etc/openvpn/server/produnis/produnis.crt
key /etc/openvpn/server/produnis/produnis.key # This file should be kept secret
dh /etc/openvpn/server/produnis/dh.pem
tls-crypt /etc/openvpn/server/produnis/ta.key
server 10.5.5.0 255.255.255.0
client-to-client # so the clients can see each other
ifconfig-pool-persist /etc/openvpn/server/produnis/ipp.txt
client-config-dir /etc/openvpn/server/produnis/ccd
keepalive 10 120
cipher AES-256-CBC
max-clients 7
persist-key
persist-tun
status /etc/openvpn/server/produnis/openvpn-status.log
verb 3
explicit-exit-notify 1
and all clients use a similar config like this
client
dev tun
proto udp
remote MYSERVER.spdns.org 11904
ca /etc/openvpn/client/produnis/ca.crt
cert /etc/openvpn/client/produnis/terri.crt
key /etc/openvpn/client/produnis/terri.key
tls-crypt /etc/openvpn/client/produnis/ta.key
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1350 # Unitymedia/Vodafone
verb 3
The problem is that all clients can ping and ssh the server on 10.5.5.1, but cannot ping and ssh each other.
ifconfig shows that all tunnels are up:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.4.4.3 netmask 255.255.255.255 destination 255.255.255.255
inet6 fe80::689a:949e:35dd:fc7c prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 39496 bytes 8174239 (7.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 47965 bytes 7924099 (7.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.5.5.3 netmask 255.255.255.255 destination 255.255.255.255
inet6 fe80::7t40:dh02:426b:7f21 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 176 bytes 112958 (110.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 161 bytes 83002 (81.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
But if I do a
ip route show
on the clients, I see
10.4.4.0/24 via 255.255.255.255 dev tun0
10.5.5.0/24 via 255.255.255.255 dev tun0
So, the clients all have a wrong route for 10.5.5.0, as it should be tun1 and not tun0.
I can manually fix that by typing in:
sudo ip route del 10.5.5.0/24 dev tun0
sudo ip route add 10.5.5.0/24 dev tun1
But I don't want to manually fix it every time.
I would appreciate any insights or suggestions on how to troubleshoot and resolve this problem. Specifically, I am interested in understanding why the clients are selecting the incorrect tunnel interface and how to correct this behavior.
Thank you in advance for your help.
Last edited by produnis (2024-03-17 16:44:21)
Since I use up to four routed OpenVPN connections simultaneously (to different servers without ccd) and their routes are always set correctly I suspect the contents of your client-config-dirs.
is it because the two vpn networks are on the same server?
Because, if I start the 10.5.5.0/24 VPN first, then that network will ping and ssh to all clients,
and if I start up the 10.4.4.0/24 VPN second, then this one's route is set to the tunnel of the first started VPN....
I don't know how to solve that...:/
EDIT:
I even set a fixed tun69 and tun99 for both VPNs. The problem is the same, routing both via tun69 or tun99, depending on which VPN I start first...
My ccd directories have a file for each client, giving them a fixed IP address, like
ifconfig-push 10.4.4.2 255.255.255.255
or
ifconfig-push 10.5.5.2 255.255.255.255
Last edited by produnis (2024-03-17 13:43:05)
Give it a try and remove the ccd's for testing.
If the problem persists, try the "verb N" (with 4 as the highest "normal" log level, 5 and above log every packet...) command on server and client and check the log files.
thx, -thc, you were right!
I had to change from
ifconfig-push 10.4.4.2 255.255.255.255
to
ifconfig-push 10.4.4.2 10.4.4.1
So, instead of 255.255.255.255 I had to point to the server's IP 10.4.4.1.
The same goes for all files of ccd with my second VPN at 10.5.5.0/24.
Now it works.
And, to be honest, the logfile also told me about it, I found in journalctl:
WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.255) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
So, thx again for your help, it all works now!
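The fix in the thread is easy to get wrong again the next time a ccd file is added, and OpenVPN only reports it as a WARNING in the journal. The script below is an added example (not from the thread or from the OpenVPN project) that audits ccd files for exactly this mistake: with "dev tun" and the default point-to-point topology, the second argument of ifconfig-push must be the server's tun address, not something that looks like a netmask. It also flags a pushed client address that falls outside the pool declared by the "server" directive, and can rewrite the offending lines. The server config and ccd contents embedded in it are constructed to mirror the thread; the client names and the "alien" entry are made up. The check assumes the default point-to-point tun topology used in the thread; under "topology subnet" the second argument of ifconfig-push is legitimately a netmask, so the netmask test would not apply.

```python
"""Audit OpenVPN client-config-dir (ccd) entries for the ifconfig-push
pitfall from the thread: with 'dev tun' in point-to-point topology, the
second argument must be the server-side tun address, not a netmask.
Added example, not the thread's or OpenVPN's own code."""

import ipaddress

# Constructed sample mirroring the second server in the thread (before the fix).
SERVER_CONFIG = """\
port 11904
proto udp
dev tun
server 10.5.5.0 255.255.255.0
client-to-client
client-config-dir /etc/openvpn/server/produnis/ccd
"""

# Constructed ccd contents; client names and the 'alien' entry are hypothetical.
CCD_FILES = {
    "terri": "ifconfig-push 10.5.5.2 255.255.255.255\n",   # the mistake from the thread
    "thomas": "ifconfig-push 10.5.5.3 10.5.5.1\n",          # already the corrected form
    "alien": "ifconfig-push 10.4.4.9 255.255.255.255\n",    # wrong pool AND netmask
}


def _strip_comment(line):
    """Drop '#' and ';' comments, as OpenVPN config parsing allows both."""
    return line.split("#", 1)[0].split(";", 1)[0].strip()


def parse_server_subnet(config_text):
    """Return (pool network, server tun address) from the 'server NET MASK' line.
    OpenVPN takes the first usable address of the pool for the server itself."""
    for raw in config_text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) == 3 and parts[0] == "server":
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)
            return net, net[1]
    raise ValueError("no 'server' directive found")


def looks_like_netmask(value):
    """Heuristic: a value whose bits are contiguous ones followed by zeros
    (255.255.255.255, 255.255.255.0, ...) is a mask, not a host address."""
    try:
        n = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    inverted = (~n) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def check_ccd_entry(name, text, net, server_ip):
    """Return a list of findings (strings) for one ccd file; empty means OK."""
    findings = []
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) != 3 or parts[0] != "ifconfig-push":
            continue
        client_str, peer = parts[1], parts[2]
        try:
            client = ipaddress.IPv4Address(client_str)
        except ValueError:
            findings.append(f"{name}: unparsable client address {client_str!r}")
            continue
        if client not in net:
            findings.append(f"{name}: {client} is outside the server pool {net}")
        if looks_like_netmask(peer):
            findings.append(
                f"{name}: second argument {peer} looks like a netmask; "
                f"use the server's tun address: 'ifconfig-push {client} {server_ip}'"
            )
    return findings


def audit(server_config, ccd_files):
    """Map each ccd file name to its findings."""
    net, server_ip = parse_server_subnet(server_config)
    return {name: check_ccd_entry(name, text, net, server_ip)
            for name, text in ccd_files.items()}


def rewrite_ccd(text, server_ip):
    """Return the ccd text with netmask-style second arguments replaced by
    the server address; other lines are kept verbatim."""
    out = []
    for line in text.splitlines(keepends=True):
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ifconfig-push" and looks_like_netmask(parts[2]):
            out.append(f"ifconfig-push {parts[1]} {server_ip}\n")
        else:
            out.append(line)
    return "".join(out)


if __name__ == "__main__":
    report = audit(SERVER_CONFIG, CCD_FILES)
    for client_name, issues in report.items():
        print(client_name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
    _, srv = parse_server_subnet(SERVER_CONFIG)
    print(rewrite_ccd(CCD_FILES["terri"], srv), end="")
```

To run it against a real server, read the files from the client-config-dir named in the server config instead of the embedded dictionary; the checks themselves do not change. The pool check is worth keeping alongside the netmask check, because a client pushed an address from the other server's pool would produce routing confusion very similar to what the thread describes.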