Home / server / Questions / 1005376
In Process
Thomas
Asked: 2020-03-04 00:17:11 +0800 CST

OpenVPN Server on a Multi-WAN Router

  • 772

I have a OpenVPN Server on a MultiWAN Router (Ubuntu Based). The Problem is, that incoming packages not leaving the same WAN interface where they entered. I tested already with iptables MARK rules in combination with ip rules, but could not fix the problem. I know, I can define on the openvpn configuration with local 79.1.2.3 the outgoing ip, but I want it more flexible if possible. The OpenVPN Port Protocol is UDP if it matters.

$ ip r s|grep default
default via 83.1.2.3 dev vlan254 metric 1 
default via 79.1.2.3 dev ppp0 metric 2 
default via 192.168.0.251 dev vlan10 metric 3 onlink 

$ ip rule s
0:      from all lookup local 
100:    from all fwmark 0x1 lookup uplink1 
101:    from 83.1.2.3 lookup uplink1 
102:    from all to 83.1.2.3 lookup uplink1 
200:    from all fwmark 0x2 lookup uplink2 
201:    from 79.1.2.3 lookup uplink2 
300:    from all fwmark 0x3 lookup uplink3 
301:    from 192.168.0.254 lookup uplink3 
302:    from all to 192.168.0.254 lookup uplink3 
32766:  from all lookup main 
32767:  from all lookup default 

# iptables -L -vn -t mangle
Chain PREROUTING (policy ACCEPT 4785K packets, 5178M bytes)
 pkts bytes target     prot opt in     out     source               destination         
4785K 5178M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
3985K 5035M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0
  351 46210 MARK       all  --  vlan254 *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 3865  242K MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x2
  351 46210 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 CONNMARK save
 3865  242K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2 CONNMARK save

Chain INPUT (policy ACCEPT 1658K packets, 1114M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 3127K packets, 4063M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1534K packets, 1241M bytes)
 pkts bytes target     prot opt in     out     source               destination         
1534K 1241M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
 657K  103M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:55394 MARK set 0x2
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 CONNMARK save
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2 CONNMARK save

Chain POSTROUTING (policy ACCEPT 4639K packets, 5303M bytes)
 pkts bytes target     prot opt in     out     source               destination         
4639K 5303M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
3743K 4164M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0
   90  7560 MARK       all  --  *      vlan254  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
57161 3664K MARK       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            MARK set 0x2
 896K 1140M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save

So, the incomming packets comes from uplink2, but leaves uplink1 (the default gw).

Any Idea how I can solve my problem?

openvpn iptables iproute2

1 Answers

  1. Lets see if I can explain it a bit better:

    1. Assume you have a host somewhere on the Internet that is sending a ip package to your network. For agument sake lets say it comes from the ip address 1.2.3.4.

    2. Package arrives at your network from either vlan254 or ppp0 link. Which is forwarded to destination on your network (aka via uplink3).

    3. Now whoever received the package has to reply back, so it will send a package out with destination address 1.2.3.4.

    4. Since both uplink1 and uplink2 has a path to 1.2.3.4 either of them works as a valid path the package will then be forwarded via the link with the lowest metric, which is uplink1.

    This is basically what happens in 10.4.2. Inbound traffic Using Multiple Connections to the Internet from my link above.

    However what you wanted was:

    • If traffic entered via uplink1 then any reply will go out through uplink1.
    • Likewise any ip packages incomming from uplink2 will also be replied using uplink2.

    This means you a landing squarely in the world of multihomed networking.

    Now I am assuming you used the ability to mark a package, in order to keep track of where it came from? Alas marking only have its uses if you have ip packages that needed to be routed through different paths, depending on which port number was used inititally as either source or destination port.

    The alternative solution from my link was letting your server listen on 2 IP adresses and then do a form of reverse NAT where all traffic inbound is forwarded to one or the other ip address depending on which link was used.

    You can then forward traffic out through the correct link depending on your servers source ip address.

    You could alternatively run OpenVPN on two different ports (like 1194 and 1195) and using marking to forward any replies over either one or the other link to the Internet.

    • 0