Gateway IP for openVPN gets duplicated
-
I am using multiple OpenVPN clients to do load-balancing with NordVPN. The credentials and ports used to connect are the same for all clients, only the server IP is different. This seems to cause the gateways ending up having the same Gateway IP. NordVPN sadly provides only port 1194 for UDP.
Any way to make the Gateway IPs unique?
-
I tried to follow the instructions here https://forum.netgate.com/topic/22921/how-to-load-balance-multiple-openvpn-clients.
Even with "Don't Pull Routes" and adding my own "route 10.8.3.2 255.255.255.0", the server seems to be pushing its own route. Does anyone have instructions on setting up my own static route? -
The gateway IP assignment is not on your side, it's preset by the server.
If you want to have redundant VPN connections ask your VPN provider for proper servers, find it out by yourself or use different VPN providers. -
Thanks for your input. Really appreciate that.
My VPN provider does provide multiple servers but as I am connecting to several of them, the subnets are overlapping.
I might be completely wrong here, but here is what I tried.
With the following I could prevent the VPN server pushing paths to me.
pull-filter ignore "ifconfig ";
pull-filter ignore "redirect-gateway ";
pull-filter ignore "route-gateway ";
I wrote this filter based on the PUSH below, which the server does when it pushes the routes.
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS xxx.xxx.xxx.xxx dhcp-option DNS xxx.xxx.xxx.xxx,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.0.21 255.255.255.0,peer-id 20,cipher AES-256-GCM'
Now I added the following to the "Advanced Options" to set a static route.
ifconfig 10.8.0.2 255.255.255.0;
route 10.8.0.0 255.255.255.0 10.8.0.1;
route-gateway 10.8.0.1;
With the above, the routing table looks exactly as when the provider was pushing the routes (just that it is now static).
Somehow the gateway (10.8.0.1) is still down.
(Maybe some of the above are completely foolish. Sorry for that. This is simply based on the several threads and documentation I tried to understand as a novice)
If the server is pushing the routes, everything works fine, with the static route which looks exactly the same, it doesn't.
Is this the right way to set up a route on my own if I deny the server route push?
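Added example (Python; not from the thread, from pfSense or from OpenVPN itself): it applies the pull-filter rules quoted above to constructed PUSH_REPLY messages the way OpenVPN's --pull-filter matches them (the rule text must be a prefix of the pushed option, rules are tried in order and the first match decides, unmatched options are accepted), extracts the server-assigned tunnel parameters, and reports which clients were handed the same route-gateway, which is the duplication the first post describes. The client names, the three PUSH_REPLY strings and the second server's IPv6 option are all constructed for the example.

```python
"""Added example, not from the thread or from OpenVPN/pfSense: model how
OpenVPN's --pull-filter matches pushed options and find duplicate tunnel
gateways across several clients.  All messages below are constructed."""
from __future__ import annotations

import ipaddress

# The three ignore rules posted in the thread, in the order they were given.
THREAD_FILTERS = [
    ("ignore", "ifconfig "),
    ("ignore", "redirect-gateway "),
    ("ignore", "route-gateway "),
]

# Constructed PUSH_REPLY messages modelled on the one quoted in the thread.
# ovpnc1 and ovpnc2 connect to two servers of one provider that both hand out
# 10.8.0.0/24; ovpnc3 connects to a server with a different pool.
CLIENT_PUSHES = {
    "ovpnc1": ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,"
               "sndbuf 524288,route-gateway 10.8.0.1,topology subnet,"
               "ifconfig 10.8.0.21 255.255.255.0,peer-id 20,cipher AES-256-GCM"),
    "ovpnc2": ("PUSH_REPLY,redirect-gateway def1,route-gateway 10.8.0.1,"
               "topology subnet,ifconfig 10.8.0.37 255.255.255.0,"
               "ifconfig-ipv6 fd00:8::25/64 fd00:8::1,peer-id 7,cipher AES-256-GCM"),
    "ovpnc3": ("PUSH_REPLY,redirect-gateway def1,route-gateway 10.8.1.1,"
               "topology subnet,ifconfig 10.8.1.4 255.255.255.0,peer-id 3,"
               "cipher AES-256-GCM"),
}


def parse_push_reply(msg: str) -> list[str]:
    """Split a PUSH_REPLY control message into its individual pushed options."""
    if msg.startswith("PUSH_REPLY,"):
        msg = msg[len("PUSH_REPLY,"):]
    return [opt.strip() for opt in msg.split(",") if opt.strip()]


def apply_pull_filters(options, filters):
    """Apply --pull-filter rules: the first rule whose text is a prefix of the
    pushed option decides; options no rule matches are accepted.  Returns
    (kept, ignored).  A 'reject' match raises, since a real client would
    terminate the connection at that point."""
    kept, ignored = [], []
    for opt in options:
        action = "accept"
        for act, prefix in filters:
            if opt.startswith(prefix):
                action = act
                break
        if action == "reject":
            raise ValueError(f"pushed option rejected by pull-filter: {opt}")
        (ignored if action == "ignore" else kept).append(opt)
    return kept, ignored


def tunnel_params(options):
    """Pick the server-assigned tunnel settings (virtual IP, mask, gateway)
    out of the pushed options and derive the tunnel network from them."""
    params = {}
    for opt in options:
        words = opt.split()
        if words[0] == "ifconfig" and len(words) == 3:
            params["local_ip"], params["netmask"] = words[1], words[2]
        elif words[0] == "route-gateway" and len(words) == 2:
            params["gateway"] = words[1]
    if {"local_ip", "netmask"} <= params.keys():
        net = ipaddress.ip_network(
            f"{params['local_ip']}/{params['netmask']}", strict=False)
        params["network"] = str(net)
    return params


def find_gateway_conflicts(pushes):
    """Return {gateway: [clients]} for every route-gateway that more than one
    client was given; an empty dict means all tunnel gateways are unique."""
    by_gateway = {}
    for client, msg in pushes.items():
        gw = tunnel_params(parse_push_reply(msg)).get("gateway")
        if gw:
            by_gateway.setdefault(gw, []).append(client)
    return {gw: sorted(c) for gw, c in by_gateway.items() if len(c) > 1}


if __name__ == "__main__":
    for client, msg in CLIENT_PUSHES.items():
        opts = parse_push_reply(msg)
        kept, ignored = apply_pull_filters(opts, THREAD_FILTERS)
        print(client, "tunnel:", tunnel_params(opts))
        print(client, "dropped by pull-filter:", ignored)
    print("duplicate gateways:", find_gateway_conflicts(CLIENT_PUSHES))
```

Two things worth noticing when running it: the trailing space in "ifconfig " is what keeps the rule from also swallowing a pushed ifconfig-ipv6 option, and the conflict report shows that the duplicate comes from the servers' route-gateway values, not from anything configured on the client side.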
-
@nirmalts said in Gateway IP for openVPN gets duplicated:
pull-filter ignore "ifconfig ";
I'm in doubt that this might ever work.
You may be able to ignore the route or redirect-gateway, but not ifconfig. This would mean you choose your virtual IP by yourself. How do you think that should work?
The server provides a /24 VPN tunnel pool, i.e. it allows up to 253 clients to connect to it. If the clients set the tunnel IPs by themselves there would be some address conflicts, I think. Therefore the tunnel settings are strictly given by the server and you cannot change them. These are
- your virtual IP
- the server virtual IP (your gateway)
- tunnel network (mask)
If you want to learn more about OpenVPN check the Reference manual for OpenVPN.
@nirmalts said in Gateway IP for openVPN gets duplicated:
Is this right way to setup a route on my own if I deny the server route push?
To prevent the route from being pushed by the server, check "Don't pull routes".
Then enter the network you want to route over the VPN into the "Remote network(s)" box.
However, I'm not sure what you really want to route here. -
Ah! I guess I am getting it now.
I thought the public IP (185.220.xxx.xxx) that the server provides me is enough for the server to communicate with me and that the Virtual IP and Gateway IP are something purely local to me and I can set it myself. I now understand that these IPs are something that the VPN server hands out to its clients and is the way for the server to communicate with the client (and back). Is this right?
So it absolutely does not make sense that I set it and expect that the server will "find me". I noticed that, after I setup the routing table, Virtual IP and Gateway IP with the above steps, data was going out into the tunnel but never coming back. This explains why the gateway was down.
What I am trying to do, as I mentioned in my initial post, is to prevent duplicate Gateway IPs when I connect to different servers (of the same provider). As of now, after a pfSense restart, I connect and disconnect the VPN clients with the duplicated IPs and after 2-3 tries it gets an IP from a different subnet. I guess I will have to live with this workaround.
@viragomann said in Gateway IP for openVPN gets duplicated:
To prevent the route from being pushed by the server, check "Don't pull routes".
Then enter the network you want to route over the VPN into the "Remote network(s)" box.
However, I'm not sure what you really want to route here.
I see that I can only stop pulling the routes that the server pushes. I thought this option prevents setting the Virtual IP and Gateway IP and therefore thought this option isn't working for me and tried the pull-filter ignores, where it appeared as if it is working for me.
With my newly self-learnt background in networking, I was trying out stuff expecting it to work. Thanks for explaining the fundamentals to me.
On the other hand, I did see some discussions where it was mentioned that the duplicated Gateway IPs should not be an issue for pfSense loadbalancing as it does not do it with IPs and does not use the routing table. Is this true?