Remove routes when tunnel is down
-
I would like OpenVPN to remove the remote routes when there are no clients connected.
I found this post on OpenVPN forums:
https://forums.openvpn.net/viewtopic.php?t=8539
I tried messing with the custom options and reviewing OpenVPN documentation. I have not been able to figure out how to implement these settings.
My use case is building redundant VPN servers at different locations on a network and using OSPF (FRR) to distribute the routes. The problem is when the primary pfsense box running OpenVPN loses its internet connection it continues to advertise the remote route (which has a better metric than the secondary OpenVPN server). If the primary is powered off, it works fine -- no longer advertising the route.
-
My use case is building redundant VPN servers at different locations on a network and using OSPF (FRR) to distribute the routes. The problem is when the primary pfsense box running OpenVPN loses its internet connection it continues to advertise the remote route (which has a better metric than the secondary OpenVPN server). If the primary is powered off, it works fine -- no longer advertising the route.
Are you using same Tunnel Network in primary and secondary pfSense ? if yes, ospf will advertise the same network even if no clients connected , use different Tunnel Network subnet in 2nd openvpn server , that will make ospf to advertise different subnet , if the users connected to the 2nd vpn , you will be able to reach them.
-
@Zawi thank you for your reply.
No, I have a different tunnel network for each OpenVPN server. It is the remote network that continues to be advertised, even after the tunnel comes down.
For example:
Primary and secondary OpenVPN servers have site-to-site VPNs configured for a remote site and the remote site’s subnet is 192.268.1.0/24.
OSPF on both primary and secondary advertise the remote subnet of 192.168.1.0/24 to the local network.
When the remote site connects to the primary, all is good because the route advertised has a lower metric. If the client connects to the secondary OpenVPN server, the primary is still advertising its route at a lower metric meaning traffic comes in the secondary but tries to return via the primary.
What I need is for the OpenVPN servers to only add their routes to the routing table when the tunnel is up and remove them when the tunnel is down. This way OSPF will similarly add/remove the routes from its advertisements.
Note. I can make this work if I put OSPF on the remote pfSense box. It will handle the advertisement of the remote LAN. The advertisements will only reach the local OSPF routers when the tunnel is up. For various reasons, this is not ideal to put OSPF on the remote network.
-
Thank you. I am trying to solve the issue from networking perspective.
No, I have a different tunnel network for each OpenVPN server. It is the remote network that continues to be advertised, even after the tunnel comes down.
so Virtual ip that assigned to each tunnel are different , this is important, so OSPF will advertise different subnet from each box as Connected Networks , that is good.
OSPF on both primary and secondary advertise the remote subnet of 192.168.1.0/24 to the local network.
OSPF advertises remote network because you redistribute pfSense Kernel Routes. right?
if yes try:
option1 : uncheck pfSense Kernel Routes to stop redistributing it.
option2: use FRR Access list to block remote network to be advertised .then OSPF in your local network will know about the next hob only which is pfSense 1 or 2 and nothing after them. once the traffic reach one of them it will follow openvpn routes.
What I need is for the OpenVPN servers to only add their routes to the routing table when the tunnel is up and remove them when the tunnel is down.
still looking how to stop adding route when openvpn is down.
-
OSPF advertises remote network because you redistribute pfSense Kernel Routes. right?
if yes try:
option1 : uncheck pfSense Kernel Routes to stop redistributing it.Correct, when this is unchecked, OSPF does not learn about the route. It will work when pfsense1 is up and its link works because it is the default gateway. Once it loses its connection, it no longer works because the remote site traffic arrives on pfsense2 over the VPN but tries to return via pfsense1 (the default route).
then OSPF in your local network will know about the next hob only which is pfSense 1 or 2 and nothing after them. once the traffic reach one of them it will follow openvpn routes.
This is exactly the issue. Somehow, I need the local network to learn that pfsense2 is now the gateway for the remote site VPN traffic.
still looking how to stop adding route when openvpn is down
This would be great as it would mean everything would work.