[solved] Running OSPF on tun OpenVPN



  • Hi,

    this issue scratches different topics but I wanna put it in OpenVPN because I think that might be where the trouble is.

    I have two routers running 2.3.4 AMD64. Both systems are directly connected via igb1:
    fw1 192.168.141.2 <–> 192.168.141.1 fw2

    There is also a VPN link both routers have setup over WAN. This is a tun VPN with mode Peer to Peer (SSL/TLS). I chose this mode because when I setup the tunnel with Shared Secret I didn't get IP addresses on the openvpn interfaces.
    fw1 10.12.252.1 <–> 10.12.252.2 fw2

    Over those two links I run OSPF. The idea behind it is that if the physical link goes down data can still run over the VPN link.
    OSPF doesn't seem to be my problem because the routes are set fine. Since I set the metric to 50 for the VPN link, all data between the routers runs over the physical igb1. When I disconnect igb1, OSPF sets the routes so that data should run over the tunnel. The OSPF states are OK (Full) and I checked the routes manually.

    Now comes the strange thing:
    Of course there are regular clients connected to every firewall. fw1 is in 192.168.149.0/24 while fw2 is running 192.168.144.0/24.
    I want to ping pc1 to pc2:
    pc1 192.168.144.50 <–> 192.168.144.100 fw2 10.12.252.2 <–> 10.12.252.1 fw1 192.168.149.100 <–> 192.168.149.50 pc2
    When the ICMP packet arrives at fw2 it's being sent into the tunnel. I verified that via tcpdump. When I look at the other side of the tunnel on fw1 I do NOT receive the ICMP packet on that device. I'm still talking about the echo request packet.
    That's why communication breaks down when traffic ought to run over VPN.  :-[

    Could someone point me in the right direction?
    The firewall is configured so that all packets on the VPN links should pass. There is also no packet shown in filter.log.
    I've also tried to create OpenVPN interfaces via Interfaces -> Assign and to use them in the Quagga config, but that didn't work either.

    fw1 ospfd.conf
    [code]password test1234
    interface igb1
    interface ovpns1
      ip ospf network point-to-point
      ip ospf cost 50
    router ospf
      ospf router-id 192.168.141.2
      redistribute connected
      network 192.168.141.0/24 area 0.0.0.0
      network 10.12.252.0/24 area 0.0.0.0[/code]
    fw1 openvpn.conf
    [code]dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth RSA-SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local <<public ip>>
    tls-server
    server 10.12.252.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    ifconfig 10.12.252.1 10.12.252.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 1
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    topology subnet[/code]

    fw2 ospfd.conf
    [code]password test1234
    interface igb1
    interface ovpnc1
      ip ospf network point-to-point
      ip ospf cost 50
    router ospf
      ospf router-id 192.168.141.1
      redistribute connected
      network 10.12.252.0/24 area 0.0.0.0[/code]

    fw2 openvpn.conf
    [code]dev ovpnc1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth RSA-SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local <<public ip>>
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote <<public ip server>> 1194
    ifconfig 10.12.252.2 10.12.252.1
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    resolv-retry infinite
    topology subnet[/code]

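    An added example (not posted by the thread author or part of any pfSense/Quagga code): a small consistency check that reads the two ospfd.conf snippets above and compares the two ends of the backup link. It assumes the interface addresses from the diagram in the post (igb1 is the direct link, ovpns1/ovpnc1 the tunnel ends), that the posted configs are complete, and that an interface without an explicit `ip ospf cost` uses Quagga's default cost of 10. Run against the configs as posted, the only finding it reports is that fw2's ospfd.conf has no `network` statement covering 192.168.141.0/24, so on fw2 only the tunnel interface would actually run OSPF.

```python
"""Consistency check for an OSPF-over-OpenVPN backup link (added example)."""
import ipaddress
import re

# Both ospfd.conf files exactly as posted in the thread.
FW1_OSPFD = """\
password test1234
interface igb1
interface ovpns1
  ip ospf network point-to-point
  ip ospf cost 50
router ospf
  ospf router-id 192.168.141.2
  redistribute connected
  network 192.168.141.0/24 area 0.0.0.0
  network 10.12.252.0/24 area 0.0.0.0
"""

FW2_OSPFD = """\
password test1234
interface igb1
interface ovpnc1
  ip ospf network point-to-point
  ip ospf cost 50
router ospf
  ospf router-id 192.168.141.1
  redistribute connected
  network 10.12.252.0/24 area 0.0.0.0
"""

# Interface addresses taken from the diagram in the post; the mapping
# itself is constructed here (igb1 = direct link, ovpn* = tunnel end).
FW1_ADDRS = {"igb1": "192.168.141.2", "ovpns1": "10.12.252.1"}
FW2_ADDRS = {"igb1": "192.168.141.1", "ovpnc1": "10.12.252.2"}

# Assumption: an interface with no explicit 'ip ospf cost' gets Quagga's
# default of 10.  Only used to compare the direct link with the tunnel.
DEFAULT_COST = 10

IFACE_RULES = [(re.compile(r"^ip ospf network (\S+)$"), "network", str),
               (re.compile(r"^ip ospf cost (\d+)$"), "cost", int)]


def parse_ospfd(text):
    """Minimal parser for the 'interface' and 'router ospf' stanzas.
    Returns (interfaces, router): interfaces maps name -> {network, cost},
    router holds router_id, networks [(ip_network, area)] and redistribute."""
    interfaces = {}
    router = {"router_id": None, "networks": [], "redistribute": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("password"):
            continue
        if line.startswith("interface "):
            name = line.split()[1]
            interfaces[name] = {"network": "broadcast", "cost": None}
            section = ("interface", name)
        elif line == "router ospf":
            section = ("router", None)
        elif section and section[0] == "interface":
            for pattern, key, conv in IFACE_RULES:
                m = pattern.match(line)
                if m:
                    interfaces[section[1]][key] = conv(m.group(1))
        elif section and section[0] == "router":
            m = re.match(r"^ospf router-id (\S+)$", line)
            if m:
                router["router_id"] = m.group(1)
            m = re.match(r"^network (\S+) area (\S+)$", line)
            if m:
                router["networks"].append((ipaddress.ip_network(m.group(1)), m.group(2)))
            m = re.match(r"^redistribute (\S+)$", line)
            if m:
                router["redistribute"].add(m.group(1))
    return interfaces, router


def ospf_enabled_ifaces(router, addrs):
    """Interfaces whose address is covered by a 'network ... area' line,
    i.e. the ones ospfd will actually run OSPF (and form adjacencies) on."""
    return {name for name, addr in addrs.items()
            if any(ipaddress.ip_address(addr) in net for net, _ in router["networks"])}


def check_link(name1, cfg1, addrs1, tun1, name2, cfg2, addrs2, tun2, direct="igb1"):
    """Compare both ends of the backup link; returns a list of findings
    (empty list means the two configs agree)."""
    findings = []
    if1, r1 = parse_ospfd(cfg1)
    if2, r2 = parse_ospfd(cfg2)
    if r1["router_id"] == r2["router_id"]:
        findings.append(f"both routers use router-id {r1['router_id']}")
    for name, ifaces, router, addrs, tun in ((name1, if1, r1, addrs1, tun1),
                                             (name2, if2, r2, addrs2, tun2)):
        for iface in sorted(set(addrs) - ospf_enabled_ifaces(router, addrs)):
            findings.append(f"{name}: {iface} ({addrs[iface]}) is not covered by any "
                            f"'network ... area' statement")
        tun_cfg = ifaces.get(tun, {})
        if tun_cfg.get("network") != "point-to-point":
            findings.append(f"{name}: {tun} is not 'ip ospf network point-to-point'")
        # The tunnel is meant as the backup path, so it must cost more than the direct link.
        direct_cost = ifaces.get(direct, {}).get("cost") or DEFAULT_COST
        if (tun_cfg.get("cost") or DEFAULT_COST) <= direct_cost:
            findings.append(f"{name}: tunnel cost {tun_cfg.get('cost')} does not exceed "
                            f"direct-link cost {direct_cost}")
    c1, c2 = if1.get(tun1, {}).get("cost"), if2.get(tun2, {}).get("cost")
    if c1 != c2:
        findings.append(f"tunnel cost differs: {name1}={c1} {name2}={c2}")
    return findings


if __name__ == "__main__":
    result = check_link("fw1", FW1_OSPFD, FW1_ADDRS, "ovpns1",
                        "fw2", FW2_OSPFD, FW2_ADDRS, "ovpnc1")
    for line in result or ["no inconsistencies found"]:
        print(line)
```

    The check only covers the OSPF side of the setup (whether both ends agree on point-to-point mode, cost and which interfaces run OSPF); it says nothing about the OpenVPN mode question the thread is about.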

  • I switched to Shared Secret mode and now it's working just fine.

