[solved] Running OSPF on tun OpenVPN

junicast · Jul 7, 2017, 8:22 AM

Hi,

this issue scratches different topics but I wanna put it in OpenVPN because I think there might be the trouble.

I have two routers running 2.3.4 AMD64. Both systems are directly connected via igb1:
fw1 192.168.141.2 <–> 192.168.141.1 fw2

There is also a VPN link both routers have setup over WAN. This is a tun VPN with mode Peer to Peer (SSL/TLS). I chose this mode because when I setup the tunnel with Shared Secret I didn't get IP addresses on the openvpn interfaces.
fw1 10.12.252.1 <–> 10.12.252.2 fw2

Over those two links I run OSPF. The idea behind it is that if the physical link goes down data can still run over the VPN link.
OSPF doesn't seem to be my problem because the routes are set fine. Since I set the metric to 50 for the VPN link all data between the routers run over the physical igb1. When I disconnect igb1 ospf set the routes so that data should run over the tunnel. The OSPF states are ok (Full) and the routes I checked manually.

Now comes the strange thing:
Of course there are regular clients connected to every firewall. fw1 is in 192.168.149.0/24 while fw2 is running 192.168.144.0/24.
I want to ping pc1 to pc2:
pc1 192.168.144.50 <–> 192.168.144.100 fw2 10.12.252.2 <–> 10.12.252.1 fw1 192.168.149.100 <–> 192.168.149.50 pc2
When the icmp packet arrives fw2 it's being send into the tunnel. I verified that via tcpdump. When I look at the other side of the tunnel on fw1 I do NOT receive the ICMP packet on that device. Still talking about the echo request packet.
That's why communication breaks down when traffic ought to run over VPN. :-[

Could someone point in into the right direction?
The Firewall is configured that all packets on the vpn links should pass. There is also no packet shown in filter.log.
I've also tried to create openvpn interfaces via interfaces -> assign and to use them in the quagga config, but that didn't work either.

fw1 ospfd.conf
[code]password test1234
interface igb1
interface ovpns1
ip ospf network point-to-point
ip ospf cost 50
router ospf
ospf router-id 192.168.141.2
redistribute connected
network 192.168.141.0/24 area 0.0.0.0
network 10.12.252.0/24 area 0.0.0.0
fw1 openvpn.conf

dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth RSA-SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <<public ip="">>
tls-server
server 10.12.252.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
ifconfig 10.12.252.1 10.12.252.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 1
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.4096
topology subnet</public>

fw2 ospfd.conf

password test1234
interface igb1
interface ovpnc1
  ip ospf network point-to-point
  ip ospf cost 50
router ospf
  ospf router-id 192.168.141.1
  redistribute connected
  network 10.12.252.0/24 area 0.0.0.0

fw2 openvpn.conf

dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth RSA-SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <<public ip="">>
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote <<public ip="" server="">> 1194
ifconfig 10.12.252.2 10.12.252.1
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
resolv-retry infinite
topology subnet</public></public>

junicast · Jul 7, 2017, 11:47 AM

I switched to Shard Secret mode and now it's working just fine.