Netgate Discussion Forum
    [solved] Running OSPF on tun OpenVPN

    Category: OpenVPN
    junicast wrote:

      Hi,

      This issue touches different topics, but I want to put it in OpenVPN because I think the trouble might be there.

      I have two routers running 2.3.4 AMD64. Both systems are directly connected via igb1:
      fw1 192.168.141.2 <–> 192.168.141.1 fw2

      There is also a VPN link that both routers have set up over WAN. This is a tun VPN with mode Peer to Peer (SSL/TLS). I chose this mode because when I set up the tunnel with Shared Secret I didn't get IP addresses on the openvpn interfaces.
      fw1 10.12.252.1 <–> 10.12.252.2 fw2

      Over those two links I run OSPF. The idea behind it is that if the physical link goes down, data can still run over the VPN link.
      OSPF doesn't seem to be my problem because the routes are set fine. Since I set the metric to 50 for the VPN link, all data between the routers runs over the physical igb1. When I disconnect igb1, OSPF sets the routes so that data should run over the tunnel. The OSPF states are OK (Full) and I checked the routes manually.

      Now comes the strange thing:
      Of course there are regular clients connected to every firewall. fw1 is in 192.168.149.0/24 while fw2 is running 192.168.144.0/24.
      I want to ping pc1 to pc2:
      pc1 192.168.144.50 <–> 192.168.144.100 fw2 10.12.252.2 <–> 10.12.252.1 fw1 192.168.149.100 <–> 192.168.149.50 pc2
      When the ICMP packet arrives at fw2 it is sent into the tunnel. I verified that via tcpdump. When I look at the other side of the tunnel on fw1 I do NOT receive the ICMP packet on that device. Still talking about the echo request packet.
      That's why communication breaks down when traffic ought to run over the VPN.  :-[

      Could someone point me in the right direction?
      The Firewall is configured that all packets on the vpn links should pass. There is also no packet shown in filter.log.
      I've also tried to create openvpn interfaces via interfaces -> assign and to use them in the quagga config, but that didn't work either.

      fw1 ospfd.conf
      password test1234
      interface igb1
      interface ovpns1
        ip ospf network point-to-point
        ip ospf cost 50
      router ospf
        ospf router-id 192.168.141.2
        redistribute connected
        network 192.168.141.0/24 area 0.0.0.0
        network 10.12.252.0/24 area 0.0.0.0

      fw1 openvpn.conf

      dev ovpns1
      verb 1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth RSA-SHA512
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local <<public ip>>
      tls-server
      server 10.12.252.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server1
      ifconfig 10.12.252.1 10.12.252.2
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 1
      ca /var/etc/openvpn/server1.ca 
      cert /var/etc/openvpn/server1.cert 
      key /var/etc/openvpn/server1.key 
      dh /etc/dh-parameters.4096
      topology subnet
      

      fw2 ospfd.conf

      password test1234
      interface igb1
      interface ovpnc1
        ip ospf network point-to-point
        ip ospf cost 50
      router ospf
        ospf router-id 192.168.141.1
        redistribute connected
        network 10.12.252.0/24 area 0.0.0.0
      
      

      fw2 openvpn.conf

      dev ovpnc1
      verb 1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth RSA-SHA512
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local <<public ip>>
      tls-client
      client
      lport 0
      management /var/etc/openvpn/client1.sock unix
      remote <<public ip server>> 1194
      ifconfig 10.12.252.2 10.12.252.1
      ca /var/etc/openvpn/client1.ca 
      cert /var/etc/openvpn/client1.cert 
      key /var/etc/openvpn/client1.key 
      resolv-retry infinite
      topology subnet
      
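The two configurations in the post can be checked mechanically for the things that let OSPF reach Full while forwarded packets still never show up on the far tun interface. The script below is an added example written for this page; it is not code from the post, from pfSense, or from the OpenVPN or Quagga projects. It embeds abbreviated copies of the posted openvpn.conf and ospfd.conf files as constructed strings, together with the interface addresses the post gives, and reports two findings: an OSPF `interface` that no `network` statement covers (fw2's igb1 in the posted ospfd.conf), and the missing `iroute`. The second check rests on documented OpenVPN behaviour: `tls-server` with a `server` line runs OpenVPN in multi-client mode, and in that mode the server only forwards packets from a client whose source address is the client's tunnel IP or a subnet given by `iroute` in its client-config-dir entry; anything else is dropped before it reaches the tun device, with `MULTI: bad source address from client` in the log. The post does not show the client-config-dir entry, so the example assumes it is empty (hypothetical).

```python
"""Consistency checks for an OpenVPN tun link carrying OSPF between two routers.

Added example, not from the forum post or from pfSense/OpenVPN/Quagga. It parses
the posted openvpn.conf and ospfd.conf files (abbreviated, constructed strings
below) and reports mismatches that break forwarding even when OSPF is Full.
"""
import ipaddress
import re

# Constructed inputs: abbreviated copies of the configs shown in the post.
FW1_OPENVPN = """
dev ovpns1
tls-server
server 10.12.252.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
ifconfig 10.12.252.1 10.12.252.2
topology subnet
"""
FW2_OPENVPN = """
dev ovpnc1
tls-client
client
ifconfig 10.12.252.2 10.12.252.1
topology subnet
"""
FW1_OSPFD = """
interface igb1
interface ovpns1
  ip ospf network point-to-point
router ospf
  ospf router-id 192.168.141.2
  network 192.168.141.0/24 area 0.0.0.0
  network 10.12.252.0/24 area 0.0.0.0
"""
FW2_OSPFD = """
interface igb1
interface ovpnc1
  ip ospf network point-to-point
router ospf
  ospf router-id 192.168.141.1
  network 10.12.252.0/24 area 0.0.0.0
"""
# Interface addresses and the LAN behind fw2, as described in the post.
FW1_ADDRS = {"igb1": "192.168.141.2", "ovpns1": "10.12.252.1"}
FW2_ADDRS = {"igb1": "192.168.141.1", "ovpnc1": "10.12.252.2"}
FW2_LAN = "192.168.144.0/24"
# The server's client-config-dir entry for fw2 is not shown in the post;
# assume it is empty (hypothetical).
FW1_CCD_FOR_FW2 = ""


def parse_openvpn(text):
    """Map each OpenVPN directive to its argument list (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            conf[directive] = args
    return conf


def parse_ospfd(text):
    """Return (router_id, [network statements as ip_network], [interface names])."""
    router_id, networks, ifaces = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            ifaces.append(m.group(1))
        elif m := re.match(r"ospf router-id (\S+)", line):
            router_id = m.group(1)
        elif m := re.match(r"network (\S+) area", line):
            networks.append(ipaddress.ip_network(m.group(1)))
    return router_id, networks, ifaces


def parse_iroutes(ccd_text):
    """Subnets an 'iroute' line claims for the client (default mask is /32)."""
    nets = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "iroute":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def ovpn_mode(conf):
    """Classify the link: static key, multi-client server, or TLS point-to-point."""
    if "secret" in conf:
        return "static-key p2p"
    if "server" in conf:
        return "multi-client server"
    return "tls p2p"


def check_site(name, ospfd_text, addrs):
    """Every interface listed in ospfd.conf must fall inside a network statement."""
    findings = []
    _, networks, ifaces = parse_ospfd(ospfd_text)
    for iface in ifaces:
        addr = ipaddress.ip_address(addrs[iface])
        if not any(addr in net for net in networks):
            findings.append(f"{name}: {iface} ({addr}) is not covered by any OSPF network statement")
    return findings


def check_tunnel(server, client, client_lan, ccd_text):
    """Peer addresses must mirror, and server mode needs an iroute for the client's LAN."""
    findings = []
    s_local, s_remote = (server.get("ifconfig") or [None, None])[:2]
    c_local, c_remote = (client.get("ifconfig") or [None, None])[:2]
    if (s_local, s_remote) != (c_remote, c_local):
        findings.append(f"ifconfig not mirrored: server {s_local}/{s_remote}, client {c_local}/{c_remote}")
    if ovpn_mode(server) == "multi-client server":
        lan = ipaddress.ip_network(client_lan)
        if not any(lan.subnet_of(r) for r in parse_iroutes(ccd_text)):
            findings.append(f"server mode without an iroute for {client_lan}: OpenVPN drops packets "
                            "from that LAN arriving over the client tunnel (MULTI: bad source address)")
    return findings


def run_all():
    """Apply both checks to the posted configuration; returns a list of warnings."""
    fw1, fw2 = parse_openvpn(FW1_OPENVPN), parse_openvpn(FW2_OPENVPN)
    findings = check_site("fw1", FW1_OSPFD, FW1_ADDRS) + check_site("fw2", FW2_OSPFD, FW2_ADDRS)
    return findings + check_tunnel(fw1, fw2, FW2_LAN, FW1_CCD_FOR_FW2)


if __name__ == "__main__":
    for finding in run_all():
        print("WARN:", finding)
```

Running it against the posted files reports fw2's igb1 as outside every OSPF `network` statement and the absent `iroute` for 192.168.144.0/24; adding `iroute 192.168.144.0 255.255.255.0` to the CCD entry (the "Remote Networks" field of the client-specific override in pfSense) clears the second warning. A Shared Secret tunnel, which is what the thread ended with, is a plain point-to-point link with no per-client routing table, so that mode never needs the iroute in the first place.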
      junicast wrote:

        I switched to Shared Secret mode and now it's working just fine.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.