OpenVPN Site to Site with OSPF



  • Hi!

    I've 3 sites (with around 10 different networks each) that are already connected to each other (with OpenVPN iroutes).

    What I would like to achieve is to have a better redundant topology with OSPF.

    I already configured Quagga OSPF and I can see the routes being delivered, but since it seems that OpenVPN needs "iroutes" to connect networks BEHIND the VPN tunnels, I won't be able to achieve this scenario.

    NATing is not an option for me.

    Has anyone tried something like this before?


  • LAYER 8 Netgate

    If you are running servers (SSL/TLS with a tunnel network larger than /30) you cannot run OSPF because OSPF cannot insert iroutes into OpenVPN.

    You can run in point-to-point mode (set the tunnel network to /30 or use shared-key) and run OSPF between endpoints.

    Advice: Pretend Quagga doesn't exist and build it using frr instead.



  • @Derelict:

    If you are running servers (SSL/TLS with a tunnel network larger than /30) you cannot run OSPF because OSPF cannot insert iroutes into OpenVPN.

    You can run in point-to-point mode (set the tunnel network to /30 or use shared-key) and run OSPF between endpoints.

    Advice: Pretend Quagga doesn't exist and build it using frr instead.

    Isn't /30 deprecated?

    Would it work if I use Subnet topology + Shared Key?


  • Rebel Alliance Developer Netgate

    net30 is not deprecated, it just isn't the default any longer as subnet topology is superior.

    That said, subnet topology still doesn't work with FRR or Quagga for OSPF last time I tried. You have to use tap mode for that to work with multiple sites on a single server.



  • Isn't /30 deprecated?

    Not for point to point links.  In fact, even /31 can be used, if supported by the systems.

    net30 is not deprecated, it just isn't the default any longer as subnet topology is superior.

    Not necessarily.  On point to point links, you only need addresses for the end points, so no need for anything other than a /30 or /31.  In fact, even on IPv6, where there's no shortage of addresses, point to point links are still used.  A /64 prefix for a p-p connection is no longer recommended, due to security issues.

    https://tools.ietf.org/html/rfc6164


  • Rebel Alliance Developer Netgate

    @JKnott:

    net30 is not deprecated, it just isn't the default any longer as subnet topology is superior.

    Not necessarily.  On point to point links, you only need addresses for the end points, so no need for anything other than a /30 or /31.  In fact, even on IPv6, where there's no shortage of addresses, point to point links are still used.  A /64 prefix for a p-p connection is no longer recommended, due to security issues.

    But the OP is talking about a multi-site setup (one server, multiple clients) where the distinction is between net30 (not a /30 tunnel network) and subnet topology.

    You can't use a /30 on a server with multiple clients, it's no longer a point-to-point link.



  • Very well.

    So I followed your hint of P2P with Shared Key and configured as the following:

    Site A is Server for Site B
    Site A is Server for Site C
    Site B is Server for Site C

    Site C is Client for Site A
    Site C is Client for Site B
    Site B is Client for Site A

    Everything seems smooth in terms of route learning and inter-site connectivity.

    I did some traceroutes and I was able to see that if I interrupt the direct connectivity between A and B then A goes through C to achieve B. That's what I wanted!

    I had to set the same metric on quagga "Interface Settings" for all interfaces on all boxes to let OSPF decide the best paths. OSPF implementation seems to be smart enough to know the shortest path.

    Question: On site C I'm using 2 pfSense boxes with CARP. Is there any way to sync the Quagga configs between them? I only found the option to monitor the CARP interface…
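As an added example (not configuration posted in this thread), here is one leg of the triangle described above, the Site A to Site B shared-key point-to-point tunnel, together with an FRR ospfd stanza for Site A that gives both tunnel legs the same cost. Host names, tunnel /30s, the LAN prefix and the interface names (ovpns1, ovpns2, igb1) are assumed placeholders; on pfSense the OpenVPN lines are generated from the GUI and are shown only to make the /30 and the absence of iroutes explicit.

```conf
# file: Site A - OpenVPN, shared key, point-to-point, server side of the A<->B leg
# Tunnel network 10.255.1.0/30: A is .1, B is .2. No iroutes: OSPF running over
# the tunnel learns the networks behind each end instead.
dev tun
proto udp
port 1195
ifconfig 10.255.1.1 10.255.1.2
# static pre-shared key, identical file on both ends (placeholder path)
secret /etc/openvpn/siteA-siteB.key
keepalive 10 60
persist-key
persist-tun

# file: Site B - matching client side of the same leg
dev tun
proto udp
remote siteA.example.net 1195
ifconfig 10.255.1.2 10.255.1.1
secret /etc/openvpn/siteA-siteB.key
keepalive 10 60
persist-key
persist-tun

# file: Site A - FRR ospfd (hand-written equivalent of the pfSense FRR package GUI)
# ovpns1 = A<->B leg, ovpns2 = A<->C leg, igb1 = LAN (assumed names).
# Equal cost on both legs makes SPF prefer the direct A->B path (cost 10) and
# fall back to A->C->B (cost 20) only when the direct leg is down, which is the
# failover observed above. Unequal costs would bias the choice instead.
interface ovpns1
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-OSPF-KEY
interface ovpns2
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-OSPF-KEY
router ospf
 ospf router-id 10.255.1.1
 passive-interface igb1
 area 0 authentication message-digest
 network 10.255.1.0/30 area 0
 network 10.255.2.0/30 area 0
 network 192.168.10.0/24 area 0
```

The OSPF MD5 authentication lines are optional inside an already encrypted tunnel, but every neighbour must carry the same key id and key, since a mismatch silently drops hellos and the adjacency never forms. The LAN is passive so OSPF hellos are not sent onto the client network while its prefix is still advertised.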

