Netgate Discussion Forum
    still struggling with 2nd VPN fallback - strange routing effect

    OpenVPN
      gwaitsi
      last edited by gwaitsi

      So I have the following setup which works perfectly with a single VPN.

      • WAN allows a few exceptions to pass, i.e. China GeoIPs, work laptop VPN
      • default route is set to the VPN Gateway Group (Member Down), VPN1 Tier 1, VPN2 Tier 2
      • static route for the pfSense packages over the WAN (so the package manager works with the VPN up or down)
      • VPN directs all WAN traffic to the VPN Gateway Group (with the exception of the above, which goes through the WAN)
      • 2 x DNS servers are configured for each of the WAN, VPN1 and VPN2 interfaces
      • DNS is redirected to the pfSense box, DNS Resolver used
      • Google Safe Search is force-redirected

      With only VPN1 enabled, everything works as it should, i.e.

      • no browser traffic passes if VPN1 is down, but everything works if VPN1 is up
      • the work laptop can still reach its own VPN if VPN1 is down, but cannot browse, etc. if its own VPN is down

      Here is where the problem begins:

      • if I bring VPN2 up, even though it is Tier 2, Member Down in the gateway group, strange routing issues occur,
        i.e. the Linux Mint client can no longer do its own package refresh.

      VPN client Config

      Topology = Subnet One IP
      Don't Pull Routes = unchecked
      Don't Add/Remove Routes = unchecked
      Compression LZO
      UDP Fast I/O = checked
      Send/Receive Buffer 512 KiB
      
      Custom Options
      remote-random;
      pull;
      verify-x509-name Server name-prefix;
      remote-cert-tls server;
      key-direction 1;
      route-method exe;
      route-delay 2;
      tun-mtu 1500;
      fragment 1300;
      mssfix 1450;
      auth-nocache;
      

      Below is the apt-get update output with only VPN1 enabled:

      Ign:1 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
      Hit:2 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa Release
      Hit:3 http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial InRelease
      Hit:4 http://archive.canonical.com/ubuntu bionic InRelease
      Hit:5 http://ubuntu.mirror.tudos.de/ubuntu bionic InRelease
      Hit:6 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
      Hit:7 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates InRelease
      Hit:8 http://security.ubuntu.com/ubuntu bionic-security InRelease
      Hit:9 http://ubuntu.mirror.tudos.de/ubuntu bionic-backports InRelease
      Hit:10 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
      Hit:11 https://repo.skype.com/deb stable InRelease
      Hit:12 http://ppa.launchpad.net/obsproject/obs-studio/ubuntu xenial InRelease
      Hit:14 http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu xenial InRelease
      Hit:15 http://ppa.launchpad.net/team-xbmc/ppa/ubuntu bionic InRelease
      Hit:16 http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu xenial InRelease
      Hit:17 http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu xenial InRelease
      Hit:18 https://updates.signal.org/desktop/apt xenial InRelease
      Reading package lists... Done


      Below is the apt-get update output with both VPN1 and VPN2 enabled.

      I don't understand why the routing is being affected, as the path is not even supposed to be available unless VPN1 is down.

      I should also mention that it doesn't matter which VPN is up or down; so long as only one is up, it works correctly.

      Hit:1 http://archive.canonical.com/ubuntu bionic InRelease
      Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
      Hit:3 http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial InRelease
      Hit:4 https://repo.skype.com/deb stable InRelease
      Hit:5 http://ubuntu.mirror.tudos.de/ubuntu bionic InRelease
      Get:6 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates InRelease [88.7 kB]
      Get:7 http://ubuntu.mirror.tudos.de/ubuntu bionic-backports InRelease [74.6 kB]
      Hit:8 https://updates.signal.org/desktop/apt xenial InRelease
      Get:9 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main amd64 Packages [682 kB]
      Get:10 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main i386 Packages [559 kB]
      Get:11 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main Translation-en [251 kB]
      Get:12 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe amd64 Packages [970 kB]
      Get:13 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe i386 Packages [954 kB]
      Get:14 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe Translation-en [293 kB]
      Err:15 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
        Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
      Err:16 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
        Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
      Err:17 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
        Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      Err:18 http://ppa.launchpad.net/obsproject/obs-studio/ubuntu xenial InRelease
        Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      Err:19 http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu xenial InRelease
        Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      Err:20 http://ppa.launchpad.net/team-xbmc/ppa/ubuntu bionic InRelease
        Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      Err:21 http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu xenial InRelease
        Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      Err:22 http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu xenial InRelease
        Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      Fetched 3,960 kB in 31s (127 kB/s)
      Reading package lists... Done
      W: Failed to fetch http://ppa.launchpad.net/jtaylor/keepass/ubuntu/dists/xenial/InRelease  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
      W: Failed to fetch http://ppa.launchpad.net/libreoffice/ppa/ubuntu/dists/bionic/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      W: Failed to fetch http://ppa.launchpad.net/obsproject/obs-studio/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      W: Failed to fetch http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages/dists/tessa/InRelease  Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
      W: Failed to fetch http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      W: Failed to fetch http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/bionic/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      W: Failed to fetch http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      W: Failed to fetch http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
      W: Some index files failed to download. They have been ignored, or old ones used instead.
      
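An added example, not part of the post above or of pfSense: a small Python triage script that parses apt-get update output of the shape quoted in the post and groups the failures by mirror host and by failure class. The two classes matter for a routing problem like this one: "connect (101: Network is unreachable)" is errno ENETUNREACH, meaning the client kernel had no route to that address at all (in the post that is the mirror's IPv6 address), while "connection timed out" means a route did exist, the SYN was sent through whichever gateway won, and nothing came back, which is what a wrong or asymmetric policy route looks like from the client. The SAMPLE string is a constructed, trimmed copy of the post's second apt run; no other input is assumed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the "both VPNs enabled" apt-get update
# output quoted in the post, keeping one line of each shape that appears there.
SAMPLE = """\
Hit:1 http://archive.canonical.com/ubuntu bionic InRelease
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:5 http://ubuntu.mirror.tudos.de/ubuntu bionic InRelease
Err:15 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
  Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
Err:16 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
Err:17 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Fetched 3,960 kB in 31s (127 kB/s)
Reading package lists... Done
"""

# "Hit:1 http://host/path suite InRelease" -> status and URL of the index fetched.
STATUS_RE = re.compile(r"^(Hit|Get|Ign|Err):\d+\s+(\S+)")
# errno 101 (ENETUNREACH): the client kernel had no route to this address at all.
NO_ROUTE_RE = re.compile(r"\(([0-9A-Fa-f:.]+)\)\. - connect \(101: Network is unreachable\)")
# A route existed, the SYN left the box, and nothing came back.
TIMEOUT_RE = re.compile(r"\(([0-9A-Fa-f:.]+)\), connection timed out")
# apt's generic tag when it reports only the address it tried.
IP_TAG_RE = re.compile(r"\[IP: ([0-9A-Fa-f:.]+) (\d+)\]")


def _new_entry():
    return {"reached": 0, "failed": 0, "no_route": set(), "timeout": set(), "other": set()}


def classify_errors(text):
    """Group apt-get update results by mirror host.

    Returns {host: {"reached": n, "failed": n, "no_route": {ip}, "timeout": {ip},
    "other": {ip}}}. The per-address sets tell the two failure modes apart: a
    'no_route' entry is a routing-table problem on the client itself, while a
    'timeout' entry means the packet was routed somewhere and never answered.
    """
    report = {}
    current = None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status, url = m.groups()
            entry = report.setdefault(urlsplit(url).hostname, _new_entry())
            if status == "Err":
                entry["failed"] += 1
                current = entry          # detail lines that follow belong to this host
            else:
                if status != "Ign":      # Ign is not a reachability result
                    entry["reached"] += 1
                current = None
            continue
        if current is None or not line.startswith(" "):
            continue
        no_route = NO_ROUTE_RE.findall(line)
        timeouts = TIMEOUT_RE.findall(line)
        current["no_route"].update(no_route)
        current["timeout"].update(timeouts)
        if not no_route and not timeouts:
            current["other"].update(ip for ip, _port in IP_TAG_RE.findall(line))
    return report


def _with_family(ips):
    # Label each address with its family so an IPv6-only 'no route' stands out.
    return ", ".join(f"{ip} (IPv{ipaddress.ip_address(ip).version})" for ip in sorted(ips))


def summarize(report):
    """One line per host that had failures, hosts in sorted order."""
    lines = []
    for host in sorted(report):
        e = report[host]
        if not e["failed"]:
            continue
        parts = []
        if e["no_route"]:
            parts.append("no route to " + _with_family(e["no_route"]))
        if e["timeout"]:
            parts.append("SYN timeout to " + _with_family(e["timeout"]))
        if e["other"]:
            parts.append("connect failed to " + _with_family(e["other"]))
        lines.append(f"{host}: {e['failed']} failed, {e['reached']} reached; " + "; ".join(parts))
    return lines


if __name__ == "__main__":
    for line in summarize(classify_errors(SAMPLE)):
        print(line)
```

Run against the sample, it reports ftp.nluug.nl as "no route" for its IPv6 address and "SYN timeout" for its IPv4 address, and ppa.launchpad.net as timeouts only. Feeding it the output of the working run (only VPN1 up) gives no failure lines, so diffing the two summaries isolates exactly which destinations changed class when the second tunnel came up, which is the set to trace through the gateway group and the client's routing table.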