Redistribute openvpn remote access tunnel network in quagga ospf



  • Hi,

    I have 3 offices: "A", "B", "C". I made a hub and spoke topology with ovpn site-to-site config.
    "A" is the hub. I use quagga ospf to distribute routes between sites. ("A" and "B" have 2 internet connections.)
    "A" also has openvpn remote access. My plan is that only "A" has remote access vpn and from
    this location both "B" and "C" are accessible. The problem is that for some reason quagga does not distribute the
    ovpn remote access network, even though I added it to the quagga config (under interface settings). Everything
    works if I set up a static route on the "B" and "C" offices to route the ovpn remote access network to the proper gateway.
    Can anyone help with how I can dynamically distribute the ovpn remote access network?

    Thanks,

    klajosh



  • quagga should work fine if properly configured.

    make sure all your pf servers run quagga in the same zone, then enter all the subnets that you wish to distribute on each server.
    also, be sure you have picked the right interface (ovpn).


  • Rebel Alliance Developer Netgate

    Try manually entering the subnet to distribute in the list on the main page for the quagga config rather than selecting the interface. The way quagga sees the interface it probably only sees the /30 that openvpn puts on the vpn interface itself, and not the whole /24 for the vpn subnet.

    If you enter it into the redistribute list manually it should work that way.



  • Hi,

    Sorry for the late feedback, but I had a workaround for this, though it is ugly: I made static routes back to
    the ovpn remote access network. But since pfsense does not support floating routes I can have only one static
    route, no redundancy.  :(

    jimp: I tried your idea but it did not solve the issue. 10.0.1.0/24 is the subnet that is used
    for openvpn remote access users. And this is what the A site pfsense routing table has:

    ============ OSPF network routing table ============
    N    10.0.1.2/32          [10] area: 0.0.0.0
                              directly attached to ovpns1
    ------snip------
    K>* 10.0.1.0/24 via 10.0.1.2, ovpns1
    O  10.0.1.2/32 [110/10] is directly connected, ovpns1, 00:07:57
    C>* 10.0.1.2/32 is directly connected, ovpns1

    This is what B and C site routing table has:

    B:
    ============ OSPF network routing table ============
    N    10.0.1.2/32          [15] area: 0.0.0.0
                              via 172.16.2.65, ovpnc2
    ------snip------
    O>* 10.0.1.2/32 [110/15] via 172.16.2.65, ovpnc2, 00:11:03

    C:
    ============ OSPF network routing table ============
    N    10.0.1.2/32          [15] area: 0.0.0.0
                              via 172.16.2.1, ovpnc1
    ------snip------
    O>* 10.0.1.2/32 [110/15] via 172.16.2.1, ovpnc1, 00:11:36

    So for some reason the route is not advertised. I removed the ovpn remote access
    interface from quagga interfaces.

    heper: thanks. I have already done that.

    Any help is welcome. I am wondering if I cannot address this problem with a multiwan gateway setup?
    Still ugly but the solution has redundancy at least.

    thanks,

    klajosh
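
Added example (not part of any post in this thread): a small Python check run over the route lines posted above for hub "A" and spoke "B", showing that 10.0.1.0/24 exists on the hub only as a kernel route while the spoke learns just the /32 through OSPF. The function names and result keys are assumptions made for this illustration.

```python
import ipaddress
import re

# Route lines as posted in the thread for hub "A" and spoke "B".
HUB_A = """\
K>* 10.0.1.0/24 via 10.0.1.2, ovpns1
O  10.0.1.2/32 [110/10] is directly connected, ovpns1, 00:07:57
C>* 10.0.1.2/32 is directly connected, ovpns1
"""
SPOKE_B = "O>* 10.0.1.2/32 [110/15] via 172.16.2.65, ovpnc2, 00:11:03\n"

# Zebra route line: source code letter (K kernel, C connected, S static,
# O OSPF), optional ">" / "*" flags, then the prefix.
ROUTE_RE = re.compile(r"^\s*([A-Z])\s*([>* ]*)(\d+\.\d+\.\d+\.\d+/\d+)\s")


def parse_routes(text):
    """Return [(code, network)] for every route line in `text`."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(3), strict=False)
            routes.append((m.group(1), net))
    return routes


def diagnose(wanted, hub_text, spoke_text):
    """Compare how `wanted` appears on the hub and on a spoke (hypothetical helper)."""
    wanted = ipaddress.ip_network(wanted)
    hub, spoke = parse_routes(hub_text), parse_routes(spoke_text)
    hub_sources = sorted({c for c, n in hub if n == wanted})
    spoke_ospf = [n for c, n in spoke if c == "O"]
    # The spoke is fine if any OSPF-learned route contains the wanted prefix.
    covered = any(wanted.subnet_of(n) for n in spoke_ospf)
    # Smaller OSPF routes inside the prefix (e.g. only the tunnel /32).
    fragments = [str(n) for n in spoke_ospf if n != wanted and n.subnet_of(wanted)]
    if covered:
        verdict = "spoke learns the prefix via OSPF"
    elif hub_sources:
        verdict = "hub has the prefix as %s but the spoke does not learn it via OSPF" % "/".join(hub_sources)
    else:
        verdict = "prefix absent on hub"
    return {"hub_sources": hub_sources, "covered": covered,
            "fragments": fragments, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose("10.0.1.0/24", HUB_A, SPOKE_B))
```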



  • i have multiple sites with multi-wan doing redundant vpn tunnels using ospf (even some mixed OpenOSPF with quagga on the other end).

    if the tunnel is up correctly and there are rules that allow packets to flow in both directions, then ospf should advertise.
    Using static routes is not a good way to route an openvpn tunnel.



  • Hi,
    The problem is not with advertisements of the LAN networks but the openvpn roadwarrior's network.
    The roadwarrior's ip subnet is 10.0.1.0/24.
    Check the attachment


