Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
fryzoy
Sep 21, 2005
What.

This is probably going to end up being a dumb question, but I am out of ideas:

The situation is that I want to connect to multiple OpenVPN servers and then be able to open sockets going through any of the VPN connections by bind()-ing on the TUN-device's local IP address.
The thing is I can't let OpenVPN add routes, because the server is PUSHing a request to set up a default route - I don't want normal traffic to go through any of the VPNs/TUN devices.
So let's say OpenVPN sets up a TUN POINTOPOINT device with the local IP of 10.10.11.6 and a remote IP of 10.10.11.5. Aside from the default route the following routes would be added:
code:
route add -net <the public IP of the OpenVPN server> netmask 255.255.255.255 gw <my network's router>
route add -net 10.10.11.0 netmask 255.255.255.0 gw 10.10.11.5
the default route(s) would have been going out over 10.10.11.5, too:
code:
route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.10.11.5
route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.10.11.5
Now my understanding is that I would not need any of the routes if I were to bind() my socket to the TUN device's local ip (.6).

As a testcase I have a "netcat -v -v -l -p 12345" running on a remote server and try to connect to it with "telnet -b 10.10.11.6 <server> 12345".

The first case is the above two routes plus the default route(s) and everything works, the server receives the connection from the VPN's endpoint. But I wouldn't need the bind() for that due to the default routes.

Now the second case, the one I want, is just the first two routes without the default route. Nothing arrives at the server and checking with wireshark tells me that the packets are not going through the TUN device but instead get sent directly through the default ethernet device, with a source IP of 10.10.11.6. Obviously that won't work because 10.10.11.6 is not a public IP.

It's as if the bind() is completely ignored and I have no idea anymore how to accomplish this without the default routes (in which case I can't have multiple VPN connections). This is my understanding of things:
- the routing table is only used for outgoing packets
- OpenVPN handles the "wire-side" of the TUN device, rewriting and packaging packets in the SSL VPN stream and then sending them off over the public ethernet device, and also receiving responses and unpackaging them and then writing them into the TUN device
- bind()-ing a socket to a IP should make the packets go through the associated network device (in this case the TUN device) if it is successful.

I hope these are all the necessary details. I must be misunderstanding some things about the effect of the routing rules, hopefully someone can figure out where my path of thought goes wrong and enlighten me or if there is some other way to accomplish what I want.

Adbot
ADBOT LOVES YOU

fryzoy
Sep 21, 2005
What.

Ninja Rope posted:

On FreeBSD I'd use pf to set next-hop and reply-to based on source IP. On Linux I'd do the same thing with iptables marking packets and ip rule matching them and assigning them a different routing table with a different default gateway set.

Thank you so much! source-based routing was the keyword and using a different routing table works perfectly! This was driving me crazy, thanks again!

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply