Linux – Tough routing problem with Linux, Quagga and OpenVPN

linuxopenvpnospfquaggarouting

The Setup

I have an OpenVPN server that acts as a central router. It is configured with "topology subnet" command. Clients are Debian Linux nodes and each have one (or more) subnets directly connected to them.

The objective is for any client connected to the VPN to be able to access the subnets connected behind each other client.

In order to spread the routing information, we have installed Quagga on the clients and on the server. This works fine using the OSPF daemon. Routing is enabled on all the clients and the server as well.

Routing table

The routing table on the server is the following :

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.10.1       10.8.0.4        255.255.255.255 UGH   20     0        0 tun0
192.168.100.0   10.8.0.4        255.255.255.0   UG    20     0        0 tun0
192.168.1.0     10.8.0.4        255.255.255.0   UG    20     0        0 tun0

The subnet I want to access is 192.168.100.0/24. The gateway in question responds perfectly fine and I can connect to it alright.

I don't think this will be of any use but here is part of the client routing table :

10.2.10.1       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Where things start going south

Pinging from the server (10.8.0.1) to any hosts (including the VPN client interface) in the 192.168.100.0/24 subnet fails. If I tcpdump the tun interface on the VPN client, I see no relevant package. If I tcpdump the tun interface on the VPN server, I see the package in question being sent out.

The real edgy thing is that when I traceroute to a valid IP in the 192.168.100.0 subnet, it doesn't discover any hops (there should be just one). If I traceroute directly to the next hop (10.8.0.4), it responds fine.

I really hope I am being clear as this is quite a complex problem. I'll be happy to provide extra information at your request.

Best Answer

What I find strange is it that client's routing tables are pointing to nowhere (0.0.0.0). It is ok for local networks but for 10.2.10.1 that passes trough a tunnel it might be a problem.

Creating a new IP rule table

Begin by inspecting iproute2's table definition file. We want to make sure we don't use the name or number of any existing rule tables.

cat /etc/iproute2/rt_tables

You'll likely see something along these lines:

# reserved values
255      local 
254      main
253      default   
0        unspec
#
# local
#
#1      inr.ruhep

Pick an arbitrary number and name for your new rule table -- anything not used above. I will use number 201 and name novpn for the remainder of this answer.

Append a definition directly to the definition file or edit it in the text editor of your choice:

echo "201 novpn" >> /etc/iproute2/rt_tables

Add a new IP rule to lookup the no-VPN table

Check for any existing ip rules that deal with netfilter masks:

ip rule show | grep fwmark

If grep turns up nothing, you're in the clear. If it does print some lines, take note of the hexadecimal number to the right of the word fwmark in each line. You will need to pick a number that is not currently in use. Since I had no existing fwmark rules, I chose the number 65.

ip rule add fwmark 65 table novpn

What this does is cause any packets with netfilter mask 65 to lookup our new novpn table for instructions on how to route the packets.

Direct all traffic in our new table to use the Ethernet interface

ip route add default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn

The important thing to note here is dev eth0. This forces all traffic that passes through the novpn table to only use the hardware Ethernet interface, instead of the virtual tunnel interface that your VPN creates.

Now would be a good time to flush your iproute cache, to make sure your new rules and routes take immediate effect:

ip route flush cache

Instruct firewall rule to mark all SSH traffic with the designated netfilter mask

iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65

There are too many options here for me to explain in any great depth. I strongly encourage you to read the manual page for iptables to get a sense of what's going on here:

man iptables

In a nutshell: we are appending an output rule to the firewall's mangle table (for specialized packet handling) that instructs it to mark any TCP packets originating from source port 22 with our designated netfilter mask 65.

What next?

At this point, you should be ready to test SSH. If all goes well, you should be met with the happy "login as" prompt.

For security's sake, I recommend you instruct your firewall to drop any incoming SSH requests from the tunnel interface:

iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP

Note that the all of the instructions above are transient (except for the creation of the rule table ID) -- they will clear the next time you restart your computer. Making them permanent is an exercise I leave to you.

Linux – OpenVPN tun routing (can ping tun interfaces) with mikrotik and NAT on both ends

Solution

On Mikrotik nat for OPVN was missing:

srcnat -o OPVN -acction masquerade

This fix the problem on Mikrotik site