OpenVPN Net2Net routing issues

GrueMaster
Posts: 22
Joined: December 28th, 2017, 2:46 pm

OpenVPN Net2Net routing issues

Post by GrueMaster » January 5th, 2019, 1:44 am

OK, I have been struggling with this for a week now. Not getting anywhere, and Google has not been my friend in this (how setting up a roadwarrior IPsec connection on pfSense is related to IPFire OpenVPN net2net escapes me).

My situation: OfficeA in USA, OfficeB in India (can't get much further apart). Need to have Net2Net working between sites, primarily for a license server instance (OfficeA), but also for ldap (will have mirrors at both sites once this is working), and file transfers.

OfficeA:
Red: Static IP directly on internet at a colo datacenter
Green: bridged network (ldap is running in a VM on ipfire server - low overhead); 222.10.0.0/24 (ipfire 222.10.0.1)

OfficeB:
Red: Static IP directly on internet at Bangalore office
Green: 222.20.0.0/24 (ipfire 222.20.0.1) - will make bridge when ready to xfer ldap VM clone.

OpenVPN Configurations:
OfficeA:

# IPFire n2n Open VPN Client Config by ummeegge and m.a.d
# 
# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote <officeB red IP>
float
# IP addresses of the VPN Subnet
ifconfig 10.20.0.1 10.20.0.2
# Server Gateway Network
route 222.20.0.0 255.255.255.0
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/india-n2n 10
# Port and Protocol
port 2000
proto udp
# Packet size
tun-mtu 1500
fragment 1300
mssfix
# Auth. Server
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
# Cipher
cipher AES-256-CBC
# HMAC algorithm
auth SHA512
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon Indian2n
writepid /var/run/Indian2n.pid
# Activate Management Interface and Port
management localhost 2000

OfficeB:

# IPFire n2n Open VPN Client Config by ummeegge and m.a.d
# 
# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote 216.151.17.234
float
# IP addresses of the VPN Subnet
ifconfig 10.20.0.2 10.20.0.1
# Server Gateway Network
route 222.10.0.0 255.255.255.0
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/-n2n 10
# Port and Protocol
port 2000
proto udp
# Packet size
tun-mtu 1500
fragment 1300
mssfix
remote-cert-tls server
# Auth. Client
tls-client
# Cipher
cipher AES-256-CBC
pkcs12 /var/ipfire/ovpn/certs/India.p12
# HMAC algorithm
auth SHA512
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon Indian2n
writepid /var/run/Indian2n.pid
# Activate Management Interface and Port
management localhost 2000
# remsub 222.20.0.0/255.255.255.0

With this, I get a connection between the two, but that is it. I can't ping 222.10.0.* (4 systems currently) from any system on 222.20.0.0/24 (2 currently). I've tried adding 'redirect-gateway def1', but that will cause the connections to fail to start with:

ERROR: Linux route delete command failed: external program exited with error status: 2

I'd like to get this up and running soon, as we have new developers coming online and will need to share licenses between sites (hence the license server). We're a small startup, so we can't just buy more licenses (~$10K/seat).

I don't need internet traffic to route between sites, that can just hit the local firewall and go out. But I do need to route between sites.

GrueMaster
Posts: 22
Joined: December 28th, 2017, 2:46 pm

Re: OpenVPN Net2Net routing issues

Post by GrueMaster » January 5th, 2019, 5:28 pm

Additional info.

Routes:
OfficeA:

[root@ipfire ~]# route |fgrep -v red0   # No need to post external IP, that part works
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.0.2       *               255.255.255.255 UH    0      0        0 tun1
10.25.16.0      10.25.16.2      255.255.255.0   UG    0      0        0 tun0
10.25.16.2      *               255.255.255.255 UH    0      0        0 tun0
222.10.0.0      *               255.255.255.0   U     0      0        0 green0
222.20.0.0      10.20.0.2       255.255.255.0   UG    0      0        0 tun1

OfficeB:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.0.1       *               255.255.255.255 UH    0      0        0 tun1
10.182.78.0     10.182.78.2     255.255.255.0   UG    0      0        0 tun0
10.182.78.2     *               255.255.255.255 UH    0      0        0 tun0
222.10.0.0      10.20.0.1       255.255.255.0   UG    0      0        0 tun1
222.20.0.0      *               255.255.255.0   U     0      0        0 green0
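A mechanical check over routing tables like the two above, as an added example that is not part of the thread or of IPFire: it parses `route` output in the format posted, finds the longest-prefix match for the remote GREEN subnet, and confirms that it points at the peer's tunnel address on the tun interface and that the peer address itself has a host route there. The OfficeA table is embedded as constructed sample input copied from the post; the function names are this example's own.

```python
"""Check a net2net peer's kernel routing table (added example, not IPFire code)."""
import ipaddress

# Constructed sample input: the OfficeA table from the post above.
OFFICE_A_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.0.2       *               255.255.255.255 UH    0      0        0 tun1
10.25.16.0      10.25.16.2      255.255.255.0   UG    0      0        0 tun0
10.25.16.2      *               255.255.255.255 UH    0      0        0 tun0
222.10.0.0      *               255.255.255.0   U     0      0        0 green0
222.20.0.0      10.20.0.2       255.255.255.0   UG    0      0        0 tun1
"""


def parse_route_table(text):
    """Return one dict per routing entry; the two header lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        dest, gateway, genmask, flags = parts[0], parts[1], parts[2], parts[3]
        # `route` without -n prints the default route's destination as 'default'
        dest = "0.0.0.0" if dest == "default" else dest
        entries.append({
            "net": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": None if gateway == "*" else ipaddress.ip_address(gateway),
            "flags": flags,
            "iface": parts[-1],
        })
    return entries


def route_for(entries, target):
    """Longest-prefix match: the most specific entry that contains `target`."""
    target = ipaddress.ip_network(target, strict=False)
    best = None
    for entry in entries:
        if target.subnet_of(entry["net"]) and (
                best is None or entry["net"].prefixlen > best["net"].prefixlen):
            best = entry
    return best


def check_n2n_routes(table_text, remote_green, peer_addr, tun_iface):
    """Return a list of problems; an empty list means this site's routing looks right."""
    entries = parse_route_table(table_text)
    peer = ipaddress.ip_address(peer_addr)
    problems = []

    # 1. The remote LAN must be reached through the tunnel peer on the tun device.
    lan = route_for(entries, remote_green)
    if lan is None:
        problems.append(f"no route to {remote_green}")
    elif lan["gateway"] != peer or lan["iface"] != tun_iface:
        problems.append(
            f"{remote_green} is routed via {lan['gateway']} on {lan['iface']}, "
            f"expected {peer} on {tun_iface}")

    # 2. The peer's tunnel address needs its own /32 host route on that device.
    host = route_for(entries, f"{peer}/32")
    if host is None or host["net"].prefixlen != 32 or host["iface"] != tun_iface:
        problems.append(f"no host route to tunnel peer {peer} on {tun_iface}")
    return problems


if __name__ == "__main__":
    # For the posted OfficeA table this prints an empty list.
    print(check_n2n_routes(OFFICE_A_ROUTES, "222.20.0.0/24", "10.20.0.2", "tun1"))
```

Run it against each site's table with that site's remote GREEN, peer tunnel address and tun device. For the two tables posted, both sides pass, which narrows the fault to something other than the firewalls' own tunnel routes.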

GrueMaster
Posts: 22
Joined: December 28th, 2017, 2:46 pm

Re: OpenVPN Net2Net routing issues

Post by GrueMaster » January 5th, 2019, 7:14 pm

Just ran an additional test. Since my home is very close to OfficeA (a 45-minute drive), I made an N2N connection between OfficeA and my home ipfire system. Same settings as above (Home subnet 222.30.0.0/24, VPN 10.20.10.0/24, port 1492) and everything just works. I can ssh to any system in the office from any system in my house, and any office system can ssh to any system at home.

I also deleted and recreated the config for OfficeB (India) with the same settings as home (subnet 222.20.0.0/24, VPN 10.20.0.0/24, port 1947) and other than ipfire<>ipfire connection, nothing. No traffic either way.

Is it a global network routing issue? I'm able to vpn to India (RW) no problem, and they vpn to our servers (again, RW). Should I create some hops on AWS? I'm at a loss here.

UAW-Chrysler NTC
Posts: 16
Joined: October 23rd, 2018, 10:29 am

Re: OpenVPN Net2Net routing issues

Post by UAW-Chrysler NTC » January 9th, 2019, 6:26 pm

I do these configs all the time.
From your description I can say this.

1. You speak of a bridge network
Your GREEN should be a private IP network address
Make sure your Office B uses a different private IP address
This ensures no conflict when you set up the VPN site to site
Also check that the generated IP for the VPN on each side is different

Since you set it up at home between office and home you know the right framework.
So just check the B office and see what is different about that network.

Show the gui config setup and perhaps I can spot something
UAW-Chrysler NTC |Warren, Michigan, USA
IPFire 2.21 (x86_64) - Core Update 126

GrueMaster
Posts: 22
Joined: December 28th, 2017, 2:46 pm

Re: OpenVPN Net2Net routing issues

Post by GrueMaster » January 15th, 2019, 3:29 am

Not really much to show. The two firewalls (OfficeA & OfficeB) show connections. Both have separate internal subnets (OfficeA: 222.10.0.0/255.255.255.0, OfficeB: 222.20.0.0/255.255.255.0, Home: 222.30.0.0/255.255.255.0). I verified that the UDP ports I am using are not used by anything else, based on this list. 1194 is for roadwarrior VPN on all firewalls, tried UDP 1492 (no one better be playing civ at work anyway) and UDP 1947 (India independence - thought it would be a nice touch). Home is on UDP 1716 (America's Army MMO - again, no one is playing on my networks). I also verified the ports I tried on the India site with my home setup, works each time.

I have not updated OfficeA ipfire from 125 to 126, but that shouldn't make a difference as home is on 126.

GUI won't show much (and I really don't feel like editing/masking jpegs for external stuff to keep it from being exploited). The config files only differ in the external ip addresses and internal ranges, nothing out of the ordinary.

Roberto Peña
Posts: 650
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: OpenVPN Net2Net routing issues

Post by Roberto Peña » January 15th, 2019, 8:45 am

+1 with UAW-Chrysler NTC.

IP 222.10.0.1 corresponds to:
[image: IP - 01.jpg]
IP 222.20.0.1 corresponds to:
[image: IP - 02.jpg]
IP 222.30.0.1 corresponds to:
[image: IP - 03.jpg]
The private ranges are:
[image: Private.jpg]
By assigning public ranges to private networks, you will always have routing problems. Let me explain. The problem is always the return of the packet, since the routers will determine that it is a public IP and will not send it to your private network; they will send it to Japan or to China.

Maybe someone with more knowledge can explain it better.

Regards.
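The point raised in the last two replies, that 222.x.x.x is outside the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), can be checked mechanically together with the usual net2net consistency checks. The following is an added example, not IPFire's code and not from anyone in the thread: it parses the routing-relevant directives (`ifconfig`, `route`) from each side's config, checks the two sides against each other, and flags any LAN or tunnel address that is not private. The config excerpts are constructed from the OfficeA/OfficeB configs at the top of the thread; the GREEN subnets are passed in separately because they do not appear in the config itself; the 192.168.x replacement subnets and all function names are the example's own.

```python
"""Consistency and address-range check for an OpenVPN net2net pair (added example)."""
import ipaddress

# Constructed excerpts: only the directives that matter for routing are kept.
OFFICE_A_CONF = """\
# OfficeA side (tls-server), constructed from the posted config
ifconfig 10.20.0.1 10.20.0.2
route 222.20.0.0 255.255.255.0
dev tun
tls-server
"""

OFFICE_B_CONF = """\
# OfficeB side (tls-client), constructed from the posted config
ifconfig 10.20.0.2 10.20.0.1
route 222.10.0.0 255.255.255.0
dev tun
tls-client
"""

# The same pair with the LANs renumbered into RFC 1918 space (example's own choice).
FIXED_A_CONF = OFFICE_A_CONF.replace("222.20.0.0", "192.168.20.0")
FIXED_B_CONF = OFFICE_B_CONF.replace("222.10.0.0", "192.168.10.0")


def parse_n2n(text):
    """Extract the local/peer tunnel addresses and the 'route' networks from a config."""
    local = peer = None
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ifconfig" and len(parts) == 3:
            local, peer = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
        elif parts[0] == "route" and len(parts) >= 3:
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return {"local": local, "peer": peer, "routes": routes}


def check_n2n_pair(conf_a, conf_b, green_a, green_b):
    """Return a list of findings for the pair; an empty list means nothing was flagged."""
    a, b = parse_n2n(conf_a), parse_n2n(conf_b)
    green_a, green_b = ipaddress.ip_network(green_a), ipaddress.ip_network(green_b)
    findings = []

    # The two ifconfig lines must be mirror images of each other.
    if None in (a["local"], a["peer"], b["local"], b["peer"]):
        findings.append("ifconfig missing on one side")
    elif (a["local"], a["peer"]) != (b["peer"], b["local"]):
        findings.append("ifconfig endpoints are not mirrored between the sides")

    # Each side must route the other side's GREEN subnet into the tunnel.
    if not any(green_b.subnet_of(r) for r in a["routes"]):
        findings.append(f"side A has no route covering side B GREEN {green_b}")
    if not any(green_a.subnet_of(r) for r in b["routes"]):
        findings.append(f"side B has no route covering side A GREEN {green_a}")

    # LAN and tunnel addresses should live in RFC 1918 space.
    for label, obj in (("side A GREEN", green_a), ("side B GREEN", green_b),
                       ("side A tunnel", a["local"]), ("side B tunnel", b["local"])):
        if obj is not None and not obj.is_private:
            findings.append(f"{label} {obj} is not an RFC 1918 private range")

    # The two LANs must not overlap, and tunnel endpoints must not sit inside a LAN.
    if green_a.overlaps(green_b):
        findings.append(f"GREEN subnets {green_a} and {green_b} overlap")
    for label, addr in (("side A tunnel", a["local"]), ("side B tunnel", b["local"])):
        if addr is not None and (addr in green_a or addr in green_b):
            findings.append(f"{label} endpoint {addr} lies inside a GREEN subnet")
    return findings


if __name__ == "__main__":
    for finding in check_n2n_pair(OFFICE_A_CONF, OFFICE_B_CONF,
                                  "222.10.0.0/24", "222.20.0.0/24"):
        print(finding)
```

For the posted pair the mirror, route and overlap checks all pass and only the two GREEN subnets are flagged, which is exactly the observation in the reply above; the renumbered pair produces no findings.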

GrueMaster
Posts: 22
Joined: December 28th, 2017, 2:46 pm

Re: OpenVPN Net2Net routing issues

Post by GrueMaster » January 15th, 2019, 11:33 pm

While I understand your assessment on the public/private routing, I don't believe that is the case here. Here is why:
  • OfficeA to Home works both ways
  • The previous company I worked for also had similar ranges for their internal networks (which were far larger than all of the private ranges combined and doubled).
  • The traffic is routed through the gateways, which should change the routing accordingly so that it goes from client->gateway->interwebs->gateway->client. A friend of mine that is far more experienced with this setup (and former poster here) had given me this guidance when our startup was just starting.
Last point aside, the first two points are physical examples that this should just work.
