Bug #3061

OpenVPN roadwarrior doesn't work with MultiWan configured

Added by Nicola Rauso over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-openvpn
Target version: v6.6
Security class:
Resolution:
Affected version: v6.5
NEEDINFO: No

Description

With MultiWAN enabled, PC clients cannot connect to the OpenVPN roadwarrior server.

In "/var/log/openvpn/openvpn.log" you'll find:

Wed Feb 25 17:43:18 2015 89.96.243.227:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 25 17:43:18 2015 89.96.243.227:1194 TLS Error: TLS handshake failed
Wed Feb 25 17:43:18 2015 89.96.243.227:1194 SIGUSR1[soft,tls-error] received, client-instance restarting

Looking at the red interfaces, you'll see traffic go through all NICs:

# tcpdump  -nn -p -i eth1 port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:43:21.101779 IP 2.118.245.107.1194 > 89.96.243.227.1194: UDP, length 26
17:43:23.378414 IP 2.118.245.107.1194 > 89.96.243.227.1194: UDP, length 14
17:43:23.481847 IP 2.118.245.107.1194 > 89.96.243.227.1194: UDP, length 22
17:43:27.132892 IP 2.118.245.107.1194 > 89.96.243.227.1194: UDP, length 26
17:43:35.202543 IP 2.118.245.107.1194 > 89.96.243.227.1194: UDP, length 14

# tcpdump  -nn -p -i eth2 port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
17:43:21.100602 IP 89.96.243.227.1194 > 192.168.1.2.1194: UDP, length 14
17:43:23.481575 IP 89.96.243.227.1194 > 192.168.1.2.1194: UDP, length 14
17:43:27.132638 IP 89.96.243.227.1194 > 192.168.1.2.1194: UDP, length 14
17:43:35.488057 IP 89.96.243.227.1194 > 192.168.1.2.1194: UDP, length 14
17:43:51.677835 IP 89.96.243.227.1194 > 192.168.1.2.1194: UDP, length 14

Installed packages:
  • nethserver-openvpn-1.1.2-1.ns6.noarch
  • nethserver-vpn-1.1.4-1.ns6.noarch
  • openvpn-2.3.1-3.el6.x86_64
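
The capture pattern in the description, checked programmatically. This is an added example, not part of the original report or of the NethServer code. It takes the peer address from the failed-handshake log line and flags the case where replies leave from an interface and local address the peer never sent to, which is the situation the multihome option addresses. The function names are hypothetical, and the sample lines are copied from the report.

```python
import re

# Sample lines copied from the report (trimmed to two packets per interface).
CAPTURES = {
    "eth1": "17:43:21.101779 IP 2.118.245.107.1194 > 89.96.243.227.1194: UDP, length 26\n"
            "17:43:23.378414 IP 2.118.245.107.1194 > 89.96.243.227.1194: UDP, length 14\n",
    "eth2": "17:43:21.100602 IP 89.96.243.227.1194 > 192.168.1.2.1194: UDP, length 14\n"
            "17:43:23.481575 IP 89.96.243.227.1194 > 192.168.1.2.1194: UDP, length 14\n",
}
LOG = "Wed Feb 25 17:43:18 2015 89.96.243.227:1194 TLS Error: TLS handshake failed\n"

PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP")
FAILED = re.compile(r"(\d+(?:\.\d+){3}):\d+ TLS Error: TLS handshake failed")


def failed_peers(log_text):
    """Peer addresses that openvpn.log reports as failing the TLS handshake."""
    return sorted(set(FAILED.findall(log_text)))


def reply_paths(captures, peer):
    """Return (inbound, outbound) sets of (iface, local_addr) seen for one peer."""
    inbound, outbound = set(), set()
    for iface, text in captures.items():
        for src, _sport, dst, _dport in PKT.findall(text):
            if src == peer:
                inbound.add((iface, dst))    # peer -> server: where it arrived
            elif dst == peer:
                outbound.add((iface, src))   # server -> peer: where the reply left
    return inbound, outbound


def asymmetric_peers(captures, log_text):
    """Failed peers whose replies leave from an iface/address they never sent to."""
    findings = {}
    for peer in failed_peers(log_text):
        inbound, outbound = reply_paths(captures, peer)
        stray = outbound - inbound
        if inbound and stray:
            findings[peer] = {"arrives_on": sorted(inbound), "replies_from": sorted(stray)}
    return findings


if __name__ == "__main__":
    for peer, f in asymmetric_peers(CAPTURES, LOG).items():
        print(peer, "arrives on", f["arrives_on"], "but is answered from", f["replies_from"])
```

Feed it the full `tcpdump -nn` text per red interface and the relevant part of openvpn.log; an empty result means every failed peer was answered from the interface and address it contacted.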

Associated revisions

Revision e11859b1
Added by Giacomo Sanchietti over 6 years ago

Client and server: fix configuration for multiwan. Refs #3061

History

#1 Updated by Nicola Rauso over 6 years ago

Adding the "multihome" directive to the OpenVPN configuration file solved the issue.

From "openvpn" man page:

multihome
              Configure a multi-homed UDP server. This option can be used when OpenVPN has been configured to listen on all interfaces, and
              will attempt to bind client sessions to the interface on which packets are being received, so that outgoing packets will be sent
              out of the same interface. Note that this option is only relevant for UDP servers and currently is only implemented on Linux.

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Subject changed from OpenVPN roadwarrior doesn't works with MultiWan configured to OpenVPN roadwarrior doesn't work with MultiWan configured
  • Category set to nethserver-openvpn
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30
  • Affected version set to v6.5

#4 Updated by Giacomo Sanchietti over 6 years ago

Also add the nobind option to client configuration.

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
nethserver-openvpn-1.1.2-1.10.ge11859b.ns6.noarch.rpm

Test case
  • Create a new account, download the OpenVPN configuration and check that the option nobind is present inside the configuration file
  • Check the bug is not reproducible

#7 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Updated:
  nethserver-openvpn.noarch 0:1.1.2-1.10.ge11859b.ns6

Complete!
[root@nsrv ~]# diff host-to-net.conf /etc/openvpn/host-to-net.conf
18a19
> multihome

$ tail -4 filippo\ \(1\).ovpn 
persist-key
persist-tun
nobind

#8 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-base:
  • nethserver-openvpn-1.2.0-1.ns6.noarch.rpm
