Openvpn site-to-site with default route and DualWAN

uninet · December 23, 2016, 8:04pm

Hi all,

small network

diagram
[attachment=159]

goal: all network traffic from/for 172.16.15.0/24 needs to go through the gw-ext and gw-int should work with dualwan in failover mode.
note: I have no physical access to the console of router gw-int, the only external access through the Internet
trouble: the configuration with the openvpn site-to-site tunnel + one wan or two wans without openvpn tunnel works fine but I need two wans worked in failover mode + openvpn site-to-site tunnel together

gw-ext configuration

firewall

name IN { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept destination { address 172.16.15.0/29 } } } name IN-local { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept icmp { type-name echo-request } limit { burst 5 rate 2/second } protocol icmp } rule 30 { action drop destination { port 22 } protocol tcp recent { count 3 time 30 } state { new enable } } rule 31 { action accept destination { port 22 } protocol tcp state { new enable } } rule 40 { action accept destination { port 11950 } protocol udp state { new enable } } }

interfaces

interfaces { ethernet eth0 { address 217.xxx.xxx.xxx/25 description inet duplex auto firewall { in { name IN } local { name IN-local } } smp_affinity auto speed auto } loopback lo { } openvpn vtun0 { encryption aes256 hash sha512 local-address 10.0.100.1 { subnet-mask 255.255.255.252 } local-host 217.xxx.xxx.xxx local-port 11950 mode site-to-site persistent-tunnel protocol udp remote-address 10.0.100.2 shared-secret-key-file /config/auth/tun0.key } }

nat destination

nat { destination { rule 10 { description "ssh to gw-ext" destination { port xxxxx } inbound-interface eth0 protocol tcp translation { address 10.0.100.1 port ssh } } rule 11 { description "ssh to gw-int-tunnel" destination { port xxxxx } inbound-interface eth0 protocol tcp translation { address 172.16.15.1 port ssh } } rule 20 { destination { port https } inbound-interface eth0 protocol tcp translation { address 172.16.15.2 port https } } rule 30 { destination { port 5222,5269 } inbound-interface eth0 protocol tcp translation { address 172.16.15.3 } } }

nat source

source { rule 10 { outbound-interface eth0 source { address 172.16.15.0/29 } translation { address masquerade } } rule 20 { outbound-interface eth0 source { address 10.0.100.0/30 } translation { address masquerade } } } }

gw-int configuration

firewall

firewall { all-ping enable broadcast-ping disable config-trap disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name IN { default-action drop rule 10 { action accept state { established enable related enable } } } name IN-local { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept icmp { type-name echo-request } limit { burst 5 rate 2/second } protocol icmp } rule 30 { action drop destination { port 22 } protocol tcp recent { count 3 time 30 } state { new enable } } rule 31 { action accept destination { port 22 } protocol tcp state { new enable } } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable twa-hazards-protection enable }

interfaces

interfaces { ethernet eth0 { address 82.xxx.xxx.xxx/27 duplex auto firewall { in { name IN } local { name IN-local } } smp_affinity auto speed auto } ethernet eth1 { address 195.xxx.xxx.xxx/27 duplex auto firewall { in { name IN } local { name IN-local } } smp_affinity auto speed auto } ethernet eth2 { address 172.16.15.1/29 duplex auto smp_affinity auto speed auto } loopback lo { } openvpn vtun0 { encryption aes256 hash sha512 local-address 10.0.100.2 { subnet-mask 255.255.255.252 } mode site-to-site protocol udp remote-address 10.0.100.1 remote-host 217.xxx.xxx.xxx remote-port 11950 replace-default-route { } shared-secret-key-file /config/auth/tun0.key } }

dualwan

load-balancing { wan { enable-local-traffic flush-connections interface-health eth0 { failure-count 4 nexthop 82.xxx.xxx.xx0 success-count 2 test 10 { resp-time 5 target 194.25.0.125 ttl-limit 1 type ping } test 20 { resp-time 5 target 64.102.255.44 ttl-limit 1 type ping } } interface-health eth1 { failure-count 4 nexthop 195.xxx.xxx.xx3 success-count 2 test 10 { resp-time 5 target 195.244.245.25 ttl-limit 1 type ping } test 20 { resp-time 5 target 173.37.146.41 ttl-limit 1 type ping } } rule 10 { inbound-interface eth2 interface eth0 { weight 1 } protocol all } rule 20 { inbound-interface eth2 interface eth1 { weight 1 } protocol all } sticky-connections { inbound } } }

static route

protocols { static { route 0.0.0.0/0 { next-hop 82.xxx.xxx.xx0 { distance 210 } next-hop 195.xxx.xxx.xx3 { distance 210 } } route 10.0.0.0/8 { blackhole { distance 254 } } route 64.102.255.44/32 { next-hop 82.xxx.xxx.xx0 { } } route 172.16.0.0/12 { blackhole { distance 254 } } route 173.37.146.41/32 { next-hop 195.xxx.xxx.xx3 { } } route 192.168.0.0/16 { blackhole { distance 254 } } route 194.25.0.125/32 { next-hop 82.xxx.xxx.xx0 { } } route 195.244.245.25/32 { next-hop 195.xxx.xxx.xx3 { } } } }

in this configuration I have access to a router gw-int at the address 82.ххх.ххх.ххх, the openvpn tunnel is working fine but traffic to/from the network 172.16.15.0 not goes through the tunnel
as soon as I add in the config “load‐balancing wan disable‐source‐nat” I lose access to the router and the openvpn tunnel not working.

anyone can tell me what I missed?

16again · December 25, 2016, 7:32am

Why do you want “load‐balancing wan disable‐source‐nat” to begin with?
Seems to me openvpn config doesn’t push routes, try adding static interface-routes to remote networks, using tunnel interface.
Also, in EdgeOS , I’m used to exclude stuff like site2site packets from being loadbalanced. Probably, same goes here. A packet destined for remote internal network should not be sent on WAN1 or WAN2 , but on vtun interface instead

uninet · December 25, 2016, 1:34pm

Openvpn in my config normally sets a default route using tunnel interface once this interface went up.
The second line of the routing table is the result of a configuration parameter “replace-default-route”

[code]netadm@gw-int:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [210/0] via 82.xxx.xxx.xxx, eth0
K>* 0.0.0.0/1 via 10.0.100.1, vtun0
S>* 10.0.0.0/8 [254/0] is directly connected, Null0, bh
C>* 10.0.100.1/32 is directly connected, vtun0
C>* 82.xxx.xxx.xxx/27 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo
K>* 128.0.0.0/1 via 10.0.100.1, vtun0
S>* 172.16.0.0/12 [254/0] is directly connected, Null0, bh
C>* 172.16.15.0/29 is directly connected, eth2
S>* 192.168.0.0/16 [254/0] is directly connected, Null0, bh
K>* 217.xxx.xxx.xxx/32 via 82.xxx.xxx.xxx, eth0[/code]

With “load‐balancing wan disable‐source‐nat” I tried to make route all traffic only through the tunnel interface vtun0

About to try to add a static interface-route for remote networks …
In this configuration remote networks is 0.0.0.0/0 That is, I don’t have the remote internal network. I need to make local internal networks 172.16.15.0/29 connected directly to the router gw-int would have access to the Internet via a second router gw-ext. But still, thanks for the idea with the “exclude”.

I will try rule with exclude packets from wan load balance with source address 172.16.15.0/29

uninet · December 27, 2016, 8:42am

Many thanks to the 16again! I achieved my main goal.

In load‐balancing configuration (gw-int router) added rule:

rule 5 { exclude inbound-interface eth+ protocol all source { address 172.16.15.0/29 } }