Koozali.org: home of the SME Server

OpenVPN: routing UDP packets through non-default gateway.

kohne
OpenVPN: routing UDP packets through non-default gateway.
« on: April 14, 2006, 02:49:55 PM »
Situation:
OpenVPN (by Sven Knudsen) running on SME Server, to connect home-workers to the office. This server is connected to the internet with the eth1 interface through 4096/512 ADSL. This ADSL connection's primary use is as a gateway for internet browsing and e-mail: fast download, slow upload.

We run a secondary SDSL 2048/2048 router to connect the branch offices. I want this SDSL router to be used as the OpenVPN gateway, because of its stability and upload capacity.

On the SDSL router I configured a NAT entry for UDP 1194 to be forwarded to the SME OpenVPN server. From the OpenVPN logs it appears that incoming UDP packets are received through the SDSL router; however, packets are sent back through the default gateway, i.e. the slow ADSL uplink. Moreover, they are not being accepted by the OpenVPN client:

Quote
Fri Apr 14 14:08:35 2006 us=867941 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov  2 2005
Fri Apr 14 14:08:43 2006 us=980396 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 14 14:08:43 2006 us=986644 LZO compression initialized
Fri Apr 14 14:08:43 2006 us=986861 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Apr 14 14:08:43 2006 us=995125 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Apr 14 14:08:43 2006 us=995219 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Apr 14 14:08:43 2006 us=995252 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Apr 14 14:08:43 2006 us=995316 Local Options hash (VER=V4): 'd79ca330'
Fri Apr 14 14:08:43 2006 us=995362 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Apr 14 14:08:43 2006 us=995424 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Apr 14 14:08:44 2006 us=1245 UDPv4 link local (bound): [undef]:1194
Fri Apr 14 14:08:44 2006 us=1282 UDPv4 link remote: xx.yyy.zzz.202:1194
Fri Apr 14 14:08:44 2006 us=28750 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Apr 14 14:08:44 2006 us=893236 TCP/UDP: Incoming packet rejected from xx.yyy.zzz.117:1194[2], expected peer address: xx.yyy.zzz.202:1194 (allow this incoming source address/port by removing --remote or adding --float)
How could I make OpenVPN work using the non-default SDSL gateway?

kohne
Policy based routing
« Reply #1 on: April 16, 2006, 11:02:37 PM »
This seems more complicated than I thought. I found some directions to get a solution on the web however. Read a lot about iptables, iproute2 and 'policy based routing'. For the interested:

http://www.clintoneast.com/articles/multihomed.php
http://www.debian-administration.org/articles/379
http://tldp.org/HOWTO/Adv-Routing-HOWTO/index.html

I'll keep you posted about the results.
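The policy-based routing the second post points to, worked through for the situation in the first post, as an added example: this is not the poster's configuration and not part of SME Server or the OpenVPN contrib. The idea is to mark locally generated UDP packets with source port 1194 (the OpenVPN server's replies), and to send marked packets through a separate routing table whose default route is the SDSL router rather than the ADSL default gateway. The interface name, the LAN network, the SDSL router's address, the table number and the mark value are all assumptions and need to be replaced with the real ones.

```shell
#!/bin/sh
# Added example for the thread above: not the poster's configuration and not
# part of SME Server or the OpenVPN contrib. It sets up iproute2 policy-based
# routing so that replies from the OpenVPN server (UDP source port 1194) leave
# through the SDSL router instead of the default ADSL gateway.
# Every address, interface name, table number and mark value is an assumption.

OVPN_PORT=1194                # port the SDSL router forwards (from the post)
LAN_IF="eth0"                 # assumed: interface the SDSL router's NAT delivers to
LAN_NET="192.168.1.0/24"      # assumed: LAN network on that interface
SDSL_GW="192.168.1.254"       # assumed: LAN address of the SDSL router
TABLE_ID=100                  # assumed: unused routing table number
TABLE_NAME="sdsl"             # assumed: friendly name registered in rt_tables
FWMARK=1                      # assumed: unused firewall mark value

# Emit the configuration commands, one per line, so they can be reviewed with
# DRY_RUN=1 (the default) before being applied as root with DRY_RUN=0.
# Order matters: the table's routes must exist before the rule that selects it.
pbr_commands() {
    cat <<EOF
grep -q "^${TABLE_ID} ${TABLE_NAME}\$" /etc/iproute2/rt_tables || echo "${TABLE_ID} ${TABLE_NAME}" >> /etc/iproute2/rt_tables
iptables -t mangle -A OUTPUT -p udp --sport ${OVPN_PORT} -j MARK --set-mark ${FWMARK}
ip route replace ${LAN_NET} dev ${LAN_IF} table ${TABLE_ID}
ip route replace default via ${SDSL_GW} dev ${LAN_IF} table ${TABLE_ID}
ip rule add fwmark ${FWMARK} lookup ${TABLE_ID}
ip route flush cache
EOF
}

# Emit the commands that display the result, for checking after applying.
pbr_verify_commands() {
    cat <<EOF
ip rule show
ip route show table ${TABLE_ID}
iptables -t mangle -L OUTPUT -n -v
EOF
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "# dry run: commands that would be executed"
    pbr_commands
    echo "# commands to verify the result"
    pbr_verify_commands
else
    pbr_commands | sh -e
fi
```

The LAN route is copied into the extra table on purpose: a table containing only a default route would also send marked packets destined for LAN hosts to the SDSL router. Once replies leave through the SDSL router, its NAT rewrites their source to the SDSL public address, so the client receives them from the address it sent to and the "Incoming packet rejected ... expected peer address" line in the log no longer applies; `--float` on the client would only mask that symptom while the traffic kept using the slow uplink. If the forwarded packets should stop arriving on the LAN interface, strict reverse-path filtering is the usual cause and `net.ipv4.conf.eth0.rp_filter` needs to be turned off for that interface (the poster's log shows they do arrive, so this is a check, not a given). The script is one-shot; SME Server regenerates its firewall rules from templates, so a permanent setup has to be hooked into that mechanism rather than run by hand.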