Hiyas,

On Monday 21 January 2008 11:32:34 Peter Warasin wrote:

> Kate Kretz wrote:
> > > we tried to use OpenVPN Server on two-nic (both are internet-connected)
> > > server.
> > > udp packets always go out on default gateway, even if they came from
> > > another nic.
>
> I have the same problem.
> Was not able to go more in depth into this problem, but I will (need to)
> soon.
> In the meantime, I thought about using --float on the clients. This should
> work.

Here it works with iptables connection marking and iproute2. iptables marks 
incoming connections for each uplink and based on the mark it is decided 
which device should be used to send the answer.
Here is some pseudo code:

# mark the connections for each interface (also works with stateful 
# filtering, but I omitted it here)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --save-mark

# give names to the iproute tables 1, 2 and 3
# (printf instead of echo -e, which dash prints literally; one command, one line)
printf '1 eth0.uplink\n2 eth1.uplink\n3 loopback.default\n' >> /etc/iproute2/rt_tables

# packets with mark 1 should go out via eth0.uplink
ip rule add prio 40001 fwmark 1 lookup eth0.uplink
# mark2 -> eth1
ip rule add prio 40002 fwmark 2 lookup eth1.uplink

# In case only the routing table is queried but no packet is
# really sent, this still provides a dummy route
ip rule add prio 60000 dev lo lookup loopback.default

# Information about the different gateways for the different uplinks
ip route add table eth0.uplink default via XXX.XXX.XXX.XXX
ip route add table eth1.uplink default via XXX.XXX.ZZZ.XXX
ip route add table loopback.default default via 127.0.0.1

OpenVPN runs on a separate dummy device and the traffic from all interfaces 
it should listen on is forwarded via a DNAT; for every outgoing device SNAT 
is also done with iptables. Maybe this is useful for you, too.

Regards,
Till
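The pieces above, put together as one reviewable script, as an added example that is not Till's own configuration: the connection-marking and policy-routing rules from the pseudo code, the dummy-interface DNAT/SNAT that is only described in prose, and the reverse-path-filter setting a two-uplink host needs. The interface names, the gateway and own addresses, the dummy device name and the UDP port are constructed placeholders; the named-table setup is made idempotent, and an explicit early ACCEPT keeps an already-marked connection from being re-marked.

```sh
#!/bin/sh
# Added example, not Till's own script. Two-uplink policy routing with CONNMARK
# plus the DNAT/SNAT that pins OpenVPN to a dummy interface. Interface names,
# gateway/own addresses, the dummy device and the port are constructed placeholders.
UPLINK0_IF=eth0; UPLINK0_GW=198.51.100.1; UPLINK0_IP=198.51.100.10
UPLINK1_IF=eth1; UPLINK1_GW=203.0.113.1;  UPLINK1_IP=203.0.113.10
VPN_IF=dummy0;   VPN_IP=10.255.255.1;     VPN_PORT=1194
TABLE0="${UPLINK0_IF}.uplink"; TABLE1="${UPLINK1_IF}.uplink"; TABLE_LO=loopback.default
RT_TABLES=/etc/iproute2/rt_tables

# rules prints the complete command list, one command per line; nothing is
# executed here, so the plan can be reviewed (or tested) without root.
rules() {
    cat <<EOF
# --- 1. named routing tables, appended only when missing (safe to re-run)
grep -qs '^1 $TABLE0\$' $RT_TABLES || echo '1 $TABLE0' >> $RT_TABLES
grep -qs '^2 $TABLE1\$' $RT_TABLES || echo '2 $TABLE1' >> $RT_TABLES
grep -qs '^3 $TABLE_LO\$' $RT_TABLES || echo '3 $TABLE_LO' >> $RT_TABLES
# --- 2. connection marking: restore the stored mark first; only connections
#        that have none yet are marked by the interface they arrived on
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -i $UPLINK0_IF -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i $UPLINK1_IF -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# --- 3. policy routing: a marked connection answers through the uplink it came in on.
#        Locally generated packets are routed once before mangle OUTPUT runs, so the
#        iif-lo rule gives that first lookup a dummy default; the re-route after
#        --restore-mark then picks the real uplink table.
ip rule add prio 40001 fwmark 1 lookup $TABLE0
ip rule add prio 40002 fwmark 2 lookup $TABLE1
ip rule add prio 60000 iif lo lookup $TABLE_LO
ip route replace table $TABLE0 default via $UPLINK0_GW dev $UPLINK0_IF
ip route replace table $TABLE1 default via $UPLINK1_GW dev $UPLINK1_IF
ip route replace table $TABLE_LO default dev lo
# strict reverse-path filtering drops asymmetric replies on a multi-uplink host; use loose mode
sysctl -q -w net.ipv4.conf.all.rp_filter=2
sysctl -q -w net.ipv4.conf.$UPLINK0_IF.rp_filter=2
sysctl -q -w net.ipv4.conf.$UPLINK1_IF.rp_filter=2
# --- 4. OpenVPN listens only on $VPN_IP/$VPN_IF; UDP $VPN_PORT arriving on either
#        uplink is DNATed there, and traffic it originates is SNATed to the egress address
ip link show $VPN_IF >/dev/null 2>&1 || ip link add $VPN_IF type dummy
ip addr replace $VPN_IP/32 dev $VPN_IF
ip link set $VPN_IF up
iptables -t nat -A PREROUTING -i $UPLINK0_IF -p udp --dport $VPN_PORT -j DNAT --to-destination $VPN_IP
iptables -t nat -A PREROUTING -i $UPLINK1_IF -p udp --dport $VPN_PORT -j DNAT --to-destination $VPN_IP
iptables -t nat -A POSTROUTING -o $UPLINK0_IF -s $VPN_IP -j SNAT --to-source $UPLINK0_IP
iptables -t nat -A POSTROUTING -o $UPLINK1_IF -s $VPN_IP -j SNAT --to-source $UPLINK1_IP
EOF
}

# apply runs the list as root, stopping at the first failing command;
# the dispatch below does nothing when the script is sourced without arguments.
apply() { rules | sh -e; }

case "${1:-}" in
    apply)   apply ;;
    dry-run) rules ;;
esac
```

Run `sh uplinks.sh dry-run` to read the plan and `sh uplinks.sh apply` as root to load it. The `ip rule add` lines are the one part that is not idempotent: running `apply` twice adds duplicate rules, so clear them with `ip rule del prio 40001` (and 40002, 60000) before re-applying. In the OpenVPN server config, bind to `$VPN_IP` with `local` so the daemon never sees the uplink addresses directly; conntrack reverses the DNAT on replies, so the SNAT rules only matter for connections the server itself initiates.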
