Any networking/openvpn gurus?

Aim:

- As a client, to use various VPN providers simultaneously, but only 1 active at any time from each provider
- Various programs that I run will use these connections
- Separate ip routing table per provider 
- Use route-nopull so the main network interface remains the default
- Route traffic based on the gid of the user running a program 

Here is what I have just now

#!/bin/sh
# My vars
TUNID=11            # tun device number; also reused as the rt_tables id
TABLE=overplaynet   # per-provider routing table name
IP=10.12.1.102      # local address OpenVPN assigned to tun$TUNID
MARK=123            # fwmark for this provider
GID=1000            # group whose processes should leave via this provider

# Make the interface usable: register the table once (re-runs must not append duplicates),
# then give the table a default route through the tunnel
grep -q "^$TUNID $TABLE$" /etc/iproute2/rt_tables || echo "$TUNID $TABLE" >> /etc/iproute2/rt_tables
ip route add default via $IP dev tun$TUNID table $TABLE
ip rule add from $IP lookup $TABLE prio 1000

# route based on gid: mark the group's packets, send marked packets to the table,
# and masquerade only what actually leaves through this tunnel
iptables -t mangle -A OUTPUT -m owner --gid-owner $GID -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o tun$TUNID -m mark --mark $MARK -j MASQUERADE
ip rule add fwmark $MARK lookup $TABLE prio 1001
echo 2 > /proc/sys/net/ipv4/conf/tun$TUNID/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
ip route flush cache

Problems:

- I'd like to predetermine $IP if possible and if not, what'd be the best approach of acquiring the address of the newly created interface? 
- Dedicating a local /24 so I know which /24 belongs to which provider.

That's the rough gist of my issue just now. I thought I'd share it here as the experience here seems to be predominantly networking. I have rtfm'ed but tbh this is not my bread and butter so I'm not looking to know the whole shebang inside out.


Comments

  • Openvpn should know $IP. You can use an 'up' script there.

  • Thanks I'll take a look at up scripts which I'm vaguely familiar with.

  • It seems --up and --down will take care of a lot of my questions. One thing I'm not sure of... say if I have connections to 100 different VPNs, how can I guarantee that they don't have overlapping local addresses? Is that already taken care of?
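
    The 'up' script approach from the first reply, worked through as an added example (this is not code from the thread): OpenVPN exports the tunnel's local address (ifconfig_local), its gateway (route_vpn_gateway) and script_type to the hook, so $IP does not need to be predetermined, and the overlap question above is covered by a check that refuses to bring up a tunnel whose address is already configured on another interface. The config lines, the script path, the DRY_RUN switch and the function names are my assumptions.

```shell
#!/bin/sh
# OpenVPN --up/--down hook with per-provider policy routing (added example, not code
# from the thread). OpenVPN runs it as "script tun_dev tun_mtu link_mtu local remote init"
# and exports ifconfig_local, route_vpn_gateway and script_type, plus anything the
# config passes with "setenv". Assumed per-provider config (names are hypothetical):
#   dev tun11
#   route-nopull
#   script-security 2
#   setenv TABLE overplaynet
#   setenv MARK 123
#   setenv GID 1000
#   up   /etc/openvpn/policy-route.sh
#   down /etc/openvpn/policy-route.sh
set -eu

# Run a command, or only print it when DRY_RUN is set (lets the logic be checked without root).
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Return 0 if IPv4 address $1 is already configured on a device other than $2.
# $3 is the output of "ip -4 -o addr show", passed in so the check can run on a
# constructed listing.
addr_in_use() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$3" | grep -v "^[0-9]*: $2 " | grep -q " inet $esc/"
}

# Install routing for one provider. Args: tun_dev local_ip gateway table mark gid
vpn_up() {
    dev=$1; local_ip=$2; gw=$3; table=$4; mark=$5; gid=$6
    tunid=${dev#tun}                       # tun11 -> 11, reused as the rt_tables id
    if addr_in_use "$local_ip" "$dev" "$(ip -4 -o addr show 2>/dev/null)"; then
        echo "$local_ip already in use on another interface, refusing to route $dev" >&2
        return 1
    fi
    # Register the table once; rt_tables is one "<id> <name>" per line
    if ! grep -qs "^$tunid $table\$" /etc/iproute2/rt_tables; then
        run sh -c "echo '$tunid $table' >> /etc/iproute2/rt_tables"
    fi
    # The table's default route goes to the provider's gateway, not to our own address
    run ip route replace default via "$gw" dev "$dev" src "$local_ip" table "$table"
    # Replies to the tunnel address and packets marked for this provider use the table
    run ip rule add from "$local_ip" lookup "$table" prio 1000
    run ip rule add fwmark "$mark" lookup "$table" prio 1001
    # Mark the group's traffic and rewrite its source as it leaves this tunnel only
    run iptables -t mangle -A OUTPUT -m owner --gid-owner "$gid" -j MARK --set-mark "$mark"
    run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
    run sysctl -q -w "net.ipv4.conf.$dev.rp_filter=2"
    run ip route flush cache
}

# Undo vpn_up in reverse order. Args: tun_dev local_ip table mark gid
vpn_down() {
    dev=$1; local_ip=$2; table=$3; mark=$4; gid=$5
    run iptables -t nat -D POSTROUTING -o "$dev" -j MASQUERADE
    run iptables -t mangle -D OUTPUT -m owner --gid-owner "$gid" -j MARK --set-mark "$mark"
    run ip rule del fwmark "$mark" lookup "$table" prio 1001
    run ip rule del from "$local_ip" lookup "$table" prio 1000
    run ip route flush table "$table"
}

# Entry point when OpenVPN invokes the script; a plain "sh policy-route.sh" does nothing.
case "${script_type:-}" in
    up)   vpn_up "$1" "$ifconfig_local" "$route_vpn_gateway" "$TABLE" "$MARK" "$GID" ;;
    down) vpn_down "$1" "$ifconfig_local" "$TABLE" "$MARK" "$GID" ;;
esac
```

    Because everything is keyed on the tun device, the fwmark and the table, two providers that happen to hand out the same local address would still route correctly for marked traffic; what breaks is the "from $local_ip" rule, which is exactly what the overlap check guards. Running with DRY_RUN=1 set prints the commands instead of executing them, which is a convenient way to review the rule set a provider will get before it is applied.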

  • Ricardo, sounds like you want something like mpls. Where the customers are not routed by network, but rather by their tags. So customer A has tag "red" and customer B has tag "blue" and it doesn't matter if they have the same network addresses, as they would also have their own routing tables.

    I'm familiar with iproute2 and general mpls (mostly cisco) but I'm not sure if it's in the feature set. I know Linux can do mpls (i.e., Mikrotik routers can do it), I've just never implemented it.

  • I'll take a look at mpls, thanks.

    All the 'clients' are going to be on the same machine as the server. I'm making good progress using the up/down scripts, after figuring out the argv's of them I'm just working out when to apply rules... i.e. one offs, reboots, per invocation, per new connection. Going well so far. Thanks for the help to you both.
