On Mon, 24 Sep 2012 19:20:18 +0200, Krzysztof Witek <net...@witek.fr> wrote:
> From: Krzysztof Witek <krzysz...@witek.fr>
>
> If multiple ip addresses of the same subnet are configured on an
> interface, openvpn may not send udp datagrams to the peer
> using the correct source ip address.
>
> If a host sends the udp datagrams to the ip address A, then it
> should receive the answer from A even if its peer has multiple
> ip addresses and the default routing selects a different one.
>
> The issue can be reproduced with the following scenario:
>
> Host A is connected to two gateways each on the same subnet:
> gw1 with ip address 10.0.0.254
> gw2 with ip address 10.0.0.253
>
> Host A has two ip addresses: 10.0.0.1 and 10.0.0.2.
> It receives DNAT-ed traffic from gw1 via 10.0.0.1
> and DNAT-ed traffic from gw2 via 10.0.0.2.
>
> Two ip rules are set up on the host A:
> ip rule add from 10.0.0.1 table 1
> ip rule add from 10.0.0.2 table 2
>
> and three default routes:
> ip route add default via 10.0.0.254 table 1
> ip route add default via 10.0.0.253 table 2
> ip route add default via 10.0.0.254
>
> This way all traffic from 10.0.0.1 will go via 10.0.0.254
> and all traffic from 10.0.0.2 will go via 10.0.0.253.
>
> The current openvpn server doesn't work if it receives a connection
> from the router gw2 because it will send its udp datagrams via gw1.
>
> Saving the destination ip address on which the udp datagram arrived and
> then using it as the source ip address solves this issue.

I haven't checked, but doesn't --multihome work in this case?

-- 
D.