OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

openvpn can not use keepalived vip #476

Closed bobz965 closed 9 months ago

bobz965 commented 9 months ago

IMPORTANT NOTE Bugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net

Describe the bug

If OpenVPN is listening on 0.0.0.0, it only replies from eth0's primary IP; if I use the keepalived VIP, it still replies from eth0's primary IP.

# 192.168.7.200 is my OpenVPN client IP
# 10.1.0.21 is the OpenVPN server's eth0 primary IP
# 10.1.0.2 is the keepalived VIP

root@keepalived01-1:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1279 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.240.0.1 peer 10.240.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
259: eth0@if260: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default
    link/ether 00:00:00:a9:4d:66 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.1.0.21/24 brd 10.1.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.1.0.2/24 scope global secondary eth0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:ff:fea9:4d66/64 scope link
       valid_lft forever preferred_lft forever
root@keepalived01-1:/# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.240.0.0      10.240.0.2      255.255.0.0     UG    0      0        0 tun0
10.240.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0

root@keepalived01-1:/# tcpdump -i eth0 host 192.168.7.200 -netvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

00:00:00:45:21:69 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 62, id 33040, offset 0, flags [DF], proto UDP (17), length 42)
    192.168.7.200.40621 > 10.1.0.2.1194: [udp sum ok] UDP, length 14
00:00:00:a9:4d:66 > 00:00:00:17:43:01, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 61950, offset 0, flags [DF], proto UDP (17), length 54)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0xd2b9 -> 0x2097!] UDP, length 26
00:00:00:17:43:01 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 96: (tos 0xc0, ttl 63, id 53979, offset 0, flags [none], proto ICMP (1), length 82)
    192.168.7.200 > 10.1.0.21: ICMP 192.168.7.200 udp port 40621 unreachable, length 62
    (tos 0x0, ttl 63, id 61950, offset 0, flags [DF], proto UDP (17), length 54)
    10.1.0.21.1194 > 192.168.7.200.40621: [udp sum ok] UDP, length 26
00:00:00:a9:4d:66 > 00:00:00:17:43:01, ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 62179, offset 0, flags [DF], proto UDP (17), length 42)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0xd2ad -> 0x0869!] UDP, length 14
00:00:00:17:43:01 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 84: (tos 0xc0, ttl 63, id 53983, offset 0, flags [none], proto ICMP (1), length 70)
    192.168.7.200 > 10.1.0.21: ICMP 192.168.7.200 udp port 40621 unreachable, length 50
    (tos 0x0, ttl 63, id 62179, offset 0, flags [DF], proto UDP (17), length 42)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0x4ddd -> 0x0869!] UDP, length 14
00:00:00:45:21:69 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 62, id 33335, offset 0, flags [DF], proto UDP (17), length 42)
    192.168.7.200.40621 > 10.1.0.2.1194: [bad udp cksum 0xd29a -> 0x990f!] UDP, length 14
00:00:00:a9:4d:66 > 00:00:00:17:43:01, ethertype IPv4 (0x0800), length 64: (tos 0x0, ttl 64, id 62201, offset 0, flags [DF], proto UDP (17), length 50)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0xd2b5 -> 0x389f!] UDP, length 22
00:00:00:17:43:01 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 92: (tos 0xc0, ttl 63, id 54006, offset 0, flags [none], proto ICMP (1), length 78)
    192.168.7.200 > 10.1.0.21: ICMP 192.168.7.200 udp port 40621 unreachable, length 58
    (tos 0x0, ttl 63, id 62201, offset 0, flags [DF], proto UDP (17), length 50)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0x4de5 -> 0x389f!] UDP, length 22
00:00:00:a9:4d:66 > 00:00:00:17:43:01, ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 62796, offset 0, flags [DF], proto UDP (17), length 42)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0xd2ad -> 0x0869!] UDP, length 14
00:00:00:17:43:01 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 84: (tos 0xc0, ttl 63, id 54455, offset 0, flags [none], proto ICMP (1), length 70)
    192.168.7.200 > 10.1.0.21: ICMP 192.168.7.200 udp port 40621 unreachable, length 50
    (tos 0x0, ttl 63, id 62796, offset 0, flags [DF], proto UDP (17), length 42)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0x4ddd -> 0x0869!] UDP, length 14
00:00:00:45:21:69 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 62, id 33483, offset 0, flags [DF], proto UDP (17), length 42)
    192.168.7.200.40621 > 10.1.0.2.1194: [bad udp cksum 0xd29a -> 0x990f!] UDP, length 14
00:00:00:a9:4d:66 > 00:00:00:17:43:01, ethertype IPv4 (0x0800), length 64: (tos 0x0, ttl 64, id 62869, offset 0, flags [DF], proto UDP (17), length 50)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0xd2b5 -> 0x389f!] UDP, length 22
00:00:00:45:21:69 > 00:00:00:a9:4d:66, ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 62, id 33610, offset 0, flags [DF], proto UDP (17), length 42)
    192.168.7.200.40621 > 10.1.0.2.1194: [bad udp cksum 0xd29a -> 0x990f!] UDP, length 14
00:00:00:a9:4d:66 > 00:00:00:17:43:01, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 64344, offset 0, flags [DF], proto UDP (17), length 54)
    10.1.0.21.1194 > 192.168.7.200.40621: [bad udp cksum 0xd2b9 -> 0x2097!] UDP, length 26

The incoming packet's dst IP is 10.1.0.2 (the keepalived VIP), but the reply packet's source IP is 10.1.0.21 (eth0's primary IP). I think the reply packet's source IP should be 10.1.0.2 (the keepalived VIP) too.

To Reproduce

Expected behavior

Version information

Additional context

cron2 commented 9 months ago

Add multihome to your server config if the server has more than one IP address.
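The mechanism behind that suggestion, shown as an added example that is not part of this issue or of OpenVPN's code: a UDP socket bound to 0.0.0.0 does not remember which local address a datagram was sent to, so a plain reply gets its source address from the kernel's route lookup, which picks the interface's primary address (10.1.0.21 in the capture above) rather than the VIP. `--multihome` makes OpenVPN request the `IP_PKTINFO` ancillary data on receive and hand the recorded destination back on `sendmsg()`, so the reply leaves from the address the client actually talked to. The script below reproduces both behaviours on the loopback interface, with 127.0.0.2 standing in for the keepalived VIP and 127.0.0.1 for the primary address; the function names are mine, and it assumes Linux (the whole of 127.0.0.0/8 being local and the `IP_PKTINFO` layout are Linux behaviours).

```python
"""Why a UDP daemon bound to 0.0.0.0 answers from the wrong address, and
what OpenVPN's --multihome does about it at the socket level.

Added example, not OpenVPN's own code. Linux-only assumptions: IP_PKTINFO
is value 8 and carries struct in_pktinfo, and every 127.0.0.0/8 address is
local, so 127.0.0.2 can play the role of the keepalived VIP.
"""
import socket
import struct

# Linux value of IP_PKTINFO; older Python builds do not expose the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
IN_PKTINFO = struct.Struct("=I4s4s")


def parse_pktinfo(ancdata):
    """Return the destination IP of a received datagram from its IP_PKTINFO cmsg, or None.

    ipi_addr is the destination address from the IP header, i.e. the address
    the client sent to (the VIP in the issue).
    """
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO and len(data) >= IN_PKTINFO.size:
            _ifindex, _spec_dst, addr = IN_PKTINFO.unpack(data[:IN_PKTINFO.size])
            return socket.inet_ntoa(addr)
    return None


def build_pktinfo(src_ip):
    """Build the IP_PKTINFO ancillary message that pins the source address of an outgoing datagram.

    On send the kernel takes the source address from ipi_spec_dst; ipi_ifindex
    and ipi_addr are left zero so routing is otherwise unchanged.
    """
    payload = IN_PKTINFO.pack(0, socket.inet_aton(src_ip), b"\0" * 4)
    return (socket.IPPROTO_IP, IP_PKTINFO, payload)


def serve_one(server, multihome):
    """Receive one datagram on a wildcard-bound socket and echo it back to the sender."""
    data, ancdata, _flags, peer = server.recvmsg(1500, socket.CMSG_SPACE(IN_PKTINFO.size))
    if multihome:
        dst = parse_pktinfo(ancdata)          # address the client actually talked to
        server.sendmsg([data], [build_pktinfo(dst)], 0, peer)
    else:
        server.sendto(data, peer)             # kernel chooses the source by route lookup


def reply_source(multihome, vip="127.0.0.2"):
    """Run one client/server exchange on loopback; return the source IP the client sees in the reply."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)   # ask for per-packet destination info
        server.bind(("0.0.0.0", 0))                           # wildcard bind, as in the issue
        server.settimeout(2)
        port = server.getsockname()[1]
        client.bind(("127.0.0.1", 0))
        client.settimeout(2)
        client.sendto(b"hello", (vip, port))                   # talk to the "VIP"
        serve_one(server, multihome)
        _reply, (src, _sport) = client.recvfrom(1500)
        return src
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print("without multihome, reply comes from", reply_source(False))  # 127.0.0.1
    print("with    multihome, reply comes from", reply_source(True))   # 127.0.0.2
```

The first exchange is the behaviour in the capture above: the client sends to the VIP and the answer comes back from the primary address, which a stateful firewall or the client's own source check then rejects. The second is what `multihome` in the server config buys you. The alternative, `local 10.1.0.2`, binds the socket to the VIP only and therefore needs the VIP to be present on the host at the time OpenVPN starts, which does not fit a keepalived failover where the address moves between nodes.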

bobz965 commented 9 months ago

Add multihome to your server config if the server has more than one IP address.

Thanks for your reply, I will give it a try.