zehome / MLVPN

Multi-link VPN (ADSL/SDSL/xDSL/Network aggregation / bonding)
http://www.mlvpn.fr/
BSD 2-Clause "Simplified" License

Routing Tables with MLVPN #103

Open rcoulsell opened 7 years ago

rcoulsell commented 7 years ago

I have been working on getting this set up for 3 months unsuccessfully (tried linux bonding, vtrunkd, and now mlvpn), and am reaching out to see if you can help me get over the last hurdle. I can get the two machines to connect... I just can't get the traffic to route through the mlvpn0 tunnel adapter. I have attached all of my relevant configuration and the connection debug logs at the bottom of this thread.

It is a slightly modified version of the tutorial using two interfaces (eth1 and eth2).

Clearly it is the route and the iptables, and I'm in the deep end...

@zehome Please help.

                                               eth0 173.239.1.1
                                              +---------------+
                                 +----------->| Fast internet |--> IN/OUT
                                 |            +---------------+
                         mlvpn0  |
                  +--------------+---+
          +------>| MLVPN EC2 Ubuntu |<------+
          |       | server 52.35.1.1 |       |
          |       +------------------+       |
          |            ^        ^            |
          |            |  T  A  |            |
 +--------+---------+  |  U  G  |  +---------+--------+
 | 4G LTE 1 (link1) |  |  N  G  |  | 4G LTE 2 (link2) |
 +------------------+  |  /  R  |  +------------------+
   192.168.10.0/24     |  T  E  |     192.168.11.0/24
          ^            |  A  G  |            ^
          |            |  P  A  |            |
          |            |     T  |            |
          |            |     E  |            |
internet 1|            |     D  |            | internet 2
          |            v mlvpn0 v            |
          |         +--+--------+---+        |
          +---------| MLVPN client  |--------+
                    | Ubuntu Desktop|
                    +---------------+
eth1: 192.168.10.1       mlvpn0  |     eth2: 192.168.11.1
                                 |
                                 | eth0: 192.168.2.1
 +-------------------+           |
 | LAN 192.168.2.0   |<----------+
 +-------------------+

client: mlvpn.conf

[general]
statuscommand = "/usr/local/sbin/mlvpn/share/doc/mlvpn/mlvpn_updown.sh"
mode = "client"
mtu = 1444
tuntap = "tun"
interface_name = "mlvpn0"
timeout = 30
password = "pleasechangeme"
cleartext_data = 1
reorder_buffer_size = 64
loss_tolerance = 50

[filters]

[link1]
bindhost = "192.168.10.2"
remotehost = "52.35.1.1"
remoteport = "6001"

[link2]
bindhost = "192.168.11.2"
remotehost = "52.35.1.1"
remoteport = "6002"

client: iptables

sudo iptables -A INPUT -i mlvpn0 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i lo -o mlvpn0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

server: mlvpn.conf

[general]
statuscommand = "/usr/local/sbin/mlvpn/share/doc/mlvpn/mlvpn_updown.sh"
mode = "server"
mtu = 1444
tuntap = "tun"
interface_name = "mlvpn0"
timeout = 30
password = "pleasechangeme"
cleartext_data = 1
reorder_buffer_size = 64
loss_tolerence = 50

[filters]

[link1]
bindhost = "0.0.0.0"
bindport = 6001

[link2]
bindhost = "0.0.0.0"
bindport = 6002

server: iptables

sudo iptables -A INPUT -i mlvpn0 -j ACCEPT
sudo iptables -A INPUT -i eth0 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i mlvpn -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

client: ip route show table link1

default via 192.168.10.1 dev eth1
192.168.10.0/24 dev eth1   scope link

client: ip route show table link2

default via 192.168.11.2 dev eth2
192.168.11.0/24 dev eth2   scope link

client: ip route show table main

default via dev mlvpn0
192.168.10.0/24 dev eth1   proto kernel   scope link   src 192.168.10.2
192.168.11.0/24 dev eth1   proto kernel   scope link   src 192.168.11.2

server: start sudo mlvpn --user ubuntu -c /usr/local/sbin/mlvpn/share/doc/mlvpn/mlvpn.conf --debug -Dprotocol -v

client: start sudo mlvpn --user mylogin -c /usr/local/sbin/mlvpn/share/doc/mlvpn/mlvpn.conf --debug -Dprotocol -v

server: debug output

2017-07-16T05:26:11 [ DBG] absolute maximum mtu: 1444
2017-07-16T05:26:11 [INFO/config] new password set
2017-07-16T05:26:11 [INFO/config] reorder_buffer_size changed from 0 to 64
2017-07-16T05:26:11 [INFO/config] link1 tunnel added
2017-07-16T05:26:11 [INFO/config] link2 tunnel added
2017-07-16T05:26:11 [INFO] created interface `mlvpn0'
2017-07-16T05:26:11 [INFO] link1 bind to 0.0.0.0
2017-07-16T05:26:11 [INFO] link2 bind to 0.0.0.0
2017-07-16T05:26:18 [INFO/protocol] link1 new connection -> XXX.XXX.XXX.XXX:XXXXX
2017-07-16T05:26:18 [ DBG/net] < link1 recv 46 bytes (type=0, seq=0, reorder=0)
2017-07-16T05:26:18 [ DBG/protocol] link1 sending 'OK'
2017-07-16T05:26:18 [INFO/protocol] link1 authenticated
2017-07-16T05:26:18 [ DBG/net] > link1 sent 46 bytes (size=2, type=1, seq=0, reorder=0)
2017-07-16T05:26:18 [INFO/protocol] link2 new connection -> XXX.XXX.XXX.XXX:XXXXX
2017-07-16T05:26:18 [ DBG/net] < link2 recv 46 bytes (type=0, seq=0, reorder=0)
2017-07-16T05:26:18 [ DBG/protocol] link2 sending 'OK'
2017-07-16T05:26:18 [INFO/protocol] link2 authenticated
2017-07-16T05:26:18 [ DBG/net] > link2 sent 46 bytes (size=2, type=1, seq=0, reorder=0)
2017-07-16T05:26:18 [ DBG/rtt] 112ms srtt 112ms loss ratio: 0
2017-07-16T05:26:18 [ DBG/net] < link1 recv 76 bytes (type=3, seq=0, reorder=0)
2017-07-16T05:26:18 [ DBG/tuntap] mlvpn0 > sent 48 bytes
2017-07-16T05:26:18 [ DBG/reorder] adjusting reordering drain timeout to 672ms
2017-07-16T05:26:19 [ DBG/reorder] adjusting reordering drain timeout to 672ms
2017-07-16T05:26:20 [ DBG/protocol] link1 sending keepalive
2017-07-16T05:26:20 [ DBG/reorder] adjusting reordering drain timeout to 672ms
2017-07-16T05:26:20 [ DBG/protocol] link2 sending keepalive
2017-07-16T05:26:20 [ DBG/net] > link2 sent 44 bytes (size=0, type=2, seq=0, reorder=0)
2017-07-16T05:26:20 [ DBG/net] > link1 sent 44 bytes (size=0, type=2, seq=0, reorder=0)
2017-07-16T05:26:21 [ DBG/rtt] 330ms srtt 139ms loss ratio: 0
2017-07-16T05:26:21 [ DBG/net] < link1 recv 44 bytes (type=2, seq=0, reorder=0)
2017-07-16T05:26:21 [ DBG/protocol] link1 keepalive received
2017-07-16T05:26:21 [ DBG/protocol] link1 sending keepalive
2017-07-16T05:26:21 [ DBG/rtt] 304ms srtt 304ms loss ratio: 0
2017-07-16T05:26:21 [ DBG/net] < link2 recv 44 bytes (type=2, seq=0, reorder=0)
2017-07-16T05:26:21 [ DBG/protocol] link2 keepalive received
2017-07-16T05:26:21 [ DBG/protocol] link2 sending keepalive
2017-07-16T05:26:21 [ DBG/reorder] adjusting reordering drain timeout to 1050ms
2017-07-16T05:26:21 [ DBG/reorder] adjusting reordering drain timeout to 1824ms

client: debug output

2017-07-16T05:17:40 [ DBG] absolute maximum mtu: 1444
2017-07-16T05:17:40 [INFO/config] new password set
2017-07-16T05:17:40 [INFO/config] reorder_buffer_size changed from 0 to 64
2017-07-16T05:17:40 [INFO/config] link1 tunnel added
2017-07-16T05:17:40 [INFO/config] link2 tunnel added
2017-07-16T05:17:40 [INFO] created interface `mlvpn0'
2017-07-16T05:17:40 [INFO] link1 bind to 192.168.10.2
2017-07-16T05:17:40 [ DBG/protocol] link1 mlvpn_rtun_challenge_send
2017-07-16T05:17:40 [INFO] link2 bind to 192.168.11.2
2017-07-16T05:17:40 [ DBG/protocol] link2 mlvpn_rtun_challenge_send
2017-07-16T05:17:40 [ DBG/net] > link2 sent 46 bytes (size=2, type=0, seq=0, reorder=0)
2017-07-16T05:17:40 [ DBG/net] > link1 sent 46 bytes (size=2, type=0, seq=0, reorder=0)
2017-07-16T05:17:40 [ DBG/rtt] 114ms srtt 114ms loss ratio: 0
2017-07-16T05:17:40 [ DBG/net] < link2 recv 46 bytes (type=1, seq=0, reorder=0)
2017-07-16T05:17:40 [INFO/protocol] link2 authenticated
2017-07-16T05:17:40 [ DBG/rtt] 141ms srtt 141ms loss ratio: 0
2017-07-16T05:17:40 [ DBG/net] < link1 recv 46 bytes (type=1, seq=0, reorder=0)
2017-07-16T05:17:40 [INFO/protocol] link1 authenticated
2017-07-16T05:17:40 [ DBG/net] > link2 sent 76 bytes (size=48, type=3, seq=0, reorder=0)
2017-07-16T05:17:41 [ DBG/reorder] adjusting reordering drain timeout to 846ms
2017-07-16T05:17:41 [ DBG/reorder] adjusting reordering drain timeout to 684ms
2017-07-16T05:17:42 [ DBG/reorder] adjusting reordering drain timeout to 684ms
2017-07-16T05:17:42 [ DBG/reorder] adjusting reordering drain timeout to 846ms
2017-07-16T05:17:42 [ DBG/net] < link1 recv 44 bytes (type=2, seq=0, reorder=0)
2017-07-16T05:17:42 [ DBG/protocol] link1 keepalive received
2017-07-16T05:17:42 [ DBG/protocol] link1 sending keepalive
2017-07-16T05:17:42 [ DBG/net] < link2 recv 44 bytes (type=2, seq=0, reorder=0)
2017-07-16T05:17:42 [ DBG/protocol] link2 keepalive received
2017-07-16T05:17:42 [ DBG/protocol] link2 sending keepalive
2017-07-16T05:17:43 [ DBG/reorder] adjusting reordering drain timeout to 846ms
2017-07-16T05:17:43 [ DBG/reorder] adjusting reordering drain timeout to 684ms
2017-07-16T05:17:43 [ DBG/net] > link2 sent 44 bytes (size=0, type=2, seq=0, reorder=0)
2017-07-16T05:17:43 [ DBG/net] > link1 sent 44 bytes (size=0, type=2, seq=0, reorder=0)
2017-07-16T05:17:43 [ DBG/rtt] 125ms srtt 115ms loss ratio: 0
2017-07-16T05:17:43 [ DBG/net] < link2 recv 44 bytes (type=2, seq=0, reorder=0)
2017-07-16T05:17:43 [ DBG/protocol] link2 keepalive received
2017-07-16T05:17:43 [ DBG/rtt] 155ms srtt 142ms loss ratio: 0
2017-07-16T05:17:43 [ DBG/net] < link1 recv 44 bytes (type=2, seq=0, reorder=0)
2017-07-16T05:17:43 [ DBG/protocol] link1 keepalive received
2017-07-16T05:17:44 [ DBG/reorder] adjusting reordering drain timeout to 595ms
2017-07-16T05:17:44 [ DBG/reorder] adjusting reordering drain timeout to 736ms
2017-07-16T05:17:44 [ DBG/net] > link2 sent 76 bytes (size=48, type=3, seq=0, reorder=0)
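The debug logs above show both links authenticating and exchanging keepalives on each side, and the server handing 48 bytes to mlvpn0, which places the problem past the VPN session itself. As an added example (not code from this issue or from the MLVPN project), the POSIX sh functions below reduce a `--debug` log read on stdin to a per-link verdict and the number of bytes written to the tun device. The line format is taken from the output posted here, the sample lines are constructed from it, and the rule "authenticated plus at least one keepalive received means up" is an assumption of this example, not an MLVPN definition.

```shell
#!/bin/sh
# Added example, not code from the MLVPN project or from this issue.
# Triage an MLVPN --debug log (stdin): decide per link whether the tunnel
# session is up, so a "no traffic" symptom can be attributed to routing or
# forwarding rather than to the VPN. Line format follows the logs in the issue.

# mlvpn_link_status LINK
# Prints "up" when LINK authenticated and received at least one keepalive,
# "auth-only" when it authenticated but never saw a keepalive, "down" otherwise.
# (The up/auth-only/down rule is this example's assumption.)
mlvpn_link_status() {
    awk -v link="$1" '
        match($0, /link[0-9]+/) && substr($0, RSTART, RLENGTH) == link {
            if ($0 ~ /\[INFO\/protocol\] link[0-9]+ authenticated/) auth = 1
            if ($0 ~ /keepalive received/) ka++
        }
        END {
            if (auth && ka > 0) print "up"
            else if (auth)      print "auth-only"
            else                print "down"
        }'
}

# mlvpn_tuntap_bytes
# Sums the bytes the daemon wrote to the tun device. Zero here while every
# link reports "up" means decrypted packets never reach mlvpn0 at all.
mlvpn_tuntap_bytes() {
    awk '
        /\[ DBG\/tuntap\] mlvpn0 > sent [0-9]+ bytes/ {
            for (i = 1; i < NF; i++) if ($i == "sent") total += $(i + 1)
        }
        END { print total + 0 }'
}

# Constructed sample, trimmed from the server log posted in this issue.
SAMPLE_LOG='2017-07-16T05:26:11 [INFO/config] link1 tunnel added
2017-07-16T05:26:11 [INFO/config] link2 tunnel added
2017-07-16T05:26:18 [INFO/protocol] link1 authenticated
2017-07-16T05:26:18 [INFO/protocol] link2 authenticated
2017-07-16T05:26:18 [ DBG/tuntap] mlvpn0 > sent 48 bytes
2017-07-16T05:26:21 [ DBG/protocol] link1 keepalive received
2017-07-16T05:26:21 [ DBG/protocol] link2 keepalive received'

# Stand-alone run: one verdict per link, then the tun byte count.
for l in link1 link2; do
    printf '%s: %s\n' "$l" "$(printf '%s\n' "$SAMPLE_LOG" | mlvpn_link_status "$l")"
done
printf 'bytes written to mlvpn0: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | mlvpn_tuntap_bytes)"
```

On a real run, replace the sample with `mlvpn ... --debug -Dprotocol -v 2>&1 | tee mlvpn.log` and feed `mlvpn.log` to the functions; when both links are "up" and the byte count grows while pings still fail, the next thing to inspect is the routing table and the FORWARD chain, not the MLVPN configuration.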
markfoodyburton commented 7 years ago

I can't answer your question directly, but - my feeling is you need a firewall on your 'router' (Ubuntu desktop). I used shorewall (there is a wiki page about it, and a couple of issues that helped me get to an answer). It might help you. (https://github.com/zehome/MLVPN/wiki/Using-MLVPN-and-Shorewall) BTW, do you need encryption on this link? Your data will go across 'fast internet' unencrypted anyway?

tabbertmj commented 6 years ago

Were you able to get this resolved? I am having the same issue. I can see packets arrive on the server but they don't seem to get forwarded to the internet.

muesli commented 6 years ago

Same here. Interestingly I can ping all my local machines from the server, but I can't ping the server from the local machine. Which doesn't really make sense to me.

zehome commented 6 years ago

It can happen if you don't correctly specify the source IP address when you do a "ping".

You need to run a tcpdump on the tunnel interface in order to know what is going on.

legolas108 commented 5 years ago

Also ran into this problem. After applying your server iptables commands it started to work. But I had to correct a tiny typo which might be crucial here:

sudo iptables -A FORWARD -i mlvpn0 -o eth0 -j ACCEPT

Note the mlvpn0!

legolas108 commented 5 years ago

And also had to enable IPv4 forwarding which seems disabled by default. Make sure net.ipv4.ip_forward = 1 is set in /etc/sysctl.conf.
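The two comments above point at an interface name that does not exist in a FORWARD rule and at IPv4 forwarding being off; the client's `ip route show table link2` output earlier in this thread also carries a default gateway equal to the link's own bindhost. As an added example (not code from this issue or from MLVPN), the POSIX sh functions below check those three conditions on plain text read from stdin (iptables-save style rules, a sysctl.conf, the output of `ip route show table <link>`), so they run offline with no root access. The sample inputs are constructed to mirror what was posted; treating an absent `net.ipv4.ip_forward` key as 0 is an assumption made here (the kernel default, ignoring /etc/sysctl.d fragments).

```shell
#!/bin/sh
# Added example, not code from the MLVPN project or from this issue.
# Offline sanity checks for the three misconfigurations this thread ends up
# pointing at. Every check reads text on stdin, so saved output from
# `iptables-save`, /etc/sysctl.conf and `ip route show table <link>` can be
# checked on any machine.

# iptables_unknown_ifaces "IFACE IFACE ..."  < rules
# Prints each rule whose -i/-o argument is not in the space-separated list
# of interfaces that actually exist (e.g. from `ls /sys/class/net`).
iptables_unknown_ifaces() {
    awk -v known=" $1 " '
        {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && index(known, " " $(i + 1) " ") == 0) {
                    print "unknown interface \"" $(i + 1) "\" in: " $0
                    break
                }
        }'
}

# sysctl_ip_forward < sysctl.conf
# Prints the effective net.ipv4.ip_forward value: last assignment wins,
# comment lines are ignored, and an absent key is reported as 0 (assumption:
# kernel default; /etc/sysctl.d fragments are not consulted here).
sysctl_ip_forward() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == "net.ipv4.ip_forward") { val = $2; gsub(/[[:space:]]/, "", val) }
        }
        END { print (val == "" ? "0" : val) }'
}

# link_table_check BINDHOST < output of "ip route show table <link>"
# Prints "ok" when the table has exactly one default route whose gateway is
# not BINDHOST itself; otherwise prints what is wrong. A per-link table whose
# default route points at the host's own address can never leave the box.
link_table_check() {
    awk -v self="$1" '
        $1 == "default" {
            n++
            for (i = 1; i < NF; i++) if ($i == "via") gw = $(i + 1)
        }
        END {
            if (n == 0)          print "no default route in link table"
            else if (n > 1)      print "more than one default route in link table"
            else if (gw == self) print "default gateway " gw " is the host itself (bindhost)"
            else                 print "ok"
        }'
}

# Constructed samples, modelled on what was posted in this issue.
SAMPLE_RULES='-A INPUT -i mlvpn0 -j ACCEPT
-A FORWARD -i mlvpn -o eth0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_SYSCTL='# net.ipv4.ip_forward=1
net.ipv4.ip_forward = 0'
SAMPLE_TABLE_LINK2='default via 192.168.11.2 dev eth2
192.168.11.0/24 dev eth2 scope link'

# Stand-alone run: each check prints its finding for the samples above.
printf '%s\n' "$SAMPLE_RULES" | iptables_unknown_ifaces "lo eth0 mlvpn0"
printf 'ip_forward=%s\n' "$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_ip_forward)"
printf 'table link2: %s\n' "$(printf '%s\n' "$SAMPLE_TABLE_LINK2" | link_table_check 192.168.11.2)"
```

On the real hosts, `iptables-save | iptables_unknown_ifaces "$(ls /sys/class/net | tr '\n' ' ')"` catches the `mlvpn` versus `mlvpn0` slip before a single packet is sent, and `ip route show table link2 | link_table_check <bindhost>` with the bindhost from mlvpn.conf catches a link table that routes back to itself.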

legolas108 commented 5 years ago

Ultimately couldn't succeed with MLVPN. Got a solution to work very nicely based on Linux Ethernet Bonding, OpenVPN and FireHOL.

tabbertmj commented 5 years ago

I am testing openMPTCProuter. So far it seems to be working well.

> Ultimately couldn't succeed with MLVPN. Got a solution to work very nicely (https://serverfault.com/questions/977589/how-to-bond-two-multiple-internet-connections-for-increased-speed-and-failover) based on Linux Ethernet Bonding, OpenVPN and FireHOL.

markfoodyburton commented 5 years ago

Give ubond a spin, see if it works for you. It's based on mlvpn. https://github.com/markfoodyburton/ubond I don't know why you found mlvpn didn't work for you.