I have 2 openvpn clients connected to 2 different servers, on tun0 and tun1 devices.

I need to add 2 static routes, for the same host IP, and map them to 2 different gateways and tun devices.

I've run these 2 commands:

route add -host 69.30.217.90 gw 10.197.2.1 dev tun0
route add -host 69.30.217.90 gw 10.197.14.1 dev tun1

When I make a curl request and specify the device to use, only the 2nd route works. Once I delete it (by stopping the openvpn instance), the first route works.

Is there any way I can make both routes work, depending on which device I use to make the request?

EDIT:

I should add that this is a simplified example.

I actually need to have upward of 5 openvpn tunnels up at the same time, and the lifetime of the route is ~1s, only enough to do a single curl request.

My purpose for doing this is to test VPN servers if they are working properly, in a similar fashion a client would during normal use, by connecting to the server, making a request through the tunnel, and comparing against expected response.

Running a single instance of the testing daemon works just fine; however, the full test suite takes ~20s, and it would take a long time to test 100s of servers. I can run multiple instances in parallel, but they end up stepping on each other's routes.

Yegor

1 Answer

I've had trouble matching by oif. I suspect (but am not sure) this is because the output interface decision is made after it initially decides which route entry to use.

But you can match the output IP address and do policy routing.

For example:

echo "100 TUN" >> /etc/iproute2/rt_tables                      # name table 100 "TUN"
ip route add 10.197.2.0/24 dev tun0 table TUN                  # tun0's on-link network
ip route add 69.30.217.90 via 10.197.2.1 dev tun0 table TUN    # target host, via tun0's gateway
ip rule add from 10.197.2.8 table TUN                          # source-address match selects the table

The echo creates an alias for routing table #100 (hereafter TUN) so it can be referred to by name in iproute2 commands.

The first route command adds the basic on-link network for tun0 to table TUN. This should be set to the same network as the pre-existing route in your default table.

The second route command adds the specific host and gateway associated with tun0 to table TUN.

Finally, the rule matches packets by source IP. The value here should be changed to the local interface address on tun0; the whole, non-overlapping network would also work. It directs packets matching this rule to use table TUN, which then routes them according to the routes we added previously to this table.

You may want to try out the oif matching rule. This never worked for me, but YMMV:

ip rule add oif tun0 table TUN

Andrew Domaszek
  • How would this work when I need to handle 5 interfaces at a time, which only remain up for ~1s, in order to make a single curl request? – Yegor Dec 29 '15 at 23:15
  • I can't imagine a legit scenario where what you're asking is the appropriate solution. You'd have to expand your question for a better answer. – Andrew Domaszek Dec 29 '15 at 23:22
  • Updated my original question. The purpose here is to rapidly test hundreds of VPN servers to see if they're working properly by simulating the activity of an end user, which is connect and request data through the tunnel. – Yegor Dec 30 '15 at 00:11
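The answer above sets up one table by hand; the asker's follow-up is about doing this for several short-lived tunnels at once. The script below is an added example, not code from the question or the answer, that generalises the same policy-routing idea: one numbered table and one source-address rule per tunnel, created right before the probe and torn down right after, so parallel probes never touch the main table or each other's entries. It assumes (nothing on the page says so) that table numbers 100 and up are free, and that each tunnel's device name, local address and peer gateway are available to the probe (OpenVPN exports these to an --up script as dev, ifconfig_local and route_vpn_gateway). The rt_tables alias is skipped because numeric tables work fine in iproute2; curl is bound to the tunnel's local address with --interface so that the from rule, rather than device matching, picks the path.

```shell
#!/bin/sh
# Added example: per-tunnel routing tables for parallel OpenVPN probes.
# Assumed (not stated on the page): tables 100.. are unused on this host, and
# the caller knows each tunnel's device, local address, gateway and on-link net.

# Routing table number for a tunnel device: tun0 -> 100, tun4 -> 104.
table_for_iface() {
    echo $((100 + ${1#tun}))
}

# Print the iproute2 commands that confine one tunnel to its own table.
# Usage: tunnel_cmds IFACE LOCAL_IP GW_IP NET_CIDR TARGET_IP TABLE
tunnel_cmds() {
    iface=$1; local_ip=$2; gw=$3; net=$4; target=$5; table=$6
    # On-link network of the tunnel, so the gateway resolves inside this table.
    printf 'ip route add %s dev %s table %s\n' "$net" "$iface" "$table"
    # The host under test, reachable via this tunnel's gateway only.
    printf 'ip route add %s/32 via %s dev %s table %s\n' "$target" "$gw" "$iface" "$table"
    # Packets sourced from this tunnel's local address consult this table first.
    printf 'ip rule add from %s/32 lookup %s\n' "$local_ip" "$table"
}

# Print the commands that undo tunnel_cmds (rule first, then the table).
teardown_cmds() {
    local_ip=$1; table=$2
    printf 'ip rule del from %s/32 lookup %s\n' "$local_ip" "$table"
    printf 'ip route flush table %s\n' "$table"
}

# The probe itself: binding curl to the tunnel's local address is what makes
# the 'from' rule, rather than the main table, choose the path.
probe_cmd() {
    local_ip=$1; target=$2
    printf 'curl --silent --max-time 5 --interface %s http://%s/\n' "$local_ip" "$target"
}

# Execute the generated commands, or only print them when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then cat; else sh -e; fi
}

# One complete check for one tunnel, e.g. from an OpenVPN --up script:
#   check_tunnel "$dev" "$ifconfig_local" "$route_vpn_gateway" 10.197.2.0/24 69.30.217.90
# Several tunnels can run this concurrently; each touches only its own table.
check_tunnel() {
    iface=$1; local_ip=$2; gw=$3; net=$4; target=$5
    table=$(table_for_iface "$iface")
    tunnel_cmds "$iface" "$local_ip" "$gw" "$net" "$target" "$table" | run
    probe_cmd "$local_ip" "$target" | run
    teardown_cmds "$local_ip" "$table" | run
}

# Demo with the (constructed) addresses from the question; prints, does not apply.
if [ "${1:-}" = demo ]; then
    DRY_RUN=1
    check_tunnel tun0 10.197.2.8 10.197.2.1 10.197.2.0/24 69.30.217.90
    check_tunnel tun1 10.197.14.8 10.197.14.1 10.197.14.0/24 69.30.217.90
fi
```

Run it as `sh probes.sh demo` to see the generated commands without root; without DRY_RUN it needs CAP_NET_ADMIN to apply them. Because the rule keys on the tunnel's local address, two tunnels with the same remote target never collide, which is exactly the failure the question describes with two host routes in the main table.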