
I'm trying to run multiple openvpn instances at the same time. Everything works fine running a single one, but I would like to have several instances, each connected to a different host, and from there be able to use the interface that I want.

I'm trying it like this:

France.ovpn

client
dev tun
proto udp
remote france.privateinternetaccess.com
lport 1190
resolv-retry infinite
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/piaauth.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
lport 1189
rport 1198


sudo /usr/sbin/openvpn --config /etc/openvpn/France.ovpn --dev tun0

Fri Dec 16 16:59:32 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Fri Dec 16 16:59:32 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Fri Dec 16 16:59:32 2016 WARNING: file '/etc/openvpn/piaauth.txt' is group or others accessible
Fri Dec 16 16:59:32 2016 UDPv4 link local (bound): [undef]
Fri Dec 16 16:59:32 2016 UDPv4 link remote: [AF_INET]108.61.122.121:1198
Fri Dec 16 16:59:32 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Dec 16 16:59:32 2016 [113b1963081eb5270c22e4405fb71051] Peer Connection Initiated with [AF_INET]108.61.122.121:1198
Fri Dec 16 16:59:34 2016 TUN/TAP device tun0 opened
Fri Dec 16 16:59:34 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Dec 16 16:59:34 2016 /sbin/ip link set dev tun0 up mtu 1500
Fri Dec 16 16:59:34 2016 /sbin/ip addr add dev tun0 local 10.43.10.6 peer 10.43.10.5
Fri Dec 16 16:59:34 2016 Initialization Sequence Completed

After this everything is working. But when I run the next ovpn instance I get some errors.

Toronto.ovpn

client
dev tun
proto udp
remote ca-toronto.privateinternetaccess.com
resolv-retry infinite
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/piaauth.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
lport 1192
rport 1198


sudo /usr/sbin/openvpn --config /etc/openvpn/Toronto.ovpn --dev tun1

Fri Dec 16 16:59:57 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Fri Dec 16 16:59:57 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Fri Dec 16 16:59:57 2016 WARNING: file '/etc/openvpn/piaauth.txt' is group or others accessible
Fri Dec 16 16:59:57 2016 UDPv4 link local (bound): [undef]
Fri Dec 16 16:59:57 2016 UDPv4 link remote: [AF_INET]172.98.67.16:1198
Fri Dec 16 16:59:57 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Dec 16 16:59:58 2016 [484ec5eff7d70137ae07ee3ec5e62b80] Peer Connection Initiated with [AF_INET]172.98.67.16:1198
Fri Dec 16 17:00:00 2016 TUN/TAP device tun1 opened
Fri Dec 16 17:00:00 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Dec 16 17:00:00 2016 /sbin/ip link set dev tun1 up mtu 1500
Fri Dec 16 17:00:00 2016 /sbin/ip addr add dev tun1 local 10.84.10.6 peer 10.84.10.5
RTNETLINK answers: File exists
Fri Dec 16 17:00:00 2016 ERROR: Linux route add command failed: external program exited with error status: 2
RTNETLINK answers: File exists
Fri Dec 16 17:00:00 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Dec 16 17:00:00 2016 Initialization Sequence Completed

Here ip link and ip addr both fail.

This is my routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.43.10.5      128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    0      0        0 enp3s0
10.43.10.1      10.43.10.5      255.255.255.255 UGH   0      0        0 tun0
10.43.10.5      *               255.255.255.255 UH    0      0        0 tun0
10.84.10.1      10.84.10.5      255.255.255.255 UGH   0      0        0 tun1
10.84.10.5      *               255.255.255.255 UH    0      0        0 tun1
108.61.122.121  192.168.1.1     255.255.255.255 UGH   0      0        0 enp3s0
128.0.0.0       10.43.10.5      128.0.0.0       UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 enp3s0
172.98.67.16    192.168.1.1     255.255.255.255 UGH   0      0        0 enp3s0
192.168.1.0     *               255.255.255.0   U     0      0        0 enp3s0

And this is my ifconfig:

enp3s0    Link encap:Ethernet  HWaddr 
          inet addr:192.168.1.128  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::beae:c5ff:fe5a:7ec/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1146017 errors:0 dropped:0 overruns:0 frame:0
          TX packets:727717 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1500194552 (1.5 GB)  TX bytes:117446235 (117.4 MB)
          Interrupt:40 

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.43.10.6  P-t-P:10.43.10.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2143 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:2312566 (2.3 MB)  TX bytes:170653 (170.6 KB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.84.10.6  P-t-P:10.84.10.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I think that I only need to configure some routes, am I right?

therealbigpepe

1 Answer


The 1st VPN instance adds 2 routes pushed by the server using push "redirect-gateway def1". Option def1 overrides the default gateway by using 0.0.0.0/1 and 128.0.0.0/1.

The 2nd VPN instance tries the same and fails to add those 2 routes, because they already exist. Only 1 default route is allowed.

You have at least 2 options:

  1. Add directive route-noexec to the client config of VPN instance 2

--route-noexec

Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.

Now routes will be pulled, but not added to your system. You can do your own routing using a script. Example:

route-up add-routes.sh

  2. Or add directive route-noexec to the client config of both VPN instances

Add route-up scripts and set up policy-based routing.

rda
Thanks @rda, that did the trick; now I'm trying to apply the proper routes. I've created a new question because I think it is not appropriate to ask about routing here. Here it is: http://serverfault.com/questions/821583/routes-for-two-openvpn-connections-different-hosts-in-the-same-client – therealbigpepe Dec 19 '16 at 13:28
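The route-up script that rda's second option calls for, written here as an added example (it is not from the thread or from PIA): it gives every tunnel its own routing table keyed on the tun index (tun0 is table 100, tun1 is table 101, an assumption of this script) and a source-address rule, so the two instances never fight over the 0.0.0.0/1 and 128.0.0.0/1 routes. It relies on the environment variables OpenVPN exports to --route-up scripts (dev, ifconfig_local, route_vpn_gateway, trusted_ip, route_net_gateway, script_type) and prints the ip commands from a function so they can be checked without root.

```shell
#!/bin/sh
# add-routes.sh: an OpenVPN --route-up script for policy-based routing.
# Hypothetical helper written for this thread, not part of the original post.
# Assumptions: OpenVPN exports dev, ifconfig_local, route_vpn_gateway,
# trusted_ip, route_net_gateway and script_type to --route-up scripts, and
# each tunnel gets its own routing table: tun0 -> table 100, tun1 -> 101.

# Print the ip(8) commands for one tunnel instead of running them, so the
# logic can be checked without root. Arguments:
#   $1 dev  $2 ifconfig_local  $3 route_vpn_gateway  $4 trusted_ip  $5 route_net_gateway
pbr_commands() {
    tun="$1"; tun_ip="$2"; vpn_gw="$3"; server_ip="$4"; lan_gw="$5"
    idx="${tun#tun}"
    case "$idx" in
        ''|*[!0-9]*) echo "unexpected device name: $tun" >&2; return 1 ;;
    esac
    table=$((100 + idx))
    # The VPN server itself must stay reachable via the LAN gateway (main
    # table); with route-noexec OpenVPN no longer adds this host route itself.
    echo "ip route replace $server_ip/32 via $lan_gw"
    # A single default route in a private table replaces the 0.0.0.0/1 and
    # 128.0.0.0/1 pair: nothing in this table collides with the other instance.
    echo "ip route replace default via $vpn_gw dev $tun table $table"
    # Traffic sourced from this tunnel's address is looked up in that table.
    echo "ip rule add from $tun_ip lookup $table pref $table"
}

# Only apply the commands when OpenVPN really calls us as a route-up script.
if [ "${script_type:-}" = "route-up" ]; then
    pbr_commands "$dev" "$ifconfig_local" "$route_vpn_gateway" \
                 "$trusted_ip" "$route_net_gateway" | sh -e
fi
```

Enable it with script-security 2, route-noexec and route-up /etc/openvpn/add-routes.sh in each client config; an application bound to a tunnel address (for example curl --interface 10.84.10.6 ...) then leaves through tun1. A matching route-pre-down script should remove the rule again (ip rule del pref 101), since ip rule add is not idempotent across reconnects.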