Routes for two openvpn connections (different hosts) in the same client

Question

Im trying to make multiple tunnels in the same client, and after a successful connection to the openvpn server I've applied some routes for the tunnels created without success. My first tunnel works but the second one does not. Im doing it like this:

Routes before doing nothing

default         192.168.1.1     0.0.0.0         UG    0      0        0 enp3s0
link-local      *               255.255.0.0     U     1000   0        0 enp3s0
192.168.1.0     *               255.255.255.0   U     0      0        0 enp3s0

First tunnel

France.ovpn

client
dev tun
proto udp
remote france.privateinternetaccess.com
lport 1190
resolv-retry infinite
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/piaauth.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
lport 1189
rport 1198

|

sudo /usr/sbin/openvpn --config /etc/openvpn/France.ovpn --dev tun0 --route-noexec


sudo route add -net 10.88.10.1 gw 10.88.10.5 netmask 255.255.255.255 dev tun0
sudo route add -net 10.88.10.5 gw * netmask 255.255.255.255 dev tun0
sudo route add -net 128.0.0.0 gw 10.88.10.5 netmask 128.0.0.0 dev tun0
sudo route add -net 172.98.67.121 gw 192.168.1.1 netmask 255.255.255.255 enp3s0

Routes after first tunnel

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 enp3s0
10.88.10.1      10.88.10.5      255.255.255.255 UGH   0      0        0 tun0
10.88.10.5      *               255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.88.10.5      128.0.0.0       UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 enp3s0
172.98.67.121   192.168.1.1     255.255.255.255 UGH   0      0        0 enp3s0
192.168.1.0     *               255.255.255.0   U     0      0        0 enp3s0

All works perfect

Now I try with this:

Norway.ovpn

client
dev tun
proto udp
remote no.privateinternetaccess.com
resolv-retry infinite
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/piaauth.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
lport 1187
rport 1198

sudo /usr/sbin/openvpn --config /etc/openvpn/Norway.ovpn --route-noexec

sudo route add -net 10.39.10.1 gw 10.39.10.5 netmask 255.255.255.255 dev tun1
sudo route add -net 10.39.10.5 gw * netmask 255.255.255.255 dev tun1
sudo route add -net 108.61.123.81 gw 192.168.1.1 netmask 255.255.255.255 enp3s0

Routes now:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 enp3s0
10.39.10.1      10.39.10.5      255.255.255.255 UGH   0      0        0 tun1
10.39.10.5      *               255.255.255.255 UH    0      0        0 tun1
10.8.10.1       10.8.10.5       255.255.255.255 UGH   0      0        0 tun0
10.8.10.5       *               255.255.255.255 UH    0      0        0 tun0
108.61.123.81.c 192.168.1.1     255.255.255.255 UGH   0      0        0 enp3s0
128.0.0.0       10.8.10.5       128.0.0.0       UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 enp3s0
172.98.67.121   192.168.1.1     255.255.255.255 UGH   0      0        0 enp3s0
192.168.1.0     *               255.255.255.0   U     0      0        0 enp3s0

And I think that the problem comes after trying to add the last route:

sudo route add -net 128.0.0.0 gw 10.39.10.5 netmask 128.0.0.0 dev tun1

because I used 128.0.0.0 previously with tun0. I tried to change it for something different like 252.0.0.0 or 224.0.0.0 for example but it does not work. And if I try with 128.0.0.0 tun1 works but tun0 does not. What should I do in order to make both tunnels working at the same time?

Answer 1

Main routing table

Only 1 default route is possible per routing table. If you want to add the routes to the main routing table, then you need to decide which gateway shall be used as default route.

When redirect-gateway def1 is used, OpenVPN adds 2 (more specific) routes (each one of them matching half of the ip address range) to the main routing table which override the default route without deleting it:

0.0.0.0/1 via 10.8.0.1 dev tun0       # network 0.0.0.0    mask 128.0.0.0
default via 10.0.2.2 dev eth0         # network 0.0.0.0    mask 0.0.0.0
128.0.0.0/1 via 10.8.0.1 dev tun0     # network 128.0.0.0  mask 128.0.0.0

The same applies for these 2 override routes. It is not possible to add another route with 0.0.0.0/1 or 128.0.0.0/1 to the main routing table.

Policy based routing

I suspect what you want to do is to configure some sort of split tunneling. It can be achieved using policy based routing as follows, assuming that the tun0 and tun1 devices are used.

First add 2 more routing tables:

echo "100 tun0" >> /etc/iproute2/rt_tables
echo "101 tun1" >> /etc/iproute2/rt_tables

Create a /etc/openvpn/route-up.sh script to automatically add routes when openvpn connects:

#!/bin/bash

RULE_EXIST=$(ip rule list | grep "from ${ifconfig_local}" | wc -l)
if [ $RULE_EXIST -ne 0 ]; then
  ip rule del from "${ifconfig_local}" lookup "${dev}"
fi
ip rule add from "${ifconfig_local}" lookup "${dev}"
ip route add default via "${route_vpn_gateway}" dev "${dev}" table "${dev}"

Run chmod +x /etc/openvpn/route-up.sh

Add those lines to the OpenVPN client config files:

route-noexec
route-up /etc/openvpn/route-up.sh
script-security 2

Now connect with both clients and check the routing tables:

root@debian:/etc/openvpn# ip route show
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0  scope link  src 10.0.2.15
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.2

root@debian:/etc/openvpn# ip route show table tun0
default via 10.8.0.1 dev tun0

root@debian:/etc/openvpn# ip route show table tun1
default via 10.0.2.2 dev eth0

root@debian:/etc/openvpn# ip rule show
0:      from all lookup local
32762:  from 10.8.0.2 lookup tun0
32763:  from 10.0.2.15 lookup tun1
32766:  from all lookup main
32767:  from all lookup default

Now you need to decide what to do. For example to enable simple load balancing, add the following route:

ip route del default
ip route add default scope global nexthop via 10.8.0.1 dev tun0 weight 1 \
nexthop via 10.0.2.2 dev eth0 weight 1

After that, the main routing table looks as follows:

root@debian:/etc/openvpn# ip route show
default
        nexthop via 10.8.0.1  dev tun0 weight 1
        nexthop via 10.0.2.2  dev eth0 weight 1
10.0.2.0/24 dev eth0  scope link  src 10.0.2.15
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.2

Using policy based routing, you can do cool things. See references below for more ideas.

OpenVPN script debugging

Add this to the route-up.sh script to help debugging and see what variables are available:

log=/tmp/ovpn.log
exec >>"$log" 2>&1
chmod 666 "$log" 2>/dev/null
printenv

Then run tail -f /tmp/ovpn.log while connecting.

References

• Marking packets with iptables for policy routing based on port
• A Quick Introduction to Linux Policy Routing
• Linux Advanced Routing & Traffic Control HOWTO
• Guide to IP Layer Network Administration with Linux