
I have setup an OpenVPN server for remote clients to access a server that will be sending them multicast traffic, however I am unable to receive any multicast traffic. The application makes a successful connection to the server in question, but traffic is not flowing. Is this possible in a TUN setup? I would like to avoid a bridged setup if possible.

NETWORK TOPOLOGY

Internal LAN 172.30.66.0/24

VPN server: LAN IP 172.30.66.157, Public IP xxx.xxx.xxx.167, VPN TUN IP 10.8.0.1

Router/Firewall/Gateway: 172.30.66.1 (separate server from the VPN server), Public IP xxx.xxx.xxx.161

Server Config

    port 1195
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 172.30.66.0 255.255.255.0"
    keepalive 10 120
    tls-auth ta.key 0
    cipher AES-256-CBC
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log
    verb 4
    explicit-exit-notify 1

Client Config

    client
    dev tun
    proto udp
    remote xxx.xxx.xxx.167 1195
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    remote-cert-tls server
    tls-auth ta.key 1
    cipher AES-256-CBC
    verb 4

ROUTING AND FIREWALL INFO

Network and routing info for the gateway/router

eth0      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:34
      inet addr:172.30.66.1  Bcast:172.30.66.255  Mask:255.255.255.0
      inet6 addr: fe80::215:17ff:feb8:e034/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:60590989 errors:0 dropped:0 overruns:0 frame:0
      TX packets:124713096 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:4959044399 (4.6 GiB)  TX bytes:79112208698 (73.6 GiB)
      Interrupt:28 Memory:da020000-da040000

eth1      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:35
      inet addr:xxx.xxx.xxx.62  Bcast:xxx.xxx.xxx.63  Mask:255.255.255.252
      inet6 addr: fe80::215:17ff:feb8:e035/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:143591842 errors:0 dropped:0 overruns:0 frame:0
      TX packets:433909800 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:87043706669 (81.0 GiB)  TX bytes:166155469966 (154.7 GiB)
      Interrupt:36 Memory:da060000-da080000

eth2      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:36
      inet addr:xxx.xxx.xxx.161  Bcast:xxx.xxx.xxx.175  Mask:255.255.255.240
      inet6 addr: fe80::215:17ff:feb8:e036/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:374270778 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2437893 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:158649519904 (147.7 GiB)  TX bytes:552647203 (527.0 MiB)
      Interrupt:36 Memory:da120000-da140000

lo        Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      RX packets:10 errors:0 dropped:0 overruns:0 frame:0
      TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:688 (688.0 b)  TX bytes:688 (688.0 b)


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.60  *               255.255.255.252 U     0      0        0 eth1
xxx.xxx.xxx.160  *               255.255.255.240 U     0      0        0 eth2
172.30.66.0     *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        172.30.66.157   255.255.255.0   UG    0      0        0 eth0
default         xxx.xxx.xxx.61. 0.0.0.0         UG    0      0        0 eth1

Network and routing info for the VPN server

eth2      Link encap:Ethernet  HWaddr A0:36:9F:E2:B3:2E
      inet addr:xxx.xxx.xxx.167  Bcast:xxx.xxx.xxx.175  Mask:255.255.255.240
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:8222 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2009 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:1235747 (1.1 MiB)  TX bytes:462680 (451.8 KiB)

eth3      Link encap:Ethernet  HWaddr A0:36:9F:E2:B3:2F
      inet addr:172.30.66.157  Bcast:172.30.66.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:38220 errors:0 dropped:0 overruns:0 frame:0
      TX packets:696 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:9821255 (9.3 MiB)  TX bytes:64314 (62.8 KiB)

lo        Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:424 errors:0 dropped:0 overruns:0 frame:0
      TX packets:424 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:36072 (35.2 KiB)  TX bytes:228498 (223.1 KiB)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.117.52.160  *               255.255.255.240 U     0      0        0 eth2
172.30.66.0     *               255.255.255.0   U     0      0        0 eth3
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
default         Router-Eth0-P 0.0.0.0         UG    0      0        0 eth3

Current IPTABLES on the VPN

Chain INPUT (policy ACCEPT 34819 packets, 9286K bytes)
pkts bytes target     prot opt in     out     source               destination
5659 1040K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2   115 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
1    52 ACCEPT     tcp  --  *      *       172.30.66.0/24       0.0.0.0/0           tcp dpt:22
2   104 ACCEPT     tcp  --  *      *       10.8.0.0/24          0.0.0.0/0           tcp dpt:22
4   160 DROP       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
0     0 ACCEPT     udp  --  eth3   *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1195
0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 4 packets, 160 bytes)
pkts bytes target     prot opt in     out     source               destination
24  3232 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  tun+   eth3    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
21  4265 ACCEPT     all  --  eth3   tun+    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 2426 packets, 520K bytes)
pkts bytes target     prot opt in     out     source               destination
448  231K ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0

Current IPTABLES on the router/gateway

Chain INPUT (policy ACCEPT 1607 packets, 117K bytes)
pkts bytes target     prot opt in     out     source               destination
289  254K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
10   688 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     udp  --  eth0   *       172.30.66.0/24       0.0.0.0/0           udp dpt:161
0     0 ACCEPT     tcp  --  eth0   *       172.30.66.0/24       0.0.0.0/0           tcp dpt:161
221K   13M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10050
101M   59G ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6732  431K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
285 12124 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
973 58340 ACCEPT     tcp  --  *      *       172.30.66.0/24       0.0.0.0/0           tcp dpt:22
0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
17337 1158K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
1200  394K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10050
0     0 ACCEPT     esp  --  eth1   *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
0     0 ACCEPT     2    --  tun0   *       0.0.0.0/0            0.0.0.0/0
235K   57M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
5168  226K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02

Chain FORWARD (policy ACCEPT 26053 packets, 1581K bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  eth1   *       172.20.176.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 2 proto 50
0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.176.64/28    policy match dir out pol ipsec reqid 2 proto 50
86M   44G ACCEPT     all  --  eth1   *       172.20.168.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 1 proto 50
39M 1833M ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.168.64/28    policy match dir out pol ipsec reqid 1 proto 50
0     0 ACCEPT     all  --  eth1   *       172.20.176.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 2 proto 50
0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.176.64/28    policy match dir out pol ipsec reqid 2 proto 50
0     0 ACCEPT     all  --  eth1   *       172.20.168.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 1 proto 50
0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.168.64/28    policy match dir out pol ipsec reqid 1 proto 50
12M 1317M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
14M   22G ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
149K 9702K ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
173K  246M ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
313M  128G ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0
2039K  458M ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.30.66.157       udp dpt:1195 state NEW,RELATED,ESTABLISHED
0     0 ACCEPT     all  --  tun0   eth3    10.8.0.0/24          172.30.66.0/24      ctstate NEW
28  1568 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED


Chain OUTPUT (policy ACCEPT 103K packets, 7158K bytes)
pkts bytes target     prot opt in     out     source               destination
46M 5245M ACCEPT     esp  --  *      eth1    0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
18  2960 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500

Any help is greatly appreciated. Thanks.

scott
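One check worth running on the VPN server before touching IGMP or PIM, added here as an example and not part of the original post: when a sender does not pin an outgoing interface with `IP_MULTICAST_IF`, the Linux kernel picks the interface for a multicast group by an ordinary routing-table lookup, so with the table posted above a group such as 239.1.1.1 falls through to the default route on eth3 rather than tun0. The script replays that lookup over the posted table (group address and the candidate `224.0.0.0/4` route are constructed values).

```python
import ipaddress

MCAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample: the VPN server's "Kernel IP routing table" as posted above
# (the default route's gateway column is a hostname on the page, kept verbatim).
SAMPLE_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.117.52.160  *               255.255.255.240 U     0      0        0 eth2
172.30.66.0     *               255.255.255.0   U     0      0        0 eth3
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
default         Router-Eth0-P   0.0.0.0         UG    0      0        0 eth3
"""


def parse_routes(text):
    """Parse 'route -n'-style output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Destination", "Kernel"):
            continue  # header or noise
        dest = "0.0.0.0" if cols[0] == "default" else cols[0]
        net = ipaddress.ip_network(f"{dest}/{cols[2]}", strict=False)
        routes.append((net, cols[1], cols[7]))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, mirroring the kernel's choice of output interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None


def multicast_check(routes, group, vpn_iface="tun0"):
    """Would traffic to `group` leave via the VPN interface when the sender
    does not set IP_MULTICAST_IF? Also report whether an explicit multicast
    route (anything inside 224.0.0.0/4, default route excluded) exists."""
    iface = egress_interface(routes, group)
    explicit = any(net.prefixlen > 0 and net.overlaps(MCAST) for net, _, _ in routes)
    return {"egress": iface, "via_vpn": iface == vpn_iface,
            "explicit_multicast_route": explicit}


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print(multicast_check(table, "239.1.1.1"))  # constructed group address
```

Adding a `224.0.0.0/4` route via tun0 (or having the application set `IP_MULTICAST_IF`) changes the egress to tun0; it does not by itself make the router forward the group onward, which is the IGMP/PIM point raised in the comments.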
  • Multicast routing is very different than unicast routing. Multicast is a form of broadcast, and like broadcast, it will not normally cross a layer-3 device, e.g. router. To overcome this, you use IGMP and PIM to route multicast. You should also be aware that many tunnels cannot transport multicast. You need a GRE tunnel. – Ron Maupin May 25 '17 at 00:57
  • I can change to tap if that would help. I would like to avoid a bridge though. Can I mangle the matching frames with an iptable rule? – scott May 25 '17 at 02:00
  • What you need to do is to run IGMP on the LANs where the source and destination(s) are, and PIM on your routers. Multicast will start out with a TTL of `1`, and PIM-DM will send it everywhere, while PIM-SM will use an RP. Multicast routing is _very_ different than unicast routing. Modern switches with IGMP snooping will also be a problem on the LANs. See [this answer](https://serverfault.com/questions/814259/use-ip-route-add-to-add-multicast-routes-to-multiple-interfaces/814296#814296) that I wrote for someone else that explains things. – Ron Maupin May 25 '17 at 02:06
  • Thank you for your help. I will look more into that. I greatly appreciate it. – scott May 25 '17 at 02:16

0 Answers