
I have multiple VPN connections which use the same gateway IP (I do not have the ability to change this as it is out of my control). These VPNs all provide access to different networks, and the networks are at least one or two hops upstream, so a gateway IP is required in all cases. With Linux, to route to the networks, I can simply do:

ip route add $destination_1 via $gateway_ip dev $interface_1
ip route add $destination_2 via $gateway_ip dev $interface_2
ip route add $destination_3 via $gateway_ip dev $interface_3

etc.

Linux will then place the traffic for each destination network onto the correct interfaces, headed for the correct gateway, so it doesn't matter that the gateway IP is the same for each interface.

My question is, how can I achieve this in OpenBSD? I have tried and failed. My findings are that for a particular destination, I can either:

  • specify an interface (if the destination is directly reachable on that link - which it isn't in my case)
  • specify a gateway IP because the destination is not directly on link

But I can't figure out how to specify both.

bao7uo
  • Are you sure a gateway is required? If the link is Ethernet and the target is more than one hop away a gateway is required. But VPNs often behave as point-to-point interfaces which don't need a gateway. – kasperd Aug 06 '17 at 14:25
  • Yes, it's definitely required as although the interfaces are point-to-point, the destination networks are all more than one hop away and there is IP forwarding and NAT involved – bao7uo Aug 07 '17 at 09:09
  • Point-to-point links don't care about gateways. – kasperd Aug 07 '17 at 19:15
  • OK, but how can I get it to work then? – bao7uo Aug 08 '17 at 14:26
  • How about using the `-T` option to `route` and defining a routing table for each destination? I think it provides better "insulation" for per interface rules. – gmelis Aug 08 '17 at 14:45
  • The VPN does use TAP adapters and it is not point to point after all! The gateway needs to be set to the remote IP of the VPN - i.e. the remote TAP adapter. On each VPN the gateway IP is the same, and openvpn sets up a route to the gateway IP when you establish the VPN connection. This works the first time, but that first route then prevents subsequent openvpn connections from setting their own routes. Without that route to the gateway, the -ifp syntax cannot be used. In Linux it all just works, but OpenBSD seems to hate the idea of remote gateways with the same IP on different adapters. – bao7uo Aug 10 '17 at 12:20

1 Answer


Use the -ifp modifier to route. From the man page:

In a change or add command where the destination and gateway are not
sufficient to specify the route, the -ifp or -ifa modifiers may be 
used to determine the interface name or interface address.

So something like this works:

# for arg in tun0 tun1 tun2; do ifconfig $arg 192.168.11.1/24; done
# route add 10/8 -iface 192.168.11.1 -ifp tun0
add net 10/8: gateway 192.168.11.1
# route add 172.16/12 -iface 192.168.11.1 -ifp tun1
add net 172.16/12: gateway 192.168.11.1
# route add 192.168.254/24 -iface 192.168.11.1 -ifp tun2
add net 192.168.254/24: gateway 192.168.11.1
# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
10/8               192.168.11.1       GS         0        0     -     8 tun0
localhost          localhost          UHl        0       22 32768     1 lo0
172.16/12          192.168.11.1       S          0        0     -     8 tun1
192.168.11.1       192.168.11.1       UHhl       1        4     -     1 tun0
[...my real routes omitted...]
192.168.254/24     192.168.11.1       S          0        0     -     8 tun2

If your destination routes are overlapping then you can use pf and route labels to match, or routing domains.

quadruplebucky
  • Thanks for this. I have tried it and couldn't get it to work. I don't think `-iface` applies because the gateway address is for an upstream router (next hop), not an IP of an interface on the openbsd box itself. When I removed the -iface it did work, but only for the first VPN interface. So I can do `-ifp tap0` and it works, but if I do `-ifp tap1` it fails with `no route to host` when I try to add the route. – bao7uo Aug 07 '17 at 18:05
  • Even though it didn't resolve the problem, I have awarded you the bounty because I am grateful that you tried to help. – bao7uo Aug 11 '17 at 11:53
  • I'm honestly puzzled by what linux is doing under the hood there...BSD is doing the "right" thing by complaining about gw not being local. Have you tried the `-link -llinfo` flags to the route command? Also, I think `-iface` does apply (you get the error without routing tables/domains, as you noted, because the network route conflicts and can't be added again). OpenVPN / tap? Wondering what's provisioning the "other" end, if it's a fake p-t-p. – quadruplebucky Aug 12 '17 at 19:35
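As an added example (not code from the question or the answer above), the script below automates the answer's approach: several VPN interfaces that all point at the same next-hop address, each destination network pinned to one interface with route(8)'s `-ifp` modifier, followed by a `route -n get` check that the kernel really picked that interface. It also covers the routing-table variant raised in the comments and at the end of the answer: a destination spec of the form `dest=iface@N` puts the interface into rdomain N and adds the route with `route -T N`, which sidesteps the conflict between identical gateway routes on different interfaces. The interface names, addresses and networks are constructed for illustration, and `DRY_RUN=1` prints the commands instead of running them so the logic can be read and exercised on a host that is not the OpenBSD router. Note that the asker reported the plain `-ifp` form working only for the first interface on their setup, so the `verify_route` check is the part to run after every `setup_routes` call.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Pins each destination
# network to its own VPN interface on OpenBSD with route(8) -ifp, optionally
# in a separate routing domain. All names and addresses below are constructed.

GATEWAY=${GATEWAY:-192.168.11.1}     # constructed: next-hop shared by every VPN
LOCAL=${LOCAL:-192.168.11.2/24}      # constructed: local address on each link
DRY_RUN=${DRY_RUN:-0}                # 1 = print commands instead of running them

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the route(8) add command for destination $1 via interface $2.
# A bare gateway route is ambiguous here because the gateway address is
# reachable on every VPN interface; -ifp names the interface explicitly.
# Optional $3 is a routing table id, selected with route -T.
route_add_cmd() {
    printf 'route %s-n add %s %s -ifp %s' "${3:+-T $3 }" "$1" "$GATEWAY" "$2"
}

# $1 is a whitespace-separated list of dest=iface or dest=iface@rdomain specs.
setup_routes() {
    for spec in $1; do
        dest=${spec%%=*}
        rest=${spec#*=}
        ifp=${rest%%@*}
        rt=""
        case $rest in *@*) rt=${rest#*@} ;; esac
        # An interface moved into rdomain N gets its routes from table N.
        [ -n "$rt" ] && run ifconfig "$ifp" rdomain "$rt"
        run ifconfig "$ifp" "$LOCAL"
        run $(route_add_cmd "$dest" "$ifp" "$rt")
    done
}

# Return 0 when the kernel would send traffic for $1 out of interface $2.
# route -n get prints an "interface:" line naming the chosen interface.
verify_route() {
    route -n get "$1" 2>/dev/null |
        awk -v want="$2" '$1 == "interface:" && $2 == want { ok = 1 } END { exit !ok }'
}

if [ -n "${RUN_SETUP:-}" ]; then
    setup_routes "10.0.0.0/8=tun0 172.16.0.0/12=tun1 192.168.254.0/24=tun2@1"
    verify_route 10.0.0.1 tun0 && echo "10/8 pinned to tun0"
    verify_route 172.16.0.1 tun1 && echo "172.16/12 pinned to tun1"
fi
```

Run it as root with `RUN_SETUP=1 sh pin-routes.sh`, or with `DRY_RUN=1` first to review the exact `ifconfig` and `route` invocations. For the rdomain variant, remember that only processes started under `route -T N exec ...` use table N, so clients that must reach that destination need to be launched that way.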