Routing for VPN network

Ondrej Zajicek santiago at crfreenet.org
Wed Apr 6 11:26:30 CEST 2011


On Wed, Apr 06, 2011 at 03:15:29AM +0200, Ask Bjørn Hansen wrote:
> 
> On Apr 3, 2011, at 18:35, Ondrej Zajicek wrote:
> 
> >> Would it make sense to use OSPF for this instead?  My only experience
> >> with OSPF is setting it up between routers in one site so they know how
> >> to get to the 'next hop' of routes coming in and shared via BGP/IBGP.
> > 
> > I think OSPF should work just right for such setting.
> 
> Thank you!
> 
> I got it to work in a basic test setup.  When I "upgraded" OpenVPN to use certificates and server mode (so the servers can use a relatively simple configuration) I can no longer make it work.
> 
> Maybe the hack that OpenVPN uses in this mode is incompatible with bird.  I'll explain to have you verify or maybe suggest a work-around.
> 
> I have OpenVPN use a 'pool' of addresses (10.221.0.0/24).
> 
> What it does is setup tun0 as a PtP link (.1 being itself and .2 being the 'remote') and then add a route for 10.221.0.0/24 going to 10.221.0.2.   Then OpenVPN does the routing to the actual remote end-points (.4, .5, ...) internally.
> 
> From the manual page I gathered that I need to use 'point to
> multipoint' mode and specify the neighbors manually.   I tried that; but

Yes, this is incompatible. BIRD generally assumes that direct neighbors
have IPs from the interfaces' address ranges (like .2 in this case). The
OpenVPN setting is definitely strange; it looks like two hops. The
proper and consistent addressing for that case is either to add one peer IP
address pair for each PTP link on tun0 (like .1 peer .3, .1 peer .4, .1
peer .5 ...) and appropriate peer addresses on the other ends (and use PTP
mode in BIRD), or to use 10.221.0.1/24 on tun0 and 10.221.0.3/24,
10.221.0.4/24 ... on the other ends and use PTMP mode in BIRD (the fact that
10.221.0.4 is not directly reachable from 10.221.0.3 is OK, that is what
PTMP means; BIRD would install /32 routes to 10.221.0.1).

So a possible fix/workaround might be to tweak OpenVPN to use the proper
addressing; the second way (one /24 prefix) might be easier. Or perhaps
just ditch OpenVPN completely and use IPIP or GRE tunnels protected by
IPsec (transport mode).

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
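Added illustration of the second layout Ondrej describes (one /24 prefix on tun0, PTMP mode in BIRD); this is not configuration from the thread or from the BIRD project. It assumes the OpenVPN server ends up with 10.221.0.1/24 on tun0 and the clients with 10.221.0.3/24 and 10.221.0.4/24 (OpenVPN's 'topology subnet' option produces that addressing, which is my addition, not something the thread states), and shows the hub and one spoke as two separate bird.conf fragments in one block.

```bird
# Hub (OpenVPN server): tun0 = 10.221.0.1/24, no hidden .2 hop any more.
router id 10.221.0.1;

protocol kernel {
    export all;        # install OSPF routes, incl. the /32 host routes to spokes
}
protocol device { }

protocol ospf {
    area 0 {
        interface "tun0" {
            type ptmp;     # spokes cannot reach each other directly; PTMP allows that
            neighbors {    # listed manually: hellos are unicast to each spoke
                10.221.0.3;
                10.221.0.4;
            };
        };
    };
}

# ---------------------------------------------------------------------
# Spoke (one OpenVPN client): tun0 = 10.221.0.3/24. The other spokes
# use the same fragment with their own router id and address.
router id 10.221.0.3;

protocol kernel {
    export all;        # the route to the hub is installed as 10.221.0.1/32
}
protocol device { }

protocol ospf {
    area 0 {
        interface "tun0" {
            type ptmp;
            neighbors { 10.221.0.1; };   # only the hub is a direct neighbor
        };
    };
}
```

Because every neighbor address now lies inside tun0's own /24, BIRD's assumption about direct neighbors holds on both sides, which is the point of the addressing change; the OSPF packets still travel inside the OpenVPN tunnel.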