From: Marco Gaiarin <gaio@sv.lnf.it>
To: lartc@vger.kernel.org
Subject: fwmark routing and OpenVPN...
Date: Thu, 17 Sep 2020 10:49:15 +0000 [thread overview]
Message-ID: <20200917104915.GL3666@sv.lnf.it> (raw)
I use in my firewalls (debian stretch, kernel 4.9.0-12-amd64, iptables
1.6.0+snapshot20161117-6) by years different internet connection in
load balancing (route based) using fwmarks.
Recently (for COVID, of course) i've setup on this box an OpenVPN
server, listening on all connection/interfaces.
OpenVPN client are point towards an A record DNS-ip aliased on all the
three connection (eg, clients roandomly select one of the connection).
Users complain that have to retry many times before they connect.
Server side i see:
Sep 17 12:07:14 tank ovpn-server[55840]: 45.13.80.130:45196 TLS: Initial packet from [AF_INET]45.13.80.130:45196, sidC3fc890 cad5507d
Googling around i've hit a page (i've lost link) that lit me a lamp.
Sniffing traffic on all three interfaces (currently) i get:
(line 1, inbound)
127 270.659375004 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
128 271.896770524 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
129 276.834533759 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
130 285.709393774 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
131 301.564398903 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
132 355.779240076 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
133 356.937076259 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
134 361.549173084 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
135 368.724624378 45.13.80.130 → 88.147.114.200 OpenVPN 86 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
(line 2, outbound)
33 432.043899703 88.37.116.142 → 45.13.80.130 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
34 433.201556082 88.37.116.142 → 45.13.80.130 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
35 437.286099130 88.37.116.142 → 45.13.80.130 OpenVPN 84 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
36 437.813630238 88.37.116.142 → 45.13.80.130 OpenVPN 92 MessageType: P_ACK_V1
37 444.989645902 88.37.116.142 → 45.13.80.130 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
(line 3, outbound)
28 350.793044884 37.186.212.162 → 45.13.80.130 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
29 351.959606450 37.186.212.162 → 45.13.80.130 OpenVPN 84 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
30 352.030123423 37.186.212.162 → 45.13.80.130 OpenVPN 92 MessageType: P_ACK_V1
31 356.846975139 37.186.212.162 → 45.13.80.130 OpenVPN 84 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
32 356.968050772 37.186.212.162 → 45.13.80.130 OpenVPN 92 MessageType: P_ACK_V1
33 364.847600208 37.186.212.162 → 45.13.80.130 OpenVPN 84 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
34 365.842935732 37.186.212.162 → 45.13.80.130 OpenVPN 92 MessageType: P_ACK_V1
35 379.981282619 37.186.212.162 → 45.13.80.130 OpenVPN 84 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
36 381.698151394 37.186.212.162 → 45.13.80.130 OpenVPN 92 MessageType: P_ACK_V1
and exactly what i suppose: openvpn receive on one interface, but
reply traffic flow to another.
My iptables rules are pretty clean my mangle PREROUTING chain is:
Chain PREROUTING (policy ACCEPT 129M packets, 99G bytes)
pkts bytes target prot opt in out source destination
5406M 3721G CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
17M 3039M MARK all -- vlan192 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 MARK xset 0x10/0xf0
14M 2892M MARK all -- vlan193 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 MARK xset 0x30/0xf0
399K 98M MARK all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 MARK xset 0x20/0xf0
and AFAI've understood 'netfilter packet flow' schema,
mangle/PREROUTING get evaluated also for input traffic.
This is aside effect of using this for 'local terminated udp traffic'?
Eg:
+ for UDP and TCP traffic that flow in FORWARD, conntrack do their job.
+ for TCP traffic in INPUT, conntrack CAN track the connection, and so
work.
+ for UDP traffic in INPUT, conntrack CANNOT track the connection, and
so when the local 'openvpn' process inject th UDP response to the
client, there's no tracking at all?
But last sentences does not match very well with the behaviour: when
OpenVPN connection is established (eg, when random input interface match
with random output interface ;), connection are pretty solid, so my
system 'remember' the interface... but this is probably OpenVPN
process itself, not the connection tracking?
What i'm missing? Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
next reply other threads:[~2020-09-17 10:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-17 10:49 Marco Gaiarin [this message]
2020-09-18 9:19 ` fwmark routing and OpenVPN Marco Gaiarin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200917104915.GL3666@sv.lnf.it \
--to=gaio@sv.lnf.it \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox