Linux PPP protocol development
* ppp / open vpn
From: tony.chamberlain @ 2011-01-12  0:20 UTC (permalink / raw)
  To: linux-ppp

For our customers I have to set up an openvpn server and client.
Our cell software creates Linux tunnels (e.g. tun0, tun1) when a cell
phone wants to do a data session.  Subsequently on startup our software
kills all the tunnels.  Unfortunately, it then kills the VPN client (this
on the client side).

So to get around this, a person at work changed in the ovpn file
dev tun0  to  dev ppp0 so it would not get killed.  As far as I understand
though, openvpn is not ppp.  I am wondering whether this will cause any
problems in CentOS, calling a tunnel ppp?

On a related note they want me to write something called "reroute" which
has a parameter (-V or -E) which will reroute all traffic, except 
192.168.5.10, either via VPN or via ETHERNET.  192.168.5.10 will always
go through VPN so I gave it its own route.  Basically what it does:

Through VPN:

0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 ppp0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 ppp0
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0

Through eth0 just
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0

I could remove the 0.0.0.0 with netmask 0.0.0.0 when routing through the
VPN but I don't want to forget what the original router (192.168.5.1) is.

So a question is, what has precedence, 0.0.0.0 with netmask 0.0.0.0 or
0.0.0.0 and 128.0.0.0 with a netmask of 128.0.0.0?  They both appear to
cover every address (not specifically specified in a previous route which I did not show).

For completion, here is the full set of routes:
10.6.1.50       192.168.5.15    255.255.255.255 UGH   0      0        0 eth0
192.168.5.10    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.4.55.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.0.0.0        192.168.5.15    255.0.0.0       UG    0      0        0 eth0
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 ppp0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 ppp0
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0

ppp0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.0.6  P-t-P:10.1.0.6  Mask:255.0.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

we need the ip address 10.0.1.6
10.4.55.X should definitely be eth0

* Re: ppp / open vpn
From: James Carlson @ 2011-01-12 14:57 UTC (permalink / raw)
  To: linux-ppp

On 01/11/11 19:20, tony.chamberlain@lemko.com wrote:
> For our customers I have to set up an openvpn server and client.
> Our cell software creates Linux tunnels (e.g. tun0, tun1) when a cell
> phone wants to do a data session.  Subsequently on startup our software
> kills all the tunnels.  Unfortunately, it then kills the VPN client (this
> on the client side).

Why not fix your software so that it doesn't kill all the tunnels?
Isn't that the root of the problem you're facing?

> So to get around this, a person at work changed in the ovpn file
> dev tun0  to  dev ppp0 so it would not get killed.  As far as I understand
> though, openvpn is not ppp.  I am wondering whether this will cause any
> problems in CentOS, calling a tunnel ppp?

I don't know that anyone uses or tests the software in that way, so
you'll have to let us know whether it works.  If you have problems,
though, you're probably on your own.

> Through eth0 just
> 0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
> 
> I could remove the 0.0.0.0 with netmask 0.0.0.0 when routing through the
> VPN but I don't want to forget what the original router (192.168.5.1) is.

One way to handle it would be to save it in a file.  I realize that's
less than optimal.

> So a question is, what has precedence, 0.0.0.0 with netmask 0.0.0.0 or
> 0.0.0.0 and 128.0.0.0 with a netmask of 128.0.0.0?  They both appear to
> cover every address (not specifically specified in a previous route which I did not show).

In IP forwarding, longer netmask = higher precedence.

So, yes, you could have a default 0.0.0.0/0 route pointing to the old
destination, and then cover it with two new routes to 0.0.0.0/1 and
128.0.0.0/1.  Those new routes would take precedence over the 0.0.0.0/0
route, because each has a longer netmask (1 > 0).

(For what it's worth, I find CIDR notation a little easier to grok than
explicit netmasks ... but express it whatever way makes sense to you.)

>           inet addr:10.1.0.6  P-t-P:10.1.0.6  Mask:255.0.0.0

That doesn't look happy.  Why would both the local and remote address be
equal?  (I wouldn't expect a functioning system to allow a configuration
like that.)

The whole point of a point-to-point interface (of any type; PPP, tunnel,
or otherwise) is that it connects two distinct IP nodes.  Distinct.  Not
one IP node to itself!

-- 
James Carlson         42.703N 71.076W         <carlsonj@workingcode.com>


* Re:  ppp / open vpn
From: tony.chamberlain @ 2011-01-12 15:17 UTC (permalink / raw)
  To: linux-ppp

>> inet addr:10.1.0.6 P-t-P:10.1.0.6 Mask:255.0.0.0

>That doesn't look happy. Why would both the local and remote address be
>equal? (I wouldn't expect a functioning system to allow a configuration
>like that.)

I thought the same thing, but that is how openvpnas sets up the routes.
As for changing the software so it does not kill all the tunnels, I agree
completely (as I agree they should use two different config files for
routing traffic, one to route everything through VPN and one to route
everything through ethernet) but I have no control over that.  I can't
change the software.

* Re: ppp / open vpn
From: James Carlson @ 2011-01-12 15:29 UTC (permalink / raw)
  To: linux-ppp

On 01/12/11 10:17, tony.chamberlain@lemko.com wrote:
>>> inet addr:10.1.0.6 P-t-P:10.1.0.6 Mask:255.0.0.0
> 
>> That doesn't look happy. Why would both the local and remote address be
>> equal? (I wouldn't expect a functioning system to allow a configuration
>> like that.)
> 
> I thought the same thing, but that is how openvpnas sets up the routes.
> As for changing the software so it does not kill all the tunnels, I agree
> completely (as I agree they should use two different config files for
> routing traffic, one to route everything through VPN and one to route
> everything through ethernet) but I have no control over that.  I can't
> change the software.

Ah, the classic overconstrained problem.  Good luck.

At least the IP routing part of the solution should work.

-- 
James Carlson         42.703N 71.076W         <carlsonj@workingcode.com>


* Re: ppp / open vpn
From: Jan Just Keijser @ 2011-01-12 21:17 UTC (permalink / raw)
  To: linux-ppp

Hi all,

I'm responding to this thread as I am more of an OpenVPN person than a 
PPP person. Hopefully I can shed some light on the things Tony is seeing.

James Carlson wrote:
>> So a question is, what has precedence, 0.0.0.0 with netmask 0.0.0.0 or
>> 0.0.0.0 and 128.0.0.0 with a netmask of 128.0.0.0?  They both appear to
>> cover every address (not specifically specified in a previous route which I did not show).
>>     
>
> In IP forwarding, longer netmask = higher precedence.
>
> So, yes, you could have a default 0.0.0.0/0 route pointing to the old
> destination, and then cover it with two new routes to 0.0.0.0/1 and
> 128.0.0.0/1.  Those new routes would take precedence over the 0.0.0.0/0
> route, because each has a longer netmask (1 > 0).
>
> (For what it's worth, I find CIDR notation a little easier to grok than
> explicit netmasks ... but express it whatever way makes sense to you.)
>
>   
The 0.0.0.0/1+128.0.0.0/1 route is an OpenVPN trick to redirect the 
default gateway while keeping the original route intact. When OpenVPN 
shuts down or crashes the default route is still available and you still 
have a working system. If the 0.0.0.0/0 route is replaced then you'd end 
up with a broken box.

>>           inet addr:10.1.0.6  P-t-P:10.1.0.6  Mask:255.0.0.0
>>     
>
> That doesn't look happy.  Why would both the local and remote address be
> equal?  (I wouldn't expect a functioning system to allow a configuration
> like that.)
>
> The whole point of a point-to-point interface (of any type; PPP, tunnel,
> or otherwise) is that it connects two distinct IP nodes.  Distinct.  Not
> one IP node to itself!
>
>   
This is another trick of OpenVPN to assign "linear addresses" to clients 
while using a PtP (tun) interface. It is enabled in OpenVPN 2.1 (and 
openvpnas, which is based on 2.1) by using the
  topology subnet
directive.
This trick *does* work on several platforms (Linux, BSD, MacOS, Windows, 
all with their respective special flags), but you need to be careful NOT 
to use the remote PtP address. Linux does not care whether the remote 
PtP address is the same as the local part. Linux does not even care if 
the 'tun' device has an IP address at all: it will still let you route 
data over it as long as you specify the right routing device. Data 
intended for the 'tun0' (or 'ppp0' interface in Tony's case) is simply 
sent to the 'tun' device. The OpenVPN process then picks it up, ships it 
to the other end of the tunnel and the reverse is done.


You can achieve the local routing of the 10.4.55.X subnet by adding a 
statement to the client-side OpenVPN config file
   route 10.4.55.0 255.255.255.0 net_gateway

But this is getting off-topic for this list ....

HTH,

JJK
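
Added example (not code from this thread, from OpenVPN or from pppd): a longest-prefix-match lookup run over the route table Tony posted, so James's "longer netmask wins" rule and JJK's point about the 0.0.0.0/1 + 128.0.0.0/1 pair can be checked offline. The table rows are copied from the original message; the lookup is a plain re-implementation of the kernel's selection rule, and `without_vpn_halves` models OpenVPN withdrawing its two /1 routes on shutdown or crash.

```python
"""Longest-prefix-match route selection over the routing table posted in
this thread.  Added example; not OpenVPN or pppd code."""
import ipaddress

# (destination, gateway, genmask, iface) as in Tony's 'full set of routes'.
ROUTES = [
    ("10.6.1.50",    "192.168.5.15", "255.255.255.255", "eth0"),
    ("192.168.5.10", "0.0.0.0",      "255.255.255.255", "ppp0"),
    ("192.168.5.0",  "0.0.0.0",      "255.255.255.0",   "eth0"),
    ("10.4.55.0",    "0.0.0.0",      "255.255.255.0",   "eth0"),
    ("169.254.0.0",  "0.0.0.0",      "255.255.0.0",     "eth0"),
    ("10.0.0.0",     "192.168.5.15", "255.0.0.0",       "eth0"),
    ("0.0.0.0",      "0.0.0.0",      "128.0.0.0",       "ppp0"),  # 0.0.0.0/1
    ("128.0.0.0",    "0.0.0.0",      "128.0.0.0",       "ppp0"),  # 128.0.0.0/1
    ("0.0.0.0",      "192.168.5.1",  "0.0.0.0",         "eth0"),  # 0.0.0.0/0
]


def parse_routes(rows):
    """Turn (dest, gw, genmask, iface) rows into (network, gw, iface)."""
    parsed = []
    for dest, gw, mask, iface in rows:
        # strict=False tolerates a host address with a shorter mask.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        parsed.append((net, gw, iface))
    return parsed


def lookup(table, addr):
    """Return (gateway, iface, prefixlen) for the matching route with the
    longest prefix, i.e. the most specific genmask; None if no match.
    Table order is irrelevant: only prefix length decides."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return (best[1], best[2], best[0].prefixlen)


def without_vpn_halves(table):
    """The table once the two /1 routes are gone (OpenVPN stopped or
    crashed).  The untouched /0 default means eth0 still carries traffic."""
    return [r for r in table if r[0].prefixlen != 1]


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.5.10", "10.4.55.7"):
        print(dst, "->", lookup(table, dst))
    print("8.8.8.8 with VPN down ->", lookup(without_vpn_halves(table), "8.8.8.8"))
```

Both halves of the address space land on ppp0 while the /1 routes exist, the /32 and /24 entries still win over them, and removing the /1 pair falls straight back to the 192.168.5.1 default without any route having to be re-added.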



* Re: ppp / open vpn
From: James Carlson @ 2011-01-12 21:26 UTC (permalink / raw)
  To: linux-ppp

On 01/12/11 16:17, Jan Just Keijser wrote:
> James Carlson wrote:
>> The whole point of a point-to-point interface (of any type; PPP, tunnel,
>> or otherwise) is that it connects two distinct IP nodes.  Distinct.  Not
>> one IP node to itself!
>>
>>   
> This is another trick of OpenVPN to assign "linear addresses" to clients
> while using a PtP (tun) interface. It is enabled in OpenVPN 2.1 (and
> openvpnas, which is based  on 2.1) by using the
>  topology subnet
> directive.

That's simply frightening.  Thanks for the update; I had no idea anyone
was relying on that sort of undocumented OS feature.

Good luck getting a routing protocol to work reliably with that ...

-- 
James Carlson         42.703N 71.076W         <carlsonj@workingcode.com>


* Re: ppp / open vpn
From: Jan Just Keijser @ 2011-01-13  1:47 UTC (permalink / raw)
  To: linux-ppp

James Carlson wrote:
> On 01/12/11 16:17, Jan Just Keijser wrote:
>   
>> James Carlson wrote:
>>     
>>> The whole point of a point-to-point interface (of any type; PPP, tunnel,
>>> or otherwise) is that it connects two distinct IP nodes.  Distinct.  Not
>>> one IP node to itself!
>>>
>>>   
>>>       
>> This is another trick of OpenVPN to assign "linear addresses" to clients
>> while using a PtP (tun) interface. It is enabled in OpenVPN 2.1 (and
>> openvpnas, which is based  on 2.1) by using the
>>  topology subnet
>> directive.
>>     
>
> That's simply frightening.  Thanks for the update; I had no idea anyone
> was relying on that sort of undocumented OS feature.
>
> Good luck getting a routing protocol to work reliably with that ...
>
>   
Actually, this mode is not used in combination with routing protocols. 
'topology subnet' is used primarily when multiple clients are connecting 
to a single server. OpenVPN also supports a "point-to-point" mode (for 
lack of a better term), which does follow the regular PtP semantics. 
Running a routing protocol in that mode is just as easy as running one 
over a ppp-based link.

HTH,

JJK

* Re:  ppp / open vpn
From: tony.chamberlain @ 2011-01-13 12:41 UTC (permalink / raw)
  To: linux-ppp

So how do I set up the ptp instead of topology mode?
Is that ethernet bridging, which was the only option I saw?
Or do I even want to change from topology?

* Re: ppp / open vpn
From: Charlie Brady @ 2011-01-13 14:02 UTC (permalink / raw)
  To: linux-ppp


On Thu, 13 Jan 2011, tony.chamberlain@lemko.com wrote:

> So how do I set up the ptp instead of topology mode?
> Is that ethernet bridging, which was the only option I saw?
> Or do I even want to change from topology?

You'll have to ask an OpenVPN forum.