Messages

1

Virtual private networks / openvpn and FRR OSPFv2 / OSPFv3

« on: September 28, 2024, 06:42:53 pm »

Hello,

Did anyone succed in using OSPFv2 (IPv4) inside an OpenVPN DCO tunnel ?
Did anyone succeed in using OSPFv3 (IPv6) inside an OpenVPN tunnel ? (with or without DCO)

Maybe someone has a good advice to help me get it work...

Here is my setup :
- server : openvpn 2.6.12-bookworm0 in debian LXC
- client instance : openvpn 2.6.12 on OPNsense 24.7.5-amd64 (instance is used, not legacy client)
- TLS vpn, no PSK

When I use TUN instead of DCO, OSPFv2 is working well.
When I turn DCO on then the OSPFv2 neighbor adjacency is not established so no routes are exchanged.
With DCO I can see using tcpdump on the openvpn interfaces that OSPFv2 hello packets (dst IP 224.0.0.5) are sent in the tunnel on the server side but don't arrive to the client openvpn interface.
On the other hand, OSPF packets which are sent on the client side arrive to the server openvpn interface.

Regarding OSPFv3 (IPv6) it's the same with and without DCO : hello packets (dst IP ff02::5) are sent on both sides, not received on any side.

OSPFv2 and OSPFv3 are working if I use a legacy client configuration. But I need an instance in order to use DCO.

I guess my FRR OSPFv2 / OSPFv3 configurations are correct since there's no problem with interfaces which are not openvpn interfaces.

I changed the value of kern.ipc.maxsockbuf to 16777216 on opnsense.

Regards,

openvpn configuration (server)

Code: [Select]

proto udp6
lport 1195
dev tun1
dev-type tun
script-security 3
keepalive 10 60
persist-tun
persist-key
topology subnet
server 192.168.168.0 255.255.255.0
server-ipv6 fdde:6c68:3589::/64
client-config-dir ccd
#disable-dco
tun-mtu 1420
tls-server
dh /etc/openvpn/keys/dh2048.pem
ca /etc/openvpn/keys/vpn-s2s-ca.crt
cert /etc/openvpn/keys/vpn-s2s.pem
key /etc/openvpn/keys/vpn-s2s.key
log /var/log/openvpn-s2s.log
verb 6
route-ipv6 2001:db8:3053:100::/57
route-ipv6 fde6:66ba:24ff::/48
OSPFv2 configuration (server)

Code: [Select]

log syslog notifications
frr defaults traditional
!
!
!
interface eth0
  ip ospf network point-to-point
  ip ospf area 0.0.0.0
!
interface tun1
  ip ospf network point-to-point
  ip ospf area 0.0.0.0
!
!
router ospf
  redistribute connected
!
!
!
line vty
!
OSPFv3 configuration (server)

Code: [Select]

log syslog notifications
frr defaults traditional
!
!
!
interface eth0
  ipv6 ospf6 network point-to-point
  ipv6 ospf6 area 0.0.0.0
!
interface tun1
  ipv6 ospf6 network point-to-point
  ipv6 ospf6 area 0.0.0.0
!
!
router ospf6
  redistribute connected
!
!
!
line vty
!

openvpn configuration (opnsense client)

Code: [Select]

client
dev ovpnc4
remote vpn-s2s.acme.com
persist-tun
persist-key
dev-type tun
dev-node /dev/ovpn4
script-security 3
writepid /var/run/ovpn-instance-c21882e1-9a02-4529-b32e-d24a25be00b3.pid
daemon openvpn_client4
management /var/etc/openvpn/instance-c21882e1-9a02-4529-b32e-d24a25be00b3.sock unix
proto udp
verb 11
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
port 1195
tun-mtu 1420
route-ipv6 2000::/3
route-ipv6 fda7:e226:8895::/48
route-ipv6 2001:db8:3053:1a0::/59
route-ipv6 fdde:6c68:3589::/48
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
OSPFv2 configuration (opnsense client)

Code: [Select]

log syslog notifications
frr defaults traditional
!
!
!
interface ovpnc4
  ip ospf network point-to-point
  ip ospf area 0.0.0.0
!
!
router ospf
 ospf router-id 192.168.168.2
 redistribute connected
!
!
!
line vty
!
OSPFv3 configuration (opnsense client)

Code: [Select]

log syslog notifications
frr defaults traditional
!
!
!
interface ovpnc4
  ipv6 ospf6 network point-to-point
!
!
router ospf6
 ospf6 router-id 192.168.168.2
 redistribute connected
 interface ovpnc4 area 0.0.0.0
!
line vty
!

2

20.1 Legacy Series / IPv6 outbound NAT done with LLA instead of GUA

« on: March 23, 2020, 10:41:49 am »

Hello,

I want to use outbound IPv6 NAT. But the NAT is done using the Link Local Address (LLA) instead of GUA (Globally Unique Address) when NATing to "Interface Address". So of course I can't reach the Internet. How could I customize that ?

As a workaround I created an Interface alias in order to NAT to this alias' IP. (IP 2001:db8:8101:f700::1).
But it's a static address and I want to be able to NAT to an IP address obtained via SLAAC, because there is no guarantee that my ISP won't change the SLAAC prefix 2001:db8:8101:f700::/56. And I can't create an Interface Alias with a SLAAC obtained IP.

Thanks !

Romain

Code: [Select]

vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether 52:54:00:f2:98:08
        hwaddr 52:54:00:f2:98:08
        inet6 fe80::5054:ff:fef2:9808%vtnet1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:8101:f700:5054:ff:fef2:9808 prefixlen 64 autoconf
        inet6 2001:db8:8101:f700::1 prefixlen 56
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active

Code: [Select]

nat on vtnet1 inet6 all -> (vtnet1:0) port 1024:65535

3

17.7 Legacy Series / Re: opnsense 17.7.10 : can't start os-quagga 1.4.3

« on: December 15, 2017, 10:29:38 pm »

Thanks for the quick fix (impressive), indeed the service is starting now.

And sorry for the late feedback, I was having family time :p

4

17.7 Legacy Series / Re: opnsense 17.7.10 : can't start os-quagga 1.4.3

« on: December 15, 2017, 01:39:27 pm »

OSPF only and first time usage ! I will try the patch asap

5

17.7 Legacy Series / Re: opnsense 17.7.10 : can't start os-quagga 1.4.3

« on: December 15, 2017, 12:09:20 pm »

Hi !

Thanks for your reply.

For now quagga.log is empty but I will tail -f next time :-)

Regards,

6

17.7 Legacy Series / opnsense 17.7.10 : can't start os-quagga 1.4.3

« on: December 15, 2017, 11:40:10 am »

Hello !

opnsense 17.7.10 / os-quagga 1.4.3

Unfortunately I can't start the quagga service. Did I miss something or is there a bug ?

Thanks, I wish a good day to whoever read this :p

Code: [Select]

root@opnsense-dedibox:~ # clog /var/log/quagga.log
Segmentation fault (core dumped)

Code: [Select]

root@opnsense-dedibox:~ # ls -l /var/log/quagga.log
-rw-r-----  1 quagga  quagga  0 Dec 15 10:43 /var/log/quagga.log

Code: [Select]

Dec 15 11:33:03 opnsense-dedibox configd.py: [36b580d6-2fe2-402a-9bb7-305e4ffa9627] request quagga
Dec 15 11:33:03 opnsense-dedibox configd.py: [ed9f44d4-8998-47b5-b5ef-e7bc14713aa6] stopping quagga
Dec 15 11:33:03 opnsense-dedibox configd.py: [deeb2ed5-fba0-477f-aae4-751a5ea9dcdb] generate template OPNsense/Quagga
Dec 15 11:33:03 opnsense-dedibox configd.py: generate template container OPNsense/Quagga
Dec 15 11:33:04 opnsense-dedibox configd.py: [deeb2ed5-fba0-477f-aae4-751a5ea9dcdb] Inline action failed with OPNsense/Quagga OPNsense/Quagga/quagga unexpected char u'#' at 936 at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 507, in execute     return ph_inline_actions.execute(self, inline_act_parameters)   File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 50, in execute     filenames = tmpl.generate(parameters)   File "/usr/local/opnsense/service/modules/template.py", line 321, in generate     raise render_exception Exception: OPNsense/Quagga OPNsense/Quagga/quagga unexpected char u'#' at 936
Dec 15 11:33:04 opnsense-dedibox configd.py: [14767aee-fe41-44cb-90f4-3413a979770a] starting quagga
Dec 15 11:33:04 opnsense-dedibox configd.py: [e3da2fca-7b83-4f1d-873a-d16a634afcb6] Reloading filter
Dec 15 11:33:05 opnsense-dedibox configd.py: [3c7f87c0-11c9-4561-916e-fc2547072dac] request quagga