[eduVPN-deploy] different IPs for client traffic/mgmt: one issue

Stefan Winter stefan.winter at restena.lu
Thu Aug 20 12:16:25 CEST 2020


Hello,


so I've installed the two different NICs and have an IP address just for
the NATed payload traffic. The connection establishment and mgmt goes
via the "primary" NIC instead.


There is one immediate issue: when connecting with a client, I see that
there is a long delay when establishing the connection.


Looking at the traffic, it appears that Tunnelblick tries to connect on
UDP first (to the IP address on the mgmt interface eno1), and then the
VPN server-side sends back a UDP packet via eno2's address instead -
which the client doesn't expect. The connection establishes only after
timeout and Tunnelblick's fallback to TCP.


So, it appears that the server chooses to send its reply from the wrong
source interface: incoming on eno1's IP address, outgoing via eno2's IP
address (see tcpdump at the end).


The same isn't a problem on TCP because the socket is bound to the IP
address. For UDP datagrams, the source is not defined.


Is there a way to force the server to send replies on a specific
interface/IP?


Greetings,


Stefan Winter


# tcpdump -i eno2

12:12:08.100427 IP6 2001:a18:0:b08::3.openvpn > 2001:a18:0:403:2ca5:6a6:465f:9b5d.50321: UDP, length 66


(correct source address to use for this reply is 2001:a18:0:b06::3)


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

