[eduVPN-deploy] NAT problem / write UDPv6: Operation not permitted
Marc Langer
marc.langer at uos.de
Tue Aug 2 15:28:46 CEST 2022
Hi,
my HA setup includes one node-specific IP and one HA IP that is managed
by keepalived with VRRP and is only active on one node at a time.
I added the HA IP to the loopback interface on both nodes, so that I can
use it even when it is not active on that node.
The OpenVPN profile is configured with a hostname that points to the HA
address, so that the clients will connect to the active VRRP node.
I then noticed that OpenVPN response packets come from the wrong source
address, as OpenVPN uses the node-specific (main interface) IP address.
Therefore I use NAT rules:
SNAT udp -- 131.173.16.208 0.0.0.0/0 udp spt:1200 to:131.173.16.167:1200
SNAT tcp -- 131.173.16.208 0.0.0.0/0 tcp spt:1200 to:131.173.16.167:1200
(and the same for IPv6)
But when I enable these NAT rules, OpenVPN cannot send UDP packets anymore:
openvpn[20317]: 131.173.188.86:48039 write UDPv6: Operation not permitted (code=1)
When I delete the NAT rule, this message does not occur, but the client
receives the packet from the wrong source IP (131.173.16.208 instead of
131.173.16.167).
I have no idea how to proceed :-( Has anyone experience with a setup
where OpenVPN listens on a secondary (HA) IP and has to answer with this
specific source address? How can I achieve this?
Thanks,
Marc
--
Uni Osnabrück
Rechenzentrum
Nelson-Mandela-Str. 4
49076 Osnabrück
Tel. 0541-969-2365
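The "wrong source address" behaviour described in the post comes from a wildcard-bound UDP socket: when the server replies, the Linux kernel picks the source address by route lookup, not by the address the request was sent to. The usual way to answer from the address the client actually used, without NAT, is to read the destination of each incoming datagram from the IP_PKTINFO control message and pass it back as the source when sending; this is the mechanism behind OpenVPN's --multihome option (binding to the HA address with --local is the other option, and is possible here because the address is configured on lo). The script below is an added example, not code from the post or from eduVPN/OpenVPN. It assumes a Linux host, uses 127.0.0.1 and 127.0.0.2 as constructed stand-ins for the node address and the HA address (both are local on lo), covers IPv4 only (IPv6 uses IPV6_RECVPKTINFO/IPV6_PKTINFO in the same way), and the IP_PKTINFO fallback value 8 is the Linux constant for Python versions that do not export it. As a separate check on the failure in the post: "Operation not permitted (code=1)" is EPERM, which on Linux is what a sender sees when netfilter drops a locally generated packet, so counters such as "insert_failed" and "drop" in the output of `conntrack -S` are worth reading while the SNAT rule is active.

```python
"""Reply from the address a UDP request was sent to (the --multihome idea)
instead of from the kernel's route-chosen source address.
Added example, Linux only; addresses are constructed stand-ins."""
import socket
import struct

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)   # Linux value; fallback for older Pythons
IN_PKTINFO = struct.Struct("i4s4s")              # ipi_ifindex, ipi_spec_dst, ipi_addr

NODE_ADDR = "127.0.0.1"   # stand-in for the node-specific address (constructed)
HA_ADDR = "127.0.0.2"     # stand-in for the HA address; any 127/8 address is local on lo


def make_server():
    """Wildcard-bound UDP socket, like a server without --local, with IP_PKTINFO enabled."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(2)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)   # ask for the destination of each datagram
    s.bind(("0.0.0.0", 0))
    return s


def answer_one(server, multihome):
    """Echo one datagram. multihome=False lets the kernel choose the reply source
    (route lookup, i.e. the 'wrong' node address); multihome=True sends the reply
    from the address the request was addressed to, taken from IP_PKTINFO."""
    data, ancdata, _flags, peer = server.recvmsg(2048, socket.CMSG_SPACE(IN_PKTINFO.size))
    if not multihome:
        server.sendto(data, peer)
        return None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, dst = IN_PKTINFO.unpack(cdata[:IN_PKTINFO.size])
            # On send, ipi_spec_dst is the source address to use; ifindex 0 = kernel picks
            pktinfo = IN_PKTINFO.pack(0, dst, bytes(4))
            server.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)
            return socket.inet_ntoa(dst)
    raise RuntimeError("kernel delivered no IP_PKTINFO control message")


def reply_source(multihome):
    """Send one datagram from NODE_ADDR to HA_ADDR and return the reply's source address."""
    server = make_server()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    client.bind((NODE_ADDR, 0))
    try:
        client.sendto(b"ping", (HA_ADDR, server.getsockname()[1]))
        answer_one(server, multihome)          # datagram is already queued, no thread needed
        payload, (src, _port) = client.recvfrom(2048)
        assert payload == b"ping"
        return src
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print("kernel-chosen source:  ", reply_source(False))  # 127.0.0.1, not the address the client used
    print("multihome-style source:", reply_source(True))   # 127.0.0.2, the address the client used
```

Run as root is not required; the only privileged piece of the real setup (the HA address on lo and the VRRP failover) is simulated by the fact that every 127/8 address is already local. Note that with the IP_PKTINFO reply path the server never needs an SNAT rule, so the conntrack interaction that accompanies NAT of locally generated packets does not arise.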