[eduVPN-deploy] NAT problem / write UDPv6: Operation not permitted

Marc Langer marc.langer at uos.de
Tue Aug 2 15:28:46 CEST 2022


Hi,

my HA setup includes one node-specific IP and one HA IP that is managed 
by keepalived with VRRP and is only active on one node at a time.

I added the HA IP to the loopback interface on both nodes, so that I can 
use it, even when it is not active on that node.

The OpenVPN profile is configured with a hostname that points to the HA 
address, so that the clients will connect to the active VRRP node.

I then noticed that OpenVPN response packets come from the wrong source 
address, as OpenVPN uses the node-specific (main interface) IP address. 
Therefore I use NAT rules:

SNAT       udp  --  131.173.16.208       0.0.0.0/0            udp spt:1200 to:131.173.16.167:1200
SNAT       tcp  --  131.173.16.208       0.0.0.0/0            tcp spt:1200 to:131.173.16.167:1200

(and the same for IPv6)

But when I enable these NAT rules, OpenVPN cannot send UDP packets anymore:

openvpn[20317]: 131.173.188.86:48039 write UDPv6: Operation not permitted (code=1)

When I delete the NAT rule, this message does not occur, but the client 
received the packet from the wrong source IP (131.173.16.208 instead of 
131.173.16.167).

I have no idea how to proceed :-( Has anyone experience with a setup 
where OpenVPN listens on a secondary (HA) IP and has to answer with this 
specific source address? How can I achieve this?

Thanks,
Marc

-- 
Uni Osnabrück
Rechenzentrum
Nelson-Mandela-Str. 4
49076 Osnabrück

Tel. 0541-969-2365
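The behaviour described in the post, reproduced at the socket level as an added example (this is not code from the post or from the eduVPN/OpenVPN projects). A UDP server bound to the wildcard address lets the kernel pick the reply's source address by routing, which yields the primary address rather than the secondary one the request arrived on; binding the socket to the secondary address, or reading the request's destination via IP_PKTINFO and replying from it (the mechanism OpenVPN's `--multihome` option uses, with `--local` being the bind-to-one-address alternative), makes the reply come from the expected address. 127.0.0.2 stands in for the HA address on the loopback interface and 127.0.0.1 for the client; both are constructed values, and the example assumes Linux (whole 127.0.0.0/8 local, IP_PKTINFO available).

```python
# Added demonstration, not code from the mailing list post or from OpenVPN.
# Shows why a wildcard-bound UDP server answers from the "wrong" source IP
# when a request arrives on a secondary address, and two socket-level fixes.
import socket
import struct
import threading

HA_IP = "127.0.0.2"      # stand-in for the HA/VRRP address (constructed value)
CLIENT_IP = "127.0.0.1"  # stand-in for the client's address (constructed value)
# Linux value of IP_PKTINFO; older Python versions do not export the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "I4s4s"    # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def serve_one(srv, use_pktinfo):
    """Answer a single datagram on an already-bound socket.

    use_pktinfo=False: the kernel picks the reply's source address from the
    socket binding (wildcard bind => routing decides, i.e. the primary IP).
    use_pktinfo=True: read the destination address of the request and reply
    from exactly that address (the multihome approach).
    """
    srv.settimeout(5)
    if not use_pktinfo:
        data, peer = srv.recvfrom(1500)
        srv.sendto(data, peer)
        return
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    data, ancdata, _flags, peer = srv.recvmsg(1500, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # ipi_addr is the destination address in the received IP header
            _ifindex, _spec_dst, dst = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
    # On send, ipi_spec_dst selects the source address of the outgoing packet;
    # ifindex 0 leaves interface selection to routing.
    pktinfo = struct.pack(PKTINFO_FMT, 0, dst, b"\0" * 4)
    srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def reply_source(server_bind_ip, use_pktinfo=False):
    """Send one datagram to HA_IP and return the source IP the reply came from."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((server_bind_ip, 0))  # port 0: let the kernel pick a free port
    port = srv.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(srv, use_pktinfo))
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind((CLIENT_IP, 0))
    cli.settimeout(5)
    cli.sendto(b"hello", (HA_IP, port))  # client talks to the HA address
    _data, (src_ip, _src_port) = cli.recvfrom(1500)
    worker.join()
    cli.close()
    srv.close()
    return src_ip


if __name__ == "__main__":
    # wildcard bind replies from the primary loopback address, not HA_IP
    print("wildcard bind    :", reply_source("0.0.0.0"))
    # binding to HA_IP (the --local approach) replies from HA_IP
    print("bound to HA IP   :", reply_source(HA_IP))
    # wildcard bind plus IP_PKTINFO (the --multihome approach) replies from HA_IP
    print("wildcard+PKTINFO :", reply_source("0.0.0.0", use_pktinfo=True))
```

The first call shows the symptom from the post (reply source differs from the address the client sent to); the other two show that the fix belongs in the server's socket handling rather than in a SNAT rule, which is why rewriting the source address after the fact is the fragile approach.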