[eduVPN-deploy] NAT problem / write UDPv6: Operation not permitted

Marc Langer marc.langer at uos.de
Sun Aug 7 18:06:42 CEST 2022


Hi all,

I think I have a solution now. All configuration, including the IP address 
ranges for the VPN tunnels, has to be identical on both nodes. The 
following directories have to be copied or automatically synchronised 
between the nodes:

- /etc/vpn-user-portal
- /etc/vpn-server-node
- /var/lib/vpn-user-portal

Then you need a VRRP configuration in keepalived.conf, including the 
following:

     virtual_ipaddress_excluded {
         $HA_ADDR_v4
         $HA_ADDR_v6
     }

     virtual_routes {
         src $HA_ADDR_v4 to 0.0.0.0/0 via $GWv4 dev eth0 metric 1
         src $HA_ADDR_v6 to ::/0 via $GWv6 dev eth0 metric 1
     }

(replace the variables with your HA IPs and default gateway addresses)

The "src" statement in the "ip route" command sets the correct 
source address; this is essential for UDP connections. If the existing 
default route in the system has metric 0 or 1, this has to be modified 
in the system configuration first: use a metric of 2 or higher there. In 
my case on Debian 11, I did not set "gateway x.x.x.x" in 
/etc/network/interfaces, but used the following line (same for IPv6):

   up ip route add default via $GWv4 dev eth0 proto static metric 100

Do not use the "src $HA_ADDR_v4" statement there, as this will not work 
when the node is not VRRP master and doesn't own the HA IP address.

Now the VPN IP ranges can be routed through the VRRP HA IPs, or you can 
use the HA IP for NAT (iptables -t nat -A POSTROUTING -j SNAT --to-source 
$HA_ADDR_v4, same for ip6tables).

This seems to work! The portal can be on the same machines then, as it 
has the same config on both nodes.

Marc


On 02.08.22 at 15:34, François Kooman wrote:
> On 02.08.22 15:28, Marc Langer via eduVPN-deploy wrote:
>> I have no idea how to proceed :-( Has anyone experience with a setup,
>> where OpenVPN listens on a secondary (HA) IP and has to answer with this
>> specific source address? How can I achieve this?
>
> Right. *That* was the reason for making the *nodes* not "HA", but 
> instead having multiple of them where the best one (or the one that is 
> up) would be selected when connecting (using eduVPN/LC client) to the 
> VPN.
>
> So I guess for a "real" HA setup that makes things _much_ easier you 
> need (at least) 4 systems...
>
> Regards,
> François
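The recipe in Marc's message, rendered as one script: this is an added example written for this page, not code from the original post or from the eduVPN project. It emits the keepalived sub-blocks, the /etc/network/interfaces "up" lines without "src", and SNAT rules that use the HA address, and it checks an "ip route show default" line for the metric constraint Marc describes (the existing default route must have metric 2 or higher so that keepalived's metric-1 virtual route wins). All addresses, the VPN client ranges, the interface name eth0 and the sample route line are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post or the eduVPN project): render the
# pieces Marc describes (keepalived VRRP sub-blocks, the interface default
# route with a high metric, and SNAT via the HA address) from a few variables,
# and check that an existing default route leaves metric 1 free for VRRP.
# All addresses, the VPN client ranges and "eth0" are assumed placeholders.

# Emit the keepalived.conf fragment. It belongs inside your existing
# vrrp_instance block; only the two sub-blocks from the post are rendered.
render_keepalived() {
    ha4=$1; ha6=$2; gw4=$3; gw6=$4
    cat <<EOF
    virtual_ipaddress_excluded {
        $ha4
        $ha6
    }

    virtual_routes {
        src $ha4 to 0.0.0.0/0 via $gw4 dev eth0 metric 1
        src $ha6 to ::/0 via $gw6 dev eth0 metric 1
    }
EOF
}

# Emit the /etc/network/interfaces "up" lines for the system default routes.
# Deliberately no "src": on the backup node the HA address does not exist.
render_interfaces() {
    gw4=$1; gw6=$2
    printf '    up ip route add default via %s dev eth0 proto static metric 100\n' "$gw4"
    printf '    up ip -6 route add default via %s dev eth0 proto static metric 100\n' "$gw6"
}

# Emit SNAT rules that rewrite VPN client traffic to the HA address, so
# replies return to whichever node currently holds that address.
render_snat() {
    ha4=$1; ha6=$2; vpn4=$3; vpn6=$4
    printf 'iptables -t nat -A POSTROUTING -s %s -o eth0 -j SNAT --to-source %s\n' "$vpn4" "$ha4"
    printf 'ip6tables -t nat -A POSTROUTING -s %s -o eth0 -j SNAT --to-source %s\n' "$vpn6" "$ha6"
}

# Given one "ip route show default" line, return 0 when its metric is 2 or
# higher (so keepalived's metric-1 route wins), 1 otherwise. A line without
# a "metric" field means the kernel default of 0, which is also rejected.
check_default_metric() {
    metric=$(printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "metric") print $(i + 1) }')
    [ -n "$metric" ] && [ "$metric" -ge 2 ]
}

# Demo with placeholder (documentation-range) addresses.
HA_ADDR_v4=192.0.2.10;      HA_ADDR_v6=2001:db8::10
GWv4=192.0.2.1;             GWv6=2001:db8::1
VPN_RANGE_v4=10.42.0.0/16;  VPN_RANGE_v6=fd00:42::/48

render_keepalived "$HA_ADDR_v4" "$HA_ADDR_v6" "$GWv4" "$GWv6"
render_interfaces "$GWv4" "$GWv6"
render_snat "$HA_ADDR_v4" "$HA_ADDR_v6" "$VPN_RANGE_v4" "$VPN_RANGE_v6"

# Constructed sample of "ip route show default" on a node whose default route
# still has the kernel default metric (0): the case the post says must be fixed.
if check_default_metric "default via 192.0.2.1 dev eth0"; then
    echo "default route metric is fine"
else
    echo "default route metric is 0 or 1: raise it (e.g. metric 100) before enabling VRRP"
fi
```

After applying the generated pieces, `ip route get 1.1.1.1` on the VRRP master should report `src` equal to the HA address (the metric-1 virtual route), while on the backup node it reports the node's own primary address via the metric-100 system route; if the master still shows its primary address, the system default route has a metric of 0 or 1 and is winning.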
