Description

OpenVPN can be used to maintain persistent connections such that a machine can be made to route through different gateways, the latter being related to multiple-gateway load-balancing techniques.

Unfortunately, a VPN tunnel is by definition not designed to be persistent, and most OpenVPN functionality assumes frequent disconnects as in road-warrior setups. In order to make routing over OpenVPN work, scripts have to be written that add the appropriate network parameters when tunnels come up or go down.

The following scripts are designed to maintain network routing for a dial-in server that routes traffic through a set of predefined gateways.

Diagram

In this scenario, an OpenVPN server is established that performs outbound conditional routing for the clients behind the server. In turn, multiple gateway machines on the Internet dial in to the OpenVPN server and act as gateways, so that traffic flows back and forth between the clients behind the OpenVPN server and the Internet.

The setup is somewhat counter-intuitive: the implicit router is the OpenVPN server, which does not dial out; instead, the gateways dial in to the OpenVPN server.

Additionally, the OpenVPN server uses a bridge to tie the TAP interfaces together with the interface used for routing traffic to client machines. In the diagram above, the bridge interface is br0, tap0 is the OpenVPN interface that is brought up once gateway clients dial in, and eth0 is used internally by the server to provide networking to client machines.

OpenVPN Server Configuration

The configuration of the OpenVPN server is not entirely relevant to this scenario, except for two vital configuration concepts that must be implemented.

First, if the OpenVPN server uses UDP transport and is configured to listen on multiple interfaces, the multihome option has to be added to the OpenVPN server configuration. The multihome option tells OpenVPN to reply to UDP packets using the same interface on which they were received. This feature acts at the application layer of OpenVPN and is unrelated to the scripts presented on this page, which take care of the actual routing. Nevertheless, unless multihome is specified, OpenVPN will reply to UDP packets out of the first interface regardless of any other routing settings configured on the server.

Second, since the gateways have to be used for outbound routing, all dial-in clients must receive a static IP address. To accomplish this, the client configuration directory option of OpenVPN (client-config-dir) can be leveraged, or RADIUS can be set up to provide static IPs based on client identities; both are out of the scope of this article.

Configuring Routing and IPTables Marking

The scripts provided in this article are designed to work with any number of dial-in gateways; however, for each gateway, several routing parameters have to be set in order to identify the tunnel.

Create or edit /etc/iproute2/rt_tables and add marker values for each dial-in gateway. For instance:

100     gw1
101     gw2

where:

  • gw1 is the first gateway with a mark value of 100 (0x65 in hex).
  • gw2 is the second gateway with a mark value of 101 (0x66 in hex).

For more dial-in gateways, additional values can be added following the established pattern. All the values entered in /etc/iproute2/rt_tables are used by the scripts to set up the routing tables that, together with iptables marking, make sure that traffic flows out of the correct interface.

Scripts

The scripts can be placed under the OpenVPN configuration directory (usually /etc/openvpn) and then referenced in the OpenVPN configuration so that they are invoked during the up and down phases of inbound connections.

+--- etc
      +
      |
      +--- openvpn
              +
              |
              +--- scripts
              |        +
              |        |
              |        +--- bridge-if-up.sh
              |        |
              |        +--- bridge-if-down.sh
              |
              +--- server.conf

The two scripts have to be configured in order to set up the various parameters described in the configuration section of this article.
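As an added example, not the wiki's own bridge-if-up.sh / bridge-if-down.sh, the following POSIX shell script shows what such an up/down script has to do with the rt_tables entries from the previous section: look up the table id for a gateway name, derive the fwmark from it (the hex form is computed from the decimal id rather than typed by hand), and emit the ip rule, ip route and iptables mangle commands that steer a client network through that gateway. The gateway names, bridge name, tunnel addresses and client network are assumed, illustrative values.

```shell
#!/bin/sh
# Added example, not the wiki's own bridge-if-up.sh / bridge-if-down.sh: derive
# the policy-routing commands for one dial-in gateway from rt_tables entries.
# Assumed, illustrative values: table names gw1/gw2, bridge br0, gateway tunnel
# IPs in 10.8.0.0/24 and the client source net 192.168.1.0/24.
BRIDGE="${BRIDGE:-br0}"

# Constructed sample rt_tables so the script runs stand-alone; on the server
# export RT_TABLES=/etc/iproute2/rt_tables instead.
if [ -z "${RT_TABLES:-}" ]; then
    RT_TABLES=$(mktemp)
    printf '# reserved\n255\tlocal\n254\tmain\n100\tgw1\n101\tgw2\n' > "$RT_TABLES"
fi

# Numeric table id for a gateway name (first column of the matching rt_tables
# line); the same number is reused as the fwmark so the two cannot drift apart.
table_id() {
    awk -v name="$1" '$1 !~ /^#/ && $2 == name { print $1; exit }' "$RT_TABLES"
}

# Hex form of the mark as ip/iptables display it, computed rather than typed.
mark_hex() { printf '0x%x' "$1"; }

# Up phase: commands steering traffic from $3 (client source net) through the
# dial-in gateway $2 (its static tunnel IP, reachable over the bridge) via table $1.
gateway_up_cmds() {
    gw_name=$1; gw_ip=$2; src_net=$3
    id=$(table_id "$gw_name")
    [ -n "$id" ] || { echo "no rt_tables entry for $gw_name" >&2; return 1; }
    mark=$(mark_hex "$id")
    printf 'ip route replace default via %s dev %s table %s\n' "$gw_ip" "$BRIDGE" "$gw_name"
    printf 'ip rule add fwmark %s lookup %s\n' "$mark" "$gw_name"
    printf 'iptables -t mangle -A PREROUTING -s %s -j MARK --set-mark %s\n' "$src_net" "$mark"
}

# Down phase: drop the mark and rule first so no packet is steered into a
# table that is about to be flushed.
gateway_down_cmds() {
    gw_name=$1; src_net=$2
    id=$(table_id "$gw_name")
    [ -n "$id" ] || { echo "no rt_tables entry for $gw_name" >&2; return 1; }
    mark=$(mark_hex "$id")
    printf 'iptables -t mangle -D PREROUTING -s %s -j MARK --set-mark %s\n' "$src_net" "$mark"
    printf 'ip rule del fwmark %s lookup %s\n' "$mark" "$gw_name"
    printf 'ip route flush table %s\n' "$gw_name"
}

# Dry run: print the commands; pipe the output through sh on the server to apply.
gateway_up_cmds gw1 10.8.0.2 192.168.1.0/24
```

When OpenVPN invokes such a script as a client-connect or client-disconnect script, the dialing gateway's name and tunnel address are available in the common_name and ifconfig_pool_remote_ip environment variables, while the mapping from client networks to gateways is your own policy and is not provided by OpenVPN.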


networking/openvpn/split_routing_using_iptables_marking_and_dial-in_gatways.txt ยท Last modified: 2022/04/19 08:27 by 127.0.0.1
