OSPF via OpenVPN to Edgerouter. Possible?

wayne47

wayne47

I have several Ubiquiti ERLite and ERMax routers that successfully run OpenVPN links between each other as well as to FreeBSD servers. I've been trying, without success, to get OSPF to run over a link from an ERMax to a FreeBSD server running bird.

The firewalls permit OSPF (protocol 89). The MTU is set to 1,500 on the links. The ERMax gets stuck in "ExStart/ -" and FreeBSD/bird gets stuck in " Exchange/PtP ".

OPSF is configured to be type pointtopoint.

OpenVPN is using TUN interfaces.

Google shows lots of examples of people trying to do something similar, not seeing any solutions.

Looking for suggestions from anyone who has actually gotten OSPF working across OpenVPN. Things I suspect are Multicast, MTU or something unusual in the OSPF configuration but I've tried the all the "obvious" things and none of them have worked.
 
I'm using shared keys, which seems to be sending the multicast packets over the TUN link properly. From the ERMax side:

Code: 
tcpdump: listening on vtun4, link-type RAW (Raw IP), capture size 262144 bytes
13:34:14.480903 IP (tos 0xc0, ttl 1, id 24742, offset 0, flags [none], proto OSPF (89), length 68)
    172.16.6.1 > 224.0.0.5: OSPFv2, Hello, length 48
        Router-ID A.B.C.D, Backbone Area, Authentication Type: simple (1)
        Simple text password: Password
        Options [External]
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
          Neighbor List:
            E.F.G.H
13:34:14.728677 IP (tos 0xc0, ttl 1, id 11170, offset 0, flags [DF], proto OSPF (89), length 52)
    172.16.6.3 > 224.0.0.5: OSPFv2, Database Description, length 32
        Router-ID E.F.G.H, Backbone Area, Authentication Type: simple (1)
        Simple text password: Password
        Options [External, Opaque], DD Flags [Init, More, Master], MTU: 1500, Sequence: 0x0003c962
13:34:18.748357 IP (tos 0xc0, ttl 1, id 11538, offset 0, flags [DF], proto OSPF (89), length 68)
    172.16.6.3 > 224.0.0.5: OSPFv2, Hello, length 48
        Router-ID E.F.G.H, Backbone Area, Authentication Type: simple (1)
        Simple text password: Password
        Options [External]
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
          Neighbor List:
            A.B.C.D
13:34:19.729655 IP (tos 0xc0, ttl 1, id 11582, offset 0, flags [DF], proto OSPF (89), length 52)
    172.16.6.3 > 224.0.0.5: OSPFv2, Database Description, length 32
        Router-ID E.F.G.H, Backbone Area, Authentication Type: simple (1)
        Simple text password: Password
        Options [External, Opaque], DD Flags [Init, More, Master], MTU: 1500, Sequence: 0x0003c962
 
You can see it on the TUN interface but you need to pass it behind the VPN tunnel. That's why you need to use layer 2 bridge with TAP interface or use vector based routing protocol.

Or you need some proxy to pass this multicast over ppp, something like this:
github.com

GitHub - danielkucera/vpnmcast

Contribute to danielkucera/vpnmcast development by creating an account on GitHub.
github.com github.com

And you still will end up with TAP interface...
 
Bird is logging this. I'd prefer not to use TAP as it gets rather chatty with multiple links.
Code: 
Apr 26 14:16:36 r4 bird[20146]: Test: Socket error on tun0: Network is unreachable
 
Yes there's a big overhead when you are using TAP as it start to act as L2 switch and it's a bit slower compared to the TUN.

In my case i end up to use eigrp for internal network and at the end entire switch to DMVPN.
 
Interesting. That post seems to have gotten it working with topology subnet. I was not able to do that but with topology net30 I have it working. This is a test link so I will look at tweaking it to use topology subnet when I have a moment.
 
You must log in or register to reply here.
Back
Top