Issue with point to point VPNs behind NAT and asymmetric traffic

Grant Taylor gtaylor at tnetconsulting.net
Wed Jun 12 23:48:58 UTC 2019


On 6/12/19 3:44 PM, Anurag Bhatia wrote:
> Hello everyone,

Hi,

> I am running two site to site VPNs (wireguard now, OpenVPN earlier) 
> between my home and a remote server over two different WAN links. Both 
> WAN links are just consumer connections - one with public IP and one 
> with CGNATed IP.

Okay.

Is there any filtering of the traffic that flows through the VPNs?  Or 
do things have full connectivity through them?

What OS is on each of the VPN endpoints?

> The redundancy here is taken care of by the OSPF running via FRR on both 
> ends.

Okay.

> The unexpected behaviour I get is that if I set OSPF cost to prefer say 
> link1 between home -> server and prefer link 2 between server -> home 
> then connectivity completely breaks between the routed pools.

O.o

> The point to point IPs stay reachable (which is over expected links, i.e. 
> symmetric via both ends).

Please clarify if those IPs are inside the VPN or outside the VPN?

> As long as both ends prefer link1 or link2, it works fine.

Okay.

> At first, I thought it had to do something with NAT but still can't 
> understand how. Since VPN tunnels have a keep-alive timer (for 10 
> seconds), the tunnel is always up.

Is NAT or SPI being applied to the traffic flowing through the VPN?

> Any idea why asymmetric packets are being dropped here?

Not enough data to speculate yet.

> This exact behaviour was in the case of earlier OpenVPN + bird + iBGP and is 
> still the same when I moved everything to Wireguard for VPN + FRR for 
> routing + OSPF.

Can I ask why the change of the VPN technology, routing daemon, and 
protocol all at the same time?  Or was that a diagnostic step?



-- 
Grant. . . .
unix || die
