id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
1148,OpenVPN Server: BGP Router: wrong ARP lookups,Konstantin Shalygin,,"Router: Dell R330
Kernel: Linux gate 4.11.12-1.el7.centos.x86_64 #1 SMP PREEMPT Fri Feb 16 23:01:02 +07 2018 x86_64 x86_64 x86_64 GNU/Linux
Routing daemon: Quagga 0.99.22.4
OpenVPN:
{{{
OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
}}}

The problem: the OpenVPN server can't send an answer to the client because it tries to send the packets to the wrong interface.

Client:
{{{
OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 16 2018
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
}}}

{{{
[root@client /]# ip ro get 193.150.124.1
193.150.124.1 via 79.175.37.13 dev vlan999 src 79.175.37.14
    cache
[root@client /]# mtr -nzerc 5 193.150.124.1
Start: Wed Dec 12 13:13:56 2018
HOST: ***                          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS12418   79.175.37.13         0.0%     5    2.0   1.8   1.0   2.9   0.0
  2. AS8359    212.188.22.225       0.0%     5   10.6  11.7  10.6  13.2   1.0
  3. AS8359    212.188.23.94        0.0%     5    9.5   9.7   9.5   9.9   0.0
  4. AS12389   213.228.109.59       0.0%     5   10.1  10.4   9.7  11.9   0.7
  5. AS198181  193.150.124.1        0.0%     5    8.8   8.9   8.4  10.1   0.0
}}}

The incoming connection reaches the router on the vlan301 interface, and sending ARPs to this interface is useless, because we already know how to communicate with 79.175.37.14:
{{{
[root@gate k0ste]# ip ro get 79.175.37.14
79.175.37.14 via 81.1.245.17 dev vlan1623 src 81.1.245.18 uid 0
    cache
}}}

Tcpdump:
{{{
12:51:36.727084 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:36.727087 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741225 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:37.741227 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754559 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:38.754561 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:42.137844 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:42.137847 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:43.154562 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:43.154565 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:44.167889 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:44.167890 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:50.393027 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:50.393030 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:51.394555 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:51.394557 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:52.411222 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:51:52.411223 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:06.407934 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:06.407937 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:07.421220 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:07.421222 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:08.434566 Out 3c:fd:fe:ac:1e:c4 ethertype ARP (0x0806), length 44: Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
12:52:08.434568 Out 3c:fd:fe:ac:1e:c4 ethertype 802.1Q (0x8100), length 48: vlan 301, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 79.175.37.14 tell 193.150.124.1, length 28
}}}

Server configuration is:
{{{
port 1196
proto udp
dev tap2
server 10.10.0.0 255.255.255.0
dh /etc/openvpn/server/tls/dhparam.pem
ca /etc/openvpn/server/tls/rootCA.crt
cert /etc/openvpn/server/tls/<***>.crt
key /etc/openvpn/server/tls/<***>.key
tls-auth /etc/openvpn/server/tls/ta.key 0
crl-verify /etc/openvpn/server/tls/<***>.pem
user nobody
group nobody
verify-client-cert require
multihome
persist-key
persist-tun
keepalive 10 60
max-clients 250
reneg-sec 86400
replay-window 64
client-to-client
comp-lzo adaptive
verb 4
mute 10
mute-replay-warnings
status /var/lib/openvpn/status1196.log
push ""persist-key""
push ""persist-tun""
push ""comp-lzo adaptive""
tls-server
tls-version-min 1.2
client-config-dir /etc/openvpn/server/openvpn1196
ccd-exclusive
}}}",Bug / Defect,closed,major,,Networking,,"Not set (select this one, unless your'e a OpenVPN developer)",notabug,bgp arp,
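The server configuration in the ticket carries `multihome`, and the ticket was closed as notabug. On Linux, OpenVPN implements `--multihome` with `IP_PKTINFO`: it records the local address and interface index each UDP datagram arrived on and hands the same `in_pktinfo` back to `sendmsg()` for the reply, so the kernel sends the reply from that address and, because `ipi_ifindex` is set, out of that interface rather than the one a plain route lookup (`ip route get`) would choose. With the asymmetric path in the ticket (client packets arriving on vlan301, the return route pointing at vlan1623) this is the mechanism that makes the kernel resolve 79.175.37.14 on vlan 301, which is consistent with the tcpdump above. The following Python script is an added example, not code from the ticket or from OpenVPN: it reproduces the pktinfo round trip over loopback with a constructed payload. It assumes a Linux host (the fallback value 8 for `IP_PKTINFO` is Linux-specific, used only if the `socket` module lacks the constant). `pin_ifindex=True` mirrors what `multihome` does; `pin_ifindex=False` keeps only the source address and lets the routing table pick the egress interface.

```python
"""Reproduce the IP_PKTINFO receive/reply round trip behind OpenVPN's
--multihome on Linux, over loopback.  Added example, not OpenVPN code."""
import socket
import struct
import threading

# Linux value of IP_PKTINFO; assumption: the script runs on Linux.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
PKTINFO_FMT = "=i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)  # 12 bytes


def parse_pktinfo(ancdata):
    """Return (ifindex, spec_dst, dst_addr) from recvmsg() ancillary data."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, spec_dst, dst = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return ifindex, socket.inet_ntoa(spec_dst), socket.inet_ntoa(dst)
    raise ValueError("no IP_PKTINFO in ancillary data")


def build_pktinfo(ifindex, spec_dst):
    """Ancillary item for sendmsg(): ifindex 0 leaves interface choice to
    the routing table; a non-zero ifindex forces the egress interface."""
    return struct.pack(PKTINFO_FMT, ifindex, socket.inet_aton(spec_dst), b"\0" * 4)


def multihome_server(sock, pin_ifindex):
    """Receive one datagram, answer it, return the pktinfo that was seen.

    pin_ifindex=True copies the ingress interface index into the reply,
    which is what --multihome does; False only fixes the source address."""
    data, ancdata, _flags, peer = sock.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    ifindex, spec_dst, dst = parse_pktinfo(ancdata)
    reply_pi = build_pktinfo(ifindex if pin_ifindex else 0, spec_dst)
    sock.sendmsg([b"reply:" + data], [(socket.IPPROTO_IP, IP_PKTINFO, reply_pi)], 0, peer)
    return ifindex, spec_dst, dst


def run_demo(pin_ifindex=True, payload=b"hello"):
    """Constructed demo: one client datagram to 127.0.0.1, one pinned reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask for in_pktinfo on receive
    srv.bind(("0.0.0.0", 0))  # wildcard bind, the case --multihome exists for
    port = srv.getsockname()[1]
    result = {}

    def serve():
        result["seen"] = multihome_server(srv, pin_ifindex)

    worker = threading.Thread(target=serve)
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    cli.sendto(payload, ("127.0.0.1", port))
    reply, src = cli.recvfrom(2048)
    worker.join()
    srv.close()
    cli.close()
    result["reply"] = reply
    result["reply_src"] = src[0]
    return result


if __name__ == "__main__":
    for pinned in (True, False):
        r = run_demo(pin_ifindex=pinned)
        ifindex, spec_dst, dst = r["seen"]
        print(f"pin_ifindex={pinned}: arrived on ifindex {ifindex} for {dst} "
              f"(spec_dst {spec_dst}); reply from {r['reply_src']}: {r['reply']!r}")
```

Over loopback both variants behave identically; the difference only shows on a host with two interfaces and an asymmetric return route, where the pinned reply is resolved (ARPed) on the ingress interface while the unpinned one follows `ip route get`. Watch it with `tcpdump -ni <ingress-if> arp` while the script answers a client on the other interface.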