alecz
just joined
Topic Author
Posts: 1
Joined: Wed Jul 04, 2018 3:33 pm

OpenVPN + VRF

Thu Jul 05, 2018 8:13 am

I have an OpenVPN server:
[alecz@MikroTik] > ppp export
/ppp profile
add local-address=172.16.169.1 name=ovpn remote-address=ovpn-pool use-mpls=yes

/ppp secret

add name=pochta-test password=pochta-test profile=ovpn routes=192.168.228.44/30 service=ovpn

It works:
[alecz@MikroTik] > ppp active print
Flags: R - radius
# NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
pochta-test ovpn 192.168.105.1 172.16.169.254 1h5m10s AES-128-CBC/MD5

I added this interface to the VRF:

[alecz@MikroTik] > ip route vrf print
Flags: X - disabled, I - inactive
0 routing-mark=sbrf interfaces=<ovpn-pochta-test> route-distinguisher=27:13 import-route-targets=27:13 export-route-targets=27:13

[alecz@MikroTik] > ip route add dst-address=192.168.228.44/30 vrf-interface=<ovpn-pochta-test> gateway=<ovpn-pochta-test>

and saw it on the BGP neighbor:

G2#sh ip route vrf SBRF bgp

Routing Table: SBRF

172.16.0.0/16 is variably subnetted, 9 subnets, 3 masks
B 172.16.169.254/32 [20/0] via , 00:08:51
192.168.228.0/24 is variably subnetted, 22 subnets, 3 masks
B 192.168.228.44/30 [20/0] via , 00:00:02

When I restart my OpenVPN client I lose the route and the IP VRF route:

[alecz@MikroTik] > ppp active print
pochta-test ovpn 192.168.105.1 172.16.169.254 6s AES-128-CBC/MD5

[alecz@MikroTik] > ip route vrf print
Flags: X - disabled, I - inactive
0 routing-mark=sbrf interfaces=*F00124 route-distinguisher=27:13 import-route-targets=27:13 export-route-targets=27:13
[alecz@MikroTik] > ip route check 192.168.228.46
status: ok
interface: <ovpn-pochta-test>
nexthop: 192.168.228.46

and nothing works.
 
rico29
just joined
Posts: 20
Joined: Fri Sep 25, 2009 10:49 am

Re: OpenVPN + VRF

Fri Oct 19, 2018 12:58 pm

Hello,
Same problem here. As soon as the openvpn server binding (which is a dynamic interface) goes down then up, the corresponding interface in ip/route/vrf and /ip/firewall/* is set to "unknown" or "*F00...".
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: OpenVPN + VRF

Thu Nov 01, 2018 3:43 pm

You need a kind of "crime scene cleaner":

ppp-up:
# Runs each time a PPP/OVPN client connects; $user, $interface, $"local-address",
# $"remote-address", $"caller-id" and $"called-id" are supplied by RouterOS.
:local localAddr $"local-address"
:local remoteAddr $"remote-address"
:local callerId $"caller-id"
:local calledId $"called-id"
:local interfaceName [/interface get $interface name]
# The realm part of the username (after "@") names the VRF via its routing-mark.
:local calledRealm [:pick $user ([:find $user "@" ]+1) 60]
:local vrfId [/ip route vrf find where routing-mark=$calledRealm]
# Dump the VRF entry to a file and cut the current interface list out of the terse output
# (everything between "interfaces=" and " route-distinguisher=").
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
:local actualVrfIfs [/file get ($calledRealm."Members") contents] ;
:local actualExistentIfs [:pick $actualVrfIfs ([:find $actualVrfIfs "interfaces=" ]+11) ([:find $actualVrfIfs "route-distinguisher=" ]-1)]
# Re-add the freshly created dynamic interface to the VRF member list.
/ip route vrf set $vrfId interfaces="$actualExistentIfs,$interfaceName"
:log info "$user (srcIp=$callerId, dstIp=$calledId) connected: was given $remoteAddr IP (GW $localAddr) and assigned to $interfaceName interface in VRF $calledRealm"
# Refresh the snapshot file for the next run.
/file set ($calledRealm."Members") contents=""
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
...
ppp-down:
# Runs when the client disconnects; same RouterOS-supplied variables as in ppp-up.
:local localAddr $"local-address"
:local remoteAddr $"remote-address"
:local callerId $"caller-id"
:local calledId $"called-id"
:local interfaceName [/interface get $interface name]
:local calledRealm [:pick $user ([:find $user "@" ]+1) 60]
:local vrfId [/ip route vrf find where routing-mark=$calledRealm]
# Snapshot the VRF entry, then rebuild the interface list without ",<interfaceName>":
# the part before the interface name plus the part after it, up to " route-distinguisher=".
/ip route vrf print terse file=($calledRealm."CleanUpMembers") where routing-mark=$calledRealm
:local cleanUpVrfIfs [/file get ($calledRealm."CleanUpMembers") contents] ;
:local lenInterfaceName [:len $interfaceName]
:local cleanUpExistentIfs ([:pick $cleanUpVrfIfs ([:find $cleanUpVrfIfs "interfaces=" ]+11) ([:find $cleanUpVrfIfs (",".$interfaceName) ] +0)]. \
[:pick $cleanUpVrfIfs ([:find $cleanUpVrfIfs $interfaceName ] + $lenInterfaceName) ([:find $cleanUpVrfIfs "route-distinguisher=" ]-1)])
# Debug output; visible when the script is run from a terminal.
:put $cleanUpExistentIfs
:put $lenInterfaceName
# Write the cleaned list back so no dead "*F00..." reference is left in the VRF.
/ip route vrf set $vrfId interfaces="$cleanUpExistentIfs"
/file set ($calledRealm."CleanUpMembers") contents=""
/file set ($calledRealm."Members") contents=""
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
...
ppp-down (updated) for use with PPPoE, SSTP and OpenVPN:
:local localAddr $"local-address"
:local remoteAddr $"remote-address"
:local callerId $"caller-id"
:local calledId $"called-id"
:local interfaceName [/interface get $interface name]
:local calledRealm [:pick $user ([:find $user "@" ]+1) 60]
:local vrfId [/ip route vrf find where routing-mark=$calledRealm]
# Wait until the dynamic interface is really gone, so the VRF entry already shows the
# dead "*F00..." reference instead of the interface name; then cut that reference out.
:delay 2
/ip route vrf print terse file=($calledRealm."CleanUpMembersSec") where routing-mark=$calledRealm
:local cleanUpVrfIfsSec [/file get ($calledRealm."CleanUpMembersSec") contents] ;
# Part before ",*F00..." (the -2 skips the comma and the "*") plus the part after the
# 6-character reference, up to " route-distinguisher=".
:local cleanUpExistentIfsSec ([:pick $cleanUpVrfIfsSec ([:find $cleanUpVrfIfsSec "interfaces=" ]+11) ([:find $cleanUpVrfIfsSec "F00" ] -2)]. \
[:pick $cleanUpVrfIfsSec ([:find $cleanUpVrfIfsSec "F00" ] + 6) ([:find $cleanUpVrfIfsSec "route-distinguisher=" ]-1)])
:put $cleanUpExistentIfsSec
/ip route vrf set $vrfId interfaces="$cleanUpExistentIfsSec"
/file set ($calledRealm."CleanUpMembersSec") contents=""
/file set ($calledRealm."Members") contents=""
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
~~
We know what happens to people who stay in the middle of the road. They get run over.
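The list surgery that both ppp-up and ppp-down scripts above perform on the terse VRF output, modelled in Python as an added example (not code from this thread and not RouterOS script): it parses one `ip route vrf print terse` line, drops dead references such as `*F00124` or `unknown`, and computes the member list to write back on connect and on disconnect. The sample line is constructed from the output shown in the thread.

```python
# Constructed sample, modelled on the terse output quoted in the thread: one live
# member, one dead reference left by a restarted client, and one "unknown" entry.
STALE_VRF_LINE = (
    "0 routing-mark=sbrf interfaces=<ovpn-old>,*F00124,unknown "
    "route-distinguisher=27:13 import-route-targets=27:13 export-route-targets=27:13"
)


def parse_terse(line: str) -> dict:
    """Split one terse print line into its key=value fields; the leading index is dropped."""
    fields = {}
    for token in line.split()[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_stale(name: str) -> bool:
    """A binding that went away leaves an internal id like *F00124 or the word 'unknown'."""
    return name.startswith("*") or name == "unknown"


def member_interfaces(line: str) -> list:
    """Current VRF member list as RouterOS printed it, empty names removed."""
    raw = parse_terse(line).get("interfaces", "")
    return [n for n in raw.split(",") if n]


def vrf_members_on_up(line: str, iface: str) -> list:
    """ppp-up: drop dead references and list the new dynamic interface exactly once."""
    live = [n for n in member_interfaces(line) if not is_stale(n)]
    if iface not in live:
        live.append(iface)
    return live


def vrf_members_on_down(line: str, iface: str) -> list:
    """ppp-down: remove the interface that is going away plus any dead references."""
    return [n for n in member_interfaces(line) if not is_stale(n) and n != iface]


def set_command(vrf_id: str, members: list) -> str:
    """The /ip route vrf set command the script would run (vrf_id is the find result)."""
    return f'/ip route vrf set {vrf_id} interfaces="{",".join(members)}"'


if __name__ == "__main__":
    print(set_command("*1", vrf_members_on_up(STALE_VRF_LINE, "<ovpn-pochta-test>")))
    print(set_command("*1", vrf_members_on_down(STALE_VRF_LINE, "<ovpn-old>")))
```

Unlike the scripts, which rely on fixed character offsets, this splits on the field separators, so it survives any number of members and either form of dead entry.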
