Description
Describe the bug
When using the --multihome option, according to the man page the expected behavior is that packets sent from the server to the client will be sent with the source IP set to what the client used as the destination IP to reach the server.
This in general works, but has an unexpected side effect: the return packets are sent out the same interface the client's packets were received on, effectively ignoring the server's routing table.
We're running a load-balanced setup with an IPVS-based L4 load balancer in tunnel mode with direct server return (DSR) in front of our OpenVPN servers.
The load balancers are encapsulating traffic into an IPIP tunnel to steer the packets to a specific selected backend. On the openvpn server node we have an IPIP tunnel interface like this:
lb-vpn: ip/ip remote any local 192.0.2.0 ttl inherit
The tunnel is unidirectional (as this is a DSR setup) and we expected the egress packets to just leave the machine on the interface that results from a regular routing table lookup. Instead, we see the packets being sent into the IPIP tunnel interface.
To Reproduce
Set up an OpenVPN server with --multihome enabled, where ingress traffic is received on one interface and the default route points out another. You'll see the egress packets leave on the wrong interface.
Expected behavior
Egress interface/next-hop selection should always be left to the operating system's routing table.
Version information:
- OS: Ubuntu 22.04
- OpenVPN version: 2.6.14-0ubuntu0.24.04.1
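Added example, not code from OpenVPN and not a description of how OpenVPN's socket code implements --multihome. It shows the Linux mechanism behind the two behaviours the report contrasts: an IP_PKTINFO control message passed to sendmsg(2) sets the reply's source address through ipi_spec_dst, and if ipi_ifindex is nonzero the kernel constrains the route lookup to that interface, which is exactly what makes a reply leave via the ingress interface instead of the interface the routing table would pick. The builder takes a flag so both modes can be compared; the loopback demo in main(), the 192.0.2.0 sample source, and all function names are constructed for this example.

```c
/* Added example, not OpenVPN code. On Linux an IP_PKTINFO control message
 * given to sendmsg(2) sets the reply's source address (ipi_spec_dst) and,
 * if ipi_ifindex is nonzero, constrains the route lookup to that interface,
 * bypassing the routing table. Keeping the source but zeroing the index
 * gives the multihome behaviour the report expects. */
#define _GNU_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct pktinfo_ctl {                 /* one IP_PKTINFO block for sendmsg() */
    char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    size_t len;                      /* value for msg_controllen */
};

/* reply_src: local address the request was delivered to (the received
 * ipi_spec_dst). pin_ifindex != 0 copies the ingress index into the reply,
 * reproducing the reported behaviour; 0 leaves routing to the kernel. */
void build_reply_pktinfo(struct pktinfo_ctl *out, struct in_addr reply_src,
                         int ingress_ifindex, int pin_ifindex)
{
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    memset(out->buf, 0, sizeof out->buf);
    mh.msg_control = out->buf;
    mh.msg_controllen = sizeof out->buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&mh);
    cm->cmsg_level = IPPROTO_IP;
    cm->cmsg_type = IP_PKTINFO;
    cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo *pi = (struct in_pktinfo *)CMSG_DATA(cm);
    pi->ipi_spec_dst = reply_src;                        /* reply source IP */
    pi->ipi_ifindex = pin_ifindex ? ingress_ifindex : 0; /* 0: route normally */
    out->len = CMSG_SPACE(sizeof(struct in_pktinfo));
}

/* Copy the IP_PKTINFO block out of a control buffer (as filled by recvmsg()
 * or by the builder above). Returns 1 when found, 0 otherwise. */
int find_pktinfo(const char *ctl, size_t ctl_len, struct in_pktinfo *out)
{
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_control = (char *)ctl;
    mh.msg_controllen = ctl_len;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&mh); cm; cm = CMSG_NXTHDR(&mh, cm))
        if (cm->cmsg_level == IPPROTO_IP && cm->cmsg_type == IP_PKTINFO &&
            cm->cmsg_len >= CMSG_LEN(sizeof *out)) {
            memcpy(out, CMSG_DATA(cm), sizeof *out);
            return 1;
        }
    return 0;
}

/* Check helper: the ifindex a reply built in the given mode hands to the
 * kernel, or -1 if the block does not parse. Source 192.0.2.0 is a sample. */
int reply_ifindex(int ingress_ifindex, int pin_ifindex)
{
    struct pktinfo_ctl rc;
    struct in_pktinfo pi;
    struct in_addr src = { htonl(0xC0000200u) };         /* 192.0.2.0 */
    build_reply_pktinfo(&rc, src, ingress_ifindex, pin_ifindex);
    return find_pktinfo(rc.buf, rc.len, &pi) ? pi.ipi_ifindex : -1;
}

/* Stand-alone demo over loopback: the server learns the delivery address and
 * ingress ifindex via IP_PKTINFO and answers with ipi_ifindex left at 0. */
int main(void)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t sl = sizeof sa;                   /* sin_port 0: ephemeral port */
    if (bind(srv, (struct sockaddr *)&sa, sl) || getsockname(srv, (struct sockaddr *)&sa, &sl))
        return 1;
    sendto(cli, "ping", 4, 0, (struct sockaddr *)&sa, sl);

    char data[64], ctl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct sockaddr_in from;
    struct iovec iov = { data, sizeof data };
    struct msghdr mh = { .msg_name = &from, .msg_namelen = sizeof from, .msg_iov = &iov,
                         .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof ctl };
    ssize_t n = recvmsg(srv, &mh, 0);
    struct in_pktinfo in_pi;
    if (n < 0 || !find_pktinfo(ctl, mh.msg_controllen, &in_pi)) return 1;
    printf("request to %s arrived on ifindex %d\n", inet_ntoa(in_pi.ipi_spec_dst), in_pi.ipi_ifindex);

    struct pktinfo_ctl rc;             /* reply from the same address, egress not pinned */
    build_reply_pktinfo(&rc, in_pi.ipi_spec_dst, in_pi.ipi_ifindex, 0);
    iov.iov_len = (size_t)n;
    mh.msg_control = rc.buf; mh.msg_controllen = rc.len;
    sendmsg(srv, &mh, 0);
    n = recv(cli, data, sizeof data, 0);       /* blocks until the reply lands */
    printf("client got a %zd-byte reply; next hop chosen by the routing table\n", n);
    close(srv); close(cli);
    return 0;
}
```

Build with `cc -Wall -o pktinfo pktinfo.c` and run it; on a multi-homed host the reported symptom can be reproduced by passing a nonzero `pin_ifindex` to `build_reply_pktinfo()` and watching the reply leave the ingress interface in `tcpdump`, while the zero mode follows `ip route get <client>`.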