OpenVPN: Listen on TCP and UDP with TUN

Today I’ll describe how to get OpenVPN to listen on both a UDP and a TCP port, using a tun device for each instance and the same network for clients, meaning the same client can connect over either TCP or UDP and get the same IP address assigned.

To achieve this, we’ll need:

  • OpenVPN
  • Sudo

I’m running this on a Debian Wheezy installation, but any Linux distribution can do the trick.

Let’s create the first OpenVPN instance, listening on UDP/1194. Certificate creation is not covered by this HOWTO, as plenty of resources can already be found online.

Note that the only difference from a standard VPN configuration is the following line:

learn-address /etc/openvpn/MYVPN/learn-address.sh

This directive makes OpenVPN run the script ‘learn-address.sh’ whenever a client’s address is learned or unlearned. That lets us modify the kernel’s routing table on client connection and disconnection and specify which tunnel interface should be used for that particular client.

Let’s now configure the TCP VPN:

Note that we only changed the log file names, the IPP file, the tun device name and, of course, the protocol.

Now, let’s configure a client’s CCD file like the following:

Allow the vpn user to run /sbin/ip through sudo, so that the learn-address.sh script can make routing table changes. Let’s create a ‘/etc/sudoers.d/openvpn’ file with the following content:

vpn ALL=(ALL:ALL) NOPASSWD: /sbin/ip

And last but not least, let’s put together the learn-address.sh script, which does all the magic:

As some comments have mentioned, you also need to run these:

# adduser --system --group vpn
# chmod +x learn-address.sh

Now you can make your client connect to the UDP instance, disconnect, and connect again to the TCP one. You can tail -f /tmp/learn.log, where you will see the routing changes if everything is working:

[-] Adding addr 10.1.2.6 -> tun0
[-] Deleting addr 10.1.2.6 ->
[-] Adding addr 10.1.2.6 -> tun1
[-] Deleting addr 10.1.2.6 ->
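Here is an added example of what such a learn-address hook can look like (my illustration, not the original script from this post). OpenVPN runs the hook as `learn-address.sh <add|update|delete> <address> [common_name]` and exports the instance’s tun device name in `$dev`; the example assumes both instances serve one shared subnet, that the hook runs as the vpn user with the sudoers rule above in place, and the helper names `route_cmd` and `log_line` are mine.

```shell
#!/bin/sh
# Added example of a learn-address hook (not the script from this post).
# OpenVPN runs it as:  learn-address.sh <add|update|delete> <address> [common_name]
# and exports the instance's tun device name in $dev.
# Assumptions: both instances serve one shared subnet, the hook runs as the
# 'vpn' user, and /etc/sudoers.d/openvpn lets that user run /sbin/ip (the rule
# grants all of ip(8), so keep this script root-owned and not writable by vpn).
LOG="${LEARN_LOG:-/tmp/learn.log}"
IP="${IP_CMD:-sudo /sbin/ip}"

# Print the ip(8) command that pins a client address to one tun device.
# A /32 host route takes precedence over the two overlapping subnet routes
# that tun0 and tun1 both carry, so replies go to the instance the client uses.
route_cmd() {
  case "$1" in
    add|update) printf '%s route replace %s/32 dev %s\n' "$IP" "$2" "$3" ;;
    delete)     printf '%s route del %s/32\n' "$IP" "$2" ;;
    *)          return 1 ;;
  esac
}

# Print a log line in the format shown in /tmp/learn.log above.
log_line() {
  case "$1" in
    add|update) printf '[-] Adding addr %s -> %s\n' "$2" "$3" ;;
    delete)     printf '[-] Deleting addr %s ->\n' "$2" ;;
    *)          return 1 ;;
  esac
}

# Entry point used by OpenVPN; not run when the file is loaded without arguments.
main() {
  op="$1"; addr="$2"
  # The address and device end up on a command line run through sudo, so
  # only a plain IPv4 address and a plain interface name are accepted.
  case "$addr" in *[!0-9.]*|"") echo "[!] refusing address '$addr'" >> "$LOG"; exit 1 ;; esac
  case "$dev" in *[!A-Za-z0-9]*) echo "[!] refusing device '$dev'" >> "$LOG"; exit 1 ;; esac
  log_line "$op" "$addr" "$dev" >> "$LOG" || exit 1
  # Keep the client session up even if ip(8) fails: record it and return 0.
  eval "$(route_cmd "$op" "$addr" "$dev")" >> "$LOG" 2>&1 \
    || echo "[!] ip failed for $addr" >> "$LOG"
  exit 0
}

[ $# -ge 2 ] && main "$@"
```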

Was this useful to you? Have questions or thoughts? Don’t hesitate to leave a comment.

BGP4: Enabling IPv6 Neighbors

Being tired of using static routes with IPv6, I implemented OSPFv3 with IPv6 peers some time ago… But I faced a lot of issues, mostly due to Quagga’s implementation of OSPF.

A few days ago I decided to switch to BGP4 IPv6 peers. I have one thing to say in summary: it works very well.

You can read the full article to see how I put this in place.

Continue reading BGP4: Enabling IPv6 Neighbors

Packet load balancing over two ISPs

Today I’ve been wondering how to load-balance my home traffic across two connections. I had already done some load balancing, but those solutions only used a route-based algorithm, so there was no real gain from such a method on a lightly used connection. What I want to achieve today is sharing the load packet by packet, equally over two links.

Host A is simply my gateway at home, while host B is a server hosted on the internet with a 100 Mbps link. For this to work, we establish two tunnel connections, one across each ISP connection; setting up the tunnels is not covered by this HOWTO. When you have your two tunnels working across your two links, issue the following commands:

  1. tc qdisc add dev tap0 root teql0
  2. tc qdisc add dev tap1 root teql0
  3. ip link set dev teql0 up
  4. echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
  5. echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

Assign an IP range to both sides of the tunnels and to the teql0 interfaces:

On A:

On B:

And you’re set: just set up simple connection sharing on B and point A’s default route through the teql0 interface.

With two VDSL connections of 18 Mbps each, I achieved the following results:

Cisco: HSRP to improve redundancy

In a previous post, I talked about how to put in place a Heartbeat failover cluster for services. Now I’d like to improve my network redundancy by putting two routers in failover; I achieved this simply by using the HSRP protocol on both nodes.

Here is the IOS configuration of the two nodes:

node1 – primary

node2 – secondary

You can see some differences:

  • priority: the default is 100; giving a router a higher priority makes it the primary by default.
  • track: this is the condition that triggers the failover; in this case, when either FastEthernet 0 or 3 goes down, the failover takes place.

Hope it helps.

Dynamips: compute your idle-pc value

Previously, I talked about dynamips and how to run Cisco hardware virtually. I also talked about an “idle-pc” value that you needed to compute in order to reduce the CPU usage of dynamips.

Let’s try to compute this value:

  1. Start dynamips with your IOS image and an empty configuration.
  2. Wait for the “Press RETURN to get started!” prompt, and do NOT press Enter.
  3. Wait a while (5-10 seconds) and press “Ctrl-] + i”. Statistics will be gathered for 10 seconds.
  4. You will then see an output such as this one:

  5. Now relaunch dynamips with each of these values for --idle-pc. If you have found the correct one, an idle router should use between 5 and 15 percent of your CPU.
  6. Keep this value preciously 😉

That’s it.

Dynamips: cheap cisco hardware

Some days ago, I was facing a migration problem… I had to find a temporary solution to host a Cisco VPN on a fast line where I couldn’t place a physical Cisco device…

I searched Google to see if there was an open-source solution for such a VPN server… but apparently there is not.

Then I found Dynamips, an IOS software emulator. After reading some docs about it and talking with friends, I decided to give it a try.

You will find below the results of my tests.

Continue reading Dynamips: cheap cisco hardware

SSH on Cisco

Configure SSH on a Cisco AP with IOS:

To prevent non-SSH logins, add the following line to all “lines”: