Macvlan with VLAN profile, vpn client oddity

Moved the macvlan profile into a VLAN, but the moment the OpenVPN starts I am not able to reach the container.
Tested with the VPN offline, and the container is reachable in the VLAN and from the LAN.
It is not the firewall; on or off, same behavior.

container with running vpn

$ ip r
0.0.0.0/1 via 10.8.3.1 dev tun0 
default via 10.10.60.1 dev eth0 proto dhcp src 10.10.60.60 metric 100 
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.11 
10.10.60.0/24 dev eth0 proto kernel scope link src 10.10.60.60 metric 100 
10.10.60.1 dev eth0 proto dhcp scope link src 10.10.60.60 metric 100 
128.0.0.0/1 via 10.8.3.1 dev tun0 

macvlan profile

devices:
  eth0:
    hwaddr: 00:12:77:77:77:77
    nictype: macvlan
    parent: eth0
    type: nic
    vlan: "60"

host

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 70:85:e2:42:cb:55  brd ff:ff:ff:ff:ff:ff
    inet 10.10.22.50/24 brd 10.10.22.255 scope global dynamic eth0
       valid_lft 6363sec preferred_lft 6363sec
3: lxdbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:16:3e:4f:cf:62 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
4: eth0.60@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 70:85:e2:42:cb:55 brd ff:ff:ff:ff:ff:ff

Your VPN is essentially configuring a default route through it by using 2 /1 routes. This could explain why you lose connectivity to the container. If I read your routing table properly, only machines part of 10.10.60.0/24 should still be able to connect to it.

Thanks, you are partially right: if the VPN is on, I can reach the web server when coming from the same VLAN, and I can reach the web server from another host in a different VLAN as long as the VPN client is off.

Will try to create an LXC VLAN network tomorrow and see how that works out.

Assuming you don’t control the VPN server, you can work around that by adding static routes for your other VLANs.

Could you please give an example?

Say your own network uses 10.0.0.0/8, you could have this route go through your container’s gateway with: ip route add 10.0.0.0/8 via 10.10.60.1. This way, the 2 /1 routes pushed by the VPN wouldn’t take precedence over your /8 route.
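As an added illustration that is not part of the thread, the following Python reproduces the container's routing table from the `ip r` output above and applies longest-prefix matching to show which interface a reply to a host in another VLAN leaves on, before and after the suggested 10.0.0.0/8 route is added. The 10.0.0.0/8 prefix is the assumption from the reply; the destination addresses used are constructed for the example.

```python
# Added example, not code from the forum thread: longest-prefix-match lookup
# over the container's routing table, showing why the two /1 routes pushed by
# the VPN capture replies to other VLANs and why a static /8 via the macvlan
# gateway takes precedence over them.
import ipaddress

# Routing table as shown in the thread's `ip r` output: (prefix, next hop, device).
VPN_ROUTES = [
    ("0.0.0.0/1", "10.8.3.1", "tun0"),
    ("0.0.0.0/0", "10.10.60.1", "eth0"),      # default via eth0 (DHCP)
    ("10.8.3.0/24", None, "tun0"),
    ("10.10.60.0/24", None, "eth0"),
    ("10.10.60.1/32", None, "eth0"),
    ("128.0.0.0/1", "10.8.3.1", "tun0"),
]

# Assumed site-wide prefix from the last reply: 10.0.0.0/8 via the container's gateway.
STATIC_FIX = ("10.0.0.0/8", "10.10.60.1", "eth0")


def lookup(table, dst):
    """Return (prefix, via, dev) of the most specific route matching dst.

    This mirrors the kernel's longest-prefix-match rule: a /24 beats a /8,
    which beats the VPN's two /1 routes, which beat the /0 default.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, via, dev), net.prefixlen
    return best


def egress_dev(table, dst):
    """Interface a packet to dst leaves on, or None if unroutable."""
    route = lookup(table, dst)
    return route[2] if route else None


if __name__ == "__main__":
    # Constructed client addresses: a host in VLAN 22, the VPN's own subnet, a same-VLAN host.
    for dst in ("10.10.22.50", "10.10.60.5", "8.8.8.8"):
        print(dst, "VPN only:", egress_dev(VPN_ROUTES, dst),
              "| with /8:", egress_dev(VPN_ROUTES + [STATIC_FIX], dst))
```

Replies to the VLAN 22 host leave via tun0 under the VPN-only table, which is why the connection fails, while the added /8 sends them back out eth0 and Internet traffic still goes through the tunnel.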