Hi,

On Thu, Feb 09, 2012 at 10:44:15PM +1300, Michal Ludvig wrote:
> >On Thu, Feb 09, 2012 at 03:49:11PM +1300, Michal Ludvig wrote:
> >>I'm used to pushing route options to the clients with explicit metrics.
> >>That works well for IPv4 with e.g.:
> >>push "route 192.168.128.0 255.255.240.0 vpn_gateway 200"
> >>
> >>However route-ipv6 doesn't accept the 'vpn_gateway' keyword and
> >>therefore I can't easily set a metric. I could indeed put the actual
> >>server IP in there but that's less flexible, partly because I have this
> >>routes section in a separate file included in multiple configs on the
> >>same machine.
> >What are you trying to achieve?
>
> I'm trying to set a metric for an IPv6 route pushed from the OpenVPN server.
>
> Long story, if you're asking why, is: we've got multiple OpenVPN
> gateways to our network, each in a different location. A VPN user can
> connect to any of them, or to more than one, and must have access to the
> whole network. Obviously I'm pushing the prefixes local for each
> location with a lower metric and the non-local prefixes with a higher
> metric. That way, even if a user has a tunnel up to two or more
> locations, the traffic to each location is always routed through the
> most direct tunnel with the lowest metric.

OK, this makes sense, and is a good argument for metric. (And to make
this extensible, it would need to understand a gateway parameter, which
it currently doesn't).

> To make things a little more complicated I have both UDP and TCP
> endpoints in each location (TCP is there for users behind HTTP proxies
> for example) and most of their configs are shared, therefore I use the
> "vpn_gateway" placeholder that gets replaced with the VPN IP of the
> actual server, which is different between UDP and TCP on the same
> gateway. Without that placeholder I can't share the config with "push
> route-ipv6" options between UDP and TCP instances.

It won't work anyway right now, because metric isn't handled in IPv6
routing at all - classical case of "other things were more pressing"
(and all this stuff is "slightly" system-dependent, so needs lots of
testing...).

> So that's what I'm trying to achieve. Hope that makes sense :)

It does. Thanks for explaining.

I'm not promising anything, but it just moved a bit further up on my
TODO list... ;-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
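The multi-gateway design Michal describes (each server pushes its local prefix at a low metric and the remote prefixes at a high metric, so a client with tunnels to two locations reaches each one through the nearest tunnel), as an added Python model that is not part of this thread or of OpenVPN itself. It covers only the IPv4 `push "route ... vpn_gateway <metric>"` form, since route-ipv6 had no metric handling at the time; the location names, prefixes, tunnel names and metric values are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed layout: two VPN locations, each with one "local" prefix.
LOCATIONS = {
    "muc": "192.168.128.0/20",
    "ber": "192.168.144.0/20",
}
LOCAL_METRIC, REMOTE_METRIC = 100, 200   # constructed values


def push_lines(location):
    """'push route' lines a server in `location` would carry in its config:
    vpn_gateway placeholder (resolved per instance, so UDP and TCP servers
    can share the file) plus an explicit metric, low for the local prefix."""
    lines = []
    for loc, prefix in LOCATIONS.items():
        net = ipaddress.ip_network(prefix)
        metric = LOCAL_METRIC if loc == location else REMOTE_METRIC
        lines.append(
            f'push "route {net.network_address} {net.netmask} vpn_gateway {metric}"')
    return lines


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str        # tunnel the route was pushed over (hypothetical name)
    metric: int


def client_routes(connected):
    """Routing table a client ends up with after connecting to every
    location in `connected`: each tunnel contributes all prefixes."""
    table = []
    for loc in connected:
        for other, prefix in LOCATIONS.items():
            metric = LOCAL_METRIC if other == loc else REMOTE_METRIC
            table.append(Route(ipaddress.ip_network(prefix), f"tun-{loc}", metric))
    return table


def lookup(table, dst):
    """Kernel-style selection the design relies on: longest prefix match
    first, then the lowest metric among equal-length prefixes."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric)).via
```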