add a static route to THAT device that is responding

ip route add remote-net/suf  via vpn-server

something like that..

or get fancy and add the route to your dhcp settings.


  On 26/09/2013 5:51 PM, Daniel Miller wrote:
> Hello again.
>
> Have a perfectly working setup - so now I want to mess with it. Maybe.
>
> Routed VPN, Linux OpenVPN server, server-side Mikrotik router is
> external to the VPN server.  Clients connect and are able to access the
> server - and the server-side network, as I have configured IP forwarding
> on the server and added a route to the VPN on the router.
>
> So now...all of a sudden I started thinking (I was sitting down, I
> admit...).
>
> First - please confirm my assumption.  Client connecting from whatever
> his own internal LAN/external internet IP address, but has a routed VPN
> IP assigned.  Through the magic of IP, the client reaches my server-side
> router.  The router knows to pass connections on port "X" to the VPN
> server.  The VPN server decodes the packet and decides what to do.  If
> the packet is NOT intended for the VPN server, but instead another
> server-side address, the packet gets forwarded.  When THAT device
> responds - it tries to reply to the address of the VPN client.  Since it
> doesn't know how to reach that network it looks to its default gateway -
> my router.  Normally the router wouldn't know what to do with it - but
> since I've manually told it VPN addresses belong to the VPN server it
> sends it on - and then the VPN server encodes the response and passes it
> back to the router to send it back out via the Internet.
>
> Did I get that right?
>
> If that's the case...then it strikes me as inefficient and inelegant to
> have the server-side network responses bouncing to the router, back to
> the VPN server, and then back out the router.  So...is there a way to
> eliminate that link in the chain?  Some iproute2 or iptables magic?  Or
> would I have to manually configure the VPN route on every server-side
> machine (which I might be able to do via my DHCP...)?  Or as usual am I
> overthinking it and just leave it alone?
>
> --
> Daniel
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
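
The "add the route to your dhcp settings" suggestion in the reply corresponds to DHCP option 121 (classless static routes, RFC 3442). The following is an added example, not part of either message: a Python encoder and decoder for the option payload that a DHCP server would hand to the server-side machines. The addresses (VPN subnet 10.8.0.0/24, VPN server at 192.168.1.10, router at 192.168.1.1) are assumed placeholders.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
ROUTES = [
    ("10.8.0.0/24", "192.168.1.10"),  # VPN client subnet via the VPN server's LAN address
    ("0.0.0.0/0", "192.168.1.1"),     # default route via the router (see note after the block)
]

def encode_route(dest: str, gateway: str) -> bytes:
    """One RFC 3442 entry: prefix length, significant destination octets, gateway."""
    net = ipaddress.ip_network(dest, strict=True)  # rejects host bits set in the prefix
    if net.version != 4:
        raise ValueError("option 121 carries IPv4 routes only")
    significant = (net.prefixlen + 7) // 8          # a /24 sends 3 octets, a /0 sends none
    gw = ipaddress.IPv4Address(gateway)
    return bytes([net.prefixlen]) + net.network_address.packed[:significant] + gw.packed

def encode_option_121(routes) -> bytes:
    """Concatenate the entries into one option payload (length field allows 255 bytes)."""
    payload = b"".join(encode_route(d, g) for d, g in routes)
    if not payload:
        raise ValueError("no routes given")
    if len(payload) > 255:
        raise ValueError("payload exceeds a single DHCP option (255 bytes)")
    return payload

def decode_option_121(payload: bytes):
    """Parse a payload back into (destination, gateway) pairs, e.g. from a lease capture."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Address(payload[i + 1:i + 1 + n] + bytes(4 - n))
        gw = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append((f"{dest}/{plen}", str(gw)))
        i = end
    return routes

if __name__ == "__main__":
    # Hex form, for DHCP servers that take the raw option value.
    print("0x" + encode_option_121(ROUTES).hex())
```

The default route is included because RFC 3442 requires a client that receives option 121 to ignore the Router option (3). Hosts with static addressing, or DHCP clients that do not request option 121, still need the manual `ip route add` from the reply.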

