I have three machines: a 'vpn server' & a 'vpn client' are both running OpenVPN 
2.3_git [git:master/a4b8f653ee5be9c2]; a 'lan server' sits on the client-side 
LAN behind the 'vpn client'.  'vpn server' & 'vpn client' are connected via VPN 
over a UDP connection.


I.e.,

        @VPN_SERVER
                IP(eth0) = "S.S.S.S"       external/WAN intfc
                         = 192.168.0.1
                IP(tun1) = 10.0.0.1        vpn tunnel   endpoint

        @VPN_CLIENT
                IP(eth0) = "C.C.C.C"       external/WAN intfc
                IP(eth1) = 192.168.1.1     internal/LAN intfc
                IP(tun1) = 10.0.0.2        vpn tunnel   endpoint

        @LAN_SERVER
                IP(eth0) = "192.168.1.10"  external/WAN intfc


With @SERVER configs of

        /etc/openvpn/server.conf
                ...
                mode server
                server        10.0.0.0   255.255.255.0
                topology subnet

                ccd-exclusive
                client-config-dir ccd/
                client-to-client

                push "route   192.168.0.0 255.255.255.0"
                route         192.168.1.0 255.255.255.0 
                push "route   192.168.1.0 255.255.255.0"

        /etc/openvpn/ccd/client1.conf
                ...
                ifconfig-push 10.0.0.2   255.255.255.0
                iroute        192.168.1.0 255.255.255.0

Once the tunnel's up, I can ping in both directions, in all four cases,

        @VPN_SERVER, ping -> VPN_CLIENT[192.168.1.1]    OK
        @VPN_SERVER, ping -> LAN_SERVER[192.168.1.10]   OK
        @VPN_CLIENT, ping -> VPN_SERVER[192.168.0.1]    OK
        @LAN_SERVER, ping -> VPN_SERVER[192.168.0.1]    OK

But if I move all "client-specific" route config out of the main server config 
to the ccd/client config, i.e.

        /etc/openvpn/server.conf
                mode server
                server        10.0.0.0   255.255.255.0
                topology subnet

                ccd-exclusive
                client-config-dir ccd/
                client-to-client

                push "route   192.168.0.0 255.255.255.0"

        /etc/openvpn/ccd/client1.conf
                ifconfig-push 10.0.0.2   255.255.255.0
                iroute        192.168.1.0 255.255.255.0
+               route         192.168.1.0 255.255.255.0 
+               push "route   192.168.1.0 255.255.255.0"

and reestablish the tunnel, only one of those PINGs now works

        @VPN_SERVER, ping -> VPN_CLIENT[192.168.1.1]    FAIL
        @VPN_SERVER, ping -> LAN_SERVER[192.168.1.10]   FAIL
        @VPN_CLIENT, ping -> VPN_SERVER[192.168.0.1]    OK
        @LAN_SERVER, ping -> VPN_SERVER[192.168.0.1]    FAIL

It makes sense to me to be able to consolidate ALL client-specific info in 
client-specific config files.

But, does SOME client-specific config HAVE to go in the main server config?

Or does the above config need to change (aka, be fixed) when I consolidate?

PG
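
An added example, not part of the original post and not OpenVPN project code: a small checker for the two layouts above, based on the OpenVPN manual's description of `route` as a server-side directive (it installs the kernel route on the server and is not accepted in a client-config-dir file) and of `iroute` as needing a matching system route such as `route` in the main config. The function names and finding labels are hypothetical; the config text is copied from the post.

```python
def directives(text):
    """Yield (name, args) for every directive line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";") or line == "...":
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def check_ccd(server_conf, ccd_conf):
    """Return findings for route/iroute placement across server.conf and one ccd file."""
    findings = []
    # Subnets the server's kernel is told to send into the tunnel.
    server_routes = {tuple(a[:2]) for n, a in directives(server_conf) if n == "route"}
    for name, args in directives(ccd_conf):
        net = tuple(args[:2])
        if name == "route":
            # Server-wide directive placed in a per-client file: no kernel route results.
            findings.append(("route-in-ccd", net))
        elif name == "iroute" and net not in server_routes:
            # OpenVPN knows which client owns the subnet, but the kernel never
            # hands packets for it to the tunnel.
            findings.append(("iroute-without-server-route", net))
    return findings

# Sample input: the two layouts from the post.
WORKING_SERVER = """
mode server
server        10.0.0.0   255.255.255.0
topology subnet
push "route   192.168.0.0 255.255.255.0"
route         192.168.1.0 255.255.255.0
push "route   192.168.1.0 255.255.255.0"
"""
WORKING_CCD = """
ifconfig-push 10.0.0.2   255.255.255.0
iroute        192.168.1.0 255.255.255.0
"""
MOVED_SERVER = """
mode server
server        10.0.0.0   255.255.255.0
topology subnet
push "route   192.168.0.0 255.255.255.0"
"""
MOVED_CCD = WORKING_CCD + """
route         192.168.1.0 255.255.255.0
push "route   192.168.1.0 255.255.255.0"
"""

if __name__ == "__main__":
    for label, srv, ccd in (("working", WORKING_SERVER, WORKING_CCD),
                            ("moved", MOVED_SERVER, MOVED_CCD)):
        print(label, check_ccd(srv, ccd))
```

The first layout produces no findings; the second produces both, which matches the failed pings toward 192.168.1.0/24 from the server side.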
