Hi Dave,

> Wow. Lots to think about. Once I get this all done, I'm thinking a wiki page
> contribution, "by noob, for noob" will be in order!
>
> On 08/01/2014 01:35 PM, Bonno Bloksma wrote:
>> Keep thinking of the OpenVPN setup as just 2 routers with a fixed Ethernet
>> cable in between.
>> That in reality the "ethernet cable" is a VPN tunnel does not change the
>> routing setup.
>
> I guess that might be some of my problem.
>
> I've been thinking of it as 2 wires, not 1 (I like to think with diagrams
> ...)
We have all been there and done that. ;-)

[....]

>> Yup, but that is only because OpenVPN needs to know TOO where to drop stuff
>> once it comes in.
>
> So Openvpn is not CREATING those routes? We're just telling it about
> EXISTING routes that have to have already been set up on each involved box/OS?

Well, the nice thing is.....

> I usually handle that with iroute lines in the client config file I
> have in the ccd directory. OpenVPN sees the iroute lines and makes
> sure the OS it is running on gets updates too.

So, yes, OpenVPN will create those routing lines on the box it is running on for you.

> Linux box running OpenVPN has 2 extra routing rules
>     172.16.17.0/24 via 172.16.1.130 dev tun0
>     172.16.18.0/24 via 172.16.1.130 dev tun0
> Where 172.16.1.130 is the ip number for OpenVPN itself on this box.

OpenVPN made those routing lines all by itself. It is the only way too, as OpenVPN is the only one that knows which ip it has created and where the traffic needs to be sent to.

> Having a config file per client in a separate directory is an easy way to
> keep track of what is where, for me, and is a standard way for OpenVPN.
> So breaking this down piece by piece, to do THAT^ I need related entries in
> all of these
>
> Loc1
>     /etc/openvpn/loc2.server.conf
>     /etc/openvpn/ccd/loc1.client.conf
>     /etc/sysconfig/network/ifroute-eth1
>     /etc/sysconfig/network/ifroute-eth0
>
> Loc2
>     /etc/sysconfig/network/ifroute-eth1
>     /etc/sysconfig/network/ifroute-eth0
>
> making sure that the openvpn config data matches what's on the OS in the
> ifroute-* stuff.
>
> Is that right?

Nope, too complex. I am assuming Loc2 is the "server" side of OpenVPN.

Loc1
    /etc/openvpn/client.conf

Loc2
    /etc/openvpn/server.conf
    /etc/openvpn/ccd/loc1.conf

Server.conf has the normal server side stuff and at least a push route line that lets all clients, in your case just 1, know which network is behind the server.
So in my case

    push "route 172.16.0.0 255.255.0.0"

Looking at my "real config" I see I have an additional "route statement" in my server config. It seems the routing lines at the OS level are created by those statements and not the iroute statement. Another mistake in my previous mail. :-(

From the manual:
------<quote>--------------------
--iroute network [netmask]
Generate an internal route to a specific client. The netmask parameter, if omitted, defaults to 255.255.255.255.
This directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.
------<quote>--------------------

So server config also has a line

    route 172.16.17.0 255.255.255.0

Which is a copy of the iroute line below, missing just the i.

loc1.conf is a very small conf file with maybe only just 1 line. In my case

    iroute 172.16.17.0 255.255.255.0

> I guess I could put the 'ip route add ...' commands in Openvpn up/down
> scripts. Don't yet know if that's better than the ifroute-*.

No, no additional routing statements at the OS level. The ones you need in your setup can be created by OpenVPN.

[....]

>> The majority of the clients have no network behind them that need to
>> be reachable, so they have no iroute statements.
> Both ends of mine have lans.

So you need ONE iroute statement for the network behind the ONE client, and the corresponding route line in the server conf. And a push route statement for the network behind the server.
>> Some have an iroute line like: iroute 172.16.17.0/24

And yes, there was a "bug" in my example in the previous mail, the iroute statement still needs the netmask syntax, it cannot handle the CIDR syntax yet, according to the manual. :-(

>> This way the OpenVPN server knows that behind that client is a
>> network and that all traffic for those ip-numbers needs to be sent to that
>> client. That client will then handle the rest of the routing.
>
> "handle the rest" means -- Openvpn config will handle it? IIuc --> no. The
> OS configs will. Right?

"Handle the rest" means OpenVPN will create the routing lines at the OS level for you.

So, to recap. The server.conf has the normal lines to set up the VPN tunnel, it does NOT matter which ip-range you use for the tunnel as long as it does not conflict with the rest of your network.

Additionally you need 2 lines in the server.conf:

    push "route 192.168.2.0 255.255.255.0"
    route 192.168.1.0 255.255.255.0

the ccd/loc1.conf needs just 1 line

    iroute 192.168.1.0 255.255.255.0

Those 3 lines will make OpenVPN create the proper routing lines for you on the OS it is running on.

BTW I am assuming 192.168.1.0/24 is the network behind client 1 and you are using the server / client setup and not the peer-2-peer setup.

Bonno Bloksma

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
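As an added example (not part of the thread above, and not Bonno's or the OpenVPN project's own files), the three configuration files the reply ends with, written out as a script together with a check for the mistake the quoted manual text warns about: an iroute in a ccd file without its matching route line in server.conf, in which case the kernel never hands the LAN's traffic to OpenVPN. The check is slightly more general than the thread's single client: it walks every file in the ccd directory. Assumed values, all constructed for this example: 192.168.1.0/24 behind the client "loc1", 192.168.2.0/24 behind the server, a 10.8.0.0/24 tunnel, the hostname vpn.example.invalid, and placeholder certificate and key file names. The files are written into a scratch directory passed as the first argument, not into /etc/openvpn.

```shell
#!/bin/sh
# Added example: writes a server/client/ccd trio and checks that every
# "iroute" in the ccd directory is paired with a "route" in server.conf.
# All addresses, hostnames and file names below are constructed assumptions.

# Write the configs into $1 (a scratch directory, not /etc/openvpn).
write_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"

    # Loc2: the server side.
    cat > "$dir/server.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
client-config-dir ccd
# Tell every client what is behind the server.
push "route 192.168.2.0 255.255.255.0"
# Kernel -> OpenVPN: traffic for the LAN behind loc1 enters the tunnel.
route 192.168.1.0 255.255.255.0
EOF

    # Loc2: per-client file; the file name must match the client's certificate CN.
    cat > "$dir/ccd/loc1" <<'EOF'
# OpenVPN -> this particular client: the LAN behind loc1.
iroute 192.168.1.0 255.255.255.0
EOF

    # Loc1: the client side needs no route lines at all; they are pushed.
    cat > "$dir/client.conf" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
cert loc1.crt
key loc1.key
EOF
}

# Report every "iroute net mask" in the ccd directory that has no matching
# "route net mask" in server.conf. Returns 0 if all are paired, 1 otherwise.
check_iroute_pairs() {
    dir="$1"
    status=0
    for f in "$dir"/ccd/*; do
        [ -f "$f" ] || continue
        # Drop comments, keep the network and netmask of each iroute line.
        sed -e 's/#.*//' "$f" | awk '$1 == "iroute" { print $2, $3 }' |
        while read -r net mask; do
            # iroute without a netmask means a single host (see the manual).
            [ -n "$mask" ] || mask=255.255.255.255
            if ! grep -Eq "^[[:space:]]*route[[:space:]]+$net[[:space:]]+$mask([[:space:]]|$)" "$dir/server.conf"; then
                echo "$(basename "$f"): iroute $net $mask has no route line in server.conf"
                exit 1   # ends the pipeline subshell, fails the pipeline
            fi
        done || status=1
    done
    return $status
}
```

Running `write_configs /tmp/ovpn-test && check_iroute_pairs /tmp/ovpn-test` prints nothing and exits 0 for the trio above; adding a ccd file whose iroute has no route counterpart makes the check name the file and exit 1, which is the condition to look for when a client's LAN is reachable from the server's OpenVPN process but not from hosts behind the server.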