On Wed, Nov 5, 2014 at 5:46 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:

> Hi Joe,
>
>
> On 05/11/14 21:11, Joe Patterson wrote:
>
>> Looking through the docs, I *think* I know the answer to this question
>> already, but I figured I'd ask here in case I'm wrong...
>>
>> Is there any way to push an iroute to an openvpn server instance at any
>> time other than when a client connects?  I would think that if this sort of
>> thing could be done, it would be done via the management port, and I don't
>> see anything in the management-notes.txt file, but there's always some
>> possibility that there's another method that I've been missing.
>>
>> If I'm correct that this isn't possible, is it something anyone's thought
>> of doing before?  Is there some reason I haven't thought of that it
>> *shouldn't* be done?
>>
>
> For an iroute to work the server needs to know that the client is
> connected; AFAIK there is only one moment when "per-client" config options
> are processed by the server and that is when the client (re)connects.
>
> If you are in a tun-based setup then you do not need the iroutes, strictly
> speaking: it can also be done using server side routing and firewalling,
> but this requires some iptables magic.
>
>
Can you elaborate on that statement a bit?  Say, for example, I have a
server X with clients A, B, and C connected via tun-based connections.  So
the server has an interface, tun0, with an IP of 192.168.0.1/30, and A has
tun0 with 192.168.0.5/30, B has tun0 192.168.0.9/30, and C has
192.168.0.13/30.  As I understand it, the openvpn process is sort of like a
router that has the .2, .6, .10, and .14 addresses, and uses iroutes to
determine which of them gets packets (and which of them what source
addresses are legal to get packets from).  So if I want to send 10.1.1.0/24
to client B, it's easy enough to add a kernel route to send 10.1.1.0/24 via
192.168.0.2, but once that packet gets to openvpn, shouldn't it need an
iroute in order to know which tunnel to send that packet out to?  That's
what I'm trying to do, I'm trying to figure out how to get that iroute
added without having to have client B reconnect.

Thanks,

-Joe


> cheers,
>
> JJK
>
>
>
>
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
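
The lookup discussed in this thread, sketched as an added example (not code from the thread or from OpenVPN itself): a simplified model of a tun-mode server that chooses a tunnel by destination and checks the source of packets arriving from a client against the same table. The class and method names are hypothetical and the model is an assumption about the behaviour described above; the addresses are the ones from Joe's message.

```python
import ipaddress

class InternalRouter:
    """Simplified model (assumption) of the server's per-client route table in tun mode."""

    def __init__(self):
        self.routes = []  # (network, client) pairs

    def connect(self, client, tunnel_ip, iroutes=()):
        # Per-client options such as iroute are read here, at (re)connect time.
        self.disconnect(client)
        self.routes.append((ipaddress.ip_network(tunnel_ip), client))
        self.routes += [(ipaddress.ip_network(n), client) for n in iroutes]

    def disconnect(self, client):
        self.routes = [r for r in self.routes if r[1] != client]

    def owner(self, addr):
        """Longest-prefix match; None when no client owns the address."""
        ip = ipaddress.ip_address(addr)
        hits = [(net.prefixlen, c) for net, c in self.routes if ip in net]
        return max(hits)[1] if hits else None

    def from_tun(self, dst):
        """Packet the kernel routed into tun0: choose a tunnel or drop it."""
        client = self.owner(dst)
        return "to " + client if client else "drop"

    def from_client(self, client, src):
        """Packet from a tunnel: the source must be one that client owns."""
        return "accept" if self.owner(src) == client else "drop"

def demo():
    r = InternalRouter()
    for name, ip in (("A", "192.168.0.5"), ("B", "192.168.0.9"), ("C", "192.168.0.13")):
        r.connect(name, ip)
    # The kernel route for 10.1.1.0/24 exists, but no client owns it yet.
    before = (r.from_tun("10.1.1.20"), r.from_client("B", "10.1.1.20"))
    # B reconnects and its per-client file now carries the iroute.
    r.connect("B", "192.168.0.9", iroutes=["10.1.1.0/24"])
    after = (r.from_tun("10.1.1.20"), r.from_client("B", "10.1.1.20"),
             r.from_client("C", "10.1.1.20"))
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model the same table entry that selects B's tunnel for 10.1.1.0/24 is what makes 10.1.1.x an acceptable source from B and an unacceptable one from C.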
