At
https://openvpn.net/index.php/open-source/documentation/howto.html#scope
it says:

> Next, you must set up a route on the server-side LAN gateway to route
the VPN client subnet ... to the OpenVPN server ...

I was (possibly wrongly) imagining that there should be a nicer way to
accomplish the intended result without having to tell the server-side
LAN about the *tunnel* IPs in order that hosts there can reply to the
client-side LAN: ideally, shouldn't server-side LAN hosts just need to
know that to reach the client-side LAN they need to go via the server's
interface on the server-side LAN?

To make the next bit easier to explain, here are some numbers:

server-side LAN: 192.168.1.0/24
client-side LAN: 192.168.0.0/24
VPN server 'server' line: server 10.239.67.0 255.255.255.0
server VPN address: 10.239.67.1
client VPN address: 10.239.67.6
client LAN address: 192.168.0.11

My first step was just to ping in both directions: from the server-side
LAN all worked fine, from the client-side LAN everything is fine but
from the client itself it isn't. tcpdump told me why: the client sends
packets with the source address set to its end of the *tunnel* (i.e.
10.239.67.6) and I have deliberately not told the server-side LAN about
the tunnel's IP addresses.

To fix this, I did SNAT on the server:

iptables -t nat -A POSTROUTING -s 10.239.67.6 -j SNAT
--to-source=192.168.0.11

and this worked; now packets on the client, arriving on the server, have
their source addresses changed from the client's tunnel NIC to the
client's LAN NIC, so, when a server-side LAN host receives the packet
then then it knows how to route its replies (because a route to the
client-side LAN was added to its routing table at boot time).

If I had only one client then I could just put this iptables call - with
its hard-coded IP addresses - in the 'up' script, but I want more
clients, so I need to do something a bit more flexible.

However, in the 'up' script's command line args and in its environment,
I don't see anything that tells the server what IP the *client* side of
the tunnel is.

So now to my question: is there any way for the server to determine the
IP of the client's end of the tunnel? The env vars the 'up' script sees are:

route_vpn_gateway=10.239.67.2
daemon_log_redirect=0
script_type=up
proto_1=udp
daemon=0
route_network_1=192.168.0.0
dev=tun0
route_network_2=10.239.67.0
remote_port_1=1194
script_context=init
ifconfig_local=10.239.67.1
verb=3
local_port_1=1194
link_mtu=1541
route_gateway_1=10.239.67.2
tun_mtu=1500
route_gateway_2=10.239.67.2
route_netmask_1=255.255.255.0
route_netmask_2=255.255.255.0
route_net_gateway=192.168.1.1
ifconfig_remote=10.239.67.2
daemon_pid=6240
config=server.conf
PWD=/etc/openvpn

Note that the 10.239.67.6 is not in that list.

A pushed ifconfig *is* known within a client-connect script (says the
man page), but before I start writing one of those, I thought it made
sense to ask here for a simpler solution. Thanks!

Alexis


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to