Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 3 May 2021 11:43, Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Mon, May 03, 2021 at 12:38:21PM +0200, Jan Just Keijser wrote:
>
> > > > and that does not seem to take any proxy hosts into account.
> > > > But "link_socket_current_remote" is very likely to be "whoever we are
> > > > talking to right now", aka "the proxy".
> >
> > you're absolutely right,
>
> Sometimes our code might be old, but still working :-)
>
> > and I now remember the caveat that applies
> > mostly when using "socks-proxy", not "http-proxy":
> > what I'd normally do when using "socks-proxy" is set up an SSH tunnel to
> > a remote host
> >
> >   ssh -D 1080 <remote-host>
> >
> > and then tunnel the VPN traffic over that. The big caveat here is that
> > when doing this, the "socks-proxy" IP address is actually
> > localhost/127.0.0.1: so OpenVPN might add an extra route to localhost,
> > but as soon as the default GW is redirected, the route to the original
> > SSH server is gone.
>
> Mmmh. Indeed, that one is a really tricky one. Even if we were to
> add some sort of policy routing ("openvpn goes to main table, everything
> else goes to 'into-tun' route table") it would still break the SSH session.
>
> For IPv4, a host route
>
>   route $ssh_server_ip 255.255.255.255 net_gateway
>
> should work, but OpenVPN won't be able to know the $ssh_server_ip address
> by "magic lookup".
>
> For IPv6, we have an open trac ticket to add "... net_gateway" functionality,
> but someone was lazy in implementing it.

My initial question was: Does --redirect-gateway do the same for --socks-proxy/--http-proxy as it does for --remote? Install a route for the server we are connected to so that address is not routed into the tunnel.

The bug in this case is that, while openvpn *does* do the same for at least --socks-proxy (have not tested --http-proxy but assume it is the same here), _there is no documentation to that effect_.

As an _improvement_ to openvpn, installing an override route for localhost when using --redirect-gateway and the --remote/--socks-proxy/--http-proxy is 127.0.0.1 seems like it would be possible?

Thanks
R
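The thread above describes the gap: OpenVPN auto-routes only the address it actually connects to (127.0.0.1 when the SOCKS proxy is a local `ssh -D` tunnel), so the real SSH server is lost once the default gateway is redirected, and OpenVPN cannot do the "magic lookup" of `$ssh_server_ip` itself. The following added example, which is not part of the thread nor of the OpenVPN project, does that lookup on the client side and emits the host route Gert sketched. The function names `resolve_ipv4`, `ssh_server_route` and `build_proxy_opts` are this example's own; it assumes a glibc `getent` for hostname resolution and the standard `redirect-gateway def1` form.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate the OpenVPN client
# options that keep an SSH SOCKS tunnel reachable under --redirect-gateway.
# Assumption: the SSH host is given as a hostname or IPv4 literal; we resolve it
# here because OpenVPN only protects the address it connects to (127.0.0.1).

# Print the first IPv4 address of a host. IPv4 literals pass through unchanged;
# hostnames are resolved with getent (glibc). Prints nothing if unresolvable.
resolve_ipv4() {
    host=$1
    if printf '%s' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        printf '%s\n' "$host"
        return 0
    fi
    getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Emit the host route that sends traffic for the SSH server via the original
# gateway rather than into the tunnel (the "route ... net_gateway" workaround).
ssh_server_route() {
    ip=$(resolve_ipv4 "$1") || return 1
    [ -n "$ip" ] || return 1
    printf 'route %s 255.255.255.255 net_gateway\n' "$ip"
}

# Build the full option set: SOCKS via the local ssh -D listener, full
# redirection of the default gateway, and the bypass route for the SSH server.
# Fails (non-zero) instead of emitting an incomplete set if the host does not
# resolve, so a config is never written without the bypass route.
build_proxy_opts() {
    server=$1
    socks_port=${2:-1080}
    bypass=$(ssh_server_route "$server") || return 1
    printf 'socks-proxy 127.0.0.1 %s\n' "$socks_port"
    printf 'redirect-gateway def1\n'
    printf '%s\n' "$bypass"
}

# Typical use, after starting the tunnel with: ssh -fN -D 1080 <remote-host>
#   build_proxy_opts <remote-host> 1080 >> client.conf
```

The order matters for the reader of the resulting config, not for OpenVPN: all three options are plain client options and OpenVPN installs the `net_gateway` host route before the `def1` redirection takes effect. Re-run `build_proxy_opts` whenever the SSH server's address changes, since the route is pinned to a single IPv4 address.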
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users