On Wed, 5 May 2021 08:03:12 +0200, Gert Doering <g...@greenie.muc.de> wrote:

>Hi,
>
>On Wed, May 05, 2021 at 01:20:14AM +0200, Bo Berglund wrote:
>> But I don't want any other traffic to go through the VPN, so how should I set
>> the server conf file to accomplish that?
>
>If the server conf (and client conf) has no instance of "route" or
>"redirect-gateway", all the client will see is the 10.8.113.0/24 subnet
>on the tunnel.
>
>OpenVPN will never automagically route something into the tunnel if
>not told explicitly (in the client conf, or by a "push" from the server).

Thanks!
I thought as much but wanted to confirm.

>> server 10.8.113.0 255.255.255.0 'nopool'
>> ifconfig-pool 10.8.113.2 10.8.113.127 255.255.255.0
>
>This is a bit weird.  "server" *without* "nopool" will include the
>pool setting (though for the full /24)...  so this is more complicated
>than necessary.

What I am trying to do here is to separate external server devices from external
clients. The external servers are remote monitoring Raspberry Pi devices which
will sit behind non-public-IP 4G routers. When they connect I want to set them
up to get a specific tunnel IP address via the ccd mechanism. So each such VPN
client will have an entry in the ccd dir. Therefore I have set aside half of the
IP range for them.
The other half of the range will be used for external client connections, and here
it is not important which IP they get in the tunnel; they may well get a different
one every time they connect, just as long as the corresponding server has its fixed
address so they can connect to it.
They do so on a non-obvious TCP port which the external server is listening on.
Just ASCII traffic after connection.

>> ifconfig-pool-persist ippagi.txt
>> client-config-dir /etc/openvpn/ccdagi #Used to handle special configs
>> # Add route to Client routing table for the OpenVPN Server
>> push "route 10.8.113.1 255.255.255.255"
>> # Add route to Client routing table for the OpenVPN Subnet
>> push "route 10.8.113.0 255.255.255.0"
>
>This is not needed.  The "server" subnet is always known.

So if a Windows client connects to this VPN then it will automatically be able
to reach 10.8.113.1 as well as the external servers on 10.8.113.xx addresses?
That is *without* the added route pushes?

>
>> So I don't want the tunnel clients to be routed out onto the server side LAN nor
>> do I want them to be able to route through to the Internet.
>> Basically the ONLY traffic in the tunnel should be the client-to-client traffic.
>> 
>> What else should I do in the conf file?
>
>If the client is well-behaved, what you have is sufficient.
>
>If the client is malicious, it could just add "route" statements to
>the local client conf and send packets your way.  To prevent that, put
>an iptables rule on the server tun interface and drop packets "coming
>in via tun, to go out to the internet".
>
Well, our client app used for configuration purposes sends/receives TCP/IP
packets via the socket which are just ASCII with some telegram delimiters.

This whole idea comes from the need to be able to reach the remote monitoring
devices even though they are behind unreachable routers. So a 24/7 VPN
connection from the devices and an on-demand connection to the same VPN from the
clients is what I am trying.

PS:
I am sorry to have hijacked this thread by @lejeczek!
It was triggered by the mention of the client-to-client directive for the server
so I took a chance to get my own client-to-client problem discussed with
knowledgeable people...

If I get deeper into trouble I will start a thread of my own in the future.
Right now I am trying to modify an OVPN server I have access to so it will also
serve this kind of connection. It is a hurdle because that is an old server
running Raspbian Jessie and I have forgotten how one started a second instance
back then.
Enough for now...
DS

-- 
Bo Berglund
Developer in Sweden
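Added example (not code from either poster): a small POSIX shell script that generates the three pieces the exchange above covers, namely a server.conf that declares the dynamic pool for only half of the /24 and pushes no routes, ccd entries that pin each monitoring device to a fixed address in the other half, and the iptables rules Gert suggests for dropping anything that enters via the tunnel and tries to leave toward the LAN or Internet. The 10.8.113.0/24 subnet and the pool range .2-.127 come from the thread; the interface name tun0, the ccd directory path, "topology subnet", the client name rpi-site01 and the choice of .128-.254 for fixed addresses are assumptions. The ccd_ip_ok check refuses fixed addresses that fall inside the dynamic pool, so a ccd entry can never collide with an address the pool may hand out.

```shell
#!/bin/sh
# Added example, not from the thread. Generates: server.conf (pool restricted to
# half the /24, no route pushes), ccd entries with ifconfig-push, and iptables
# rules that drop tunnel traffic leaving via any interface other than the tunnel.
# Assumptions: subnet 10.8.113.0/24, tun0, pool .2-.127, fixed ccd addresses
# .128-.254, topology subnet, ccd dir /etc/openvpn/ccd.

POOL_LAST=127   # highest host octet handed out dynamically (constructed split)

# write_server_conf DIR  -- writes DIR/server.conf
write_server_conf() {
    cat > "$1/server.conf" <<'EOF'
# nopool: the dynamic pool is declared explicitly below, for half the subnet only
server 10.8.113.0 255.255.255.0 nopool
topology subnet
ifconfig-pool 10.8.113.2 10.8.113.127 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
# relay traffic between tunnel clients inside OpenVPN (kernel FORWARD not involved)
client-to-client
# no "route", no "redirect-gateway": only 10.8.113.0/24 is ever routed into the tunnel
EOF
}

# ccd_ip_ok ADDR  -- succeeds if ADDR is a usable fixed address outside the pool
ccd_ip_ok() {
    case "$1" in
        10.8.113.*) ;;
        *) return 1 ;;          # not in the tunnel subnet at all
    esac
    octet=${1##*.}
    case "$octet" in
        ''|*[!0-9]*) return 1 ;; # last octet is not a number
    esac
    [ "$octet" -gt "$POOL_LAST" ] && [ "$octet" -lt 255 ]
}

# write_ccd_entry DIR CN ADDR  -- writes DIR/ccd/CN pinning client CN to ADDR
write_ccd_entry() {
    ccd_ip_ok "$3" || { echo "refusing $3 for $2: inside the pool or invalid" >&2; return 1; }
    mkdir -p "$1/ccd"
    # with topology subnet the second argument of ifconfig-push is the netmask
    printf 'ifconfig-push %s 255.255.255.0\n' "$3" > "$1/ccd/$2"
}

# tun_firewall_rules TUN  -- prints the iptables commands (run them as root)
tun_firewall_rules() {
    tun=$1
    # client-to-client traffic that the kernel does forward (e.g. without
    # the client-to-client directive) is still allowed
    echo "iptables -A FORWARD -i $tun -o $tun -j ACCEPT"
    # anything entering via the tunnel and leaving via another interface is
    # dropped, even if a client adds its own "route" lines locally
    echo "iptables -A FORWARD -i $tun ! -o $tun -j DROP"
}

# usage: sh thisfile --demo  -> writes the files into a scratch dir, prints rules
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_server_conf "$out"
    write_ccd_entry "$out" rpi-site01 10.8.113.130
    echo "wrote $out/server.conf and $out/ccd/rpi-site01"
    tun_firewall_rules tun0
fi
```

The two FORWARD rules must be appended in that order (the tunnel-to-tunnel ACCEPT before the catch-all DROP), and they belong on the server only; the rest of the server's forwarding policy is untouched. Because the server.conf carries no "route" or "redirect-gateway" and pushes nothing, a well-behaved client sees only the /24 on the tunnel, exactly as Gert describes, and the DROP rule is what covers a client that is not well-behaved.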



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
