On Wed, Sep 22, 2021 at 3:12 AM Joe Patterson <j.m.patter...@gmail.com> wrote:
> OSPF is a great way to distribute those routes between hosts, the
> problem is getting the routes from the iroute table into the OSPF
> routing table in the first place.
>
> I have used quagga for an ospf daemon.

I was thinking to use quagga also.

> My first whack at this was an ugly kluge where I directly called vtysh
> from my client-connect script, along the lines of:
>
> #parse ccd file for iroute and/or ifconfig-push
> if "connect"
>     vtysh -c 'config t' -c "ip route {net} {mask} {gateway}"
> else
>     vtysh -c 'config t' -c "no ip route {net} {mask} {gateway}"

I guess the gateway is the active host in this case? (The other passive hosts will need to reach the published internal networks of the client.) Why do you publish push routes also? Aren't they supposed to just be pushed to the client and used only from the clients?

> (please excuse my pseudocode)
>
> My second whack at it was a slightly more elegant kluge, where a
> process connected to the management interface and did... a lot of
> things, including keeping track of iroutes and advertising them via
> localhost RIPv2 announcements that could be listened to by quagga and
> redistributed into ospf. I tried it out some, and it did work, but I
> don't think anyone (including myself) has ever run it in production.
>
> If you're feeling adventurous, it's here:
> https://github.com/j-m-patterson/ovpnherder
>
> The basic idea behind it was to have multiple openvpn servers at
> multiple sites, and any client could connect to any server and have
> their iroute-ed subnets and static IP routed to them via ospf.
>
> Let me know if you're interested in it.

Thank you for the feedback and pointer. Appreciated. I will have a look and see where I end up. In case I end up with something useful I will come back. By the way, my three servers are in the same LAN and not WAN distributed, and I use glusterfs to share all the openvpn configs and keys. So if I edit one ccd file all the hosts get the same instantly.
I was thinking also, as a quick hack, to just add a cron job at each host which will look for all the iroutes and add the required routes (in case it is not the active host) to reach the client networks through the active one, but I like the idea with OSPF to learn something new.

> -Joe
>
> On Tue, Sep 21, 2021 at 5:02 PM Alex K <rightkickt...@gmail.com> wrote:
> >
> > Hi all,
> >
> > I have a set of 3 hosts/servers, in an active/passive setup using
> > pacemaker/corosync where openvpn runs only at one of the hosts.
> >
> > I have also some up/down scripts to add or remove some routes (defined
> > from iroute entries at ccd files per client at server) whenever a vpn
> > client connects or disconnects. For example when a client connects, a route
> > is added announcing to the active host that a specific client network is
> > reachable through the vpn tunnel of the client.
> >
> > Since this script is triggered only at the active host I wanted to find
> > a way to announce these routes to the other passive hosts also so as to be
> > able to reach these networks from the passive hosts.
> >
> > I was thinking to look into ospf or similar. Any ideas on how to tackle
> > this?
> >
> > Thanks,
> > Alex
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
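An added example (not code from the thread or from ovpnherder) of the client-connect hook sketched above: it parses a ccd file for iroute and ifconfig-push entries and builds the vtysh call that adds or withdraws one static route per iroute, for quagga/FRR to redistribute into OSPF. It assumes vtysh is available, that OpenVPN's script_type environment variable names the event, and that gateway is whatever next hop the thread calls {gateway}; the ccd contents are constructed.

```python
"""Build vtysh static-route commands from an OpenVPN ccd file (added example)."""
import ipaddress
import os
import subprocess
import sys

# Constructed sample ccd file for one client (not a real deployment).
SAMPLE_CCD = """\
ifconfig-push 10.8.0.10 255.255.255.0
iroute 192.168.50.0 255.255.255.0
iroute 192.168.60.0 255.255.255.0   # second site behind the client
push "route 10.0.0.0 255.0.0.0"
"""


def parse_ccd(text):
    """Return (client_ip, [(net, mask), ...]) from ccd file text.

    Only iroute lines describe networks reachable *through* the client;
    'push "route ..."' is just sent to the client, so it is ignored.
    Each net/mask is validated (strict: no host bits) so a malformed
    line cannot turn into a stray vtysh configuration command.
    """
    client_ip, routes = None, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop trailing comments
        if not words:
            continue
        if words[0] == "ifconfig-push" and len(words) >= 2:
            client_ip = str(ipaddress.IPv4Address(words[1]))
        elif words[0] == "iroute" and len(words) >= 3:
            net = ipaddress.IPv4Network(f"{words[1]}/{words[2]}")
            routes.append((str(net.network_address), str(net.netmask)))
    return client_ip, routes


def vtysh_argv(script_type, gateway, routes):
    """argv for a single vtysh call: add routes on connect, remove on disconnect."""
    if script_type not in ("client-connect", "client-disconnect"):
        raise ValueError(f"unexpected script_type {script_type!r}")
    prefix = "" if script_type == "client-connect" else "no "
    argv = ["vtysh", "-c", "configure terminal"]
    for net, mask in routes:
        argv += ["-c", f"{prefix}ip route {net} {mask} {gateway}"]
    return argv


if __name__ == "__main__":
    # usage: script.py <ccd-file> <gateway>; OpenVPN exports script_type
    kind = os.environ.get("script_type", "client-connect")
    with open(sys.argv[1]) as ccd:
        _, routes = parse_ccd(ccd.read())
    subprocess.run(vtysh_argv(kind, sys.argv[2], routes), check=True)
```

Passing argv as a list keeps the ccd values out of any shell, and the strict network check rejects an iroute with host bits set before it reaches vtysh.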