On Wed, Sep 22, 2021 at 4:19 AM Alex K <rightkickt...@gmail.com> wrote:
>
> On Wed, Sep 22, 2021 at 3:12 AM Joe Patterson <j.m.patter...@gmail.com> wrote:
>> My first whack at this was an ugly kluge where I directly called vtysh
>> from my client-connect script, along the lines of:
>>
>> #parse ccd file for iroute and/or ifconfig-push
>> if "connect"
>>     vtysh -c 'config t' -c "ip route {net} {mask} {gateway}"
>> else
>>     vtysh -c 'config t' -c "no ip route {net} {mask} {gateway}"
>
> I guess the gateway is the active host in this case? (The other passive hosts
> will need to reach the published internal networks of the client.)

I believe that might be the case if you use TAP. I was using TUN, so the
"gateway" address was the IP of the openvpn side of the tunnel interface, but
actually I was remembering incorrectly: I just routed to the interface itself,
so {net} {mask} tunX.

> Why do you publish push routes also? Aren't they supposed to just be pushed
> to the client and used only from the clients?

I don't publish pushed routes, I publish pushed ifconfigs, i.e. statically
assigned IPs.

>> (please excuse my pseudocode)
>>
>> My second whack at it was a slightly more elegant kluge, where a
>> process connected to the management interface and did... a lot of
>> things, including keeping track of iroutes and advertising them via
>> localhost RIPv2 announcements that could be listened to by quagga and
>> redistributed into ospf. I tried it out some, and it did work, but I
>> don't think anyone (including myself) has ever run it in production.
>>
>> If you're feeling adventurous, it's here:
>> https://github.com/j-m-patterson/ovpnherder
>>
>> The basic idea behind it was to have multiple openvpn servers at
>> multiple sites, and any client could connect to any server and have
>> their iroute-ed subnets and static IP routed to them via ospf.
>>
>> Let me know if you're interested in it.
>
> Thank you for the feedback and pointer. Appreciated. I will have a look and
> see where I end up. In case I end up with something useful I will come back.
> By the way, my three servers are in the same LAN and not WAN distributed, and
> I use glusterfs to share all the openvpn configs and keys. So if I edit one
> ccd file, all the hosts get the same instantly.

I did something somewhat similar. I stored all my ccds in git and then had a
commit hook that pushed them out to all of my servers. I used different keys
for each server, and a single config file that pulled in a local config that
had things like a specific server's ifconfig pool.

> I was thinking also, as a quick hack, to just add a cron job at each host which
> will look for all the iroutes and add the required routes, in case it is not
> the active host, to reach the client networks through the active one, but I
> like the idea with OSPF to learn something new.

That technically works, but you're running the cron job maybe every minute,
which seems like a lot of process executions; on the other hand, waiting up to
a minute for your network to be reachable also seems like a long time.

-Joe

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
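The client-connect hook that Joe sketches as pseudocode above, written out as a runnable POSIX shell script. This is an added example, not code from the thread and not part of ovpnherder: it reads the connecting client's ccd file, turns each iroute (and the address from ifconfig-push, which Joe says he also published) into a Quagga/FRR static route via vtysh, and points the route at the tun interface itself rather than at a gateway address, as Joe corrects himself later in the reply. OpenVPN exports script_type, common_name and dev to client-connect and client-disconnect scripts; the ccd directory path, the VTYSH override and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect / client-disconnect hook that mirrors
# the connecting client's ccd routes into Quagga/FRR static routes via vtysh.
# Install with:  script-security 2
#                client-connect    /etc/openvpn/route-sync.sh
#                client-disconnect /etc/openvpn/route-sync.sh
# OpenVPN exports script_type, common_name and dev into the environment.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"   # assumed location of the ccd files
VTYSH="${VTYSH:-vtysh}"                 # set VTYSH=echo for a dry run

# Print one "<network> <netmask>" pair per line for every route the ccd file
# implies. "iroute net [mask]" is taken as-is (a missing mask is a /32, as in
# OpenVPN); "ifconfig-push ip ..." yields a host route for the static address.
# "push" lines are ignored: pushed routes are for the client, not the hub.
ccd_routes() {
    # $1 = path of the ccd file; '#' and ';' start comments in OpenVPN configs
    sed -e 's/[#;].*//' "$1" | while read -r keyword a b _; do
        case "$keyword" in
            iroute)        printf '%s %s\n' "$a" "${b:-255.255.255.255}" ;;
            ifconfig-push) printf '%s 255.255.255.255\n' "$a" ;;
        esac
    done
}

# Build the vtysh config line for one route: "ip route" on connect,
# "no ip route" on disconnect. The next hop is the tun device, not a gateway.
vtysh_line() {
    # $1 = script_type, $2 = network, $3 = netmask, $4 = tun device
    case "$1" in
        client-connect)    printf 'ip route %s %s %s\n' "$2" "$3" "$4" ;;
        client-disconnect) printf 'no ip route %s %s %s\n' "$2" "$3" "$4" ;;
        *) printf 'unexpected script_type: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Apply every route from the ccd file. A client without a ccd file has
# nothing to publish, so that is not an error.
sync_routes() {
    # $1 = script_type, $2 = ccd file, $3 = tun device
    [ -r "$2" ] || return 0
    ccd_routes "$2" | while read -r net mask; do
        # the loop body runs in the pipeline's subshell, so exit 1 aborts
        # only the loop and becomes the function's return status
        cmd=$(vtysh_line "$1" "$net" "$mask" "$3") || exit 1
        "$VTYSH" -c 'configure terminal' -c "$cmd"
    done
}

# Entry point when OpenVPN runs the script (only then is script_type set).
if [ -n "${script_type:-}" ]; then
    # common_name comes from the client certificate; OpenVPN already sanitises
    # it for the ccd lookup, but refuse anything that could leave CCD_DIR
    # before using it as a file name, since this runs as root.
    case "${common_name:-}" in
        ''|*/*|*..*) echo "refusing suspicious common_name" >&2; exit 1 ;;
    esac
    sync_routes "$script_type" "$CCD_DIR/$common_name" "${dev:-tun0}"
fi
```

One caveat the thread touches on: this keeps the routes of a single hub correct, but nothing removes them if the OpenVPN process dies without running client-disconnect, and a peer hub only learns them if the routing daemon redistributes its statics into OSPF, so a disconnected client's subnet can remain advertised until the next connect or a restart.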