Hi,

On Mon, Jul 31, 2023 at 03:02:57PM +0200, Jochen Bern wrote:
> On 31.07.23 13:42, Jason Long wrote:
> > And added the following lines to the client.ovpn file:
> >
> > route 172.20.1.0 255.255.255.0
> > push "dhcp-option dns 172.20.1.2"
> > push "dhcp-option dns 172.20.1.7"
> > dhcp-option DOMAIN MY_DOMAIN
>
> (I would *hope* that clients *cannot* "push" any settings to a central
> server's OpenVPN ...)

They can't. PUSH is pure server-to-client.
So putting "push" options into a client config will do exactly nothing,
except create warnings.

> > My problem is that I did it by enabling the IP Forwarding. I wanted
> > to do it without it. I guess that I must enable the IP Forwarding
> > because of my OpenVPN server NICs. It has two NICs (NAT and Local)
> > and because of it I must enable IP Forwarding.
> > What is your opinion?
>
> Traffic from and to the VPN clients flows between your server's enps0s3 and
> tun... interfaces, so I'm pretty sure that iptables+kernel *do* consider
> them "forwarded" and enabling forwarding is *required* for things to work.

Purely talking "from VPN client to an IP owned by the VPN server"
(like, a SSH connection through the VPN to the VPN server's eth0 address)
is not considered "forwarding" - so forward_ip=1 is not required, and
neither are FORWARD iptables evaluated (= INPUT only).
"From VPN client to *another* machine on the server's eth0 lan" *is*
"forwarding".
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
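
The local-delivery versus forwarding distinction drawn in the reply above, as an added example that is not part of the original message. The server addresses 10.8.0.1 (tun0) and 172.20.1.10 (eth0) are constructed; only the 172.20.1.0/24 network and the 172.20.1.2 DNS address come from the thread.

```python
import ipaddress

# Constructed addressing for the VPN server (assumption, not from the thread).
SERVER_IFACES = {
    "tun0": ipaddress.ip_interface("10.8.0.1/24"),     # VPN side
    "eth0": ipaddress.ip_interface("172.20.1.10/24"),  # LAN side
}


def classify(dst, ip_forward=False):
    """Classify a packet that a VPN client sends to `dst` through the tunnel.

    Returns (path, delivered):
      path      -- "INPUT" (local delivery), "FORWARD" (must be routed on)
                   or "NO_ROUTE" (no connected network matches)
      delivered -- whether the kernel hands the packet on, given ip_forward
    """
    dst = ipaddress.ip_address(dst)

    # Local delivery: the destination is an address the server itself owns.
    # It does not matter that the packet arrived on tun0 and the address
    # lives on eth0; only INPUT rules apply and ip_forward is irrelevant.
    if any(dst == iface.ip for iface in SERVER_IFACES.values()):
        return ("INPUT", True)

    # Any other host on a connected network has to be routed onward.
    # That is forwarding: it needs ip_forward=1 and is subject to the
    # FORWARD rules; with forwarding off the kernel drops the packet.
    if any(dst in iface.network for iface in SERVER_IFACES.values()):
        return ("FORWARD", ip_forward)

    # This sketch models connected networks only, no default route.
    return ("NO_ROUTE", False)


if __name__ == "__main__":
    for target in ("172.20.1.10", "10.8.0.1", "172.20.1.2", "172.20.1.7"):
        for fwd in (False, True):
            print(target, "ip_forward=%d" % fwd, classify(target, fwd))
```
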
