On 03/07/2013 07:53 PM, Michael Torrie wrote:
> # Push routes to the client to allow it
> # to reach other private subnets behind
> # the server. Remember that these
> # private subnets will also need
> # to know to route the OpenVPN client
> # address pool (10.8.0.0/255.255.255.0)
> # back to the OpenVPN server.
> push "route remote_host 255.255.255.255 net_gateway"
> push "route 192.168.2.0 255.255.255.192"
> push "route 192.168.2.64 255.255.255.192"
> push "route 192.168.3.0 255.255.255.0"
> push "route 192.168.4.0 255.255.255.0"
> push "route 192.168.5.0 255.255.255.0"
> push "route 192.168.6.0 255.255.255.0"
Just to add an explanation here. The push commands push arbitrary routes (using the VPN concentrator as gateway) to the clients. It does not do anything to the concentrator's routing table, though subnets native to the VPN concentrator daemons get added to the concentrator host's routing table automatically. I'm not sure if you have to explicitly push the VPN routes to the client using the push directive in the conf file, but I've always done that, since I had to publish other routes anyway.

The ccd files I mentioned are what tell the concentrator that certain networks can be reached through the VPN (the actual host address is not in the routing table; OpenVPN will handle that internally). This causes local routes to be added to the *concentrator*'s routing table that route through the tun interface OpenVPN creates. You can have as many OpenVPN concentrator processes running as you want, though they have to be on unique ports. And it will all work together seamlessly because of these routing tables.

Sounds more complicated than it is! I operate 3 OpenVPN daemons. One does normal TLS certificate exchange on the normal UDP port. This handles clients like routers and VPSs that I want to be static. Then I have 2 daemons, one TCP and one UDP, that do password-based authentication. These are for laptops to use. All three of the daemons use different VPN subnets. The TLS one uses (in my example) 192.168.3.0/24, the TCP password one uses 192.168.2.0/26, and the UDP password one uses 192.168.2.64/26. But because the concentrator host has routes set up automatically (native VPN routes are added automatically, and the client subnets added from ccd files when connected), anyone in any of the three VPN subnets can ping the others.

Now you might not want to allow inter-VPN-subnet traffic, and you can do that by not publishing the routes to your clients, and/or by using iptables on the concentrator on the "FORWARD" chain.
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
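As an added illustration of the last point (not part of the original post): the three daemons' subnets from the message, a generator for the FORWARD-chain DROP rules that block traffic between any two VPN subnets on the concentrator, and a small model of how that chain decides a packet. The subnet-to-tun mapping, the ACCEPT chain policy, and the sample addresses are assumptions.

```python
import ipaddress

# Constructed from the post's layout: three OpenVPN daemons on one
# concentrator, each with its own tun interface and VPN subnet (tun names assumed).
VPN_SUBNETS = {
    "tun0": ipaddress.ip_network("192.168.3.0/24"),   # TLS-certificate daemon (UDP)
    "tun1": ipaddress.ip_network("192.168.2.0/26"),   # password daemon (TCP)
    "tun2": ipaddress.ip_network("192.168.2.64/26"),  # password daemon (UDP)
}


def forward_rules(subnets=VPN_SUBNETS):
    """Emit one FORWARD DROP rule per ordered pair of distinct VPN subnets.

    Anything not matched (VPN -> LAN behind the server, LAN -> VPN) falls
    through to the chain policy, assumed to be ACCEPT here.
    """
    nets = list(subnets.values())
    return [
        f"iptables -A FORWARD -s {src} -d {dst} -j DROP"
        for src in nets
        for dst in nets
        if src != dst
    ]


def forward_verdict(src_ip, dst_ip, rules=None, policy="ACCEPT"):
    """Minimal model of the FORWARD chain: rules are walked in order and the
    first one whose -s and -d both match decides; otherwise the policy applies.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules if rules is not None else forward_rules():
        parts = rule.split()
        rule_src = ipaddress.ip_network(parts[parts.index("-s") + 1])
        rule_dst = ipaddress.ip_network(parts[parts.index("-d") + 1])
        if src in rule_src and dst in rule_dst:
            return parts[parts.index("-j") + 1]
    return policy


if __name__ == "__main__":
    print("\n".join(forward_rules()))
    # TLS-subnet client reaching a password-daemon client: blocked
    print(forward_verdict("192.168.3.10", "192.168.2.70"))
    # Same client reaching a LAN behind the server (192.168.4.0/24): allowed
    print(forward_verdict("192.168.3.10", "192.168.4.20"))
```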
