Hi,

On Thu, Feb 09, 2012 at 10:44:15PM +1300, Michal Ludvig wrote:
> >On Thu, Feb 09, 2012 at 03:49:11PM +1300, Michal Ludvig wrote:
> >>I'm used to pushing route options to the clients with explicit metrics.
> >>That works well for IPv4 with e.g.:
> >>push "route 192.168.128.0 255.255.240.0 vpn_gateway 200"
> >>
> >>However route-ipv6 doesn't accept the 'vpn_gateway' keyword and
> >>therefore I can't easily set a metric. I could indeed put the actual
> >>server IP in there but that's less flexible, partly because I have this
> >>routes section in a separate file included in multiple configs on the
> >>same machine.
> >What are you trying to achieve?
>
> I'm trying to set a metric for an IPv6 route pushed from the OpenVPN server.
>
> Long story, if you're asking why, is: we've got multiple OpenVPN
> gateways to our network, each in a different location. A VPN user can
> connect to any of them, or to more than one, and must have access to the
> whole network. Obviously I'm pushing the prefixes local for each
> location with a lower metric and the non-local prefixes with a higher
> metric. That way, even if a user has a tunnel up to two or more
> locations, the traffic to each location is always routed through the
> most direct tunnel with the lowest metric.
OK, this makes sense, and is a good argument for metric.
(And to make this extensible, it would need to understand a gateway
parameter, which it currently doesn't).
> To make things a little more complicated I have both UDP and TCP
> endpoints in each location (TCP is there for users behind HTTP proxies
> for example) and most of their configs are shared, therefore I use the
> "vpn_gateway" placeholder that gets replaced for the VPN IP of the
> actual server, which is different between UDP and TCP on the same
> gateway. Without that placeholder I can't share the config with "push
> route-ipv6" options between UDP and TCP instances.
It won't work anyway right now, because metric isn't handled in
IPv6 routing at all - classical case of "other things were more
pressing" (and all this stuff is "slightly" system-dependent, so
needs lots of testing...).
> So that's what I'm trying to achieve. Hope that makes sense :)
It does. Thanks for explaining.
I'm not promising anything, but it just moved a bit further up on
my TODO list... ;-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
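The metric scheme Michal describes (local prefixes pushed with a low metric, remote ones with a high metric, one routes file shared by the UDP and TCP instances via the vpn_gateway placeholder) as a small config generator. This is an added example, not code from the thread or from OpenVPN; the site names, prefixes and the metric values 100/200 are constructed, and the IPv6 lines deliberately carry no metric because, as Gert notes, route-ipv6 did not handle one at the time.

```python
"""Generate OpenVPN server "push" lines for a multi-gateway metric scheme.

Added example for the mailing-list thread; not OpenVPN project code.
Site names, prefixes and metric values below are constructed sample data.
"""
import ipaddress

# Constructed sample: which prefixes live behind which gateway location.
SITE_PREFIXES = {
    "munich": ["192.168.128.0/20", "2001:db8:1::/48"],
    "auckland": ["192.168.144.0/20", "2001:db8:2::/48"],
}
LOCAL_METRIC = 100    # assumed: prefix is served directly by this gateway
REMOTE_METRIC = 200   # assumed: prefix is reachable, but via another site


def push_lines(this_site, sites=SITE_PREFIXES):
    """Return the push directives for the server instance at `this_site`.

    IPv4 routes use the vpn_gateway placeholder plus a metric, so the same
    routes file works for the UDP and the TCP instance of one gateway
    (each has a different VPN IP).  IPv6 routes get neither gateway nor
    metric, since route-ipv6 did not accept them; a comment line records
    the metric that was wanted so the gap stays visible in the config.
    """
    lines = []
    for site, prefixes in sorted(sites.items()):
        metric = LOCAL_METRIC if site == this_site else REMOTE_METRIC
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if net.version == 4:
                lines.append(
                    f'push "route {net.network_address} {net.netmask} '
                    f'vpn_gateway {metric}"'
                )
            else:
                # OpenVPN treats a line starting with '#' as a comment.
                lines.append(f"# wanted metric {metric} for {net} "
                             "(route-ipv6 takes no metric)")
                lines.append(f'push "route-ipv6 {net}"')
    return lines


if __name__ == "__main__":
    print("\n".join(push_lines("munich")))
```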
