Hi,

On 06/11/14 00:03, Joe Patterson wrote:
> On Wed, Nov 5, 2014 at 5:46 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:
>> Hi Joe,
>>
>> On 05/11/14 21:11, Joe Patterson wrote:
>>> Looking through the docs, I *think* I know the answer to this
>>> question already, but I figured I'd ask here in case I'm wrong...
>>> Is there any way to push an iroute to an openvpn server
>>> instance at any time other than when a client connects? I
>>> would think that if this sort of thing could be done, it would
>>> be done via the management port, and I don't see anything in
>>> the management-notes.txt file, but there's always some
>>> possibility that there's another method that I've been missing.
>>> If I'm correct that this isn't possible, is it something
>>> anyone's thought of doing before? Is there some reason I
>>> haven't thought of that it *shouldn't* be done?
>>
>> For an iroute to work the server needs to know that the client is
>> connected; AFAIK there is only one moment when "per-client" config
>> options are processed by the server and that is when the client
>> (re)connects.
>> If you are in a tun-based setup then you do not need the iroutes,
>> strictly speaking: it can also be done using server side routing
>> and firewalling, but this requires some iptables magic.
>
> Can you elaborate on that statement a bit? Say, for example, I have a
> server X with clients A, B, and C connected via tun-based
> connections. So the server has an interface, tun0, with an IP of
> 192.168.0.1/30, and A has tun0 with 192.168.0.5/30, B has tun0
> 192.168.0.9/30, and C has 192.168.0.13/30. As I understand it, the
> openvpn process is sort of like a router that has the .2, .6, .10,
> and .14 addresses, and uses iroutes to determine which of them gets
> packets (and which of them what source addresses are legal to get
> packets from). So if I want to send 10.1.1.0/24 to client B, it's
> easy enough to add a kernel route to send 10.1.1.0/24 via
> 192.168.0.2, but once that packet gets to openvpn, shouldn't it need
> an iroute in order to know which tunnel to send that packet out to?
> That's what I'm trying to do, I'm trying to figure out how to get
> that iroute added without having to have client B reconnect.

I will look into providing a more elaborate example tomorrow, but in
short this is what I'd do:

- use 'topology subnet' so that each client is assigned a single address
  instead of the /30 subnets
- add server side routes directly to the IP address of the client (so if
  clientA is assigned IP 192.168.0.2 then the GW for the server side route
  is 192.168.0.2); you might be able to get away with your current /30
  topology and then specify the IP address of the client (192.16.8.0.5)
  but I am not sure
- make sure ip forwarding is enabled on the server
- use tcpdump to see what traffic is coming in on tun0

HTH,

JJK

PS for those who are wondering: this will NOT work in tap mode
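To make the behaviour discussed in the thread concrete (the openvpn server acting as a router whose iroutes decide both which client tunnel a packet goes out and which source addresses a client may send from), here is an added simplified model. It is not OpenVPN's code and not JJK's example; client names, the 'topology subnet' addresses and the 10.1.x.x networks are constructed for illustration.

```python
import ipaddress


class TunRouter:
    """Simplified model of an OpenVPN server's internal routing table in
    tun mode (constructed for illustration, not OpenVPN's implementation).
    Entries are learned only when a client (re)connects, which is why an
    iroute cannot take effect for an already-connected client."""

    def __init__(self):
        # network -> name of the client instance that owns it
        self.routes = {}

    def connect(self, client, vpn_ip, iroutes=()):
        # On (re)connect the server learns the client's own tunnel address
        # (a single /32 with 'topology subnet') and processes its iroutes.
        self.routes[ipaddress.ip_network(vpn_ip)] = client
        for net in iroutes:
            self.routes[ipaddress.ip_network(net)] = client

    def lookup(self, ip):
        # Longest-prefix match over learned addresses and iroutes.
        addr = ipaddress.ip_address(ip)
        best_net, best_client = None, None
        for net, client in self.routes.items():
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_client = net, client
        return best_client

    def tunnel_for(self, dst):
        # Which client tunnel receives a packet for dst; None means the
        # server has no tunnel for it even if the kernel routed it to tun0.
        return self.lookup(dst)

    def accept_from(self, client, src):
        # Source check: a client may only send packets whose source address
        # is its own tunnel address or lies in one of its iroutes.
        return self.lookup(src) == client


def demo():
    r = TunRouter()
    r.connect("clientA", "192.168.0.2")
    r.connect("clientB", "192.168.0.3", ["10.1.1.0/24"])
    r.connect("clientC", "192.168.0.4", ["10.1.0.0/16"])
    return {
        "to_10.1.1.5": r.tunnel_for("10.1.1.5"),       # clientB (longest prefix)
        "to_10.1.2.5": r.tunnel_for("10.1.2.5"),       # clientC
        "to_10.9.9.9": r.tunnel_for("10.9.9.9"),       # None: no iroute
        "B_from_10.1.1.7": r.accept_from("clientB", "10.1.1.7"),  # True
        "A_from_10.1.1.7": r.accept_from("clientA", "10.1.1.7"),  # False
    }
```

Calling demo() returns a dict of the lookups above, showing that a kernel route to tun0 alone is not enough: without a matching iroute the model has no tunnel for the destination, and a client sending from an address outside its iroutes is rejected.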
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users