Hi,

On Fri, Apr 01, 2016 at 03:05:06PM +0200, Marc Haber wrote:
> > The "canonical" solution as of today is to use a --learn-address script
> > (which gets called by the openvpn process as soon as ifconfig-pool and
> > iroute processing is done) and set up routing on the linux side towards
> > the corresponding tun device for the "UDP server" or the "TCP server".
> 
> Wouldn't I need that script on both sides? Or only on the server? 

Only on the server.  

For the client, since the tunnel is set up / torn down anyway, routes 
are dynamically configured already.

> Is there some example code somewhere since it's the "canonical" solution?

I have something that I use, but that's not really ready for sharing - but
basically, --learn-address passes in 

op="$1"         # add, update, delete
ip="$2"         # address, or subnet
cn="$3"         # common name

and the tunnel device is on $dev, so my code roughly looks like this:

---------------------------------------------------------------------
#!/bin/sh
# learn-address hook: OpenVPN runs it with op, address and common name
# as arguments and the tunnel device in $dev.
LOG=/var/log/openvpn/la.out
exec >>"$LOG" 2>&1
echo --
date
echo "$@"

op="$1"         # add, update, delete
ip="$2"         # address, or subnet
cn="$3"         # common name

# dynamically add/remove route to tunnel

case "$op" in
    add|update)
        /sbin/ip route delete "$ip" 2>/dev/null      # might not exist yet
        /sbin/ip route add "$ip" dev "$dev"
        echo "route $op done."
        ;;
    delete)
        # $ip may already be a subnet (iroute), so no /32 suffix here
        /sbin/ip route delete "$ip"
        echo "route delete done."
        ;;
    *)
        echo "nothing to do for '$op'"
        ;;
esac

exit 0
---------------------------------------------------------------------

(I think this is not handling IPv6 correctly, because in the setup where
I use it, IPv6 is not really production ready yet, so separate pools are
used and no static client IPs.  OpenVPN side is fine, but this script isn't
handling v6 correctly, it should check for a ":" in the address and call
"ip -6 ...")

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
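
An added example, not the poster's script: a variant of the hook that picks `ip -4` or `ip -6` by checking for a ":" in the address, as suggested in the message above, validates the arguments before they reach `ip`, and uses `ip route replace` in place of delete-then-add. It assumes tun mode (addresses or subnets, not MAC addresses) and `$dev` set in the environment by OpenVPN; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: learn-address hook with IPv4/IPv6 handling and input checks.
# Called as: <script> <op> <address-or-subnet> [<common-name>], with $dev set.

# Print "-4" or "-6" for an address or subnet; fail on anything else.
addr_family() {
    case "$1" in
        ""|*[!0-9A-Fa-f:./]*) return 1 ;;   # empty or unexpected characters
        *:*) echo "-6" ;;                   # a ":" means IPv6
        *.*) echo "-4" ;;
        *)   return 1 ;;
    esac
}

# Print the ip(8) arguments for one event; print nothing for unknown ops.
# Fails (non-zero) when the address or the device name does not validate.
route_args() {
    op=$1 ip=$2 tun=$3
    fam=$(addr_family "$ip") || return 1
    case "$tun" in
        ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;;   # not a plausible interface name
    esac
    case "$op" in
        # replace = add, or overwrite a route left over from an earlier session
        add|update) echo "$fam route replace $ip dev $tun" ;;
        # naming the device keeps the delete scoped to this instance's route
        delete)     echo "$fam route del $ip dev $tun" ;;
        *)          : ;;
    esac
}

learn_address() {
    args=$(route_args "$1" "$2" "${dev:-}") || {
        echo "rejected: op='$1' ip='$2' dev='${dev:-}'" >&2
        return 1
    }
    [ -n "$args" ] || return 0
    # Unquoted on purpose: every word in $args was validated above.
    /sbin/ip $args
}

# Only act when invoked with arguments, as OpenVPN does.
if [ "$#" -ge 2 ]; then
    learn_address "$@"
fi
```
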

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
