Hi,

On 29/11/21 17:46, Gert Doering wrote:
> On Mon, Nov 29, 2021 at 12:12:39PM +0000, Alexander Franklin wrote:
>> 1. Is it possible for client configs to have/Server configs to push out
>> multiple IP addresses to particular clients? This would be brilliant if
>> this was an option, as I could just add an IP for each device and add the NAT
>> rules as required. I cannot find this feature in the
>> documentation/Stackoverflow/Emails, which makes me think this is not an
>> option at the moment.
> "sort of"
>
> You can configure the server to *route* more IPs to a particular client,
> by means of --client-config-dir and --iroute statements inside this
> per-client config.
>
> There is no way to make these addresses do anything "magic" on the client
> (as in, configure multiple addresses, and set up multiple NAT mappings) -
> so you need an --up script for that which will have to do all the
> "non-default" work.  Also, there is no signalling between client and
> server about these extra addresses, the server assumes "this is
> something like the client's LAN network, so it already knows".
>
> So, if you can live with a few extra addresses that are known by all
> parties beforehand (= no dynamic stuff), and can put these into the
> --up script on the client and the --client-config-dir on the server,
> it will work.

I'd turn the tun link/adapter into a routable one and add a bunch of local addresses to a local adapter, e.g.

  ip addr add 192.168.0.1/24 dev eth0.1
  ip addr add 192.168.0.2/24 dev eth0.1
  ip addr add 192.168.0.3/24 dev eth0.1
  ip addr add 192.168.0.4/24 dev eth0.1

or perhaps eth0.1, eth0.2, eth0.3, etc.

then route this subnet using a single iroute+route to this particular client...

Simply adding more IPs to a tun device won't cut it, as the server will not know about these addresses without some routing/DNAT magic.

>> It would be nice to know if it would be practical to
>> add this feature. I did C++ for 4 years when I came out of University, so I
>> should be able to add this feature but I would need some assistance as I
>> haven't contributed to the project yet and I wouldn't know where to start
>> trying to add this.
> If you *really* need this to be more dynamic, you can do scripting on
> the server side in a --client-connect script, have that script generate
> --iroute and --push "setenv UV_..." commands, and then look at the
> env variables on the client side to see what was pushed...

Again, I'd look into client subnet routing and set up a set of bogus IPs on a local adapter.

>> 2. Could I have additional docker-contained clients on the client side
>> to host additional IPs? I think this would work, I assume the performance
>> wouldn't be terrible on a PI 4, although this does feel like a bit of
>> unnecessary virtualisation and quite a bit of work to set up the docker
>> containers.
> You can have multiple addresses on the tun device just fine ("ip addr add..")
> but to install extra NAT mappings, all you need is a DNAT rule with IP match.

>> 3. I know I could I have routes through to the IP pools of each gateway,
>> however we have lots of gateways and the majority of local IP addresses for
>> the devices connected to the Gateway are the same. This option feels like a
>> configuration nightmare.
> Not sure I understand this part.

If you use the same local gateway IP (e.g. the "default 192.168.1.1") then you are always in for a routing nightmare. That is not OpenVPN's fault, it is your network setup...

HTH,

JJK
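As an added example (not code from this thread, and not OpenVPN's own code), here is a sketch of the dynamic variant Gert describes: a server-side --client-connect script that emits an "iroute" line and a push "setenv UV_..." line from a lookup table, and a client-side --up script that turns the pushed variable into "ip addr add" and DNAT rules, i.e. the "DNAT rule with IP match" per extra address. The client names, subnets and addresses in EXTRA_NETS, the variable name UV_EXTRA_MAP, and the MASQUERADE rule for the return path are all assumptions; with DRY_RUN=1 the client side only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from OpenVPN itself.
# Server side: --client-connect script writing per-client "iroute" and
# push "setenv UV_..." lines.  Client side: --up script applying the result.
# Everything in EXTRA_NETS (client names, subnets, addresses) is constructed.

# Constructed lookup table: <common_name> <extra subnet> <vpn_ip=lan_ip,...>
EXTRA_NETS='
pi-gateway-01 10.99.1.0/24 10.99.1.10=192.168.1.10,10.99.1.11=192.168.1.11
pi-gateway-02 10.99.2.0/24 10.99.2.10=192.168.1.10
'

# Print "<network> <dotted netmask>" for an IPv4 CIDR, the form iroute expects.
cidr_to_netmask() {
    net=${1%/*}; prefix=${1#*/}
    bits=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    printf '%s %d.%d.%d.%d\n' "$net" \
        $(( bits >> 24 & 255 )) $(( bits >> 16 & 255 )) \
        $(( bits >> 8 & 255 )) $(( bits & 255 ))
}

# Print "<subnet> <mapping>" for a client name; fail if it has no extras.
lookup_client() {
    printf '%s\n' "$EXTRA_NETS" | awk -v cn="$1" '
        $1 == cn { print $2, $3; found = 1 }
        END { exit !found }'
}

# Server side.  OpenVPN runs --client-connect with the path of a temporary
# config file as $1 and the peer certificate CN in $common_name; "iroute" and
# "push" lines written to that file apply to this client only.
client_connect() {
    out=$1
    entry=$(lookup_client "$common_name") || return 0   # no extra addresses
    set -- $entry
    {
        printf 'iroute %s\n' "$(cidr_to_netmask "$1")"
        printf 'push "setenv UV_EXTRA_MAP %s"\n' "$2"
    } > "$out"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Client side (--up).  $dev is the tun device name OpenVPN exports to the
# script; UV_EXTRA_MAP arrives via the pushed setenv above (assumed to be
# accepted by the client).  Each VPN address is added to the tun device and
# DNATed to its LAN device; the MASQUERADE rule (an assumption, not from the
# thread) makes the LAN device's replies come back through this host.
client_up() {
    map=${UV_EXTRA_MAP:-}
    [ -n "$map" ] || return 0
    IFS=','; set -- $map; unset IFS
    for pair; do
        vpn_ip=${pair%%=*}; lan_ip=${pair#*=}
        run ip addr add "$vpn_ip/32" dev "$dev"
        run iptables -t nat -A PREROUTING -d "$vpn_ip" -j DNAT --to-destination "$lan_ip"
        run iptables -t nat -A POSTROUTING -d "$lan_ip" -j MASQUERADE
    done
}
```

Wiring it up means `script-security 2` on both sides, `client-connect <script>` on the server and `up <script>` on the client; the server additionally needs a kernel `route` for each extra subnet pointing at its tun interface, since `iroute` only tells OpenVPN which client owns the subnet. Note the whole scheme still has no per-address signalling beyond the pushed variable, so the client must be trusted to apply exactly the mapping the server handed it.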
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users