Greetings all
I am converting a system built 10 years ago to openvpn-2.5.9,
which entails moving onto topo subnet from the older net30, which has
worked just fine these last 10 years.
I started this project in November of 2023 and I am now so close to
getting what I want that I can smell it.
I want each connection to use a unique cert/key pair and to obtain a
unique static address for the tun0 connection.
I want the user rrc to gain access to 192.168.50.10/32 via his unique
connection.
I am able to get what I want with "ip route add/delete" statements after
starting the vpn.
Here is my server.conf as it now stands:
>>> Start server.conf
[root@narciso openvpn]# cat server.conf
local 187.188.148.89
port 1194
proto udp
dev tun
ca ca.crt
cert narciso.moov.com.mx.crt
key narciso.moov.com.mx.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.50.0 255.255.255.0
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir ccd
route 10.8.0.0 255.255.255.0
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
keepalive 10 120
max-clients 50
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 5
mute 20
explicit-exit-notify 1
>>> END server.conf
>>> Start client rrc.ovpn
[root@Tanio openvpn]# cat rrc.ovpn
client
dev tun
proto udp
remote 187.188.148.89
persist-key
persist-tun
route-delay 5
ping-restart 10
ping 60
persist-tun
;comp-lzo
comp-noadapt
#script-security 2
ca ca.crt
cert rrc.crt
key rrc.key
log openvpn.log
status openvpn-status.log
verb 5
>>> End Client rrc.ovpn
>>> Start ccd/rrc
[root@narciso openvpn]# cat ccd/rrc
ifconfig-push 10.8.0.6 255.255.255.0
iroute 192.168.50.0 255.255.255.0
>>> End ccd/rrc
>>> Here is what I get on the client side
[root@Tanio openvpn]# ip add sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UP group default qlen 1000
link/ether 74:3a:f4:d4:8b:31 brd ff:ff:ff:ff:ff:ff
altname wlp2s0
inet 192.168.51.59/24 brd 192.168.51.255 scope global wlo1
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.8.0.6/24 scope global tun0
valid_lft forever preferred_lft forever
[root@Tanio openvpn]# ip route sh
default via 192.168.51.1 dev wlo1 metric 35
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
169.254.0.0/16 dev wlo1 scope link metric 1002
192.168.51.0/24 dev wlo1 proto kernel scope link src 192.168.51.59
>>> Here is what I get on the server side
[root@narciso openvpn]# ip add sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
4: ens2f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether 7c:c2:55:64:0f:85 brd ff:ff:ff:ff:ff:ff
altname enp81s0f1
inet 192.168.50.3/24 brd 192.168.50.255 scope global ens2f1
valid_lft forever preferred_lft forever
inet6 fe80::7ec2:55ff:fe64:f85/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
8: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether 7c:c2:55:27:9e:2d brd ff:ff:ff:ff:ff:ff
altname enp1s0f1
inet 187.188.148.89/26 brd 187.188.148.127 scope global eno2
valid_lft forever preferred_lft forever
inet6 fe80::7ec2:55ff:fe27:9e2d/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.8.0.1/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::91be:d23b:f505:9697/64 scope link stable-privacy proto
kernel_ll
valid_lft forever preferred_lft forever
[root@narciso openvpn]# ip route sh
default via 187.188.148.65 dev eno2 metric 10
10.8.0.0/24 via 10.8.0.2 dev tun0
169.254.0.0/16 dev usb0 scope link metric 1002
169.254.0.0/16 dev ens2f1 scope link metric 1004
169.254.0.0/16 dev eno2 scope link metric 1008
169.254.3.0/24 dev usb0 proto kernel scope link src 169.254.3.1
187.188.148.64/26 dev eno2 proto kernel scope link src 187.188.148.89
192.168.50.0/24 via 10.8.0.2 dev tun0
>>> End Server Side
Note that I DO get a unique address of 10.8.0.6 at the client tun0,
which I can ssh to from the server, and I can ssh to the server at
10.8.0.1 from the client.
However, this entry in ip route show at the server messes everything up,
as 10.8.0.2 does NOT exist:
192.168.50.0/24 via 10.8.0.2 dev tun0
Also note tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP>,
which to me indicates net30 routing?? though I want topo subnet.
Also,
on the client side routing for 192.168.50.10 does NOT show up.
The 192.168.51.0/24 is my local net on the client side and has nothing
to do with openvpn configs.
How can I adjust my server.conf, rrc.ovpn and ccd/rrc files to get
a connection to use a unique cert/key pair and to obtain a unique static
address for the tun0 connection,
and
to gain access to 192.168.50.10/32 via his unique connection?
Thanks
Richard
--
LinuxCabal Asociación Civil
Ing. Richard Couture
Novell CNE, ECNE, MCNE
HP/Compaq ASE
Cel.: (+52) 333 377-7505
Web: http://www.LinuxCabal.org
E-Mail: r...@linuxcabal.org
Hosted en la nube Cloud Sigma - www.CloudSigma.com
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
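As an added illustration (not part of Richard's message or the OpenVPN project's sample files), here are the server-side pieces written the way OpenVPN expects them when the target LAN sits behind the server rather than behind the client; it assumes 192.168.50.10 is on the server's ens2f1 segment (192.168.50.3/24 in the output above), that the server forwards IPv4, and that the client certificate's common name is rrc.

```conf
# --- server.conf: only the lines that differ from the posted file ---
# ca/cert/key/dh, keepalive, user/group, logging and the rest stay as posted.
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd          # listed once; the duplicate line is dropped
# Omitted on purpose: "route 192.168.50.0 255.255.255.0".
#   On the server, "route" installs a kernel route that sends that prefix
#   INTO tun0. 192.168.50.0/24 is directly attached to ens2f1, so the LAN
#   route is replaced by a tunnel route and the server loses its own LAN.
# Omitted on purpose: "route 10.8.0.0 255.255.255.0".
#   The "server" line already creates the 10.8.0.0/24 route.
# Expected after this change on the server:
#   192.168.50.0/24 dev ens2f1 proto kernel scope link src 192.168.50.3
#   10.8.0.0/24 via 10.8.0.2 dev tun0
#   The "via 10.8.0.2" next hop is the placeholder route-gateway OpenVPN's
#   "server" helper picks for subnet topology (network + 2); on a
#   point-to-point tun it is never resolved, so it is harmless. The
#   POINTOPOINT,NOARP flags are properties of every Linux tun device, not
#   an indication of net30 addressing.

# --- ccd/rrc ---
# Fixed tunnel address for this certificate (CN=rrc); in subnet topology
# the second argument is the netmask, exactly as in the posted file.
ifconfig-push 10.8.0.6 255.255.255.0
# Push the /32 host route to THIS client only; other clients never see it.
# Pushed routes on the client are installed via the route-gateway the
# server pushes for subnet topology (10.8.0.1).
push "route 192.168.50.10 255.255.255.255"
# No "iroute" here: iroute declares a network that lives BEHIND the client
# (for example a branch LAN), and 192.168.50.0/24 lives behind the server.

# --- outside OpenVPN (assumptions stated in the lead-in) ---
# Server:  sysctl -w net.ipv4.ip_forward=1   (persist it in sysctl.conf)
# LAN host 192.168.50.10 needs a return route for the tunnel network,
#   e.g. 10.8.0.0/24 via 192.168.50.3, unless the server NATs tunnel traffic.
```

After reconnecting, the client's `ip route show` should list `192.168.50.10 via 10.8.0.1 dev tun0` and nothing else from the server's LAN, while the server keeps its kernel route for 192.168.50.0/24 on ens2f1.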