need Openvpn routing help

Thomas Charron twaffle at gmail.com
Mon Jun 16 16:52:21 EDT 2008


On Mon, Jun 16, 2008 at 4:41 PM, Thomas Charron <twaffle at gmail.com> wrote:
> On Mon, Jun 16, 2008 at 4:25 PM, Charlie Farinella
>> 10.8.8.6 is pingable
>> from this machine and traceroute shows it as one hop, I can ssh in,
>> etc.  I get similar error messages (SIOCADDRT: Network is unreachable)
>> if I try to set it up on a Linux client.  I don't understand how I have
>> to set the gateway, or perhaps I'm misunderstanding what the gateway
>> should be.
>  Hrm.  Do you have the --client-to-client option anyplace?  Can you
> connect in a way BESIDES ping to the other machines, like, ssh, or
> telnet to port 22?

  This is an excerpt from the man pages regarding the
--client-to-client.  Remember, OpenVPN doesn't just dump packets, it
manages them.  These two options are important for what you wish to
do:

=====  From man openvpn::

--iroute network [netmask]
    Generate an internal route to a specific client. The netmask
parameter, if omitted, defaults to 255.255.255.255.

    This directive can be used to route a fixed subnet from the server
to a particular client, regardless of where the client is connecting
from. Remember that you must also add the route to the system routing
table as well (such as by using the --route directive). The reason why
two routes are needed is that the --route directive routes the packet
from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive
routes to the specific client.

    This option must be specified either in a client instance config
file using --client-config-dir or dynamically generated using a
--client-connect script.

    The --iroute directive also has an important interaction with
--push "route ...". --iroute essentially defines a subnet which is
owned by a particular client (we will call this client A). If you
would like other clients to be able to reach A's subnet, you can use
--push "route ..." together with --client-to-client to effect this. In
order for all clients to see A's subnet, OpenVPN must push this route
to all clients EXCEPT for A, since the subnet is already owned by A.
OpenVPN accomplishes this by not pushing a route to a client if it
matches one of the client's iroutes.

--client-to-client
    Because the OpenVPN server mode handles multiple clients through a
single tun or tap interface, it is effectively a router. The
--client-to-client flag tells OpenVPN to internally route
client-to-client traffic rather than pushing all client-originating
traffic to the TUN/TAP interface.

    When this option is used, each client will "see" the other clients
which are currently connected. Otherwise, each client will only see
the server. Don't use this option if you want to firewall tunnel
traffic using custom, per-client rules.

==== end excerpt

  In your openvpn.conf file, you'd need something that specifies
client-to-client, as well as pushed route commands.  The CLIENT
connection scripts then need iroute entries so openvpn is aware that
it is to route traffic for those external interfaces as well, THRU the
OpenVPN tunnel.

-- 
-- Thomas
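A minimal server-side configuration showing the two-route arrangement the man page excerpt describes (kernel --route plus per-client --iroute, with --push and --client-to-client so the other clients can reach that subnet). This is an added example, not a configuration from this thread; the subnets 10.8.0.0/24 and 192.168.10.0/24 and the client name clientA are assumptions.

```conf
# server.conf  (added example; addresses and the client name are assumptions)
dev tun
server 10.8.0.0 255.255.255.0

# Kernel route: sends packets for client A's LAN into the tun interface,
# i.e. from the kernel to OpenVPN (this is what --route does).
route 192.168.10.0 255.255.255.0

# Tell every OTHER client to send 192.168.10.0/24 through the tunnel.
# OpenVPN skips this push for client A itself, because it matches A's iroute.
push "route 192.168.10.0 255.255.255.0"

# Route client-originated traffic to other clients inside OpenVPN.
# Leave this out if tunnel traffic must be firewalled with per-client rules.
client-to-client

# Per-client config files, named after the client certificate's common name.
client-config-dir ccd

# ---- ccd/clientA  (separate file; name = client A's certificate CN) ----
# Internal route: once a packet is inside OpenVPN, 192.168.10.0/24 belongs
# to client A, so OpenVPN delivers it down A's tunnel.
iroute 192.168.10.0 255.255.255.0
```

Client A must also forward packets between its tun and LAN interfaces, and hosts on 192.168.10.0/24 need a return route for 10.8.0.0/24 that points at client A, otherwise replies never come back through the tunnel.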

