openvpn and routing

Michael Torrie torriem at gmail.com
Thu Mar 7 19:53:02 MST 2013


On 03/07/2013 02:58 PM, Charles Curley wrote:
> I tried installing openvpn and following this tutorial:
> http://wiki.debian.org/OpenVPN
> 
> I got as far as the statement "You should probably configure your route
> at this step." I have tried several "route add" commands but none seem
> to produce useful results. I can ping the local side of the connection,
> but not the remote side.
>
> How do I add the appropriate route to each machine? Thanks
> 

I let OpenVPN do it for me.  Here's a complicated setup that puts in
routes for 6 networks.  What this means is that VPN clients are told to
use the vpn server as the gateway for these routes.

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route remote_host 255.255.255.255 net_gateway"
push "route 192.168.2.0 255.255.255.192"
push "route 192.168.2.64 255.255.255.192"
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"

What's cool is I can tell VPN that some VPN clients have routes to these
networks.  For example, 192.168.4.0 might be the internal network at my
home.  192.168.5.0 might be the internal network at my parents' house.
And 192.168.6.0 might be another network at another site.  Then to tell
openvpn which clients have these networks, in the "/etc/openvpn/ccd/"
directory, I can make individual files (based on user id or TLS
certificate common name).  Like this:

home-router:
# give this client the same ip address every time (see docs on how the
# pairs work)
ifconfig-push 192.168.3.4 192.168.3.3
iroute 192.168.4.0 255.255.255.0

parents-router:
ifconfig-push 192.168.3.6 192.168.3.5
iroute 192.168.5.0 255.255.255.0

other-site:
ifconfig-push 192.168.3.8 192.168.3.7
iroute 192.168.6.0 255.255.255.0


Now when everyone is vpn'd in you can ping across any of the subnets
just fine and routing is all taken care of.

Hope that makes sense.  Let me know if you have a question about what I
wrote.
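As an added illustration of the setup described in this reply (this is not code from the post or from the Debian wiki), the Python script below parses a server config plus a set of ccd files and reports the routing mismatches that typically show up as "I can ping the local side but not the remote side": an `iroute` in a ccd file with no matching server-side `route` directive (the OpenVPN manual requires both, since `route` gets the subnet's packets from the kernel into OpenVPN and `iroute` then picks the client), an `iroute` subnet that is never pushed to the other clients, and one subnet claimed by two ccd files. The server config and ccd files are constructed inline from the push lines and ccd entries in the post; the `server`, `client-config-dir` and `route` lines are assumptions, and the `route` for 192.168.6.0 is left out on purpose so the check has something to find.

```python
"""Consistency check for an OpenVPN server config and its ccd/ files.

Added example; the sample configs below are constructed for illustration
and are not the poster's actual files.
"""
import ipaddress
import shlex


def parse_directives(text):
    """Yield (directive, [args]) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def try_subnet(addr, mask):
    """Return an IPv4Network for 'addr mask', or None for symbolic names
    such as remote_host / vpn_gateway that only OpenVPN can resolve."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def parse_server(text):
    """Return (kernel routes, pushed routes) as sets of networks."""
    routes, pushed = set(), set()
    for name, args in parse_directives(text):
        if name == "route" and len(args) >= 2:
            net = try_subnet(args[0], args[1])
            if net is not None:
                routes.add(net)
        elif name == "push" and args:
            inner = args[0].split()          # push "route A M" -> ['route', A, M]
            if len(inner) >= 3 and inner[0] == "route":
                net = try_subnet(inner[1], inner[2])
                if net is not None:
                    pushed.add(net)
    return routes, pushed


def parse_ccd(text):
    """Return the set of networks a ccd file claims via iroute."""
    claimed = set()
    for name, args in parse_directives(text):
        if name == "iroute" and len(args) >= 2:
            net = try_subnet(args[0], args[1])
            if net is not None:
                claimed.add(net)
    return claimed


def check_routing(server_conf, ccd_files):
    """Return a sorted list of human-readable findings (empty = consistent)."""
    routes, pushed = parse_server(server_conf)
    claimed = {}                                # network -> [client names]
    findings = []
    for client in sorted(ccd_files):
        for net in sorted(parse_ccd(ccd_files[client])):
            claimed.setdefault(net, []).append(client)
            if net not in routes:
                findings.append(
                    f"{client}: iroute {net} has no matching 'route' in the server config")
            if net not in pushed:
                findings.append(
                    f"{client}: iroute {net} is not pushed to the other clients")
    for net in sorted(claimed):
        if len(claimed[net]) > 1:
            findings.append(
                f"iroute {net} is claimed by more than one client: {', '.join(claimed[net])}")
    return findings


# Constructed server config modelled on the post; 'server', 'client-config-dir'
# and the 'route' lines are assumptions.  The route for 192.168.6.0 is
# deliberately missing.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route remote_host 255.255.255.255 net_gateway"
push "route 192.168.2.0 255.255.255.192"
push "route 192.168.2.64 255.255.255.192"
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
route 192.168.4.0 255.255.255.0
route 192.168.5.0 255.255.255.0
"""

# Constructed ccd files, one per client, as in the post.
CCD = {
    "home-router": "ifconfig-push 192.168.3.4 192.168.3.3\niroute 192.168.4.0 255.255.255.0\n",
    "parents-router": "ifconfig-push 192.168.3.6 192.168.3.5\niroute 192.168.5.0 255.255.255.0\n",
    "other-site": "ifconfig-push 192.168.3.8 192.168.3.7\niroute 192.168.6.0 255.255.255.0\n",
}

if __name__ == "__main__":
    for finding in check_routing(SERVER_CONF, CCD) or ["routing config is consistent"]:
        print(finding)
```

Run it as-is and it reports the one subnet (192.168.6.0/24) whose `iroute` has no server-side `route`; add that `route` line and the report is empty. Pointing `parse_server` at a real `/etc/openvpn/server.conf` and `parse_ccd` at each file under the `client-config-dir` makes the same check useful before restarting a live server.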


More information about the PLUG mailing list