openvpn and routing

Michael Torrie torriem at
Thu Mar 7 20:06:33 MST 2013

On 03/07/2013 07:53 PM, Michael Torrie wrote:
> # Push routes to the client to allow it
> # to reach other private subnets behind
> # the server.  Remember that these
> # private subnets will also need
> # to know to route the OpenVPN client
> # address pool (
> # back to the OpenVPN server.
> push "route remote_host net_gateway"
> push "route"
> push "route"
> push "route"
> push "route"
> push "route"
> push "route"

Just to add an explanation here.  the push commands push arbitrary
routes (using the vpn concentrator as gateway) to the clients.  It does
not do anything to the concentrator's routing table, though subnets
native to the VPN concentrator daemons get added to the concentrator
host's routing table automatically.  I'm not sure if you have to
explicitly push the vpn routes to the client using the push directive on
the conf file, but I've always done that, since I had to publish other
routes anyway.

The ccd files I mentioned are what tell the concentrator that certain
networks can be reached through the vpn (the actual host address is not
in the routing table; openvpn will handle that internally).  This causes
local routes to be added to the *concentrator*'s routing table that
route through the tun interface openvpn creates.  You can have as many
openvpn concentrator processes running as you want, though they have to
be on unique ports.  And it will all work together seemlessly because of
these routing tables.  Sounds more complicated than it is!

I operate 3 openvpn daemons.  One does normal TLS certificate exchange
on the normal UDP port.  This handles clients like routers and vps's
that I want to be static.  Then I have 2 daemons, one tcp and one udp,
that do password-based authentication. These are for laptops to use.
All three of the daemons use different vpn subnets.  The TLS one uses
(in my example), and the TCP password one uses and the UDP password one uses  But
because the concentrator host has routes set up automatically (native
vpn routes are added automatically, and the client subnets added from
ccd files when connected), anyone in any of the three vpn subnets can
ping the others.

Now you might not want to allow inter-vpn-subnet traffic, and you can do
that by not publishing the routes to your clients.  Or/And use iptables
on the concentrator on the "FORWARD" chain.

More information about the PLUG mailing list