OpenVPN

From Secure Computing Wiki

Revision as of 02:48, 17 August 2008

Here is an example from ##OpenVPN on freenode.

The user had the following in his server.conf:

push "route 192.168.2.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
route 192.168.3.0 255.255.255.0
route 192.168.4.0 255.255.255.0
client-to-client

The push "route" line tells the server to make ALL clients add an entry to their routing table sending 192.168.2.0/24 through their VPN. That is because 192.168.2.0 is a LAN behind his VPN server, which the clients should be able to communicate with.

The route entries tell his server to add a route for each of 192.168.1.0, 192.168.3.0 and 192.168.4.0 to its kernel's routing table, pointing at the tunnel interface. The server's kernel now sends all three LANs through the VPN interface, but once a packet reaches the tunnel, how does OpenVPN know which client each network belongs to? The answer is iroute!

iroute does not bypass or alter the kernel's routing table; it is used after the kernel has already handed a packet to the tunnel interface, and it tells the OpenVPN server which client is responsible for a network that OpenVPN would otherwise know nothing about. Without the iroute entry you will find the following in your log files:

MULTI: bad source address from client [IP ADDRESS], packet dropped

The thing is, we can't just drop the iroute into server.conf, because it would then apply to every client, and iroute exists only to tell the server to which client it should send traffic destined for a network that the kernel has routed to the OpenVPN interface. That is why we add the iroute commands to a ccd entry.

You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are effectively included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/.

In this example let's assume the client owning the network 192.168.1.0 has a common-name of client1. In ccd/client1 he should have the following:

iroute 192.168.1.0 255.255.255.0

But our user also wants client-to-client to work, so let's say he also wants the LANs behind those clients to be able to communicate. In ccd/client1 we add some more entries; now it looks like this:

iroute 192.168.1.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"

As you can see, each client our user has will have a ccd/ entry including an iroute for the network behind the client, and pushed routes for all networks behind other clients.

That means that the client on the 192.168.3.0 LAN would have the following entry in its ccd/ file:

iroute 192.168.3.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
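Writing these ccd/ files by hand is easy to get wrong once there are more than a couple of clients: forget one iroute and the server starts logging "MULTI: bad source address" for that LAN. The script below is an added example (not from the wiki page or the OpenVPN project) that derives each ccd/ entry from a single map of client common-name to LAN and cross-checks it against the server.conf route lines. The common names client1, client3 and client4, the server.conf text and the client-to-LAN map are constructed sample data; it assumes the same layout as the example above, with a client-config-dir line already present in server.conf.

```python
"""Generate OpenVPN client-config-dir (ccd/) entries from a per-client LAN map.

Added example, not code from the wiki page or the OpenVPN project. Assumes the
(constructed) common names client1/client3/client4 and that server.conf already
carries a `route` line for every client LAN plus `client-config-dir ccd`.
"""
import ipaddress

# Constructed sample: which client (by certificate common-name) owns which LAN.
CLIENT_LANS = {
    "client1": "192.168.1.0/24",
    "client3": "192.168.3.0/24",
    "client4": "192.168.4.0/24",
}

# Constructed sample server.conf fragment mirroring the page's example.
SERVER_CONF = """\
push "route 192.168.2.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
route 192.168.3.0 255.255.255.0
route 192.168.4.0 255.255.255.0
client-to-client
client-config-dir ccd
"""


def server_routes(conf_text):
    """Return the networks server.conf sends into the tunnel (its `route` lines).

    Pushed routes are deliberately ignored: they describe LANs behind the
    server, which need no iroute."""
    nets = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "route":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True))
    return nets


def ccd_entry(cn, client_lans, client_to_client=True):
    """Build the text of ccd/<cn>: an iroute for this client's own LAN and, when
    the client LANs should reach each other, a pushed route for every other LAN."""
    own = ipaddress.ip_network(client_lans[cn])
    lines = [f"iroute {own.network_address} {own.netmask}"]
    if client_to_client:
        for other_cn, lan in sorted(client_lans.items()):
            if other_cn == cn:
                continue  # a client never needs a route to its own LAN
            net = ipaddress.ip_network(lan)
            lines.append(f'push "route {net.network_address} {net.netmask}"')
    return "\n".join(lines) + "\n"


def unowned_routes(conf_text, client_lans):
    """Networks that server.conf routes into the tunnel but no client claims via
    iroute. Packets from such a LAN arriving through a client are the
    'MULTI: bad source address ... packet dropped' case described above."""
    owned = {ipaddress.ip_network(lan) for lan in client_lans.values()}
    return [str(net) for net in server_routes(conf_text) if net not in owned]


if __name__ == "__main__":
    for cn in CLIENT_LANS:
        print(f"--- ccd/{cn}")
        print(ccd_entry(cn, CLIENT_LANS), end="")
    print("routes with no owning client:", unowned_routes(SERVER_CONF, CLIENT_LANS))
```

Run it and each ccd/ entry matches the hand-written ones on this page; drop client3 from CLIENT_LANS and unowned_routes() names 192.168.3.0/24, which is exactly the LAN whose traffic the server would otherwise drop with the "bad source address" message.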