Difference between revisions of "OpenVPN/Routing"

From Secure Computing Wiki
(30 intermediate revisions by 6 users not shown)
Latest revision as of 09:45, 5 September 2014


Lans behind OpenVPN

Here is an example of how to have multiple LANs behind OpenVPN, from ##OpenVPN on freenode.

Our user had an OpenVPN server with a LAN (10.10.2.0/24) behind it, and two clients with LANs behind them:

client1 with lan 10.10.1.0/24
client2 with lan 10.10.3.0/24

He wanted machines on all three LANs to be able to communicate using a tun (routed) setup.

Every machine with a LAN behind it must have IP forwarding enabled. In this example that means the server and both client1 and client2.
The user needed the following in his server.conf:

route 10.10.1.0 255.255.255.0
route 10.10.3.0 255.255.255.0
push "route 10.10.2.0 255.255.255.0"
push "route 10.10.1.0 255.255.255.0"
push "route 10.10.3.0 255.255.255.0"
client-to-client

The route entries adjust the server's own kernel routing table, telling it to route those networks over the VPN (the tun interface).
The push "route" entries are sent to every client when it connects, telling the client to route those networks over the VPN.

You may realize that client1 should not route 10.10.1.0/24 traffic over the VPN, and that client2 should not route 10.10.3.0/24 traffic over the VPN, because those networks are local to each client. Because of the iroute entries you will see below, OpenVPN knows this too and skips the push of a client's own network to that client.

The route entries are telling the server to add a route for each of 10.10.1.0/24 and 10.10.3.0/24 to its kernel's routing table, and both will be routed to the tunnel interface, that is, to OpenVPN. But the server has many connected clients on that one interface: how will OpenVPN know which client to send each network to?
The answer is iroute!

iroute does not bypass or alter the kernel's routing table. The kernel decides that a packet for one of those networks goes to the tun interface; iroute then tells the OpenVPN server which connected client is responsible for that network, so it knows which client to forward the packet to (and, in the other direction, which client is allowed to send packets with source addresses in that network). Without the iroute entry you will find the following in your log files:

MULTI: bad source address from client [IP ADDRESS], packet dropped

IP ADDRESS in that case would be the machine on the client LAN which tried to talk through the VPN, because OpenVPN has no clue which client that address belongs to. Once you give it the iroute statement, that changes. iroute is a route internal to OpenVPN and has nothing to do with the kernel's routing table. It tells OpenVPN which client owns which network. Note that even if you only have one LAN behind one client, YOU STILL NEED IROUTE. You will need it any time a client sends packets whose source IP address is different from the IP the VPN server assigned to that client.

The thing is, we can't just drop the iroute into server.conf, because it would then apply to every client, and iroute is only there to tell the server which single client should receive traffic destined for a network that the kernel said should go to the OpenVPN interface. That is why we add the iroute commands to a ccd entry.

You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put directives in ccd/<client-common-name>, and they are only applied when the common name in the connecting client's certificate matches the name of the file in ccd/.

In this example, let's assume the client owning the network 10.10.1.0/24 has a common name of client1. ccd/client1 should then contain the following:

iroute 10.10.1.0 255.255.255.0

As you can see, our user will make a ccd/ entry for each client with a LAN behind it. The ccd entry will have an iroute command for the network behind that client.

That means that client2, on the 10.10.3.0/24 LAN, would have the following entry in its ccd/client2 file:

iroute 10.10.3.0 255.255.255.0
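
Added example (Python), not OpenVPN's own code and not part of the original page: a consistency check for the route / push "route" / iroute split explained above. It reads a server.conf and the ccd/ files with a simplified parser that only understands the directives used on this page (an assumption; real OpenVPN configs have more syntax, such as inline <ca> blocks), and reports a server route that no ccd iroute claims (the "MULTI: bad source address" case), a ccd iroute that the server kernel has no route for, and pushed routes in common home-LAN subnets such as 192.168.0.0/24 or 192.168.1.0/24 (the note at the end of this page explains why that strands road warriors). It also shows which pushed routes a given client really receives, since OpenVPN skips the push of a network covered by that client's own iroute. The sample server.conf and ccd files are constructed to mirror the page's example.

```python
"""Consistency check for OpenVPN route / push "route" / iroute entries
(added example, not OpenVPN code).  Parser is simplified: it only handles
plain 'directive args' lines and push "..." payloads (assumption)."""
import ipaddress
import shlex

# Constructed sample data mirroring the page's example.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route 10.10.1.0 255.255.255.0
route 10.10.3.0 255.255.255.0
push "route 10.10.2.0 255.255.255.0"
push "route 10.10.1.0 255.255.255.0"
push "route 10.10.3.0 255.255.255.0"
client-to-client
"""
CCD_FILES = {  # file name under ccd/ == client certificate common name
    "client1": "iroute 10.10.1.0 255.255.255.0\n",
    "client2": "iroute 10.10.3.0 255.255.255.0\n",
}
COMMON_SUBNETS = {ipaddress.ip_network("192.168.0.0/24"),
                  ipaddress.ip_network("192.168.1.0/24")}


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_directives(text):
    """Return [(directive, args)], unwrapping push payloads so that
    push "route A M" becomes ("push", ["route", "A", "M"])."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # OpenVPN comment markers
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) > 1:
            out.append(("push", shlex.split(parts[1])))
        else:
            out.append((parts[0], parts[1:]))
    return out


def collect(server_conf, ccd_files):
    """Split the config into kernel routes, pushed routes and iroute owners."""
    kernel, pushed, owners = set(), set(), {}
    for name, args in parse_directives(server_conf):
        if name == "route" and len(args) >= 2:
            kernel.add(_net(args[0], args[1]))
        elif name == "push" and args[:1] == ["route"] and len(args) >= 3:
            pushed.add(_net(args[1], args[2]))
    for cn, text in ccd_files.items():
        for name, args in parse_directives(text):
            if name == "iroute" and len(args) >= 2:
                owners[_net(args[0], args[1])] = cn
    return kernel, pushed, owners


def check_routing(server_conf, ccd_files):
    """Return a list of human-readable findings; an empty list means consistent."""
    kernel, pushed, owners = collect(server_conf, ccd_files)
    findings = []
    for net in sorted(kernel):
        if net not in owners:   # kernel hands packets to tun, OpenVPN has no owner
            findings.append(f"route {net}: no ccd iroute claims it; expect "
                            f"'MULTI: bad source address' for hosts on it")
    for net, cn in sorted(owners.items()):
        if net not in kernel:   # OpenVPN knows the owner, kernel never asks it
            findings.append(f"ccd/{cn} iroute {net}: server.conf has no matching "
                            f"'route', the kernel will not send replies into the tunnel")
    for net in sorted(pushed):
        if net in COMMON_SUBNETS:
            findings.append(f"push route {net}: common home subnet, road warriors "
                            f"on it lose their gateway when the VPN comes up")
    return findings


def effective_pushes(server_conf, ccd_files, cn):
    """Routes client `cn` actually receives: pushes minus its own iroute networks."""
    _, pushed, owners = collect(server_conf, ccd_files)
    own = {net for net, owner in owners.items() if owner == cn}
    return sorted(pushed - own)


if __name__ == "__main__":
    for line in check_routing(SERVER_CONF, CCD_FILES) or ["config is consistent"]:
        print(line)
    for cn in CCD_FILES:
        print(cn, "receives:", [str(r) for r in effective_pushes(SERVER_CONF, CCD_FILES, cn)])
```

Run it against your real server.conf and ccd/ directory by replacing the constructed strings; the first finding it reports is exactly the situation that produces the "bad source address" log line above.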

[Image: ovpn_routing.jpg]

ROUTES TO ADD OUTSIDE OF OPENVPN


If you are not running OpenVPN on the router of each LAN, you have some more routes to add.
This diagram explains it pretty well.

Let's say our server is 10.10.2.10 on its LAN and uses 10.10.2.1 as its default gateway, and you want the 10.10.2.0/24 LAN to be reachable from, and able to reach, the other LANs over the VPN.
10.10.2.1 would need a route for every network that 10.10.2.0/24 will access or be accessed by. In our example that means:
10.10.2.1 must know that traffic for 10.10.1.0/24, 10.10.3.0/24 and the VPN internal network (for example, 10.8.0.0/24) is to be sent to 10.10.2.10.
This is true for any number of lans you want to connect, whether server or client.

If you fail to add this route, here is what would happen if a VPN client (for example, 10.8.0.6) wanted to send traffic to 10.10.2.20:
1) The VPN client sends traffic to 10.10.2.20, with a source address of 10.8.0.6
2) The VPN server (10.8.0.1 and 10.10.2.10) receives the traffic, has IP forwarding enabled, and passes it to 10.10.2.20
3) 10.10.2.20 gets it and tries to respond to 10.8.0.6, but has no entry for that network in its routing table
4) Because 10.10.2.20 has no route for 10.8.0.6, it sends the reply to its default gateway, which is 10.10.2.1
5) 10.10.2.1 checks its routing table, has no route for 10.8.0.6 either, and sends the reply to its own default gateway, which is likely its ISP
6) The ISP discards it, because 10.8.0.6 is an RFC 1918 (private, LAN-only) address that is not routed on the internet

The annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work and the reply would go straight to 10.10.2.10.
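
The six-step trace above, replayed by an added example (Python, not from the original page): a small longest-prefix-match routing simulation that follows the request and the reply through each host's routing table, first without the extra route, then with the route on the LAN gateway 10.10.2.1, then with the work-around route on the LAN host itself. The host names, the "isp" sink and its 198.51.100.1 next hop are constructed for the example; the addresses are the page's (10.8.0.6 client, 10.10.2.10 / 10.8.0.1 server, 10.10.2.20 LAN host, 10.10.2.1 gateway).

```python
"""Routing-table walk for the asymmetric-return failure (added example).
Hosts and the 'isp' sink are constructed; addresses are the page's."""
import ipaddress

ISP_HOP = "198.51.100.1"   # constructed upstream next hop (documentation range)


def net(cidr):
    return ipaddress.ip_network(cidr)


def build_topology(gateway_route=False, host_route=False):
    """Return (hosts, owner_of).  Each host has a set of addresses and a
    routing table of (network, next_hop); next_hop None means on-link.
    IP forwarding is assumed on every hop that is not the final destination."""
    hosts = {
        "client":  {"addrs": {"10.8.0.6"},
                    "routes": [(net("10.8.0.0/24"), None),
                               (net("10.10.2.0/24"), "10.8.0.1")]},  # pushed by server
        "server":  {"addrs": {"10.8.0.1", "10.10.2.10"},
                    "routes": [(net("10.8.0.0/24"), None),
                               (net("10.10.2.0/24"), None),
                               (net("0.0.0.0/0"), "10.10.2.1")]},
        "lanhost": {"addrs": {"10.10.2.20"},
                    "routes": [(net("10.10.2.0/24"), None),
                               (net("0.0.0.0/0"), "10.10.2.1")]},
        "gateway": {"addrs": {"10.10.2.1"},
                    "routes": [(net("10.10.2.0/24"), None),
                               (net("0.0.0.0/0"), ISP_HOP)]},
        "isp":     {"addrs": {ISP_HOP}, "routes": []},
    }
    if gateway_route:   # the route the page says 10.10.2.1 must have
        hosts["gateway"]["routes"].append((net("10.8.0.0/24"), "10.10.2.10"))
    if host_route:      # the "annoying work-around": a route on every LAN box
        hosts["lanhost"]["routes"].append((net("10.8.0.0/24"), "10.10.2.10"))
    for h in hosts.values():
        h["addrs"] = {ipaddress.ip_address(a) for a in h["addrs"]}
    owner_of = {a: name for name, h in hosts.items() for a in h["addrs"]}
    return hosts, owner_of


def longest_match(routes, dst):
    """Kernel-style lookup: the most specific matching prefix wins."""
    best = None
    for network, via in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, via)
    return best


def trace(hosts, owner_of, start, dst, max_hops=8):
    """Follow a packet from `start` to `dst`; returns the hop list, ending
    with a 'dropped: ...' marker when it never arrives."""
    dst = ipaddress.ip_address(dst)
    path, cur = [start], start
    for _ in range(max_hops):
        if dst in hosts[cur]["addrs"]:
            return path                               # delivered
        if cur == "isp":                              # step 6 on the page
            return path + ["dropped: RFC 1918 destination at ISP"]
        hit = longest_match(hosts[cur]["routes"], dst)
        if hit is None:
            return path + ["dropped: no route"]
        next_ip = dst if hit[1] is None else ipaddress.ip_address(hit[1])
        nxt = owner_of.get(next_ip)
        if nxt is None:
            return path + [f"dropped: nobody answers for {next_ip}"]
        path.append(nxt)
        cur = nxt
    return path + ["dropped: hop limit"]


if __name__ == "__main__":
    cases = [("no extra route", {}), ("route on gateway", {"gateway_route": True}),
             ("route on every host", {"host_route": True})]
    for label, kw in cases:
        hosts, owner_of = build_topology(**kw)
        req = " -> ".join(trace(hosts, owner_of, "client", "10.10.2.20"))
        rep = " -> ".join(trace(hosts, owner_of, "lanhost", "10.8.0.6"))
        print(f"{label:20} request: {req}")
        print(f"{'':20} reply:   {rep}")
```

The request always arrives; only the reply path changes, which is why the symptom looks like "pings go out but nothing comes back". Adding the 10.8.0.0/24 route on the gateway fixes it for the whole LAN; adding it on the host alone fixes it for that host only.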


If this needs clarification, ask me about it and I will update this page after working out how to make it clearer.

On Jan 26, 2010 I changed this article to no longer use 192.168.1.0, 192.168.2.0 and 192.168.3.0 for my subnets. I did this because it is important not to use common subnets such as 192.168.0.x or 192.168.1.x when pushing routes to clients. It does not matter as long as you know where every client connects from, but once you add a single road warrior to the VPN you will run into a problem. If the road warrior is connecting from a LAN where he has 192.168.0.x and he gets pushed a route sending 192.168.0.0/24 over the VPN, he will lose all connectivity to the internet until he kills the VPN. This is because the client loses its route to its own gateway: it now tries to contact the gateway over the VPN, but the VPN tunnel itself can only be reached through that gateway. In short, if the LAN you want to access using OpenVPN uses a common subnet such as 192.168.0.x or 192.168.1.x, CHANGE IT.

Caveats

  • There is an issue with some Windows versions and a broken API when running an OpenVPN version older than 2.1.

Basically if you see an error like this:

route ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.9
ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.
Route addition via IPAPI failed

One solution is to run the latest 2.1 client package.
An easier solution is to add this to your config:

route-method exe
route-delay

The first option changes how Windows adds a route (route.exe instead of the IP helper API that failed in the message above).
The second option waits before adding routes (helpful for making sure you get a DHCP lease before messing with routes).
If those don't help, try turning off Routing and Remote Access in Administrative Tools - Routing and Remote Access.


Written by krzee @ #OpenVPN @ freenode IRC

Feel free to discuss this document on the unofficial OpenVPN forum at: OpenVPN Forum: Lans behind OpenVPN (https://forums.openvpn.net/topic98.html)