Difference between revisions of "OpenVPN/Routing"

From Secure Computing Wiki

Revision as of 01:36, 20 November 2008

Here is an example from ##OpenVPN on freenode.

Our user had an OpenVPN server with a LAN (192.168.2.0) behind it, and 2 clients with LANs behind them:

client1 with LAN 192.168.1.0
client2 with LAN 192.168.3.0

He wanted machines on all 3 LANs to be able to communicate using a tun (routed) setup.

The user needed the following in his server.conf:

push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
route 192.168.3.0 255.255.255.0
client-to-client

The first push route tells the server to let ALL clients know that they should add an entry to their routing table to route 192.168.2.0/24 through the VPN. That is because 192.168.2.0 is a LAN behind his VPN server, which the clients should be able to communicate with.

The second and third push lines match the route entries, and tell all clients to route those networks through the VPN.

You may realize that client1 should not route 192.168.1.0 traffic over the VPN, and that client2 should not route 192.168.3.0 traffic over the VPN (because those networks are local to each client). Because of the iroute entries you will see below, OpenVPN knows this too and skips the push of a client's own network for that client.

The route entries tell his server to add a route for each of 192.168.1.0 and 192.168.3.0 to its kernel's routing table, pointing at the tunnel interface. The server's kernel now has entries for 2 LANs that both go through the VPN interface, but when that happens, how will OpenVPN know which client to send each network to? The answer is iroute!

Iroute does not bypass or alter the kernel's routing table; it lets OpenVPN handle the routing when the kernel points a packet at it for a network that OpenVPN would not otherwise know about. The iroute entry tells the OpenVPN server which client is responsible for the network. Without the iroute entry you will find the following in your logfiles:

MULTI: bad source address from client [IP ADDRESS], packet dropped

IP ADDRESS in that case would be the machine on the client LAN which tried to talk through the VPN, because OpenVPN has no clue what that address is. Once you give it the iroute statement, that changes. Iroute is a route internal to OpenVPN, and has nothing to do with the kernel's routing table. It tells OpenVPN which client owns which network. Note that even if you only have 1 LAN behind 1 client, YOU STILL NEED IROUTE. You will need it any time a source IP address different from the one the client connected from tries to send (or respond to) traffic over the VPN.

The thing is, we can't just drop the iroute into server.conf because it would then be used for every client, and iroute is only there to tell the server which client it should send traffic to for a network that the kernel said should go to the OpenVPN interface. That is why we add the iroute commands to a ccd entry.

You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/.

In this example let's assume the client owning the network 192.168.1.0 has a common-name of client1. In ccd/client1 he should have the following:
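To turn that log line into something actionable, here is an added example (not from the wiki page) that scans OpenVPN server log lines for the "bad source address" drop, groups the dropped source IPs by the client's common-name, and prints the iroute line that would fix each one. The log lines are constructed; the "cn/ip:port" prefix is OpenVPN's per-client instance tag, and the /24 guess for the LAN behind each client is an assumption that matches this page's networks.

```python
# Added example, not code from the wiki page. Scans OpenVPN server log lines
# for "MULTI: bad source address" drops and reports, per client common-name,
# which source addresses need an iroute in that client's ccd file.
import re
import ipaddress
from collections import defaultdict

# Constructed sample log; "cn/realaddr:port" is OpenVPN's client instance tag.
SAMPLE_LOG = """\
Thu Nov 20 01:36:00 2008 client1/203.0.113.5:1194 MULTI: Learn: 10.8.0.6 -> client1/203.0.113.5:1194
Thu Nov 20 01:36:02 2008 client1/203.0.113.5:1194 MULTI: bad source address from client [192.168.1.20], packet dropped
Thu Nov 20 01:36:03 2008 client1/203.0.113.5:1194 MULTI: bad source address from client [192.168.1.21], packet dropped
Thu Nov 20 01:36:05 2008 client2/198.51.100.9:1194 MULTI: bad source address from client [192.168.3.7], packet dropped
"""

BAD_SRC = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client \[(?P<src>[^\]]+)\]"
)


def dropped_sources(log_text):
    """Map common-name -> set of source IPs OpenVPN dropped for that client."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = BAD_SRC.search(line)
        if m:
            hits[m.group("cn")].add(m.group("src"))
    return dict(hits)


def suggested_iroutes(hits, prefixlen=24):
    """Assume (labelled assumption) each dropped source sits on a /prefixlen LAN
    behind the client, and return the ccd iroute line(s) that would cover it."""
    out = {}
    for cn, srcs in hits.items():
        nets = {ipaddress.ip_network(f"{s}/{prefixlen}", strict=False) for s in srcs}
        out[cn] = sorted(f"iroute {n.network_address} {n.netmask}" for n in nets)
    return out


if __name__ == "__main__":
    for cn, lines in suggested_iroutes(dropped_sources(SAMPLE_LOG)).items():
        print(f"ccd/{cn}:")
        for l in lines:
            print("   ", l)
```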

iroute 192.168.1.0 255.255.255.0

As you can see, each client our user has will have a ccd/ entry including an iroute for the network behind that client, and pushed routes for all networks behind the other clients.

That means that client2 on the 192.168.3.0 LAN would have the following entry in its ccd/client2 file:

iroute 192.168.3.0 255.255.255.0

ROUTES TO ADD OUTSIDE OF OPENVPN

This assumes each OpenVPN client is the default gateway for the machines on its LAN. If that is not the case, you will need to do one of the following:

1: Manually add the route back to the VPN on the gateway for the OpenVPN client's LAN.
2: Manually add the route back to the VPN on each machine on the LAN.

If you are not running OpenVPN on the router for each LAN, you have some more routes to add. Let's say our server is 192.168.2.10 on its LAN, and uses 192.168.2.1 as its default route. 192.168.2.1 must know that for 192.168.1.x, 192.168.3.x and the VPN internal network, it sends the traffic to 192.168.2.10.

This is true for any number of LANs you want to connect, whether server or client.
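Putting the whole recipe together (server.conf push/route lines, the per-client ccd iroute, and the extra routes each LAN's gateway needs), here is an added example that generates all of it from a table of sites; it is not code from the wiki page or from the OpenVPN project, and it generalizes the page's three-LAN case to any number of client LANs. The server's LAN IP 192.168.2.10 is from the page; the client hosts' LAN IPs and the tunnel subnet 10.8.0.0/24 are assumptions.

```python
# Added example, not code from the wiki page. Builds the OpenVPN server-side
# routing config for a routed (tun) site-to-site setup from a site table, plus
# the routes each LAN's default gateway needs when OpenVPN does not run on it.
import ipaddress

SERVER = "server"
SITES = {  # site -> LAN behind it and the LAN IP of its OpenVPN host
    "server":  {"lan": "192.168.2.0/24", "ovpn_host": "192.168.2.10"},
    "client1": {"lan": "192.168.1.0/24", "ovpn_host": "192.168.1.10"},  # assumed host IP
    "client2": {"lan": "192.168.3.0/24", "ovpn_host": "192.168.3.10"},  # assumed host IP
}
VPN_NET = "10.8.0.0/24"  # assumed tunnel subnet (the "vpn internal network")


def ovpn_net(cidr):
    """'192.168.1.0/24' -> '192.168.1.0 255.255.255.0' (OpenVPN syntax)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def server_conf_lines(sites, ccd_dir="/etc/openvpn/ccd"):
    """Push every LAN to every client, add a kernel route for each client LAN
    (the iroute in ccd then picks the client), enable ccd and client-to-client."""
    clients = [s for s in sites if s != SERVER]
    lines = [f'push "route {ovpn_net(sites[s]["lan"])}"' for s in sites]
    lines += [f"route {ovpn_net(sites[c]['lan'])}" for c in clients]
    return lines + [f"client-config-dir {ccd_dir}", "client-to-client"]


def ccd_files(sites):
    """ccd/<common-name> -> contents: only the iroute for that client's own LAN.
    OpenVPN skips pushing a client the route for its own iroute'd network."""
    return {c: f"iroute {ovpn_net(d['lan'])}\n" for c, d in sites.items() if c != SERVER}


def gateway_routes(site, sites, vpn_net=VPN_NET):
    """Routes the default gateway of `site` needs (Linux iproute2 syntax):
    every other LAN plus the tunnel subnet, via the local OpenVPN host."""
    via = sites[site]["ovpn_host"]
    nets = [d["lan"] for s, d in sites.items() if s != site] + [vpn_net]
    return [f"ip route add {n} via {via}" for n in nets]


if __name__ == "__main__":
    print("\n".join(server_conf_lines(SITES)))
    for cn, body in ccd_files(SITES).items():
        print(f"--- ccd/{cn}\n{body}", end="")
    print("--- on 192.168.2.1 (server LAN gateway):")
    print("\n".join(gateway_routes(SERVER, SITES)))
```

The gateway_routes lines for a client site go on that client's LAN gateway (option 1 above), or on each LAN machine if you take option 2.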

If this needs clarification ask me about it and I will update this page after discovering how to make it clearer.

-by krzee

[Image: Ovpn routing-1.jpg]