Farkas Levente <lfar...@bnap.hu> said:

> James Yonan wrote:
> > Farkas Levente <lfar...@bnap.hu> said:
> > > Mathias Sundman wrote:
> > > > Hi!
> > > >
> > > > > we use our linux vpn gateway and some win2000 road warrior clients with
> > > > > openvpn. I would like to route all internet traffic through our firewall
> > > > > from the windows clients.
> > > >
> > > > I've been thinking about doing this too, but never actually tried it.
> > > >
> > > > What you basically need to do is:
> > > >
> > > > 1. Don't set a default gateway on your ethernet adapter.
> > >
> > > you have to set it, otherwise the vpn connection can't be established.
> > >
> > > > 2. Add a route to your openvpn server with a /32 mask pointing to the
> > > > gateway on your ethernet.
> > > >
> > > > In your example this would be done with the following command on
> > > > Win2K where w.x.y.z is the IP of your remote openvpn server,
> > > > and a.b.c.254 is your local gateway.
> > > >
> > > > ROUTE ADD w.x.y.z MASK 255.255.255.255 a.b.c.254
> > > >
> > > > 3. Setup OpenVPN as usual but also add a default gateway route to
> > > > the TAP interface.
> > > >
> > > > The reason why I haven't tried this is because I don't know how to solve
> > > > the problem that the ROUTE command will be different for each network you
> > > > hook your laptop into. So if you don't want to manually do this every
> > > > time, you would need to write a little app that looks at the IP and
> > > > default gateway that has been assigned by DHCP, switch to static IP and
> > > > add the correct route.
> > > >
> > > > Anyone that has a better solution to this?
> > >
> > > you see exactly the problem!
> > > on linux I can do (eg. in the up script):
> > > ----------------------------------
> > > route add -host <remote-server-ip> dev ppp0
> > > route del default dev ppp0
> > > route add default dev tun0
> > > ----------------------------------
> > > and we got it, but unfortunately on windows you can't route by interface
> > > (or to be more precise, on windows the interface is defined by its ip
> > > address even if you can specify the interface).
> > > so I'd like to suggest a new option for openvpn to be portable (like in
> > > the case of --route):
> > > --route-internal
> > > which does exactly the above on all platforms,
> > > since openvpn knows which ip address it has under the tun/tap interface.
> > > or maybe it would be better if the up script had one more (6th)
> > > parameter, the underlying interface's ip address:
> > > -----------------------------------
> > > cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip
> > > underlying_ip [ init | restart ]
> > > cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask
> > > underlying_ip [ init | restart ]
> > > -----------------------------------
> > > and in this case on linux we can write an up script as:
> > > ----------------------------------
> > > route add -host $5 dev ppp0
> > > route del default dev ppp0
> > > route add default dev tun0
> > > ----------------------------------
> > > while on windows
> > > ----------------------------------
> > > route add $5 gw $6
> > > route delete 0.0.0.0 mask 0.0.0.0 $5
> > > route add 0.0.0.0 mask 0.0.0.0 $4
> > > ----------------------------------
> > > is it possible? or any better solution?
> >
> > When you say "underlying_ip" I assume you mean the original default gateway
> > (before the up script (might have) changed it)?
> >
> > I agree that it would be useful to provide an "original default gateway"
> > parameter to up scripts.
>
> yes.
>
> > This would provide the support necessary to conveniently route all IP
> > traffic through the VPN tunnel.
> >
> > Unfortunately, as is often the case with network configuration, there is no
> > standard API for doing this.
> >
> > To make this work in OpenVPN, you would need to follow the model of tun.c
> > and route.c where there is a function such as get_default_gateway that has
> > a bunch of #ifdefs for each platform.
> >
> > If you want this to work on Windows right now, I would suggest you run
> > "route print" in your up script and pipe the output to a program which
> > parses out the "default gateway" information and returns it to the script.
>
> that's what I wouldn't like to do! if openvpn already contains this code
> (get_default_gateway) and you know that this is very difficult to find
> out, then why doesn't openvpn provide it for us?
> that would be a big help!
> thanks in advance :-)
Good news. I threw together some code under a new flag called --redirect-gateway
that will do the routing smarts to redirect the default gateway into the tunnel,
and undo its actions on tun/tap close.

Keep in mind that there's no standard API for getting the current default
gateway. That means there's yet another #if block at the bottom of route.c for
each platform's version of get_default_gateway(). I've only implemented it for
Linux and Windows so far.

It will be out with beta13... If you are adventurous, the patch is already
committed to the CVS, if you'd like to test or add support for other OSes
besides Linux and Windows.

James
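The procedure worked out in this thread (pin a /32 host route to the VPN server via the original gateway, then move the default route onto the tunnel, and reverse both steps on close), scripted for a Linux up/down script. This is an added example written for this page, not code from the thread or from OpenVPN's --redirect-gateway implementation. It assumes a Linux client with iproute2 (`ip`), that the tunnel device and the server's public address are passed in as arguments, and it works from a constructed `ip route` dump with 203.0.113.5 standing in for the server; the function names are the example's own. Because there is no standard API for the current default gateway, it parses the route table, and it refuses to emit a plan when no gateway is found rather than leave the host with a half-applied configuration.

```shell
#!/bin/sh
# Added example (editor's own, not OpenVPN's code): the three-step gateway
# redirect from the thread, for a Linux up/down script. Assumes iproute2.
# The route-table text at the bottom is constructed, not captured.

# Step 0: discover the current default gateway and its physical device.
# Reads `ip route` output on stdin and prints "GATEWAY DEV"; prints nothing
# when there is no "default via ..." entry (e.g. a host with no uplink).
default_gateway_from() {
    awk '$1 == "default" && $2 == "via" && $4 == "dev" { print $3, $5; exit }'
}

# Steps 1-3 as commands, one per line: pin the VPN server to the old gateway
# with a /32 host route (so the encrypted packets to the server are never
# routed into the tunnel itself), then move the default route onto the tunnel.
# Arguments: server_ip tun_dev old_gateway phys_dev
redirect_commands() {
    printf 'ip route add %s/32 via %s dev %s\n' "$1" "$3" "$4"
    printf 'ip route replace default dev %s\n' "$2"
}

# The inverse, for the down script: restore the old default route and drop
# the pinned host route, so the host is not left without a gateway on close.
# Arguments: server_ip tun_dev old_gateway phys_dev
restore_commands() {
    printf 'ip route replace default via %s dev %s\n' "$3" "$4"
    printf 'ip route del %s/32 via %s dev %s\n' "$1" "$3" "$4"
}

# Build the redirect plan from a route table on stdin. Fails (exit 1, no
# output) when no default gateway can be found, instead of emitting a plan
# that would add a broken host route and then unreachable default.
# Arguments: server_ip tun_dev
plan_redirect() {
    gw=$(default_gateway_from)
    [ -n "$gw" ] || { echo "plan_redirect: no default gateway found" >&2; return 1; }
    set -- "$1" "$2" $gw          # word-split "GATEWAY DEV" into $3 and $4
    redirect_commands "$1" "$2" "$3" "$4"
}

# Execute a plan read from stdin, one command per line; with DRY_RUN set,
# only echo the commands. Stops at the first failing command.
run_plan() {
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}

# Live usage as an OpenVPN up script (root required) would be:
#   ip route show | plan_redirect "$SERVER_IP" "$dev" | run_plan
# with the matching restore_commands line in the down script.

# Constructed route table standing in for `ip route` output on a DHCP client.
SAMPLE_ROUTES='default via 192.168.1.254 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
10.8.0.0/24 dev tun0 scope link'

# Dry-run demonstration against the constructed table; 203.0.113.5 is a
# documentation address standing in for the VPN server.
DRY_RUN=1
printf '%s\n' "$SAMPLE_ROUTES" | plan_redirect 203.0.113.5 tun0 | run_plan
```

The host route is added before the default route is replaced on purpose: once the default points into the tunnel, any packet to the server that is not covered by the /32 would be encapsulated and sent back into the tunnel, and the link would never come up. The same ordering in reverse (restore the default first, then drop the /32) keeps the host reachable throughout the down script.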