> Farkas Levente <lfar...@bnap.hu> said:
>
>> James Yonan wrote:
>> > Farkas Levente <lfar...@bnap.hu> said:
>> >
>> >
>> >>Mathias Sundman wrote:
>> >>
>> >>>Hi!
>> >>>
>> >>> > we use our linux vpn gateway and some win2000 road warrior clients with
>> >>> > openvpn. I would like to route all internet traffic through our firewall
>> >>> > from the windows clients.
>> >>>
>> >>> I've been thinking about doing this too, but never actually tried it.
>> >>>
>> >>> What you basically need to do is:
>> >>>
>> >>> 1. Don't set a default gateway on your ethernet adapter.
>> >>
>> >>you have to set it, otherwise the vpn connection can't be established.
>> >>
>> >>
>> >>> 2. Add a route to your openvpn server with a /32 mask pointing to the
>> >>>    gateway on your ethernet.
>> >>>
>> >>>    In your example this would be done with the following command on
>> >>>    Win2K where w.x.y.z is the IP of your remote openvpn server,
>> >>>    and a.b.c.254 is your local gateway.
>> >>>
>> >>>    ROUTE ADD w.x.y.z MASK 255.255.255.255 a.b.c.254
>> >>>
>> >>> 3. Setup OpenVPN as usual but also add a default gateway route to
>> >>>    the TAP interface.
>> >>>
>> >>>
>> >>> The reason why I haven't tried this is because I don't know how to solve
>> >>> the problem that the ROUTE command will be different for each network you
>> >>> hook your laptop into. So if you don't want to manually do this every
>> >>> time, you would need to write a little app that looks at the IP and
>> >>> default gateway that has been assigned by DHCP, switch to static IP and
>> >>> add the correct route.
>> >>>
>> >>> Anyone that has a better solution to this?
>> >>
>> >>you see exactly the problem!
>> >>on linux I can do (eg. in the up script):
>> >>----------------------------------
>> >>route add -host <remote-server-ip> dev ppp0
>> >>route del default dev ppp0
>> >>route add default dev tun0
>> >>----------------------------------
>> >>and we got it, but unfortunately on windows you can't route by interface
>> >>(or to be more precise on windows the interface is defined by its ip
>> >>address even if you can specify the interface).
>> >>so I'd like to suggest a new option for openvpn to be portable (like in
>> >>the case of --route):
>> >>--route-internal
>> >>   which does exactly as the above on all platforms.
>> >>since openvpn knows which ip address is under the tun/tap interface.
>> >>or maybe it would be better if the up script had one more (6th)
>> >>parameter with the underlying interface's ip address:
>> >>-----------------------------------
>> >>cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip
>> >>underlying_ip [ init | restart ]
>> >>cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask
>> >>underlying_ip [ init | restart ]
>> >>-----------------------------------
>> >>and in this case on linux we can write an up script as:
>> >>----------------------------------
>> >>route add -host $5 dev ppp0
>> >>route del default dev ppp0
>> >>route add default dev tun0
>> >>----------------------------------
>> >>while on windows
>> >>----------------------------------
>> >>route add $5 gw $6
>> >>route delete 0.0.0.0 mask 0.0.0.0 $5
>> >>route add 0.0.0.0 mask 0.0.0.0 $4
>> >>----------------------------------
>> >>is it possible? or any better solution?
>> >
>> >
>> > When you say "underlying_ip" I assume you mean the original default gateway
>> > (before the up script (might have) changed it)?
>> >
>> > I agree that it would be useful to provide an "original default gateway"
>> > parameter to up scripts.
>>
>> yes.
>>
>> > This would provide the support necessary to conveniently route all IP traffic
>> > through the VPN tunnel.
>> >
>> > Unfortunately, as is often the case with network configuration, there is no
>> > standard API for doing this.
>> >
>> > To make this work in OpenVPN, you would need to follow the model of tun.c and
>> > route.c where there is a function such as get_default_gateway that has a bunch
>> > of #ifdefs for each platform.
>> >
>> > If you want this to work on Windows right now, I would suggest you run "route
>> > print" in your up script and pipe the output to a program which parses out the
>> > "default gateway" information and returns it to the script.
>>
>> that's what I wouldn't like to! if openvpn already contains this code
>> (get_default_gateway) and you know that this is very difficult to find
>> out then why openvpn provide it for us?
>> that would be a big help!
>> thanks in advance:-)
>
> Good news.  I threw together some code under a new flag called
> --redirect-gateway that will do the routing smarts to redirect the default
> gateway into the tunnel, and undo its actions on tun/tap close.
>
> Keep in mind that there's no standard API for getting the current default
> gateway.  That means there's yet another #if block at the bottom of route.c
> for each platform's version of get_default_gateway().  I've only implemented
> for Linux and Windows so far.
>
> It will be out with beta13... If you are adventurous, the patch is already
> committed to the CVS, if you'd like to test or add support for other OSes
> besides Linux and Windows.

thanks!!! I'll try tomorrow.
I just made this small patch to your code to conform better to your coding
style:-)
-------------------------------------
--- ./route.c.lfarkas   2003-11-02 10:57:38.000000000 +0100
+++ ./route.c   2003-11-02 11:06:46.000000000 +0100
@@ -709,11 +709,12 @@
  * to get the current default gateway.
  */

-#if defined(WIN32)
-
 static bool
 get_default_gateway (in_addr_t *ret)
 {
+
+#if defined(WIN32)
+
   ULONG size = 0;
   DWORD status;

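Review bot: the first added line, the blank one directly after the opening `{` of get_default_gateway, puts an empty line between the brace and `#if defined(WIN32)`; drop it so the body starts with the directive. With the `#if` now inside the body, `ULONG size` and `DWORD status` are declared under the conditional, so a short comment at the top of the function saying that exactly one platform section is compiled, and that each section must keep its declarations first, would help whoever adds the next OS.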
@@ -747,14 +748,9 @@
            }
        }
     }
-  return false;
-}

 #elif defined(TARGET_LINUX)

-static bool
-get_default_gateway (in_addr_t *ret)
-{
   FILE *fp = fopen ("/proc/net/route", "r");
   if (fp)
     {
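Review bot: with `return false;` and `}` removed just above `#elif defined(TARGET_LINUX)`, the failure path of the WIN32 section is no longer visible where the section ends; it now relies on falling out of the nested blocks to a return further down in the file. A one-line comment before the `#elif`, for example that control falls through to the shared `return false;`, would keep that obvious, and the same applies at the end of the Linux section.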
@@ -794,15 +790,10 @@
        }
       fclose (fp);
     }
-  return false;
-}

 #else
+#endif

-static bool
-get_default_gateway (in_addr_t *ret)
-{
   return false;
 }

-#endif
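Review bot: the `#else` that is now immediately followed by the added `#endif` is an empty branch; drop the `#else` line and keep only `#endif` before the shared `return false;`. On a platform that is neither WIN32 nor TARGET_LINUX the body is then just `return false;` and `ret` is never written, which matches the old stub but deserves a comment saying the platform is not supported yet.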
-------------------------------------
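
The up-script workaround suggested in the thread (parse the routing table to recover the current default gateway) can be sketched for Linux as below. This is an added example, not part of the original messages and not OpenVPN's get_default_gateway(); the function name and the sample table are constructed, and the hex decoding assumes the table was printed on a little-endian host.

```c
#include <stdio.h>
#include <string.h>

enum { RTF_UP = 0x1, RTF_GATEWAY = 0x2 };  /* usable; next hop is a gateway */

/* Constructed sample in /proc/net/route layout as printed on a little-endian
 * host (192.168.1.254 appears as FE01A8C0). The tun0 default route has no
 * RTF_GATEWAY flag, like "route add default dev tun0", and must be skipped. */
static const char SAMPLE_ROUTES[] =
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "tun0\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t00000000\tFE01A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n";

/* Write the gateway of the lowest-metric default route (destination and mask
 * 0, flags UP|GATEWAY) to out as a dotted quad. Returns 1 if found, else 0. */
int default_gateway_from_text(const char *text, char *out, size_t outlen)
{
    unsigned long dest, gw, flags, mask, best_gw = 0;
    long metric, best_metric = -1;
    while (*text) {
        char line[256];
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n);           /* parse one line at a time so a */
        line[n] = '\0';                  /* short row cannot borrow fields */
        text += len + (text[len] == '\n');
        /* The header line does not convert to five fields and is ignored. */
        if (sscanf(line, "%*s %lx %lx %lx %*s %*s %ld %lx",
                   &dest, &gw, &flags, &metric, &mask) == 5
            && dest == 0 && mask == 0
            && (flags & (RTF_UP | RTF_GATEWAY)) == (RTF_UP | RTF_GATEWAY)
            && (best_metric < 0 || metric < best_metric)) {
            best_gw = gw;
            best_metric = metric;
        }
    }
    if (best_metric < 0)
        return 0;
    snprintf(out, outlen, "%lu.%lu.%lu.%lu", best_gw & 0xff,
             (best_gw >> 8) & 0xff, (best_gw >> 16) & 0xff, (best_gw >> 24) & 0xff);
    return 1;
}

int main(void)
{
    char gw[16];
    if (default_gateway_from_text(SAMPLE_ROUTES, gw, sizeof gw)) puts(gw);
    return 0;
}
```

The gateway has to be read before the default route is moved into the tunnel: afterwards the winning default entry is the tun/tap one, and the host route to the VPN server can no longer be derived from the table.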


