If I'm understanding what you're trying to do, it falls into that lovely
category of either trivial or impossible.  If 1.2.3.4 is the un-nat'd IP
that the client is connecting from, then, as I understand it, it's nearly
impossible because if you route packets to the client IP over the tunnel,
then when you need to send the encapsulated packets, they'll try and go
down the tunnel too (you *could* do it with policy-based routing wherein
you specifically route the openvpn packets outside of the tunnel, but
that's a pain to do).  If, on the other hand, the client is behind a NAT,
or if it's connecting to the server via a different interface than eth0,
then it's pretty easy.  On the server, add "route 1.2.3.4 255.255.255.255",
and you add a client-config-dir and in it have a file with the name of the
client cn containing "iroute 1.2.3.4 255.255.255.255" (you could do the
same with a client-connect script, but I find the ccd simpler).

The route command routes the packets from the OS to openvpn, and the iroute
tells openvpn which tunnel to send those packets to.

(on a side note, the filenames of your certificate and key are the same on
both the client and the server, are the files themselves the same, or did
you just name them the same?)

Thanks,

-Joe


On Mon, Dec 30, 2013 at 12:43 PM, Jordan Hayes <[email protected]> wrote:

> I have a simple Linux OpenVPN client with the following interfaces:
>
> eth0    1.2.3.4
> tun0    10.0.0.5
>
> The server side of the tunnel is 10.0.0.1 ...
>
> From the client, I can ping the server:
>
> % ping -c 3 10.0.0.1
> PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
> 64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=52.9 ms
> 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=32.0 ms
> 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=38.0 ms
>
> If however, I set the source address to the external interface, I can't:
>
> % ping -I 1.2.3.4 -c 3 10.0.0.1
> PING 10.0.0.1 (10.0.0.1) from 1.2.3.4 : 56(84) bytes of data.
>
> --- 10.0.0.1 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
>
> I believe this is a feature :-)
>
> I've read about --iroute and --route, but it's still pretty opaque to me
> ...
>
> What would I have to add to my configs to allow this to work as
> intended?
>
> I don't need packets that *arrive* on eth0 to be routed to the tunnel,
> just the ones that are locally bound on the client machine (if that
> makes a difference).
>
> Thanks,
>
> /jordan
>
>
> ps: dead-simple client config
> ---
> client
> dev tun
> proto udp
> remote <host> <port>
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> user nobody
> group nobody
> ca server-ca.crt
> cert server.crt
> key server.key
> ns-cert-type server
> tls-auth server-ta.key 1
> comp-lzo
> verb 3
> ---
>
> server config
> ---
> port <port>
> proto udp
> dev tun
> ca server-ca.crt
> cert server.crt
> key server.key
> dh dh2048.pem
> server 10.0.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> keepalive 10 120
> tls-auth server-ta.key 0
> comp-lzo
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
> ---
>
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> Openvpn-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
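
Added example, not part of the original thread: a shell check that every `iroute` in a client-config-dir has a matching `route` in the server config, which is the pairing the reply describes. The temporary paths, the client names client1/client2 and the address 192.0.2.7 are constructed for the demo.

```shell
#!/bin/sh
# Added example: cross-check OpenVPN "route" lines (server config) against
# "iroute" lines (per-client files in the client-config-dir).

# Print "net mask" for each use of a directive in a config file.
# OpenVPN defaults the netmask to 255.255.255.255 when it is omitted.
directives() {  # $1 = directive name, $2 = file
    awk -v d="$1" '$1 == d {
        m = ($3 == "" || $3 ~ /^[#;]/) ? "255.255.255.255" : $3
        print $2, m
    }' "$2"
}

# Print "<client-cn> <net> <mask>" for every iroute that has no identical
# route in the server config. Without the route, the server's kernel never
# hands packets for that address to openvpn, so the iroute has no effect.
unmatched_iroutes() {  # $1 = server config, $2 = ccd directory
    conf=$1; ccd=$2
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        directives iroute "$f" | while read -r net mask; do
            directives route "$conf" | grep -qxF "$net $mask" ||
                echo "$(basename "$f") $net $mask"
        done
    done
}

# Constructed demo: client1 is configured as in the reply; client2 has an
# iroute but the server config has no route for it.
demo=$(mktemp -d)
mkdir "$demo/ccd"
cat > "$demo/server.conf" <<'EOF'
server 10.0.0.0 255.255.255.0
client-config-dir ccd
route 1.2.3.4 255.255.255.255
EOF
echo 'iroute 1.2.3.4 255.255.255.255' > "$demo/ccd/client1"
echo 'iroute 192.0.2.7' > "$demo/ccd/client2"

unmatched_iroutes "$demo/server.conf" "$demo/ccd"
```

Each file in the ccd directory is named after a client certificate's CN, so the first column of the output identifies which client's entry needs a server-side `route`.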