If I'm understanding you correctly, I think I know the problem: "route"
statements cannot go in a ccd (or, more accurately, they don't do anything
if they're there), because route statements are injecting routes into the
OS routing table, which is only done on start-up (and in the case of
running openvpn un-privileged, only *can* be done at startup before
dropping root privs).

There are two ways to get around this. First, and generally best, is to
put all the "route" statements that you expect to need in the main config.
Second, you *could* put routing commands in a client-connect script (I do
something similar to this to inject client routes into quagga).

-Joe
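
The second option above, worked through as an added example (this is not Joe's script and not OpenVPN project code): a hook that is wired in with the server's `client-connect` and `client-disconnect` directives (which require `script-security 2`) and, for the connecting client, installs in the OS routing table the same subnets the client's ccd file already declares with `iroute`, then removes them on disconnect. It assumes the ccd directory path in `CCD_DIR`, that the ccd file is named after the client's `common_name`, that the hook runs with enough privilege to edit routes (root or CAP_NET_ADMIN), and a hypothetical `DRY_RUN` switch that prints the `ip route` commands instead of running them. OpenVPN sets `script_type`, `common_name` and `dev` in the environment when it calls the hook.

```shell
#!/bin/sh
# client-connect / client-disconnect hook (added example, not OpenVPN code).
# Mirrors each "iroute <net> <mask>" line of the client's ccd file into the
# kernel routing table so the OS knows the subnet lives behind the tun device.
# Assumptions: CCD_DIR is the client-config-dir, the ccd file name equals the
# client's common_name, and DRY_RUN (hypothetical) makes the hook print only.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# Print "network netmask" for every iroute line in the client's ccd file.
# iroute without a netmask means a single host (255.255.255.255).
ccd_iroutes() {
    f="$CCD_DIR/$1"
    [ -r "$f" ] || return 1
    awk '$1 == "iroute" && NF >= 2 { print $2, ($3 ? $3 : "255.255.255.255") }' "$f"
}

# Convert a dotted netmask to a prefix length; reject non-contiguous masks.
# Runs in a subshell so the IFS change does not leak into the caller.
mask_to_prefix() (
    n=0
    seen_gap=0
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Once a partial octet appeared, everything after it must be 0.
        if [ "$seen_gap" -eq 1 ] && [ "$o" != 0 ]; then return 1; fi
        case $o in
            255) n=$((n + 8)) ;;
            254) n=$((n + 7)); seen_gap=1 ;;
            252) n=$((n + 6)); seen_gap=1 ;;
            248) n=$((n + 5)); seen_gap=1 ;;
            240) n=$((n + 4)); seen_gap=1 ;;
            224) n=$((n + 3)); seen_gap=1 ;;
            192) n=$((n + 2)); seen_gap=1 ;;
            128) n=$((n + 1)); seen_gap=1 ;;
            0)   seen_gap=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$n"
)

# Add or delete the OS routes for one client.
# $1 = add|del, $2 = common_name, $3 = tun device name (OpenVPN's $dev)
client_routes() {
    action="$1"
    cn="$2"
    dev="$3"
    case "$action" in add|del) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    # common_name becomes a path component: refuse anything that could
    # escape the ccd directory, even though OpenVPN sanitizes names itself.
    case "$cn" in ""|*/*|*..*) echo "refusing common_name '$cn'" >&2; return 1 ;; esac
    ccd_iroutes "$cn" | while read -r net mask; do
        plen=$(mask_to_prefix "$mask") || { echo "skipping bad mask $mask for $cn" >&2; continue; }
        cmd="ip route $action $net/$plen dev $dev"
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
    done
}

# Entry point when OpenVPN invokes the hook; script_type tells us which event.
case "${script_type:-}" in
    client-connect)    client_routes add "$common_name" "$dev" ;;
    client-disconnect) client_routes del "$common_name" "$dev" ;;
esac
```

With the ccd file from the question (`iroute 192.168.1.0 255.255.255.0`), a connect from that client yields `ip route add 192.168.1.0/24 dev tun1`, and the disconnect the matching `del`. Two practical points: OpenVPN rejects the client if a client-connect script exits non-zero, so a route that already exists (for instance left over from a crash) will fail the `add` and bounce the client unless the hook tolerates it; and the `push "route ..."` half of the client-specific config does belong in the ccd file, since that is sent to the client rather than applied to the server's routing table.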


On Thu, Jul 24, 2014 at 9:57 AM, <pg0...@fastmail.fm> wrote:

> I have three machines: a 'vpn server' & a 'vpn client' are both running
> OpenVPN 2.3_git [git:master/a4b8f653ee5be9c2]; a 'lan server' sits on the
> client-side LAN behind the 'vpn client'.  'vpn server' & 'vpn client' are
> connected via VPN over a UDP connection.
>
>
> I.e.,
>
>         @VPN_SERVER
>                 IP(eth0) = "S.S.S.S"       external/WAN intfc
>                          = 192.168.0.1
>                 IP(tun1) = 10.0.0.1        vpn tunnel   endpoint
>
>         @VPN_CLIENT
>                 IP(eth0) = "C.C.C.C"       external/WAN intfc
>                 IP(eth1) = 192.168.1.1     internal/LAN intfc
>                 IP(tun1) = 10.0.0.2        vpn tunnel   endpoint
>
>         @ LAN_SERVER
>                 IP(eth0) = "192.168.1.10"  external/WAN intfc
>
>
> With @SERVER configs of
>
>         /etc/openvpn/server.conf
>                 ...
>                 mode server
>                 server        10.0.0.0   255.255.255.0
>                 topology subnet
>
>                 ccd-exclusive
>                 client-config-dir ccd/
>                 client-to-client
>
>                 push "route   192.168.0.0 255.255.255.0"
>                 route         192.168.1.0 255.255.255.0
>                 push "route   192.168.1.0 255.255.255.0"
>
>         /etc/openvpn/ccd/client1.conf
>                 ...
>                 ifconfig-push 10.0.0.2   255.255.255.0
>                 iroute        192.168.1.0 255.255.255.0
>
> Once the tunnel's up, I can ping both directions all four cases,
>
>         @VPN_SERVER, ping -> VPN_CLIENT[192.168.1.1]    OK
>         @VPN_SERVER, ping -> LAN_SERVER[192.168.1.10]   OK
>         @VPN_CLIENT, ping -> VPN_SERVER[192.168.0.1]    OK
>         @LAN_SERVER, ping -> VPN_SERVER[192.168.0.1]    OK
>
> But if I move all "client-specific" route config out of the main server
> config to the ccd/client config, i.e.
>
>         /etc/openvpn/server.conf
>                 mode server
>                 server        10.0.0.0   255.255.255.0
>                 topology subnet
>
>                 ccd-exclusive
>                 client-config-dir ccd/
>                 client-to-client
>
>                 push "route   192.168.0.0 255.255.255.0"
>
>         /etc/openvpn/ccd/client1.conf
>                 ifconfig-push 10.0.0.2   255.255.255.0
>                 iroute        192.168.1.0 255.255.255.0
> +               route         192.168.1.0 255.255.255.0
> +               push "route   192.168.1.0 255.255.255.0"
>
> and reestablish the tunnel, only one of those PINGs now works
>
>         @VPN_SERVER, ping -> VPN_CLIENT[192.168.1.1]    FAIL
>         @VPN_SERVER, ping -> LAN_SERVER[192.168.1.10]   FAIL
>         @VPN_CLIENT, ping -> VPN_SERVER[192.168.0.1]    OK
>         @LAN_SERVER, ping -> VPN_SERVER[192.168.0.1]    FAIL
>
> It makes sense to me to be able to consolidate ALL client-specific info in
> client-specific config files.
>
> But, does SOME client-specific config HAVE to go in the main server config?
>
> Or does the above config need to change (aka, be fixed) when I consolidate?
>
> PG
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>