First off, main doesn't necessarily have to get messy.  If you have a bunch
of clients connecting, all with subnets behind them, and you can't get to
those subnets without the VPN connection being up, then most likely the
most effective thing to do is to find a supernet that encompasses all of
the clients, and have that in your "route" statement.  Like if all of your
clients have subnets behind them in the 192.168.x.x range, you could do
"route 192.168.0.0 255.255.0.0" (and since, with routing, longest prefix
always takes precedence, that won't mess up any local routes to
192.168.x.x/24 or such).  The only time it would be a problem is if there
are 192.168.x.x subnets that are being routed to via the default route.  To
give a little bit better description of what's going on there, the "route"
statement (which can only be in the main config) sends all of 192.168.x.x
to openvpn, and then the "iroute" statements (which can be in the ccd
files) tell openvpn which specific client tunnel to send the traffic to.

But, if for some reason you can't or really don't want to do that, then
yes, the "client-connect" directive goes in the main config, but it's a
single script that runs whenever a client connects and can do different
things depending on the client.  If you really wanted to cut down on the
number of directives in your main config, you can use the client-connect
directive to entirely replace the ccd directive, and simply have the
client-connect script write a ccd file to $1 when it's done.  My script
will be different from yours because A) I'm doing different things and B)
because it's possible, perhaps even likely, that what I'm doing is a
horrible cringe-worthy kluge that should be avoided by all sane people, but
for reference, the part of mine that handles injecting routes looks like
this (mine's in Perl):

    use strict;
    use warnings;

    # Read this client's ccd file; OpenVPN passes the common name in the environment.
    open (CCD, "<", "/etc/openvpn/ccd/$ENV{common_name}") || die "Problem opening ccd\n";
    while (<CCD>) {
        if (/iroute/) {
            # "iroute <net> <mask>": add a static route toward the client's tunnel address
            my ($iroute, $net, $mask) = split();
            system("vtysh -c 'conf t' -c 'ip route $net $mask $ENV{ifconfig_remote}'");
        }
    }
    close(CCD);



On Thu, Jul 24, 2014 at 12:28 PM, <pg0...@fastmail.fm> wrote:

> Hi Joe,
>
> On Thu, Jul 24, 2014, at 07:31 AM, Joe Patterson wrote:
> > If I'm understanding you correctly, I think I know the problem:  "route"
> > statements cannot go in a ccd (or, more accurately, they don't do anything
> > if they're there), because route statements are injecting routes into the
> > OS routing table, which is only done on start-up (and in the case of
> > running openvpn un-privileged, only *can* be done at startup before
> > dropping root privs)
>
> Well, that certainly explains the behavior I'm seeing!
>
> > There are two ways to get around this.  First, and generally best, is to
> > put all the "route" statements that you expect to need in the main config.
> > Second, you *could* put routing commands in a client-connect script (I do
> > something similar to this to inject client routes into quagga)
>
> My main's gonna get messy ... so a client-connect script seems the option
> I'll take.
>
> I'm reading docs
>
> --client-connect script
>     Run script on client connection. The script is passed the common name
> and IP address of the just-authenticated client as environmental variables
> (see environmental variable section below). The script is also passed the
> pathname of a not-yet-created temporary file as $1 (i.e. the first command
> line argument), to be used by the script to pass dynamically generated
> config file directives back to OpenVPN.
>
> and that seems clear.  What I'm missing is -- does THAT ^^ need to be
> invoked in the main config?  OR can/does it go in the server's
> ccd/clientN.conf?
>
> The latter keeps things neat(est).  The latter, 'messes up' my main again
> -- though not as much as the 'raw' routes would.
>
> PG
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
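The "client-connect replaces ccd" approach from the reply above, as an added example that is not code from either poster: the hook reads the client's ccd-style file, keeps only well-formed iroute lines, and hands them back to OpenVPN through the dynamic config file in $1. CCD_DIR, the function names and the character set accepted in a common name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original posts. A client-connect hook that
# copies the "iroute" lines of the client's ccd-style file into the dynamic
# config file OpenVPN passes as $1, so the hook can stand in for the "ccd"
# directive. CCD_DIR and the accepted common-name characters are assumptions.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# $common_name comes from the client's certificate. Refuse anything that could
# escape CCD_DIR (empty, slashes, "..") or that uses an unexpected character.
valid_name() {
    case "$1" in ''|*/*|*..*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.@-]+$'
}

# Dotted-quad check with each octet in 0-255, used for both net and mask.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# iroutes_from_ccd CCD_FILE OUT_FILE: copy each well-formed "iroute NET [MASK]"
# line to OUT_FILE (a missing mask defaults to a host route, as OpenVPN does),
# skip comments and malformed lines, succeed only if at least one was written.
iroutes_from_ccd() {
    ccd_file=$1 out_file=$2 count=0
    [ -r "$ccd_file" ] || return 1
    : > "$out_file"
    while read -r directive net mask rest; do
        [ "$directive" = iroute ] || continue
        mask=${mask:-255.255.255.255}
        if valid_ipv4 "$net" && valid_ipv4 "$mask" && [ -z "$rest" ]; then
            printf 'iroute %s %s\n' "$net" "$mask" >> "$out_file"
            count=$((count + 1))
        else
            echo "client-connect: ignoring malformed line in $ccd_file: $directive $net $mask $rest" >&2
        fi
    done < "$ccd_file"
    [ "$count" -gt 0 ]
}

# Hook entry point: a bad name or no usable iroute fails the hook, and a
# non-zero exit from client-connect makes OpenVPN reject the connection.
main() {
    valid_name "$common_name" || { echo "client-connect: bad common_name" >&2; return 1; }
    iroutes_from_ccd "$CCD_DIR/$common_name" "$1"
}

# Act as the hook only when OpenVPN has set common_name; otherwise the functions above can be sourced and exercised on their own.
if [ -n "${common_name:-}" ]; then main "$@" || exit 1; fi
```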