On Thu, Jul 24, 2014 at 1:17 PM, <pg0...@fastmail.fm> wrote:

>
> I will have a single SERVER.  It'll eventually have a config of:
>
>         @VPN_SERVER
>                 IP(eth0) = "S.S.S.S"       external/WAN intfc
>                          = 192.168.0.1
>                          = 172.16.0.1
>                          = 10.10.0.1
>

I'm not entirely clear what you mean by these preceding few lines.
Do you have all 4 of these addresses on the external interface?



>
> There will be servers on each client's LAN
>
>         @LAN_A_SERVER
>                 IP(eth0) = "192.168.1.100" external/LAN intfc
>
>         @LAN_B_SERVER
>                 IP(eth0) = "172.16.1.100"  external/LAN intfc
>
>         @LAN_C_SERVER
>                 IP(eth0) = "10.10.1.100"   external/LAN intfc
>
>
Since you're using multiple different RFC1918 ranges, then there's not
really a single supernet that could be used for all of them.


> As a nominal, 1st step, I want to make sure that I'll be able to:
>
>         @VPN_SERVER, ping -> LAN_A_SERVER[192.168.1.100]
>         @VPN_SERVER, ping -> LAN_B_SERVER[172.16.1.100]
>         @VPN_SERVER, ping -> LAN_C_SERVER[10.10.1.100]
>
> and
>
>         @LAN_A_SERVER, ping -> @VPN_SERVER[192.168.0.1]
>         @LAN_B_SERVER, ping -> @VPN_SERVER[172.16.0.1]
>         @LAN_C_SERVER, ping -> @VPN_SERVER[10.10.0.1]
>
>
That is indicative that you have all of those IPs present on the VPN
server.  Not that you *can't* do that, but any reason why?


>
>
> > ... horrible cringe-worthy kluge that should be avoided by all sane
> people ...
>
> so, I'm strangely drawn to that! ;-)
>
>
:)


> Though, for the sake of correctness, if not sanity, I'd like to hear a
> bit more re: approaches to doing THAT ^^ *AND* keeping config neat & tidy.
>
> PG
>
I've got an older bash script I used (before I started doing dynamic
routing via ospf) for a client connect script that probably does what you
want.  It's kind of ugly, but functional:

#!/bin/bash
# Pick the iproute2 verb from the hook OpenVPN is calling us for.
if [ "$script_type" = "client-connect" ]; then
        ACTION="replace"
elif [ "$script_type" = "client-disconnect" ]; then
        ACTION="delete"
else
        echo invalid script type.
        exit 1
fi
# Turn each "iroute network netmask" line in the client's ccd file into
# "network/netmask" and add/delete that route via the tunnel interface.
for route in `grep ^iroute /etc/openvpn/ccd/$common_name | tr " " / | cut -d "/" -f 2,3`; do
        ip route $ACTION $route dev $dev via $ifconfig_remote
done
exit 0



If you add in something like "cat /etc/openvpn/ccd/$common_name > $1" to
the end, you can remove the client-config-dir directive from your main
config, and if you also put something like '[ -r
/etc/openvpn/ccd/$common_name ] || exit 1' that would reasonably emulate
ccd-exclusive.  Just for information's sake, the reason that I have
ACTION="replace" as opposed to "add" there is that iproute2 treats replace
just like add if there isn't already a route there, but if there is an old
route hanging around for some reason, then "add" will fail.

And just to give a bit of history on why *I* did this, I had two instances
of openvpn running, one listening on udp and the other on tcp, because some
clients ended up behind firewalls that didn't seem to like long udp
sessions.  This is how I managed to add the routes for the client's remote
subnet to whichever instance of openvpn the client happened to connect to.
Later, when I moved to using multiple openvpn servers in multiple
locations, I used a similar script to inject routes into ospf so that the
routes would follow the client wherever the client connected to.

-Joe
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
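The hook Joe describes, with the two additions he suggests (the `[ -r ... ] || exit 1` check that emulates ccd-exclusive and writing the ccd contents to `$1` so client-config-dir can be dropped) folded in, as an added example that is not Joe's script or OpenVPN project code. `CCD_DIR`, `DRY_RUN`, the `demo` function and its sample ccd file are assumptions made here; the environment variables `script_type`, `common_name`, `dev` and `ifconfig_remote` are the ones OpenVPN exports to connect/disconnect scripts.

```shell
#!/bin/sh
# Added example, not Joe's script: OpenVPN connect/disconnect hook that builds
# "ip route" commands from the client's iroute lines, emulates ccd-exclusive and
# hands the ccd contents to OpenVPN via $1. CCD_DIR and DRY_RUN are assumptions.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
# Map $script_type to an iproute2 verb: "replace" acts like "add" when no route
# exists but does not fail on a stale leftover route.
route_action() {
    case "$1" in
        client-connect)    echo replace ;;
        client-disconnect) echo delete ;;
        *)                 return 1 ;;
    esac
}
# Read a ccd file on stdin, print "network/netmask" per iroute line. A missing
# netmask means a host route; non-dotted-quad values are skipped, not passed on.
iroute_prefixes() {
    while read -r kw net mask _rest; do
        [ "$kw" = iroute ] || continue
        : "${mask:=255.255.255.255}"
        case "$net$mask" in
            *[!0-9.]*) echo "skipping malformed iroute line: $net $mask" >&2 ;;
            *)         printf '%s/%s\n' "$net" "$mask" ;;
        esac
    done
}
# OpenVPN exports script_type, common_name, dev and ifconfig_remote; on connect,
# $1 is the file it reads dynamic client config from. DRY_RUN=1 prints commands.
main() {
    action=$(route_action "$script_type") || { echo "invalid script type" >&2; return 1; }
    case "$common_name" in */*|.*|'') return 1 ;; esac   # stay inside CCD_DIR
    ccd="$CCD_DIR/$common_name"
    [ -r "$ccd" ] || return 1                # no ccd file: reject, like ccd-exclusive
    if [ "$script_type" = client-connect ]; then
        cat "$ccd" > "$1"                    # replaces the client-config-dir directive
    fi
    for prefix in $(iroute_prefixes < "$ccd"); do
        ${DRY_RUN:+echo} ip route "$action" "$prefix" dev "$dev" via "$ifconfig_remote"
    done
}
# Constructed demo: a ccd file for client "lan_a" in a temp dir, then a dry run
# of the connect hook that prints the commands it would have executed.
demo() {
    CCD_DIR=$(mktemp -d)
    printf 'iroute 192.168.1.0 255.255.255.0\niroute 192.168.1.100\n' > "$CCD_DIR/lan_a"
    script_type=client-connect common_name=lan_a dev=tun0 ifconfig_remote=10.8.0.2 DRY_RUN=1 main "$CCD_DIR/dynamic.conf"
    rm -rf "$CCD_DIR"
}
if [ -n "${script_type:-}" ]; then main "$@"; fi   # act only when OpenVPN calls us
```

Point `client-connect` and `client-disconnect` in the server config at this file; with `DRY_RUN=1` in the environment it only prints what it would run, which is the easiest way to check a ccd file before trusting it.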