Hi Joe,

On Thu, Jul 24, 2014, at 10:47 AM, Joe Patterson wrote:
> I'm not entirely clear

Welcome to MY world ...

> what you're meaning by these preceding few lines.
> Do you have all 4 of these addresses on the external interface?

Yes.

ip -4 addr ls eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    inet S.S.S.S/24 brd S.S.S.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.16.0.1/24 brd 172.16.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.0.1/24 brd 10.10.0.255 scope global eth0
       valid_lft forever preferred_lft forever

> Since you're using multiple different RFC1918 ranges, then there's not
> really a single supernet that could be used for all of them.

Yep. Hence the reason I'm fussing ...

> That is indicative that you have all of those IP's present on the VPN
> server. Not that you *can't* do that, but any reason why?

There will be (a little after the aforementioned 'eventually') listeners on the server, listening at various of those IPs, accessible ONLY to their respective remote LANs' clients over the VPN -- AND I'll eventually be setting up DNAT & masq from/to the SERVER's external IP to/from the LAN_X_SERVERS.

> I've got an older bash script I used (before I started doing dynamic
> routing via ospf) for a client connect script that probably does what you
> want. It's kind of ugly, but functional:
>
> #!/bin/bash
> if [ "$script_type" = "client-connect" ]; then
(snip)
> exit 0

That gets invoked from the *main* openvpn config, right?

> If you add in something like "cat /etc/openvpn/ccd/$common_name > $1" to
> the end, you can remove the client-config-dir directive from your main
> config

Ah, so it replaces ccd/*

TBH, I appreciate the ccd/* metaphor. It's very clean and tidy. And very nicely portable. It'd ReallyNiceToHave(tm) the ability/option to "do it all", per client, in each client's ccd/*.
Still not sure if it's doable, and/or if it entails much more than a client-connect-script capability -- in effect, an "up script", in ccd/*.

> and just to give a bit of history on why *I* did this

Noted ...

> ospf

Know of it. Never used it. Think it's vast overkill for my need. Watch now -- I've jinxed it :-/

PG

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
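The client-connect mechanism discussed in the thread (script_type and common_name in the environment, per-client directives written to the temp file OpenVPN passes as $1, in place of client-config-dir), as an added shell example that is not Joe's snipped script and not part of the thread. CCD_DIR, cn_is_safe and emit_client_config are my own names, and the check on the certificate CN before it is joined onto a path is an assumption about what such a script should verify, not something the thread states.

```bash
#!/bin/bash
# Added example (not from the thread): a client-connect script in the
# shape Joe describes. OpenVPN runs it with $1 = path of a temp file whose
# contents are applied as that client's config directives, and exports
# script_type and common_name in the environment.
# Assumption: per-client files live in $CCD_DIR (default /etc/openvpn/ccd).

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# Return 0 only if the common name is a plain filename: not empty, not
# "." or "..", no "/", no leading "-", and only [A-Za-z0-9._@-].
# The CN comes from the client certificate, i.e. it is client-supplied
# data, so it is validated before being used as a path component.
cn_is_safe() {
    case "$1" in
        ''|.|..|*/*|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._@-]+$'
}

# Write the directives for one client (CN in $1) into the file in $2.
# Copies ccd/<cn> if it exists, like Joe's "cat ccd/$common_name > $1".
# Returns 0 on success (a missing ccd file is not an error: the client
# just gets the defaults) and 1 if the CN fails validation; a non-zero
# exit from a client-connect script makes OpenVPN refuse the connection.
emit_client_config() {
    cn="$1"; out="$2"
    cn_is_safe "$cn" || { echo "client-connect: rejecting CN '$cn'" >&2; return 1; }
    : > "$out"                      # start from an empty directive file
    if [ -f "$CCD_DIR/$cn" ]; then
        cat "$CCD_DIR/$cn" >> "$out"
    fi
    return 0
}

# Only act when OpenVPN invokes us as the client-connect hook.
if [ "$script_type" = "client-connect" ]; then
    emit_client_config "$common_name" "$1" || exit 1
fi
```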