Hi Dave,

>> Not "just one service".
>>
>> "just one target network", yes, but stuff like "but just for one
>> source IP and not all other PCs using that router" or "just one specific
>> port" *can* be done (unlike most other VPNs) but it's work, and needs deep
>> understanding of TCP/IP, routing, and "how to make it happen on Linux".
>>
>> It's not truly an OpenVPN question, as the decisions will have to
>> happen on the OS side.
>
> I didn't realize that other VPNs wouldn't be able to do it anyway!
>
> I get that getting it done requires routes. Or mostly routes. And that's
> "on the OS side".
>
Keep thinking of the OpenVPN setup as just 2 routers with a fixed Ethernet cable in between. That in reality the "Ethernet cable" is a VPN tunnel does not change the routing setup.

> At the same time SOME of those routes need to be communicated to the OS from
> inside of Openvpn's config.

Yup, but that is only because OpenVPN needs to know TOO where to drop stuff once it comes in. I usually handle that with iroute lines** in the client config file I have in the ccd directory. OpenVPN sees the iroute lines and makes sure the OS it is running on gets updated too. Having a config file per client in a separate directory is an easy way to keep track of what is where, for me, and is a standard way for OpenVPN.

So in my case I have a lot of networks and clients. The majority of the clients have no network behind them that needs to be reachable, so they have no iroute statements. Some have an iroute line like:

  iroute 172.16.17.0/24

This way the OpenVPN server knows that behind that client is a network and that all traffic for those ip-numbers needs to be sent to that client. That client will then handle the rest of the routing.

A second client has a

  iroute 172.16.18.0/4

config, so in the end my Linux box running OpenVPN has 2 extra routing rules:

  172.16.17.0/24 via 172.16.1.130 dev tun0
  172.16.18.0/24 via 172.16.1.130 dev tun0

where 172.16.1.130 is the ip number for OpenVPN itself on this box.

In the OpenVPN config I further have a line pushing the routing line for all the networks this server knows about, so all traffic from the clients destined for any of those ip-numbers will be sent here:

  push "route 172.16.0.0 255.255.0.0"

So at my main site I have a core router that knows how to reach any part of my network, either direct or via other routers. It is also the OpenVPN server and tells all clients to send all traffic for any 172.16.0.0/16 machine to that server unless they have a better way/route.
So in my setup a PC in a LAN behind client 1 can talk to any PC/host in the rest of my network, even a PC in a LAN behind client 2, because I have iroute lines in the client config for both clients.

X in the picture is 172.16 and I have NOT specified the internal ip numbers in the OpenVPN tunnel as they are NOT relevant to the routing between the LAN segments. (picture needs to be seen with fixed font)

So

PC1 (x.17.10) --- LAN --- OpenVPN Client (x.17.1) --- tunnel --- OpenVPN Server (x.16.1) --- tunnel --- OpenVPN Client (x.18.1) --- LAN --- PC2 (x.18.10)
                                                                            |
                                                                           LAN
                                                                            |
                                                                    other x.16.y PCs

> I'm here on this list because I'm hoping that I'm more likely to bump into
> people that think about routing across vpns, unlike other places (don't know
> even which yet) that don't have the vpn pieces in the process.

The VPN can be considered a "black box" except for where to put the relevant routing lines.

> If I'm understanding this so far, to do what I want is a limited # of static
> routes in a limited number of places.
> And that I can do that with Openvpn plus 'ip route'. Not needing any
> "dynamic routing" or more complicated tools like BGP, RIP, OSPF, Quagga etc.

I use a mix of OSPF via Quagga and static routes. Just use static routes when there are only a few connections and all go through the OpenVPN server. I have a setup where the OpenVPN link is just one of the links between sites.

> I'd really like to get enough understanding to make this work in & with
> Openvpn. So I'll stick with it for now.

Just ask for more examples when you do not understand something.

> Thanks!

You're welcome.

** I have always interpreted this for myself as OpenVPN saying: I route this for you, although it probably stands for internal routing ;-)

Bonno Bloksma
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
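The ccd/iroute/push layout Bonno describes can be checked mechanically. The script below is an added example, not code from the post or from the OpenVPN project: it parses constructed ccd file contents with OpenVPN's `iroute network [netmask]` syntax, derives the kernel routes the server box ends up with (in the `via 172.16.1.130 dev tun0` form shown above), and flags any iroute that the pushed 172.16.0.0/16 aggregate does not cover or that overlaps another client's network, which is what a mistyped netmask would produce. The client names and file contents are constructed.

```python
# Added example (not from the post or from OpenVPN): checks a ccd directory's
# iroute lines against the route the server pushes, and lists the kernel
# routes the OpenVPN box ends up with. Client names, file contents and the
# "dev tun0" format are constructed to match the numbers in the post.
import ipaddress

# Constructed ccd contents: one entry per client config file.
CCD = {
    "client1": "iroute 172.16.17.0 255.255.255.0\n",
    "client2": "iroute 172.16.18.0 255.255.255.0\n",
    "laptop": "",  # nothing behind it, so no iroute
}
PUSHED = ipaddress.ip_network("172.16.0.0/16")  # push "route 172.16.0.0 255.255.0.0"
SERVER_TUN_IP = "172.16.1.130"                  # OpenVPN's own address on tun0


def parse_iroutes(text):
    """Return the networks named by 'iroute network [netmask]' lines; the
    netmask defaults to a single host, as in OpenVPN's iroute syntax."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "iroute":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def check_ccd(ccd, pushed, server_ip):
    """Derive the server's kernel routes and flag iroutes that the pushed
    aggregate does not cover or that overlap another client's network."""
    routes, problems, seen = [], [], []
    for client, text in ccd.items():
        for net in parse_iroutes(text):
            if not net.subnet_of(pushed):
                problems.append(f"{client}: {net} not covered by pushed {pushed}")
            for other_client, other in seen:
                if net.overlaps(other):
                    problems.append(f"{client}: {net} overlaps {other} ({other_client})")
            seen.append((client, net))
            routes.append(f"{net} via {server_ip} dev tun0")
    return routes, problems


if __name__ == "__main__":
    routes, problems = check_ccd(CCD, PUSHED, SERVER_TUN_IP)
    print("\n".join(routes))
    print("\n".join(problems) or "no problems")
```

Point it at the real files by reading each entry in the ccd directory into the dict; a client whose iroute is wider than the pushed aggregate would attract traffic for every network under that mask, so the check is worth running whenever a ccd file changes.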