Hi Bonno

Wow. Lots to think about.  Once I get this all done, I'm thinking a wiki page 
contribution, "by noob, for noob" will be in order!

On 08/01/2014 01:35 PM, Bonno Bloksma wrote:
> Keep thinking of the OpenVPN setup as just 2 routers with a fixed Ethernet 
> cable in between.
> That in reality the "ethernet cable" is a VPN tunnel does not change the 
> routing setup.

I guess that might be some of my problem.

I've been thinking of it as 2 wires, not 1  (I like to think with diagrams ...)

                        /-- eth1 -- internet -- ext1 --\
        eth0 -- Loc1 --|                               | -- Loc2 -- eth0 -- lan -- eth0 -- SvcX
              (server)  \-- tun1 ----- vpn ---- tun1 --/  (client)

and that traffic can flow any number of ways, over different routes.  And my job 
is to tell it all when to travel over which wire.

For example, this

        SvcX:eth0 --> Loc2:eth0 --> Loc2:eth1 -> internet

versus

        SvcX:eth0 --> Loc2:eth0 --> Loc2:tun1 -> vpn -> Loc1:tun1 -> Loc1:eth1 -> internet

and, of course, 'backwards' for both.

> Yup, but that is only because OpenVPN needs to know TOO where to drop stuff 
> once it comes in.

So Openvpn is not CREATING those routes?  We're just telling it about EXISTING 
routes that have to have already been set up on each involved box/OS?

> I usually handle that with iroute lines** in the client config file I have in 
> the ccd directory. OpenVPN 
> sees the iroute lines and makes sure the OS it is running on gets updates 
> too. Having a config file per 
> client in a separate directory is an easy way to keep track of what is where, 
> for me, and is a standard 
> way for OpenVPN.

So breaking this down piece by piece, to do THAT^ I need related entries in all 
of these

        Loc1
                /etc/openvpn/loc2.server.conf
                /etc/openvpn/ccd/loc1.client.conf
                /etc/sysconfig/network/ifroute-eth1
                /etc/sysconfig/network/ifroute-eth0

        Loc2
                /etc/sysconfig/network/ifroute-eth1
                /etc/sysconfig/network/ifroute-eth0

making sure that the openvpn config data matches what's on the OS in the 
ifroute-* stuff.

Is that right?

I guess I could put the 'ip route add ...' commands in Openvpn up/down scripts. 
 Don't yet know if that's better than the ifroute-*.

> The majority of the clients have no network behind them that need to be 
> reachable, so they have no
> iroute statements.

Both ends of mine have lans.

> Some have an iroute line like: iroute 172.16.17.0/24

> This way the OpenVPN servers knows that behind that client is a network and 
> that all traffic for those 
> ip-numbers needs to be sent to that client. That client will then handle the 
> rest of the routing.

"handle the rest" means -- Openvpn config will handle it?  IIUC --> no.  The OS 
configs will.  Right?

> A second client has a iroute 172.16.18.0/4 config so in the end my Linux box 
> running OpenVPN has 2 extra routing rules
> 172.16.17.0/24 via 172.16.1.130 dev tun0
> 172.16.18.0/24 via 172.16.1.130 dev tun0
> Where 172.16.1.130 is the ip number for OpenVPN itself on this box.

Ok. Not the IP of the tun interface.  But the box's IP that Openvpn is 
listening on, specified in 'local XXX' in the config.

> In the OpenVPN config I further have a line pushing the routing line for all 
> the networks this server knows about so all traffic from the clients destined 
> for any of those ip-numbers will be sent here.
...
> So at my main site I have a core router that knows how to reach any part of 
> my network, either direct or via other routers. It is also OpenVPN server and 
> tells all clients to send all traffic
> for any 172.16.0.0/16 machine to that server unless they have a better 
> way/route.

This I think is the meat of it -- the conditional use this/that "wire" logic.  
And where I'm having the difficulty understanding.


> So PC1 (x.17.10) --- LAN --- OpenVPN Client (x.17.1) --- tunnel --- OpenVPN Server (x.16.1) --- tunnel --- OpenVPN Client (x.18.1)  --- LAN --- PC2 (x.18.10)
>                                                                             |
>                                                                            LAN
>                                                                             |
>                                                                     other x.16.y PCs

IIUC, part of that

        PC1 (x.17.10) --- LAN --- OpenVPN Client (x.17.1) --- tunnel --- OpenVPN Server (x.16.1)
                                                                                   |
                                                                                  LAN
                                                                                   |
                                                                           other x.16.y PCs

is basically the same as what I'm trying to do

                        /-- eth1 -- internet -- ext1 --\
        eth0 -- Loc1 --|                               | -- Loc2 -- eth0 -- lan -- eth0 -- SvcX
              (server)  \-- tun1 ----- vpn ---- tun1 --/  (client)



> The VPN can be considered a "black box" except for where to put the relevant 
> routing lines.
...
> I use a mix of OSPF via Quagga

Don't need that IIUC.

> and static routes. Just use static routes when there are only a few 
> connections and all go through the OpenVPN server. I have a setup where the 
> OpenVPN link is just one of the links between sites.

Where/how are you setting up your OS static routes?  Are those routes set up 
and in existence before OpenVPN is started, via OS's network config files?

Or are you using your Openvpn init/systemd startup, or Openvpn's up/down 
scripts, to define them?

Thanks for the great explanations so far!

Dave
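As an added example (not code from this thread, and not part of OpenVPN itself): a small Python check for the "openvpn config data matches" question above. It assumes server.conf carries a `route net mask` line for each LAN behind a client and that each ccd/ file, named after the client's CN, holds that client's `iroute` lines; the `net/bits` spelling is accepted too because the thread writes it that way, while `net mask` is the form the OpenVPN manual documents. Sample configs are constructed for the demo; the script does not look at the OS ifroute-* files.

```python
import ipaddress
from collections import defaultdict

def parse_net(args):
    """['net', 'mask'] or ['net/bits'] -> IPv4Network; a bare address is a host route."""
    if len(args) == 1 and "/" in args[0]:
        return ipaddress.ip_network(args[0], strict=False)
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)

def parse_directives(text, keyword):
    """Networks named by every '<keyword> net [mask]' line; '#'/';' lines are comments."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == keyword:
            nets.append(parse_net(parts[1:3]))
    return nets

def check_routes(server_conf, ccd_files):
    """ccd_files maps client CN (the ccd file name) to its contents; returns findings."""
    routes = set(parse_directives(server_conf, "route"))
    owners = defaultdict(list)                  # network -> clients whose ccd iroutes it
    for cn, text in ccd_files.items():
        for net in parse_directives(text, "iroute"):
            owners[net].append(cn)
    findings = []
    for net, cns in owners.items():
        if len(cns) > 1:                        # two clients claiming one LAN: ambiguous
            findings.append(f"{net}: iroute in several ccd files ({', '.join(cns)})")
        if net not in routes:                   # kernel never hands these packets to tun
            findings.append(f"{net}: iroute in ccd/{cns[0]} but no 'route' in server.conf")
    for net in sorted(routes - set(owners)):    # OpenVPN has no client to deliver these to
        findings.append(f"{net}: 'route' in server.conf but no ccd file has an iroute for it")
    return findings

# Constructed sample configs (not from any real site), in the shape the thread describes.
SERVER_CONF = """\
route 172.16.17.0 255.255.255.0
route 172.16.18.0 255.255.255.0
route 172.16.19.0 255.255.255.0
push "route 172.16.0.0 255.255.0.0"
"""
CCD = {
    "loc2-client":  "iroute 172.16.17.0 255.255.255.0\n",
    "dup-client":   "iroute 172.16.17.0 255.255.255.0\n",   # same LAN claimed twice
    "other-client": "iroute 172.16.18.0/24\niroute 172.16.20.0 255.255.255.0\n",
}

def check_sample():
    """Runs the check over the constructed configs above."""
    return check_routes(SERVER_CONF, CCD)
```

Each finding is a case where traffic silently goes nowhere: a LAN with no `route` never reaches the tun device, and a LAN with no (or an ambiguous) `iroute` is dropped inside OpenVPN because no client is allowed to own it.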

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users