Hello,

We are using OpenVPN 2.5.2 on CentOS 8.

The setup is using split tunnel for all users, without NAT: remote clients are assigned a static IPv4 and a static IPv6 address which are used directly (without NAT) to access all of our organization network. The rest of their traffic is routed through their ISPs:

   client-config-dir ccd
   ccd-exclusive

   # section 1

   push "route <dns_server1_ipv4> 255.255.255.255 vpn_gateway"
   push "route <dns_server2_ipv4> 255.255.255.255 vpn_gateway"
   push "route-ipv6 <dns_server1_ipv6>/128 2001:648:xxxx:yyyy::1"
   push "route-ipv6 <dns_server2_ipv6>/128 2001:648:xxxx:yyyy::1"

   # section 2
   push "route <network_1> 255.255.255.0 10.201.32.1"
   push "route <network_2> 255.255.255.0 10.201.32.1"
   push "route <network_3> 255.255.255.0 10.201.32.1"
   push "route <network_4> 255.255.255.0 10.201.32.1"
   ...
   push "route <network_N> 255.255.255.0 10.201.32.1"
   push "route 10.201.0.0 255.255.0.0 10.201.32.1"
   push "route 10.202.0.0 255.255.0.0 10.201.32.1"
   push "route-ipv6 2001:648:zzzz::/48 2001:648:aaaa:bbbb::1"

   # section 3
   push "dhcp-option DNS <dns_server1_ipv6>"
   push "dhcp-option DNS <dns_server2_ipv6>"
   push "dhcp-option DNS <dns_server1_ipv4>"
   push "dhcp-option DNS <dns_server2_ipv4>"
   push "register-dns"
   push "block-outside-dns"

So, for most users, each ccd file is like:

   ifconfig-push 10.201.32.200 255.255.252.0
   ifconfig-ipv6-push 2001:648:iiii:jjjj::200/64 2001:648:iiii:jjjj::1

However, for particular users/remote clients we don't want to push all routes of Section 2 above but only a few of them.

For those users, the ccd file becomes like:

   ifconfig-push 10.201.32.200 255.255.252.0
   ifconfig-ipv6-push 2001:648:iiii:jjjj::200/64 2001:648:iiii:jjjj::1

   push-remove "route <network_1> 255.255.255.224 10.201.32.1"
   push-remove "route <network_2> 255.255.255.224 10.201.32.1"
   push-remove "route <network_3> 255.255.255.224 10.201.32.1"
   push-remove "route <network_4> 255.255.255.224 10.201.32.1"
   ...
   push-remove "route <network_N> 255.255.255.224 10.201.32.1"
   push-remove "route-ipv6 2001:648:zzzz::/48 2001:648:aaaa:bbbb::1"

   push "route 10.201.80.200 255.255.255.255 10.201.32.1"

My question: Is there an easy way to avoid all these push-remove statements and remove all pre-defined (in server config) routes? In this case we would have to push Section 1 and Section 3 and any ad hoc routes.

Or: Is there a way to define {named_sets of push rules} in the server config which we can call as such (i.e. {named_sets}) in the ccd files? This would be very handy. For example, the ccd file would then become:

   ifconfig-push 10.201.32.200 255.255.252.0
   ifconfig-ipv6-push 2001:648:iiii:jjjj::200/64 2001:648:iiii:jjjj::1

   push {named_set_1}
   ...
   push {named_set_N}

Any alternative/additional suggestion(s) would be appreciated!

Thanks in advance,
Nick
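
One way to get the "named set" workflow described above, as an added example that is not part of the post or of the OpenVPN project: keep the sets in a small generator script and expand them into each ccd file. The generated files start with push-reset (which drops the push list inherited from the server config) and then push only the chosen sets plus any ad hoc routes, so no push-remove lines are needed. The script also includes a simulator of how OpenVPN applies push-reset, push-remove (prefix match against the pushed option text) and push, in ccd-file order, so an admin can preview a client's effective push list before reloading the server. All addresses, set names, client names and the subnet masks below are constructed assumptions.

```python
"""Generate per-client OpenVPN ccd files from named route sets and preview
the push list a client would end up with.

Added example, not from the post or the OpenVPN project.  All addresses, set
names and client names are constructed.  The simulator models three ccd
directives as OpenVPN 2.5 implements them: push-reset clears the push list
inherited from the server config, push-remove drops every pushed option whose
text begins with the given string (prefix match), push appends.  Directives
are applied in the order they appear in the ccd file.
"""
import shlex
from pathlib import Path

# Push list from the global server config (constructed sample values).
SERVER_PUSH = [
    "route 198.51.100.10 255.255.255.255 vpn_gateway",   # dns_server1 (constructed)
    "route 198.51.100.11 255.255.255.255 vpn_gateway",   # dns_server2 (constructed)
    "route 10.201.40.0 255.255.255.0 10.201.32.1",       # network_1 (constructed)
    "route 10.201.41.0 255.255.255.0 10.201.32.1",       # network_2 (constructed)
    "route 10.201.0.0 255.255.0.0 10.201.32.1",
    "route-ipv6 2001:db8:1::/48 2001:db8:ffff::1",       # constructed prefix
    "dhcp-option DNS 198.51.100.10",
    "dhcp-option DNS 198.51.100.11",
    "block-outside-dns",
]

# The {named_set} idea: sets live here and are expanded when a ccd file is written.
NAMED_SETS = {
    "dns": [
        "route 198.51.100.10 255.255.255.255 vpn_gateway",
        "route 198.51.100.11 255.255.255.255 vpn_gateway",
        "dhcp-option DNS 198.51.100.10",
        "dhcp-option DNS 198.51.100.11",
        "block-outside-dns",
    ],
    "internal_full": [
        "route 10.201.40.0 255.255.255.0 10.201.32.1",
        "route 10.201.41.0 255.255.255.0 10.201.32.1",
        "route 10.201.0.0 255.255.0.0 10.201.32.1",
        "route-ipv6 2001:db8:1::/48 2001:db8:ffff::1",
    ],
}


def render_ccd(ipv4, ipv6, set_names, extra_push=()):
    """Return the text of a ccd file: fixed addresses, then a push list built
    from scratch (push-reset) out of the named sets plus ad hoc routes."""
    lines = [
        f"ifconfig-push {ipv4} 255.255.252.0",
        f"ifconfig-ipv6-push {ipv6}/64 2001:db8:2::1",   # IPv6 gateway (constructed)
        "push-reset",
    ]
    for name in set_names:
        lines.append(f"# named set: {name}")
        lines.extend(f'push "{opt}"' for opt in NAMED_SETS[name])
    lines.extend(f'push "{opt}"' for opt in extra_push)
    return "\n".join(lines) + "\n"


def effective_push(server_push, ccd_text):
    """Simulate the push list a client receives after its ccd file is applied."""
    pushed = list(server_push)
    for raw in ccd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = shlex.split(line)
        if directive == "push-reset":
            pushed = []                      # drop everything inherited from the server config
        elif directive == "push-remove":
            pushed = [opt for opt in pushed if not opt.startswith(args[0])]  # prefix match
        elif directive == "push":
            pushed.append(args[0])
    return pushed


def write_ccd_dir(ccd_dir, clients):
    """clients: {common_name: (ipv4, ipv6, [set names], [extra pushes])}.
    Writes one file per CN into ccd_dir and returns the CNs written."""
    ccd_dir = Path(ccd_dir)
    ccd_dir.mkdir(parents=True, exist_ok=True)
    for cn, (ipv4, ipv6, sets, extra) in clients.items():
        (ccd_dir / cn).write_text(render_ccd(ipv4, ipv6, sets, extra))
    return sorted(clients)


if __name__ == "__main__":
    # Constructed clients: one full-access user, one restricted to a single host.
    clients = {
        "alice": ("10.201.32.200", "2001:db8:2::200", ["dns", "internal_full"], []),
        "bob": ("10.201.32.201", "2001:db8:2::201", ["dns"],
                ["route 10.201.80.200 255.255.255.255 10.201.32.1"]),
    }
    for cn in write_ccd_dir("ccd", clients):
        print(cn, effective_push(SERVER_PUSH, (Path("ccd") / cn).read_text()))
```

Because push-remove matches the start of the pushed option string, a push-remove whose netmask differs from the one in the server's push line does not match anything in this model; the simulator makes such a mismatch visible before the ccd file is deployed.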

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
