Re: [Openvpn-users] Split Tunneling


  • Subject: Re: [Openvpn-users] Split Tunneling
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Wed, 17 Mar 2004 00:02:39 -0000

It's interesting that you ask this, because I am actually working on code
right now to do this for 2.0.

Basically 2.0 will allow the OpenVPN server to "push" certain config file
options back to the client (in SSL/TLS mode only).  Options like --ifconfig,
--route, and --dhcp-options will be pushable, meaning that things like routes,
DNS servers, WINS servers, and the IP/netmask applied to the tun/tap adapter
on the client side will all be centrally configurable in the server config
file without the need to set up a DHCP server.

James

uml@xxxxxxxxx said:

> I've been testing OpenVPN for several uses, mainly as a replacement for our
> Cisco 3005 Concentrator and the proprietary and often fickle Cisco software
> client.
> 
> One of the things that I employ frequently with the Cisco unit is a feature
> called split-tunneling.  Translated, this essentially means that you only
> route specific network(s) through the tunnel instead of a default route.
> 
> Now, the problem.  This is easily accomplished on the client side by
> specifying the routes you want to push to the OS, or by using a script
> afterwards, etc.; however, I want these to be transparent to the client
> config such that all that needs to be specified on the client end is the
> cipher type, remote node, and secret (essentially).  The 'server' side is a
> Linux server with a translation on UDP 5000 from the firewall.  The client
> is a Win2k Pro machine, with DHCP, that sits behind another disparate
> network using plain NAT.
> 
> I can successfully get the client to connect, authenticate and pass packets
> to the server and the network behind it.  It picks up an address from the
> dhcpd server that listens only on the tap0 device.  No sweat.  Now, what I'd
> like to do is push a route (192.168.2.0/24) to the client so that it will
> ONLY route traffic destined to that network across the VPN tunnel.  I tried
> 'option static-routes' in the dhcpd.conf file -- but that is grossly
> malfunctional.  I considered doing a curl on a web-site address on the other
> end of the VPN tunnel (provided it IS the other end of the VPN tunnel since
> it knows no other routes) -- which works, but is still somewhat kludged.  I
> have been doing some reading and came across the route_{parm}_n
> environmental variable.  Could this be used with a --up script to pull the
> information from the server to establish the correct routes?
> 
> What other options have others tried?  I essentially want my client to be as
> 'dumb' as possible so that configuration changes are limited solely to the
> server-side of the connection.
> 
> Ideas, comments, flames?
> 
> Thanks!
> 
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
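As an added illustration of the push mechanism James describes (this is not configuration from the thread or from the OpenVPN project itself), the pair below shows how the poster's 192.168.2.0/24 split tunnel would be expressed with 2.0-style server-side push; the 10.8.0.0/24 VPN pool, the DNS/WINS addresses, the hostname and the certificate file names are assumed placeholders, and, as James notes, push only works in SSL/TLS mode, so the static-secret setup the poster uses today would need to move to certificates.

```conf
# --- server.conf (OpenVPN 2.0, SSL/TLS mode; placeholder values marked) ---
port 5000                    # matches the firewall's UDP 5000 forward (assumed)
proto udp
dev tun
ca   ca.crt                  # placeholder certificate/key file names
cert server.crt
key  server.key
dh   dh1024.pem
server 10.8.0.0 255.255.255.0          # assumed VPN pool; replaces the tap0 dhcpd
# Split tunnel: push only the protected network.  No "redirect-gateway" here,
# so the client's default route stays on its local (NAT) network and only
# 192.168.2.0/24 traffic crosses the VPN.
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.10"    # assumed resolver behind the VPN
push "dhcp-option WINS 192.168.2.11"   # assumed WINS server
keepalive 10 120

# --- client.ovpn (Win2k client; nothing site-specific beyond remote and certs) ---
client                                 # tls-client + pull: accept pushed options
dev tun
proto udp
remote vpn.example.org 5000            # placeholder public address of the firewall
ca   ca.crt
cert client.crt
key  client.key
```

Because the client runs with `pull`, every route and DNS/WINS setting it applies comes from the server, so a change to the protected networks is made once in server.conf and takes effect on the next client connect; the same trust relationship means the server config (and its TLS keys) is the one place whose integrity decides what traffic clients send through the tunnel.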