Re: [Openvpn-users] Dynamic routing in client server mode, how to deal with iroute?


  • Subject: Re: [Openvpn-users] Dynamic routing in client server mode, how to deal with iroute?
  • From: Stijn Jonker <SJCJonker@xxxxxx>
  • Date: Fri, 28 Oct 2005 19:00:03 +0200

Hello Phillip & Others,

First of all sorry for the late reply.

On 24-Oct-2005 5:08, Phillip Vandry wrote:
> On Sun, Oct 23, 2005 at 09:29:36PM +0200, Stijn Jonker wrote:
> 
>>Small ascii art describing setup:
>>----------------------------------
>>
>>              --------
>>              | hn01 | \
>>            / --------  \
>>           /             \
>>--------  /   --------    \ --------
>>| hn00 | ---- | hn02 | ---- | ad00 |
>>-------- \    --------    / --------
>>   |      \              /      |
>>   |       \  --------  /       |
>>   |        \ | hn03 | /        |
>>   |          --------          |
>>   |____________________________|
>>
> 
> 
> It sounds to me like you should be able to do this if you leave your
> BGP sessions in place. Did you instead want to get rid of BGP?

No, the idea was to keep BGP in there as it's also used for blackholing
and sinkholing.


> I would also leave hn00 <--> ad00 as a dedicated PtP tunnel while moving
> to client/server for the rest. Each machine would have two tun interfaces.

Yes it is, and I had no intention to change that.


> Disable (do not use) the client-to-client option.
> 
> The networks at hn01, hn02, and hn03 should be iroute'd to the appropriate
> clients by hn00 and ad00, but not route'd. Your dynamic routing protocol
> will let hn00 and ad00 learn those same routes from the remote clients
> themselves and from each other through the dedicated tunnel, and put them
> into the kernel routing tables.

The way I fixed this was to use the TAP device in routed mode instead of
the tun devices; now the VPN daemons at hn00 and ad00 do the routing
and the clients think they are all interconnected.

The funny side effect is that if I don't configure BGP peering between, for
instance, hn01 and hn02, they can't reach each other, which is great for
some limited connectivity.


Thanks for your reply!

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@xxxxxx>

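For readers arriving at this thread for the iroute question itself, the following is an added example (not configuration posted by Stijn, Phillip or the OpenVPN project) of what Phillip's suggested layout looks like on the hub side at hn00: one client/server instance with a per-client config file per spoke carrying an iroute entry, no route entries, and client-to-client left off, so that the kernel routing table is populated by BGP over the tunnels rather than by OpenVPN. All addresses, interface numbers, certificate common names and paths are assumptions; ad00 would run the equivalent with its own transit subnet.

```conf
# /etc/openvpn/hn00-server.conf   (hub; example only, all values assumed)
dev tun1                         # tun0 stays the dedicated hn00<->ad00 PtP tunnel
proto udp
port 1194
server 10.8.0.0 255.255.255.0    # VPN transit subnet handed to hn01..hn03 (assumed)
topology subnet                  # one /24 for all clients; needs OpenVPN 2.1 or later
client-config-dir /etc/openvpn/ccd
ccd-exclusive                    # refuse any client without a ccd file (assumed policy)
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/hn00.crt
key  /etc/openvpn/keys/hn00.key
dh   /etc/openvpn/keys/dh.pem
keepalive 10 60
persist-key
persist-tun
# Deliberately NOT set:
#   client-to-client   -> OpenVPN would switch client<->client traffic internally,
#                         bypassing the kernel table and therefore BGP
#   route 192.168.x.0  -> kernel routes for the spoke LANs come from BGP,
#                         learned from each spoke over this tunnel

# /etc/openvpn/ccd/hn01            (file name = CN in hn01's certificate, assumed)
ifconfig-push 10.8.0.2 255.255.255.0   # stable transit address for the BGP session
iroute 192.168.1.0 255.255.255.0       # OpenVPN-internal: "this LAN sits behind hn01"

# /etc/openvpn/ccd/hn02
ifconfig-push 10.8.0.3 255.255.255.0
iroute 192.168.2.0 255.255.255.0

# /etc/openvpn/ccd/hn03
ifconfig-push 10.8.0.4 255.255.255.0
iroute 192.168.3.0 255.255.255.0
```

Both halves are required for forwarding to work. The kernel route (installed by BGP, e.g. 192.168.2.0/24 dev tun1) gets a packet from the hub's stack into the OpenVPN daemon; the iroute then tells the daemon which client's session that packet belongs to, since from the kernel's point of view every spoke is behind the same tun1. A quick check on hn00 is that `ip route show dev tun1` lists the spoke LANs tagged with the routing daemon's protocol (for example proto bird or proto zebra) and not proto static or kernel, and that `grep -rw route /etc/openvpn/ccd` returns nothing while `grep -rw iroute /etc/openvpn/ccd` returns one line per spoke. Forwarding also has to be enabled on the hub (net.ipv4.ip_forward=1), which OpenVPN does not do for you.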
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users