[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] OVPN and dynamic routing

  • Subject: Re: [Openvpn-users] OVPN and dynamic routing
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Thu, 13 Jan 2005 18:29:06 -0500

On 13 Jan 2005 13:10:02 -0000, Frank Meier <frank.meier@xxxxxxx> wrote:
> Hi there,
> here at work we've the following problem:
> We're using Zebra/ripd for routing and 2 OpenVPN Server to logon the
> Roadwarriors. Because the router could'nt know if there is an RW online and
> on which server, we would have that the tap/tun-devices is only up, if
> there ist a RW online. We can't make own config for all the rw and also
> can't use bridgeing as wrote in (x)inetd-howto.

IMHO you are not looking at this from the best angle.

Consider a similar situation where a, nameless, ISP implemented OSPF
(Dynamic Routing) and then every time someone dialed into them ISP
would add the dial-up IP into the OSPF... creating havoc.

The crux of the issue is that when dynamic routing has to recalculate
or propagate route changes there is a period when different routers
have different routes and packets can be lost, connections dropped,
etc.  The more ofter a route is added or removed the more unstable the
network becomes.  In fact in the worst cases the network routing will
"melt down."

That said the best, IMHO, solution is to have a route for the entire
CIDR range, and if necessary let the OpenVPN server drop or reject the
packet.  This is considered a best practice among the networking

Leonard Isham, CISSP
Ostendo non ostento.

The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
Openvpn-users mailing list