[Openvpn-users] problem with hub-spoke without client-to-client and routing


  • Subject: [Openvpn-users] problem with hub-spoke without client-to-client and routing
  • From: Peter Warasin <peter@xxxxxxxxx>
  • Date: Mon, 14 May 2007 18:15:45 +0200

Hi,

I have a test environment with an OpenVPN server with several OpenVPN
clients connected and need to create iptables filter rules on the
OpenVPN server in order to allow only specific traffic between the VPN
endpoints.

The situation is like the following:


                  +-------------+
192.168.201.40/24 |  server1    +-----+-----+ client1  192.168.201.1
                  +-------------+     +-----+ client2  192.168.201.2


This is the relevant part of the OpenVPN server configuration:
tls-server
dev tap1
server-bridge 192.168.201.40 255.255.255.0 192.168.201.1 192.168.201.50
push "route-gateway 192.168.201.40"
client-config-dir clients
client-to-client

This is only the part of the configuration with which I have problems.
In reality it is more complex, therefore I need to use tap and
server-bridge.

The OpenVPN server should filter connections between the VPN endpoints.
I have the problem that connections will not pass the tap device on
server1 if they go from client1 to client2. This is obvious, since they
are in the same net and client-to-client is on.

If I manually set the routing configuration on both client1 and client2
in order to force connections to go through server1 and toggle off
client-to-client, it works well.

I did this by changing the OpenVPN server configuration in order to
assign to the clients' tap devices only an IP address instead of the
whole network, which would create routing table entries:

ifconfig-pool 192.168.201.1 192.168.201.50 255.255.255.255

and manually created routing entries on both client1 and client2 like
the following:

ip route add 192.168.201.40/32 dev tap0
ip route add 192.168.201.0/24 via 192.168.201.40

This will force traffic between 192.168.201.1 and 192.168.201.2 to go
through the tap device on 192.168.201.40, so I can filter it there.


So far so good.
Now the problem:
how to push such rules?

I can push all but this rule:

ip route add 192.168.201.40/32 dev tap0

since I can't specify any device with push route.

I could use redirect-gateway, but this redirects the whole traffic to
the tap device of the OpenVPN server and I need only the VPN traffic to
be redirected.

Did I miss something? Maybe more RTFM?
Is this configuration possible with OpenVPN 2.0.x?

Any help or pointer in the right direction would be greatly appreciated.
Thank you in advance.

Peter

-- 
:: e n d i a n
:: open source - open minds
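The filtering side of the setup described in the post, as an added example that is not from the original message or the OpenVPN project: a hub-side iptables policy for the hairpinned spoke-to-spoke traffic, plus the spoke routes the post gives. The interface name tap1 and the addresses come from the posted config; the allow-listed flow (ssh from client1 to client2) and the chain name VPN_FWD are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Hub-side iptables policy for
# the hub-and-spoke layout above, after the /32 address and spoke routes force
# client1<->client2 traffic through the hub. Assumption: the hub's VPN
# interface is tap1 as in the posted config; hairpinned traffic then enters
# and leaves on tap1 and is seen by the FORWARD chain. If tap1 is enslaved to
# a bridge, set VPN_IF to the bridge name instead, since routed packets are
# matched on the bridge device. The functions only print the commands, so the
# policy can be reviewed (and tested) before being applied with "| sh".
VPN_IF=tap1
HUB_IP=192.168.201.40
VPN_NET=192.168.201.0/24

# allow_flow SRC DST PROTO PORT: one ACCEPT rule for a specific tcp/udp flow
allow_flow() {
    echo "iptables -A VPN_FWD -s $1 -d $2 -p $3 --dport $4 -j ACCEPT"
}

hub_policy() {
    # Both "all" and the per-interface knob must be 0: the kernel ORs them.
    # Otherwise the hub answers hairpinned packets with ICMP redirects and the
    # spokes learn a direct route that bypasses the filter entirely.
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"
    echo "sysctl -w net.ipv4.conf.$VPN_IF.send_redirects=0"
    echo "iptables -N VPN_FWD"
    # Only spoke-to-spoke traffic hairpinning on the VPN interface is filtered
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $VPN_NET -d $VPN_NET -j VPN_FWD"
    echo "iptables -A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Constructed allow-list: client1 may reach ssh on client2, nothing else
    allow_flow 192.168.201.1 192.168.201.2 tcp 22
    echo "iptables -A VPN_FWD -j DROP"
}

# Spoke side: the two routes from the post, plus refusing ICMP redirects so a
# spoke never installs a shortcut even if the hub sends one.
spoke_routes() {
    echo "ip route add $HUB_IP/32 dev tap0"
    echo "ip route add $VPN_NET via $HUB_IP"
    echo "sysctl -w net.ipv4.conf.tap0.accept_redirects=0"
}
```

Run `hub_policy` on the hub and `spoke_routes` on each client to print the commands; pipe either to `sh` to apply them.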
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users