Re: [Openvpn-users] routing to networks behind a client for other clients?

  Subject: Re: [Openvpn-users] routing to networks behind a client for other clients?
  From: Erich Titl
  Date: Fri, 03 Aug 2007 21:46:19 +0200

James Barros schrieb:
> A humble request for help.
> Situation:
> I have 3 offices and 20+ roaming users, all connected over openvpn to
> my downtown office.
> All users need access to downtown AND hollywood offices.
> The hollywood office has a /ccd file and I can access all of the
> computers behind it easily from my downtown office (the server) 
> I CAN NOT access the computers in the hollywood office (behind the
> openvpn client) from the other clients. 
> client-to-client is enabled. 

This only enables traffic to the entry point at hollywood, you need to
push the route to the network behind hollywood to your clients.

> I would like to avoid bridging because
>    1.) our network is unstable, and a bridge over a broken network
> does not fail gracefully.
>    2.) even working right, I don't want to pass ALL traffic through my
> office.
> I BELIEVE this means I need to push routes out for both of these subnets.
> The problem is that the hollywood office is a client as well. Does
> this mean I should be pushing a route for its local subnet to it as
> well (since routes are pushed from the server config and not client
> configs), and just trust that proper subnet masking will stop it from
> passing its own traffic upstream and creating a network shitstorm?

Use ccd files :-(

> Looking over the openvpn howto, and the ccd files, I don't see a means
> of only pushing routes dependent on clients.

This is what ccd is for.

> can I take the route pushes out of the server.conf and put them into ccd
> files?

Yes, you can.

> can I somehow do this in the client.conf file I give out with keys?

Possibly, but less secure, use ccd files.
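An added example of the ccd-based layout Erich is pointing at, written as illustration and not taken from the thread or from the OpenVPN project's documentation. The tunnel pool, the two office LANs and the certificate CN "hollywood" are assumed values; substitute your own.

```conf
# ---- server.conf on the downtown server (added example, addresses assumed) ----
#   10.8.0.0/24     tunnel address pool
#   192.168.1.0/24  downtown LAN, directly behind the server
#   192.168.2.0/24  hollywood LAN, behind the client whose certificate CN is "hollywood"
server 10.8.0.0 255.255.255.0
# client-to-client only lets clients reach each other's tunnel addresses;
# networks behind a client still need a route pushed to the other clients.
client-to-client
# per-client option files, looked up by certificate CN
client-config-dir ccd

# Kernel route on the server for the hollywood LAN, pointing into the tunnel.
# Without it the server itself cannot forward packets to 192.168.2.0/24.
route 192.168.2.0 255.255.255.0

# Routes every client inherits by default. The second one is what the
# roaming users need to reach hollywood; it is overridden for hollywood below.
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

# ---- ccd/hollywood (file name must match the client's certificate CN) ----
# Tell OpenVPN which client instance owns 192.168.2.0/24, so packets for that
# LAN arriving from other clients are handed to this client instance.
iroute 192.168.2.0 255.255.255.0
# Discard the global push list for this client, so hollywood is never told to
# send traffic for its own LAN up the tunnel, then push only what it needs.
# push-reset also discards any other global pushes (DNS, redirect-gateway),
# so repeat every option this client should still receive.
push-reset
push "route 192.168.1.0 255.255.255.0"
```

Both halves matter: `route` makes the server's kernel send the packets into the tun interface, and `iroute` tells the OpenVPN daemon which client instance they belong to. Keeping these directives in ccd files rather than in the client.conf you hand out means the server, not the holder of a client config, decides which subnet each certificate may announce and which routes each client receives.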