
Re: [Openvpn-users] Possible routing problem

  • Subject: Re: [Openvpn-users] Possible routing problem
  • From: "Daniel L. Miller" <dmiller@xxxxxxxxx>
  • Date: Sun, 09 Sep 2007 23:03:53 -0700

john@xxxxxxxxx wrote:
> The server directive should be a non-routable, shouldn't it?
Yes - what's indicating otherwise?
> i.e., I have
> server
> dev tun
> topology subnet
I had to research that part - you're running either a patched version or 
the 2.1 beta?  I'm running stock 2.0.9 - topology subnet not supported.  
Perhaps I need to explore the beta . . . .
> I don't worry about local setting, it's optional and will bind to all the
> internal ethernet cards on the network.
> by setting the topology to subnet and using the ifconfig-pool-persist
> directive, the other ends get a consistent address within the
> network. In other words, the server end of the tunnel gets and the
> client consistently gets (in my case).
> I then push, from the server, the internal routes of the server, i.e.,
> push route "192.168.xx1.0"
> push route "192.168.xx2.0"
> etc (I'm pushing 4 routes)
This may be part of the answer.  I DON'T want the VPN clients to see a 
route to the server LAN - I only want select members of my server LAN to 
be able to reach the clients.  But I don't see why remote clients need 
to know my internal LAN routing - that's the whole idea of the router, 
to hide that!
> and added
> client-to-client
> and
> persist-key
> persist-tun
I don't want client-to-client behaviour.  I am using persist-key, but I 
was having problems when clients would re-connect after communication 
interruption.  A search of the archives pointed to persist-tun being a 
possible problem - haven't had that issue since I removed it.
> Hopefully that will get you closer, Daniel, and hopefully it's not too
> disjointed an explanation... it's getting late for a Sunday and I'm hitting
> the rack.
Hope when you read this you've gotten some sleep.
> The default client and server .conf files and their in-line comments helped
> me a lot, and I really appreciated the fact that they were part of the
> distribution. I had been struggling with openswan/ipsec and intermittent
> connectivity for weeks. OpenVPN is far easier to set up and it consistently
> works well.
No doubt.

Wait a minute - as I type this I just had a brainstorm - does this mean 
each VPN client isn't on the network?!  So I need to 
adjust my server routing tables for a separate /30 network for each 
client?!  Was that what I was missing?!

