
Re: [Openvpn-users] Is it possible? -- client delete/remove pushed route from server

  • Subject: Re: [Openvpn-users] Is it possible? -- client delete/remove pushed route from server
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Sun, 30 Sep 2007 10:54:48 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID890LidP350170X39

Andrew Guenther wrote:
On Sep 29, 2007, at 6:16 PM, Matthew Haas <wedge@xxxxxxxxxxxxx> wrote:

Good afternoon,

I have a functioning OpenVPN setup that I've been using to connect a few remote locations together. I am using routing, NOT bridging. OpenVPN 2.0.9 on Debian Etch systems.

My question arises from the connection of one of these locations: I can get on the VPN OK, but I am experiencing a problem with a duplicate subnet (i.e. a location on the VPN uses this subnet, but the real network at one of the locations also uses it).

Due to the circumstances surrounding this, I can actually get by without that duplicated route, so I am interested in seeing if there is a way I might be able to delete a pushed route from the server.

In the logs I see the route pushed. It is pushed to all connecting clients, and 99% of the time this is exactly the behavior I want. Is there a way that, upon connecting to the VPN, a specific route can then be dropped?

I don't mind if I have to put it in an "up" script, but I've tried Google and the OpenVPN FAQ, and nowhere have I found any clues that would lead me in the general direction of what I am seeking.

Any pointers/advice would be helpful.

A couple of options to try:

A: On your special client, remove the 'pull' directive from the conf, then manually add every 'push' server entry you want. In the future, every server conf change involving push lines would need to be manually added to your special client conf.

B: Research and learn the client-config-dir option in the server conf. Create a new dir that this points to, and create a straight text file which is named exactly like their certificate name. Any command in this file is effectively appended to the server conf ONLY when this client connects.

There are a few ways to use this. One is to make client-config-dir entries for every user except your special case. Give all your normal users the route.

I'm sure there must be a way to push "route delete" for just your special case. If so, you could just make a special config for your special case.

There's a better way to use the client-config-dir files than creating one for each of the other users with the routes.  For your unique case, create a ccd file which contains the option "push-reset", which will cause that client to not inherit from the global push options specified in the main configuration file on the server.  You will then have to re-specify any options to be pushed, including both generic options and routes, so be sure to include things like "ping 10" or "ping-timeout 60" in addition to the routes you want for this connecting client.  This is a nice solution because it still lets the server have control over the routes pushed to the client in the event you add more in later; the only thing to remember is that if you want to change a route pushed to all clients you will need to enact the change in both the global and the ccd file.

Another option available in the 2.1 version (currently not yet officially a stable release) is the "route-nopull" option, which if used with either "client" or "pull" will tell the client to accept all options except routes, and then you could add the routes on the client side.  I don't know if this option could be placed in a ccd file, so if you try to do this server-side make sure it has the effect you want.


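The client-config-dir / push-reset approach described in the two replies above, as an added example that is not part of this thread or of OpenVPN itself: it writes a constructed server.conf with global push lines, a ccd file for a hypothetical client whose certificate CN is branch-special and whose file starts with push-reset, and a small shell function that emulates how the server merges the two (push-reset empties the push list accumulated so far, so the ccd file must re-specify every option the client still needs, keepalive settings included). All paths, common names and subnets are made up for illustration; ping/ping-restart are used for the keepalive settings.

```shell
#!/bin/sh
# Added example (not from the thread): build a minimal OpenVPN 2.0-style
# server config with global push lines plus a client-config-dir entry that
# uses push-reset, then emulate which "push" options each client receives.
# Paths, CNs and subnets below are constructed for illustration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CCD="$WORK/ccd"
mkdir -p "$CCD"

# Global server config: these push lines go to every client by default.
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "ping 10"
push "ping-restart 60"
EOF

# ccd file for the one client whose own LAN collides with 192.168.20.0/24
# (hypothetical CN "branch-special"). push-reset discards the global push
# list, so everything this client still needs must be re-specified here.
cat > "$CCD/branch-special" <<'EOF'
push-reset
push "route 192.168.10.0 255.255.255.0"
push "ping 10"
push "ping-restart 60"
EOF

# Emulate the server-side merge for one client common name: global push
# lines first, then the ccd file's lines; a push-reset in the ccd file
# empties the list built so far. Prints one pushed option per line.
effective_push() {
    cn="$1"
    ccd_file="$CCD/$cn"
    {
        grep -E '^push ' "$WORK/server.conf"
        [ -f "$ccd_file" ] && grep -E '^(push |push-reset)' "$ccd_file"
    } | awk '
        /^push-reset$/ { n = 0; next }
        /^push /       { sub(/^push +"/, ""); sub(/"$/, ""); out[++n] = $0 }
        END            { for (i = 1; i <= n; i++) print out[i] }
    '
}

# Number of "route" options a client would receive.
route_count() {
    effective_push "$1" | grep -c '^route ' || true
}

echo "== ordinary client (no ccd file) =="
effective_push branch-normal
echo "== special client (ccd file with push-reset) =="
effective_push branch-special
```

The emulation only shows what the config files ask for; after deploying the real ccd file, confirm it on the special client by checking its log for the PUSH_REPLY line it receives at connect time, which lists exactly the options the server pushed.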