Andrew Guenther wrote:
On Sep 29, 2007, at 6:16 PM, Matthew Haas <wedge@xxxxxxxxxxxxx> wrote:
I have a functioning OpenVPN setup that I've been utilizing to link
a few remote locations together. I am using routing, NOT bridging.
OpenVPN 2.0.9 on Debian Etch systems.
My question arises from the connection of one of these locations-- I
can get on the VPN ok, but the problem is that I am experiencing a
problem with a duplicate subnet (ie a location on the VPN uses this
subnet, but the real network at one of the locations also uses it).
Due to the circumstances surrounding this, I can actually get by
without that duplicated route, so I am interested in seeing if there is
a way I might be able to delete a pushed route from the server.
In the logs I see the route pushed.. it is pushed to all connecting
clients.. and 99% of the time this is exactly the behavior I want.
Is there a way that, upon connecting to the VPN, a specific route can
then be dropped?
I don't mind if I have to put it in an "up" script.. but I've
googled, checked the OpenVPN FAQ, and nowhere have I found any clues that would
lead me in the general direction of what I am seeking.
Any pointers/advice would be helpful.
A couple of options to try:
A: On your special client, remove the 'pull' directive from the conf,
then manually add every 'push' server entry you want. In the future,
every server conf change involving push lines would need to be
manually added to your special client conf.
B: Research and learn the client-config-dir option in the server conf.
Create a new dir that this points to, and create a straight text file
which is named exactly like their certificate name. Any command in
this file is effectively appended to the server conf ONLY when this
There are a few ways to use this. One is to make client-config-dir
entries for every user except your special case. Give all your normal
users the route.
I'm sure there must be a way to push "route delete" for just your
special case. If so, you could just make a special config for your
There's a better way to use the client-config-dir files than creating
one for each of the other users with the routes. For your unique case,
create a ccd file which contains the option "push-reset", which will
cause that client to not inherit from the global push options specified
in the main configuration file on the server. You will then have to
re-specify any options to be pushed, including both generic options and
routes, so be sure to include things like "ping 10" or "ping-timeout
60" in addition to the routes you want for this connecting client.
This is a nice solution because it still lets the server have control
over the routes pushed to the client in the event you add more in
later; the only thing to remember is that if you want to change a route
pushed to all clients you will need to enact the change in both the
global and the ccd file.
Another option available in the 2.1 version (currently not yet
officially a stable release) is the "route-nopull" option, which if
used with either "client" or "pull" will tell the client to accept all
options except routes, and then you could add the routes on the client
side. I don't know if this option could be placed in a ccd file, so if
you try to do this server-side make sure it has the effect you want.
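As an added example (not from the thread or the OpenVPN project), a small POSIX shell helper that builds such a "push-reset" ccd file from the server's own global push lines, so the per-client file stays in sync with the main config while omitting the one duplicated route. The server.conf contents, the client name and the subnet below are constructed for illustration.

```shell
#!/bin/sh
# Generate a client-config-dir (ccd) file for one client: start with
# "push-reset", then repeat every global push line from server.conf
# except the route for the duplicated subnet.
# The ccd file name must match the client's certificate common name.
set -eu

# Constructed sample server.conf (hypothetical, for offline demonstration).
make_sample_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
client-config-dir ccd
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "ping 10"
push "ping-restart 60"
EOF
}

# Print ccd contents to stdout.
#   $1 = path to server.conf
#   $2 = network address of the route to drop (e.g. 192.168.1.0)
build_ccd() {
  conf="$1"; drop="$2"
  echo "push-reset"
  # Only lines of the form: push "..."
  grep -E '^[[:space:]]*push[[:space:]]+"' "$conf" | while IFS= read -r line; do
    case "$line" in
      *"route $drop "*) continue ;;   # skip the duplicated route
    esac
    echo "$line"
  done
}

# Usage: sh build_ccd.sh /etc/openvpn/server.conf 192.168.1.0 > ccd/<client-cn>
# With no arguments, run against the constructed sample instead.
if [ "$#" -eq 2 ]; then
  build_ccd "$1" "$2"
elif [ "$#" -eq 0 ]; then
  sample="$(mktemp)"
  make_sample_conf "$sample"
  build_ccd "$sample" 192.168.1.0
  rm -f "$sample"
fi
```

Redirect the output into the ccd file named after the client's certificate CN; every other client keeps inheriting the global push lines unchanged.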