Modify server route when client attempts to connect?

[allywilson]

Long story short, I have asynchronous routing on my server.

Connection attempts ingress is different from the egress.

This causes a problem for clients connecting, as replies are coming from a different source.

I can work around this by manually modifying my server routing table to direct traffic to a clients IP via the same interface, but it's manual.

Wondering if it's possible to add a "pre-route" command to my openvpn server configuration?

So, if a connection on UDP/1194 from 123.123.123.123 hits my server it will automatically add the route?

Like this:

Code: Select all

ip route add 123.123.123.123/32 via 192.168.1.254

192.168.1.254 being the route it needs to use to correctly communicate with the client.

[TinCanTech]

So, if a connection on UDP/1194 from 123.123.123.123 hits my server it will automatically add the route?

Unfortunately, this is not possible.

If the server does not have a route for 123.123.123.123 when the connection attempt is made it will fail because the only script which could do this is the --client-connect script which will only fire once the client is verified. The route must be in place before hand ..

You can add the specific route to your config file but I expect the problem is that you do not know the client IP until it tries to connect.

[allywilson]

Yeah, unfortunately I don't know the client IP until it attempts to connect. I was looking into --learn-address but I couldn't figure out how to use it, or if it's even applicable.

Most/all of my clients will retry, so I might look into parsing the log file and then adding/updating the routing table with the last entry or similar.

Thanks for your reply!

[TinCanTech]

On a Linux Server you can use policy based routing:
http://forums.openvpn.net/viewtopic.php?t=18394