Add iroute from ccd as system route

This is where we can discuss what we would like to see added or changed in OpenVPN.
Post Reply
pkirsche
OpenVpn Newbie
Posts: 3
Joined: Sat Aug 22, 2020 1:42 pm

Add iroute from ccd as system route

Post by pkirsche » Sat Aug 22, 2020 2:11 pm

Hello Folks,

I'd like to see an option, that in case a client connects to the server and has a corresponding ccd file including an iroute, that openvpn automatically adds a route to the kernel routing (of a linux server host).
Just the same procedure as we have it already with the "route" parameter in the main configuration.
Maybe it is thinkable that we can use this "route" parameter also in ccd file?

Thanks for your feedback :)

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: Add iroute from ccd as system route

Post by TinCanTech » Sat Aug 22, 2020 3:25 pm

What advantages would this have over the current method ?

pkirsche
OpenVpn Newbie
Posts: 3
Joined: Sat Aug 22, 2020 1:42 pm

Re: Add iroute from ccd as system route

Post by pkirsche » Thu Aug 27, 2020 12:59 pm

Hello,

first of all, thanks for your answer!
Thinking of a setup of multiple site-2-site networks connected to my server, with the "route" command used inside the ccds, I have only routings to client subnets which are really connected and reachable.
Using the route parameter inside the main configuration file, there is no flexibility regarding the connection state of the client. The kernel will always route the packet to the tun device even if the client is not connected.
This makes it complicated to realize some fallback mechanism or load balancing without using up/down scripts.

So primary this would make the configuration more easy, flexible and comfortable by not needing any up/down scripts for this scenario.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: Add iroute from ccd as system route

Post by TinCanTech » Thu Aug 27, 2020 1:51 pm

I believe this has been discussed before and the outcome was that it is not important enough for the developers to invest time into. These are the reasons:
  • Time to write the code. Developer time is hard to come by as it is.
  • Maintaining the code. Time again ..
  • Not widely needed and can be done by simple scripts.
However, if you feel confident to submit code for review then I have no doubt it would be welcome.

Post Reply