irouted subments on client

How to customize and extend your OpenVPN installation.
Post Reply
Xenon_Sk
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 03, 2011 3:18 pm

irouted subments on client

Post by Xenon_Sk » Fri Jan 14, 2011 3:38 pm

Is it possible somehow to fetch the list of "iroute"`d subnets on the client?
I found a solution - for each iroute direrective i push enviromental variable, which i parse on the client in the up script. But that is a little bit uncomfortable. Probably there is an internal variable for that?

Xenon_Sk
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 03, 2011 3:18 pm

Re: irouted subments on client

Post by Xenon_Sk » Fri Jan 14, 2011 3:55 pm

To be clear - i`ll show you example the script i wrote myself.
So, imagine we have ccd file:

Code: Select all

ifconfig-push 10.108.0.7 10.108.0.1
iroute 10.108.0.10 255.255.255.255
iroute 10.108.0.11 255.255.255.255
iroute 10.108.0.12 255.255.255.255
When the OpenVPN process starts on the client - tun0 brings up with the ip specified in "ifconfig-push" directive - 10.108.0.7
So to be able to use other IPs we need to do put aliases:
ifcofing tun0:0 10.108.0.10
ifconfig tun0:1 10.108.0.11
ifconfig tun0:2 10.108.0.12
And also (plus to "ip rule" on the 10.108.0.7 IP) execute some ip rules commands to force packets with "source ip" equal to one of the IPs in ccd to go not through the default gateway, but thorough the certain VPN gate:

Code: Select all

/sbin/ip rule add from 10.108.0.10 table vpn
/sbin/ip rule add from 10.108.0.11 table vpn
/sbin/ip rule add from 10.108.0.12 table vpn
In table "vpn" i `ve add the default gateway equal to VPN gate.

S i wanted to automate the process of this. So could change the ccd on the server and do not care about the scripts and config files the client has - so if any change (add/remove of the IP from the client) is done - i just need to force a connection restart and then the client would automatically get new ips working. So i came up with a little UP script.

Code: Select all

#!/bin/bash
#Policy routing for "ifconfig-push" IP
/sbin/ip rule add from $5 table $1
/sbin/ip ro ad default via $6 table $1

#Policy routing and ifconfig execs for each "iroute" IP 
i=0
buf="OPENVPN_alias$i"
while [ -n "${!buf}" ]; do
        ifconfig $2:$i ${!buf}
        /sbin/ip rule add from ${!buf} table $1
        ((i++))
        buf="OPENVPN_alias$i"

done
In order to make that work i need to modify ccd so:

Code: Select all

ifconfig-push 10.108.0.7 10.108.0.1
iroute 10.108.0.10 255.255.255.255
iroute 10.108.0.11 255.255.255.255
iroute 10.108.0.12 255.255.255.255
push "setenv-safe alias0 10.108.0.10"
push "setenv-safe alias1 10.108.0.11"
push "setenv-safe alias2 10.108.0.12"
I do not like 'setenv-safe' but i did not find any other way to tell the client which IPs have been irouted to him, so the script could put on aliases ip on tun device.

And the question is - are there any other ways to do that, to remove those setenv-safe push`es.

Post Reply