HowTo: my attempt to explain CCDs and "iroute"

MikeRobinson
OpenVpn Newbie
Posts: 16
Joined: Fri Aug 03, 2018 1:46 am

HowTo: my attempt to explain CCDs and "iroute"

Post by MikeRobinson » Fri Aug 03, 2018 2:56 pm

One of the most-confusing aspects of OpenVPN configuration for me to "grok" was the subject of CCD-files and "i"route. Now that I've finally wrapped my cranium around it, let me try to explain it better than the docs do. (Comments and corrections requested.)

The particular case that we're dealing with is when a client exposes a local-to-it subnet that we want to be able to connect to from elsewhere in the OpenVPN network. (Let's say that we're on 10.1.0.x and that the network exposed by the client is 10.22.0.x.) Well, exactly how must the traffic get from here to there? There are two considerations:
  1. As is always the case with TCP/IP, the local operating system must know to route that IP-address range (10.22.0.x) to the local OpenVPN server "as a gateway." That's what the "route (no 'i')" directive does. So far, this is "basic TCP/IP routing."
  2. But now OpenVPN needs an additional piece of information that does not exactly correspond to "routing," and yet is very similar. It must know: "which currently-connected client must I send this traffic to, for final delivery to its destination?" This is a piece of information that is peculiar to OpenVPN – the operating system knows nothing of it.
OpenVPN's designers shrewdly thought of having client-name-specific configuration files in a designated directory (CCD), where details specific to a particular client could be kept. And, they invented the iroute command – which only makes sense in, and therefore is only allowed in – a CCD file. This is the directive that tells OpenVPN that the client exposes a local-to-it subnet, and OpenVPN knows "which client it is" by virtue of "which CCD-file contained the directive!" Simple, and flexible. Even elegant. You don't have to muck-around with the main config file when you add a new client that has a subnet associated with it! (Which happens a lot.)

As you see, both the route and the iroute directives are needed, because they serve different purposes. route causes an operating system TCP/IP route to be created, sending the traffic into OpenVPN in the first place, without which (of course) OpenVPN would never see it at all. Then, iroute, occurring in a particular CCD-file corresponding to a presently-connected client, tells OpenVPN where to send the traffic for its next "hop." The two notions are complementary – they work together – but they are different. It's directly analogous to "routing within the 10.8.0.x internal OpenVPN virtual-network," but it doesn't involve the operating system.

Hope this helps!™

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: HowTo: my attempt to explain CCDs and "iroute"

Post by TinCanTech » Fri Aug 03, 2018 3:35 pm

Reads well and is correct, thanks.

* promoting to Tutorials *

maxburn
OpenVPN Power User
Posts: 65
Joined: Mon Dec 12, 2016 6:07 pm

Re: HowTo: my attempt to explain CCDs and "iroute"

Post by maxburn » Tue Jan 04, 2022 2:58 pm

Found this in a search, refreshing my memory on how this works. Thanks.

One additional detail building on the above: if your VPN clients are routers themselves and you want to allow LAN devices under them to communicate with LAN devices under other VPN clients, you need two additional things in the server config:
  1. Allow OpenVPN to permit this traffic with the statement: client-to-client
  2. Have OpenVPN push routes to connecting clients' routing tables so those network routers know how to route traffic to those other LANs. Using the client LAN subnet from the above example, you would need to add: push "route 10.22.0.0 255.255.255.0", which assumes that network was a /24 subnet.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: HowTo: my attempt to explain CCDs and "iroute"

Post by TinCanTech » Tue Jan 04, 2022 3:30 pm

You do not need --client-to-client.

--client-to-client allows inter-client traffic to pass through the server without having to loop through the kernel.

This is a useful performance enhancement but it means inter-client traffic is not filtered at all by the server.

Sometimes, it is preferable to only allow specific traffic to flow between clients, eg. HTTP, and not others, eg. FTP.
To filter, the server must not use --client-to-client and must apply rules to its firewall.
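Pulling the thread together as an added example (not from any of the posts above or from OpenVPN itself): a constructed server.conf for the 10.22.0.0/24 case, CCD files for two hypothetical client CNs ("client22" and "client33"), and a small consistency check that flags an iroute whose subnet has no matching server route or push, which is the mismatch that most often leaves the traffic black-holed. The server config deliberately omits client-to-client so inter-client traffic stays filterable by the kernel firewall.

```python
import ipaddress
import re

# Constructed sample server.conf. The "route" line is the kernel half
# (send 10.22.0.0/24 into the tun device); the push tells other clients
# (routers) to reach that LAN via the VPN. No client-to-client: traffic
# between clients loops through the kernel and its firewall rules.
SERVER_CONF = """\
server 10.1.0.0 255.255.255.0
client-config-dir ccd
route 10.22.0.0 255.255.255.0
push "route 10.22.0.0 255.255.255.0"
"""

# Constructed CCD files, keyed by file name, which OpenVPN matches to the
# client's certificate CN. "client33" is deliberately misconfigured:
# it has an iroute but the server has neither a route nor a push for it.
CCD_FILES = {
    "client22": "iroute 10.22.0.0 255.255.255.0\n",
    "client33": "iroute 10.33.0.0 255.255.255.0\n",
}

# Matches: route A M / iroute A M / push "route A M"  (comments do not match)
_ROUTE = re.compile(r'^\s*(push\s+")?(i?route)\s+([\d.]+)\s+([\d.]+)')


def parse_routes(text):
    """Return {'route': set, 'iroute': set, 'push': set} of ip_network objects."""
    found = {"route": set(), "iroute": set(), "push": set()}
    for line in text.splitlines():
        m = _ROUTE.match(line)
        if not m:
            continue
        kind = "push" if m.group(1) else m.group(2)
        found[kind].add(ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))
    return found


def check_iroutes(server_conf, ccd_files):
    """Map each client CN to the problems found for its iroute subnets."""
    srv = parse_routes(server_conf)
    problems = {}
    for cn, text in ccd_files.items():
        for net in parse_routes(text)["iroute"]:
            issues = []
            if net not in srv["route"]:
                issues.append(f"no server 'route {net}'")   # kernel never hands it to OpenVPN
            if net not in srv["push"]:
                issues.append(f'no push "route {net}"')     # other clients cannot reach it
            if issues:
                problems[cn] = issues
    return problems
```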
