HowTo: my attempt to explain CCDs and "iroute"

OpenVpn Newbie
Posts: 16
Joined: Fri Aug 03, 2018 1:46 am

HowTo: my attempt to explain CCDs and "iroute"

Post by MikeRobinson » Fri Aug 03, 2018 2:56 pm

One of the most-confusing aspects of OpenVPN configuration for me to "grok" was the subject of CCD-files and "i"route. Now that I've finally wrapped my cranium around it, let me try to explain it better than the docs do. (Comments and corrections requested.)

The particular case that we're dealing with is when a client exposes a local-to-it subnet that we want to be able to connect to from elsewhere in the OpenVPN network. (Let's say that we're on 10.1.0.x and that the network exposed by the client is 10.22.0.x.) Well, exactly how must the traffic get from here to there? There are two considerations:
  1. As is always the case with TCP/IP, the local operating system must know to route that IP-address range (10.22.0.x) to the local OpenVPN server "as a gateway." That's what the "route (no 'i')" directive does. So far, this is "basic TCP/IP routing."
  2. But now OpenVPN needs an additional piece of information that does not exactly correspond to "routing," and yet is very similar. It must know: "which currently-connected client must I send this traffic to, for final delivery to its destination?" This is a piece of information that is peculiar to OpenVPN – the operating system knows nothing of it.
OpenVPN's designers shrewdly thought of having client-name-specific configuration files in a designated directory (CCD), where details specific to a particular client could be kept. And, they invented the iroute command – which only makes sense in, and therefore is only allowed in – a CCD file. This is the directive that tells OpenVPN that the client exposes a local-to-it subnet, and OpenVPN knows "which client it is" by virtue of "which CCD-file contained the directive!" Simple, and flexible. Even elegant. You don't have to muck-around with the main config file when you add a new client that has a subnet associated with it! (Which happens a lot.)

As you see, both the route and the iroute directives are needed, because they serve different purposes. route causes an operating system TCP/IP route to be created, sending the traffic into OpenVPN in the first place, without which (of course) OpenVPN would never see it at all. Then, iroute, occurring in a particular CCD-file corresponding to a presently-connected client, tells OpenVPN where to send the traffic for its next "hop." The two notions are complementary – they work together – but they are different. It's directly analogous to "routing within the 10.8.0.x internal OpenVPN virtual-network," but it doesn't involve the operating system.

Hope this helps!™
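The route/iroute pairing described above as a runnable example (added here, not part of the original post): it writes a minimal server.conf and a CCD file for a hypothetical client named "branch-office" into a scratch directory, then checks that every iroute in the CCD directory has a matching server-side route, which is the mismatch that most often leaves a client subnet unreachable.

```shell
#!/bin/sh
# Added example, not taken from the post. Builds a minimal server.conf plus a
# CCD file for a hypothetical client named "branch-office" in a scratch
# directory, then checks that every 'iroute' in the CCD directory has a
# matching server-side 'route', so the kernel actually hands that subnet's
# traffic to OpenVPN before OpenVPN picks the client as the next hop.
set -eu

WORK=$(mktemp -d)
CCD="$WORK/ccd"
mkdir -p "$CCD"

# Server side: 'route' installs the OS route into the tun device and
# 'client-config-dir' names the directory holding the per-client files.
cat > "$WORK/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.22.0.0 255.255.255.0
EOF

# Per-client file, named after the client's certificate CN: 'iroute' tells
# OpenVPN that this client is the next hop for 10.22.0.0/24.
cat > "$CCD/branch-office" <<'EOF'
iroute 10.22.0.0 255.255.255.0
EOF

# check_iroutes CONF CCDDIR: reports each iroute with no matching route and
# returns 1 if any is found, 0 if every CCD subnet is routed into the tunnel.
check_iroutes() {
    conf=$1; dir=$2; missing=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # drop comments, keep "iroute NET [MASK]" (mask defaults to a host route)
        sed 's/[#;].*//' "$f" |
        awk '$1=="iroute" && NF>=2 {print $2, ($3==""?"255.255.255.255":$3)}' |
        while read -r net mask; do
            awk -v n="$net" -v m="$mask" \
                '$1=="route" && $2==n && ($3==""?"255.255.255.255":$3)==m {ok=1}
                 END {exit !ok}' "$conf" ||
            { echo "$(basename "$f"): iroute $net $mask has no route in server.conf"; exit 1; }
        done || missing=1
    done
    return $missing
}

check_iroutes "$WORK/server.conf" "$CCD" && echo "every iroute has a matching route"
```

Run it against a real deployment by pointing check_iroutes at the live server.conf and CCD directory; a non-zero exit names the client whose subnet the operating system will never send into the tunnel.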

Forum Team
Posts: 9209
Joined: Fri Jun 03, 2016 1:17 pm

Re: HowTo: my attempt to explain CCDs and "iroute"

Post by TinCanTech » Fri Aug 03, 2018 3:35 pm

Reads well and is correct, thanks.

* promoting to Tutorials *
