My plan is to perform a DNS lookup in a route-up script and then add routes on-the-fly. If the Load Balancer's IPs change, the worst that can happen is that a user has to reconnect the VPN to regain access. I have written a PowerShell script that successfully does that; everything works as expected when I run OpenVPN GUI as Administrator.
function getARecords([string]$hostname) {
    # The Where-Object filter may seem redundant, but on a cache miss Resolve-DnsName returns the authoritative
    # nameservers and their IPs as well, for whatever reason. In that edge case the additional filter is needed.
    return Resolve-DnsName -Name $hostname -Type A | Where-Object { $_.Name -eq $hostname -and $_.Type -eq "A" }
}

function setRoutes($ARecords) {
    foreach ($ARecord in $ARecords) {
        # Route traffic to the IPs acquired from the DNS lookup through the VPN tunnel.
        # DEV_IDX is the interface index.
        # ROUTE_VPN_GATEWAY is the gateway address inside the tunnel (can vary depending on which VPN daemon we're connecting to).
        New-NetRoute -DestinationPrefix "$($ARecord.IPAddress)/32" -InterfaceIndex $Env:DEV_IDX -NextHop $Env:ROUTE_VPN_GATEWAY -PolicyStore ActiveStore
    }
}

# Redirect PowerShell warnings/errors to a file and also dump security info to confirm that there's a privilege issue.
&{
    $myARecords = getARecords "some.hostname.org"
    setRoutes $myARecords

    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $currentPrincipal | Out-File C:\Temp\principal.txt
    if ( $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) ) {
        echo "yep" | Out-File C:\Temp\isAdmin.txt
    }
    else {
        echo "nope" | Out-File C:\Temp\isAdmin.txt
    }
} 3>&1 2>&1 > C:\Temp\debug_output.txt
Any help is appreciated!
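As an added example (not the poster's script): the route-up logic above adds a route for every address the resolver hands back and only discovers the privilege problem when New-NetRoute fails. This variant checks elevation first and logs the reason, and only routes addresses inside prefixes the operator expects the load balancer to use, so an unexpected resolver answer cannot push arbitrary destinations into the tunnel. The prefixes (TEST-NET ranges), log path and hostname are constructed placeholders; DEV_IDX and ROUTE_VPN_GATEWAY are the environment variables the original script already relies on.

```powershell
# Added example, not the poster's script. Placeholders to adjust: $AllowedPrefixes (constructed
# TEST-NET ranges), $LogFile and $hostname. Expects the DEV_IDX / ROUTE_VPN_GATEWAY env vars from OpenVPN.
$AllowedPrefixes = @('203.0.113.0/24', '198.51.100.0/24')
$LogFile = 'C:\Temp\route-up.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append
}
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
function ConvertTo-IPv4Number([string]$Ip) {
    # Reverse the big-endian address bytes so BitConverter (little-endian on Windows) yields the numeric value
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [uint64][BitConverter]::ToUInt32([byte[]]@($b[3], $b[2], $b[1], $b[0]), 0)
}
function Test-InAllowedPrefix([string]$Ip) {
    # True when $Ip falls inside any CIDR prefix of $AllowedPrefixes (IPv4 only)
    foreach ($prefix in $AllowedPrefixes) {
        $net, $bits = $prefix.Split('/')
        $mask = ([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF
        if (((ConvertTo-IPv4Number $Ip) -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)) { return $true }
    }
    return $false
}

# Fail early and visibly: New-NetRoute needs an elevated token, so log the reason instead of a silent error
if (-not (Test-IsElevated)) {
    Write-Log 'route-up aborted: process is not elevated'
    exit 1
}
$hostname = 'some.hostname.org'
$addresses = Resolve-DnsName -Name $hostname -Type A -ErrorAction Stop |
    Where-Object { $_.Name -eq $hostname -and $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress -Unique
foreach ($addr in $addresses) {
    if (-not (Test-InAllowedPrefix $addr)) {
        Write-Log "skipped $addr : outside the allowed prefixes"
        continue
    }
    try {
        New-NetRoute -DestinationPrefix "$addr/32" -InterfaceIndex $Env:DEV_IDX `
            -NextHop $Env:ROUTE_VPN_GATEWAY -PolicyStore ActiveStore -ErrorAction Stop | Out-Null
        Write-Log "added $addr/32 via $Env:ROUTE_VPN_GATEWAY"
    } catch {
        Write-Log "failed to add route for $addr : $($_.Exception.Message)"
    }
}
```

The log file shows at a glance whether a run stopped at the elevation check, skipped an address, or hit an error from New-NetRoute, which is the distinction the debug redirection in the original script was trying to recover.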