Manually creating route and OpenVPN server IP

Scripts which set up, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

sterfield
OpenVpn Newbie
Posts: 3
Joined: Thu May 02, 2013 10:11 pm

Manually creating route and OpenVPN server IP

Post by sterfield » Thu May 02, 2013 10:27 pm

Hi,

I'm currently using OpenVPN on a client station, which is a Debian 6 server.

I've managed to successfully connect to the server without a problem, but the server is pushing routes to my client, which "overrides" my default route and forces all the packets to be routed by the VPN, which is not what I want.

I want to force specific packets / applications to use the VPN, and the other ones my "normal" internet line. I've read several tutorials, and I think I'll manage to set up this configuration, using iptables and ip rule. So I've created another route table in my system, and I have refused the routes pushed by the server, using the "route-noexec" option.

My plan is to manually create my routes using a script ("route-up" option) and the "ip route" command, but there's a problem: my OpenVPN server "remote" option is a DNS name, which resolves to 6 different IP addresses. When I connect to the OpenVPN server, OpenVPN resolves the DNS name and randomly picks one of the six IPs.

How can I know which IP is being used to contact the server?
The "remote_{n}" environment variable is filled with the DNS name of the server, not the IP. And if I resolve the DNS name myself in order to get the server IP, I have five chances out of six of getting the wrong IP.

The only place I know where the IP is declared is in the log. I can parse it and retrieve the IP, but I'm looking for a more elegant solution.

Thanks for your help.

Sterfield

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Manually creating route and OpenVPN server IP

Post by janjust » Fri May 03, 2013 2:14 pm

I don't remember exactly, but the IP of the remote server is in one of the env vars; whenever I'm in doubt about things like this I use an 'up' script which does little more than

Code:

#!/bin/bash
env

and look for the remote endpoint IP address in the output.

sterfield
OpenVpn Newbie
Posts: 3
Joined: Thu May 02, 2013 10:11 pm

Re: Manually creating route and OpenVPN server IP

Post by sterfield » Fri May 03, 2013 3:10 pm

Hi,

Thanks for the tip, I should have thought of using 'env' way before.

There are indeed two variables which store the OpenVPN server IP:
  • untrusted_ip
  • trusted_ip

trusted_ip (or trusted_ip6)

Actual IP address of connecting client or peer which has been authenticated. Set prior to execution of --ipchange, --client-connect, and --client-disconnect scripts. If using ipv6 endpoints (udp6, tcp6), trusted_ip6 will be set instead.

untrusted_ip (or untrusted_ip6)

Actual IP address of connecting client or peer which has not been authenticated yet. Sometimes used to nmap the connecting host in a --tls-verify script to ensure it is firewalled properly. Set prior to execution of --tls-verify and --auth-user-pass-verify scripts. If using ipv6 endpoints (udp6, tcp6), untrusted_ip6 will be set instead.

I'm OK with using those variables, but I don't understand the meaning of the man page for those variables. What I understand is that those variables are filled with the IP of the "client", not the server. It may be true if you are on the server side, but apparently it's exactly the opposite when you are on the client side: it's the public IP of the server.

Am I right?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Manually creating route and OpenVPN server IP

Post by janjust » Fri May 03, 2013 3:16 pm

Yep, but it's documented for the server side mostly, as not a lot of people run extensive 'up' / 'route-up' scripts on the client side.

sterfield
OpenVpn Newbie
Posts: 3
Joined: Thu May 02, 2013 10:11 pm

Re: Manually creating route and OpenVPN server IP

Post by sterfield » Fri May 03, 2013 3:27 pm

OK, many thanks for your help.

I'll see about pushing a patch for the openvpn man page, in order to add two small lines to the descriptions of those variables. Something like "On the client side, this variable stores the public IP of the VPN server".
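
The setup discussed in this thread (pushed routes refused with "route-noexec", routes rebuilt in a "route-up" script from trusted_ip), as an added example that is not code from any poster or from the OpenVPN project. The table name "vpn", a pre-existing "ip rule" that sends marked packets to that table, and the function names is_ipv4 and build_routes are assumptions; the environment values are validated before they reach ip(8).

```sh
#!/bin/sh
# Added example: client-side route-up script for use with --route-noexec.
# Assumptions (not from the thread): table "vpn" is defined in
# /etc/iproute2/rt_tables and an "ip rule" already sends marked packets to it.
# OpenVPN exports trusted_ip, route_net_gateway, route_vpn_gateway, dev and
# script_type to the script.

VPN_TABLE="${VPN_TABLE:-vpn}"

# Strict dotted-quad check. The body is a subshell, so the IFS change stays
# local and "exit" only leaves the function.
is_ipv4() (
    case "$1" in ''|*[!0-9.]*|*.) exit 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in ''|????*|0?*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

# Print the ip(8) commands for the current environment, one per line.
# Prints nothing and returns 1 if any variable is missing or malformed.
build_routes() {
    is_ipv4 "${trusted_ip:-}" && is_ipv4 "${route_net_gateway:-}" &&
        is_ipv4 "${route_vpn_gateway:-}" || return 1
    case "${dev:-}" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#dev}" -le 15 ] || return 1
    # Traffic to the server endpoint itself stays on the normal uplink.
    echo "ip route replace $trusted_ip/32 via $route_net_gateway table $VPN_TABLE"
    # Everything else looked up in the VPN table leaves through the tunnel.
    echo "ip route replace default via $route_vpn_gateway dev $dev table $VPN_TABLE"
}

# Apply the routes only when OpenVPN invokes this file as its route-up script.
if [ "${script_type:-}" = "route-up" ]; then
    cmds=$(build_routes) || { echo "route-up: unusable environment" >&2; exit 1; }
    printf '%s\n' "$cmds" | while read -r cmd; do $cmd || exit 1; done
fi
```

With an IPv6 endpoint (udp6, tcp6) the quoted man page text says trusted_ip6 is set instead, which this IPv4-only check rejects.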
