--iroute vs --route vs "static routing" vs "iptables forward"

hamzen
OpenVPN User
Posts: 20
Joined: Mon Sep 26, 2011 11:20 pm

--iroute vs --route vs "static routing" vs "iptables forward"

Post by hamzen » Wed Apr 19, 2023 10:59 am

I have many separate OpenVPN v2.5.1 daemons running as "client groups" on a Debian 11 server
(currently reduced to 2 only, for this example)

server 10.11.3.0 255.255.255.0                      # this daemon's VPN pool
push "route 10.11.2.0 255.255.255.0 10.11.3.1 999"   # clients get the master group's subnet via this daemon's tun address, metric 999
dev tun
topology "subnet"
client-config-dir  /etc/openvpn/ccd                  # per-client config directory
client-to-client                                     # members of this group can talk to each other inside the daemon

server 10.11.4.0 255.255.255.0                      # next group's VPN pool
push "route 10.11.2.0 255.255.255.0 10.11.4.1 999"   # same pushed route, via this daemon's own tun address
# ... same ...
... +100 more ...

and one "master group"

server 10.11.2.0 255.255.255.0                      # master group's VPN pool

push "route 10.11.0.0 255.255.0.0 10.11.2.1 1112"   # clients get the whole 10.11.0.0/16 via this daemon, metric 1112

route-metric 1111                                   # metric applied to the server-side routes below
route 10.11.2.0 255.255.255.0 10.11.2.1             # server-side kernel routes, one per group, via each daemon's own tun address
route 10.11.3.0 255.255.255.0 10.11.3.1
route 10.11.4.0 255.255.255.0 10.11.4.1
route 10.11.5.0 255.255.255.0 10.11.5.1
# etc ...
client-to-client                                    # members of the master group can talk to each other inside the daemon

But I cannot reach any client from the master group.
I think "iroute" is not good here, because each group is running under a separate OpenVPN service. Is it?
What should I do differently?

Important:
- NO groups are allowed to go to the internet through the server itself!
- Client groups should NEVER be able to "see each other"

PS: Debian's current IP table:

Destination      Gateway            Netmask          Interface
default          193.201.***.***                     eth0
10.11.2.0                           255.255.255.0    tun1
10.11.2.0        10.11.2.1          255.255.255.0    tun1
10.11.3.0                           255.255.255.0    tun2
10.11.3.0        10.11.3.1          255.255.255.0    tun2
10.11.4.0                           255.255.255.0    tun3
10.11.4.0        10.11.4.1          255.255.255.0    tun3
10.11.250.0                         255.255.255.0    tun0
193.201.***.0                       255.255.255.0    eth0

Re: --iroute vs --route vs "static routing" vs "iptables forward"

Post by hamzen » Wed Apr 19, 2023 11:30 am

... pressed Submit accidentally too soon. Now edits are finished.

There is --pull included in the clients' configs, but it would be great if I did not have to do it one by one for 200+ clients. :-(
... but I guess it's a must, otherwise the 10.11.2.x route could not be pushed from the server. Could it?

BONUS task would be:
- if only the "clients of the MASTER group" were able to start connections to any "other clients", but not the reverse. (If that's even possible?)

Thank you very much in advance for any help!
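The three requirements of the first post (no internet through the server, client groups never see each other) and the bonus of the second (only the master group may initiate) are all decisions the server's kernel makes when it forwards a packet from one tun device to another, so they can be expressed as one FORWARD policy. The script below is an added example, not code from hamzen's posts or from the OpenVPN project. It assumes the interface mapping visible in the posted route table (tun1 carries the master group 10.11.2.0/24, tun2 and tun3 the client groups), leaves tun0 out because the posts say nothing about it, and uses function and variable names of its own. Because each group is a separate process, a packet from a master-group client to 10.11.3.x leaves the master daemon through tun1 into the kernel, which forwards it out tun2 only if this chain allows it; iroute plays no part in that hop, it only tells a single daemon which client owns a subnet behind that client.

```shell
#!/bin/sh
# Added example, not code from the original post: a kernel-side forwarding policy
# for several OpenVPN daemons on one Debian host, each with its own tun device.
# ASSUMED interface mapping, read off the route table in the post:
#   tun1 = master group 10.11.2.0/24; tun2, tun3 = client groups 10.11.3.0/24, 10.11.4.0/24
# tun0 (10.11.250.0/24) is not covered by the post's requirements and is left out.
# The function and variable names are this example's own.

MASTER_IF="tun1"
CLIENT_IFS="tun2 tun3"      # space-separated; extend with the other ~100 daemons' devices

# Print an iptables-restore(8) fragment for the filter table's FORWARD chain.
# Arguments: master interface, then one argument per client-group interface.
gen_forward_rules() {
    master="$1"
    shift
    printf '%s\n' '*filter'
    # Default deny for everything the kernel would forward between interfaces:
    # with no rule towards eth0, nothing reaches the internet through the server,
    # and with no rule between two client-group tun devices, the groups never see
    # each other.
    printf '%s\n' ':FORWARD DROP [0:0]'
    # Replies to connections that were already accepted may flow in either direction.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Only the master group may open NEW connections, and only into a client group,
    # so a client-group member cannot initiate towards the master group (the bonus).
    for cif in "$@"; do
        printf '%s -i %s -o %s %s\n' '-A FORWARD' "$master" "$cif" \
            '-m conntrack --ctstate NEW -j ACCEPT'
    done
    printf '%s\n' 'COMMIT'
}

# Enable IPv4 forwarding and load the generated FORWARD policy. Only the FORWARD
# chain is flushed, so INPUT/OUTPUT rules on the host are left alone; --noflush
# keeps the rest of the filter table while the ':FORWARD DROP' line sets the policy.
apply_forward_rules() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -F FORWARD
    # $CLIENT_IFS is deliberately unquoted so each interface becomes one argument.
    gen_forward_rules "$MASTER_IF" $CLIENT_IFS | iptables-restore --noflush
}

# "gen" only prints the ruleset for review; "apply" needs root.
case "${1:-}" in
    gen)   gen_forward_rules "$MASTER_IF" $CLIENT_IFS ;;
    apply) apply_forward_rules ;;
esac
```

After applying, `iptables -vnL FORWARD` shows per-rule packet counters: a ping from a master-group client to a tun2 client should increment the `-i tun1 -o tun2` rule, while the same ping started from the tun2 client should only raise the chain's DROP counter. Two caveats a practitioner should keep in mind: traffic between members of one daemon (its `client-to-client`) never leaves that process, so these rules do not see it and cannot restrict it; and the rules only decide forwarding on the server, so each client still needs a route to the other subnet, which is what the `push "route ..."` lines in the posted configs provide.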

Re: --iroute vs --route vs "static routing" vs "iptables forward"

Post by hamzen » Wed Apr 19, 2023 1:53 pm

OFF:
Where can I DONATE so this problem gets solved faster?
