--iroute vs --route vs "static routing" vs "iptables forward"
Posted: Wed Apr 19, 2023 10:59 am
I have many separated openvpn v2.5.1 daemons running as "client groups" on a debian 11 server
(currently reduced to 2 only, for this example)
... +100 more ...
and one "master group"
But I can not reach any client from the master-group.
I think "iroute" is not good here, because each group is running under a separated openvpn service. Is it?
What should I do differently ?
Important:
- NO groups are allowed to go to the internet through the server itself !
- Client groups should NEVER be able to "see each other"
PS: debian's current IP table:
(currently reduced to 2 only, for this example)
Code: Select all
server 10.11.3.0 255.255.255.0
push "route 10.11.2.0 255.255.255.0 10.11.3.1 999"
dev tun
topology "subnet"
client-config-dir /etc/openvpn/ccd
client-to-clientCode: Select all
server 10.11.4.0 255.255.255.0
push "route 10.11.2.0 255.255.255.0 10.11.4.1 999"
# ... same ...and one "master group"
Code: Select all
server 10.11.2.0 255.255.255.0
push "route 10.11.0.0 255.255.0.0 10.11.2.1 1112"
route-metric 1111
route 10.11.2.0 255.255.255.0 10.11.2.1
route 10.11.3.0 255.255.255.0 10.11.3.1
route 10.11.4.0 255.255.255.0 10.11.4.1
route 10.11.5.0 255.255.255.0 10.11.5.1
# etc ...
client-to-clientI think "iroute" is not good here, because each group is running under a separated openvpn service. Is it?
What should I do differently ?
Important:
- NO groups are allowed to go to the internet through the server itself !
- Client groups should NEVER be able to "see each other"
PS: debian's current IP table:
Code: Select all
Destination Gateway Netmask Interface
default 193.201.***.*** eth0
10.11.2.0 255.255.255.0 tun1
10.11.2.0 10.11.2.1 255.255.255.0 tun1
10.11.3.0 255.255.255.0 tun2
10.11.3.0 10.11.3.1 255.255.255.0 tun2
10.11.4.0 255.255.255.0 tun3
10.11.4.0 10.11.4.1 255.255.255.0 tun3
10.11.250.0 255.255.255.0 tun0
193.201.***.0 255.255.255.0 eth0