How to configure private subnets from command line?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
rajkwrites
OpenVpn Newbie
Posts: 3
Joined: Wed Jul 20, 2011 10:14 pm

How to configure private subnets from command line?

Post by rajkwrites » Wed Jul 20, 2011 10:31 pm

Hi,

I have an openvpn server setup and working on a linux box (RHEL 5.3). Now I want to add "private subnets" to the configuration. I could currently do this by going to the openvpn web admin user interface (by going to https://<ip address of the openvpn server>) and doing the following:

- Click on "VPN settings" from the menu on the left hand side.
- Under "routing" - under "Specify the private subnets to which all clients should be given access (as 'network/netmask_bits', one per line):" enter all the private subnets (one per line) to which I want to give access.
- Click on "Save settings"
- Click on "Update Running Server"

Now the changes take effect and all is well and done. This is when I do things through the web interface.

But now what I am trying to figure out is how to perform the same configuration I did above, directly by logging on to the openvpn server and then doing things from the command line. I need to be able to do this in order to automate the process of adding the private subnets to the configuration. I assume I can't automate by using the web interface, but only from command line directly on the server. I know we have this ovpn-init script that we could run in a batch mode and also that it has the following options. But there doesn't seem to be an option to configure the "private subnets" as I have described above.

Does anyone know a way of doing this? I tried hacking into the _ovpn-init script (which is python based), but it isn't working as expected, nor is it a good solution. I would appreciate any help/suggestions/ideas/guidance in this regard.

#ovpn-init --help
Usage: ovpn-init [options]

Options:
  -h, --help         show this help message and exit
  --verbose          If this argument is used, verbose output will be
                     generated.
  --force            If this argument is used, openvpn-as will be re-
                     initialized and all DBs will be wiped!
  --batch            If this argument is used, openvpn-as will run in batch
                     mode, and will not solicit input from the tty. You
                     should not use this option unless you have viewed the
                     EULA and agree to it (use the --view-eula option to view
                     the EULA). Using this option indicates your agreement
                     with the EULA.
  --host=HOST        Set the FQDN of this server for access from the internet.
  --ec2              Configure using Amazon EC2 user-defined metadata
  --secondary        If this argument is used, the node will be configured as
                     a secondary node, to be used for backup or standby
                     purposes.
  --no_reroute_gw    If this argument is used, client traffic will NOT be
                     routed by default through the VPN.
  --no_reroute_dns   If this argument is used, client DNS traffic will NOT be
                     routed by default through the VPN.
  --no_private       If this argument is used, private subnets will NOT be
                     accessible to clients by default.
  --local_auth       Use local authentication via internal DB
  --license=LICENSE  Optionally, specify an OpenVPN-AS license key
  --no_start         Don't automatically start the the Access Server daemon at
                     the conclusion of the script.
  --view-eula        View the EULA (End User License Agreement).

npt
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 13, 2018 11:45 am

Re: How to configure private subnets from command line?

Post by npt » Mon Jul 08, 2019 10:32 am

Hi,
Did you find any solution for this?
Thanks!

manekey
OpenVpn Newbie
Posts: 1
Joined: Mon Mar 16, 2020 7:02 am

Re: How to configure private subnets from command line?

Post by manekey » Mon Mar 16, 2020 7:10 am

Hey there,

I figured out how to do it, so I'm responding hoping that it will help someone else in the future.

Based on this list of configuration files, I managed to find the configuration key for private subnets, which is "vpn.server.routing.private_network.N", where N is a number starting from 0 and increments for multiple definitions.

So to add a private subnet to the list of configurations, do something along the lines of

    ./sacli --key "vpn.server.routing.private_network.N" --value "<cidr block>" ConfigPut

replacing N and <cidr block> with the appropriate values.

Make sure to restart the server afterwards with

    ./sacli start

P.S. In case you don't know, sacli is the command line utility provided by OpenVPN and is usually located in /usr/local/openvpn_as/scripts/sacli, though this might differ slightly based on the version or OS you're using.
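
Added example, not part of the posts above and not OpenVPN's own tooling: a shell script that automates the ConfigPut and start steps from the last post for a file of subnets, validating every entry before anything is passed to sacli. The function names, the DRY_RUN variable, the one-subnet-per-line file format and the refusal of a /0 prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example, not OpenVPN's tooling. Uses only the sacli calls from the post.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"  # usual path per the post
DRY_RUN="${DRY_RUN:-1}"  # assumption: print commands unless DRY_RUN=0

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# valid_cidr NET/BITS: succeed only for an aligned IPv4 network, prefix 1-32.
# Assumption: /0 is refused so a typo cannot open every network to all clients.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; bits=${1#*/}
    case "$bits" in ''|*[!0-9]*|0*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    ip=0
    for o in "$@"; do
        case "$o" in ''|0?*|????*) return 1 ;; esac  # no empty/padded octets
        [ "$o" -le 255 ] || return 1
        ip=$(( ip * 256 + o ))
    done
    [ $(( ip % (1 << (32 - bits)) )) -eq 0 ]  # host bits must be zero
}

# sync_subnets FILE: one subnet per line; blank lines and '#' comments skipped.
sync_subnets() {
    # Pass 1: reject the whole file before anything is written.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        valid_cidr "$line" || { echo "rejected: $line" >&2; return 1; }
    done < "$1"
    # Pass 2: write entries to keys .0, .1, ... then restart as the post says.
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        run "$SACLI" --key "vpn.server.routing.private_network.$n" \
            --value "$line" ConfigPut || return 1
        n=$(( n + 1 ))
    done < "$1"
    [ "$n" -gt 0 ] && run "$SACLI" start
}

if [ $# -gt 0 ]; then sync_subnets "$1"; fi
```

Keys numbered above the last index written are not touched, so entries left over from an earlier, longer list stay in the configuration until they are removed separately.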
