Difference "route" & "push route" commands
Posted: Thu Oct 20, 2011 2:08 am
by Holmes.Sherlock
Here is a sample server configuration file
Code:
port 1194
proto tcp
dev
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
client-config-dir CCD
push "route 10.0.1.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 10.0.3.0
nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Can anybody please tell me the difference between
&
Code:
push "route 10.0.2.0 255.255.255.0"
Re: Difference "route" & "push route" commands
Posted: Thu Oct 20, 2011 5:45 am
by Mimiko
is used to add to the local OpenVPN server's routing table only. It may be used on the OpenVPN server as well as on the client.
Code:
push "route 10.0.2.0 255.255.255.0"
is used only in the OpenVPN server's config to push the routes to clients. Instead of using the "route" command in every client's config, you can use one "push route" in the server config to do the same on all clients.
Re: Difference "route" & "push route" commands
Posted: Mon Oct 24, 2011 12:58 pm
by Holmes.Sherlock
Mimiko wrote:
is used to add to the local OpenVPN server's routing table only. It may be used on the OpenVPN server as well as on the client.
The first parameter is the network & the second one is the netmask. But what will the GATEWAY & INTERFACE of the added route be?
Re: Difference "route" & "push route" commands
Posted: Mon Oct 24, 2011 2:25 pm
by Mimiko
Interface will always be the tun. The gateway is the 3rd parameter. You could see the manual for the --route option.
Re: Difference "route" & "push route" commands
Posted: Mon Oct 24, 2011 4:48 pm
by Holmes.Sherlock
Mimiko wrote:Interface will always be the tun. The gateway is the 3rd parameter. You could see the manual for the --route option.
Regarding the default value of gateway, OpenVPN 2.0 manual says
Code:
--route network/IP [netmask] [gateway] [metric]
Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.
netmask default -- 255.255.255.255
gateway default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified.
The default can be specified by leaving an option blank or setting it to "default".
The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords:
vpn_gateway -- The remote VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
net_gateway -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).
remote_host -- The --remote address if OpenVPN is being run in client mode, and is undefined in server mode.
But I'm a bit confused as the following server.conf works without any error
Code:
port 1197
proto udp
topology subnet
dev tun
ca server/keys/ca.crt
cert server/keys/TeamReboot.crt
key server/keys/TeamReboot.key # This file should be kept secret
dh server/keys/dh1024.pem
server 10.11.0.0 255.255.255.0
ifconfig-pool-persist server/logs/ipp.txt
client-config-dir server/ccd
client-to-client
route 10.11.1.0 255.255.255.0
route 10.11.2.0 255.255.255.0
push "route 10.11.1.0 255.255.255.0"
push "route 10.11.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status server/logs/openvpn-status.log
log server/logs/openvpn.log
log-append server/logs/openvpn.log
verb 3
mute 20
But as you can see, I've used neither "--route-gateway" nor "--ifconfig". In this case, how'll it be interpreted?
Re: Difference "route" & "push route" commands
Posted: Tue Oct 25, 2011 5:23 am
by Mimiko
The packets for the 10.11.1 and 10.11.2 will end up on the VPN link. So it will never reach any device. "Route" instructs the server to send packets for this network to the VPN link, while "push route" instructs clients to send the same packets to the VPN interface too. Such a configuration is never used for any purpose but testing.
Re: Difference "route" & "push route" commands
Posted: Tue Oct 25, 2011 8:49 am
by Holmes.Sherlock
Mimiko wrote:The packets for the 10.11.1 and 10.11.2 will end up on the VPN link. So it will never reach any device.
I forgot to mention that I also used "iroute" statements in the --client-config-dir directory to instruct OpenVPN where it should forward packets destined for any private subnet residing behind a connected client.
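How "route", "push route" and the "iroute" entries mentioned in the last post fit together, as an added example that is not part of the original thread: a small Python audit that cross-checks a server config against its ccd files and reports subnets where one of the three is missing. The ccd contents and the client names siteA/siteC are constructed, and the script assumes dotted-quad networks and netmasks only.

```python
import ipaddress
import shlex

def directives(text):
    """Token lists per config line; '#' comments and blank lines are skipped."""
    lines = (shlex.split(l, comments=True) for l in text.splitlines())
    return [t for t in lines if t]

def network(addr, mask="255.255.255.255"):
    # Netmask default is 255.255.255.255, per the manual excerpt quoted above.
    return ipaddress.ip_network(f"{addr}/{mask}")

def audit(server_conf, ccd_files):
    """Return {subnet: [problems]}; ccd_files maps client name -> file text."""
    local, pushed, owner = set(), set(), {}
    for d in directives(server_conf):
        if d[0] == "route":                       # server's own routing table
            local.add(network(*d[1:3]))
        elif d[0] == "push" and d[1].startswith("route "):
            pushed.add(network(*d[1].split()[1:3]))  # sent to clients
    for client, text in ccd_files.items():
        for d in directives(text):
            if d[0] == "iroute":                  # subnet behind this client
                owner[network(*d[1:3])] = client
    report = {}
    for net in sorted(local | pushed | set(owner)):
        problems = []
        if net in local and net not in owner:
            problems.append("route without iroute: no client to forward to")
        if net in pushed and net not in owner:
            problems.append("pushed route without iroute: no client owns it")
        if net in owner and net not in local:
            problems.append("iroute without route: not in server's kernel table")
        report[str(net)] = problems
    return report

# Constructed sample: routing lines from the second server.conf in the thread,
# plus two hypothetical ccd files (client names siteA/siteC are made up).
SERVER_CONF = '''
route 10.11.1.0 255.255.255.0
route 10.11.2.0 255.255.255.0
push "route 10.11.1.0 255.255.255.0"
push "route 10.11.2.0 255.255.255.0"
'''
CCD = {"siteA": "iroute 10.11.1.0 255.255.255.0\n",
       "siteC": "iroute 10.11.3.0 255.255.255.0  # no matching route\n"}

if __name__ == "__main__":
    print(audit(SERVER_CONF, CCD))
```

With this sample, 10.11.1.0/24 comes back clean, 10.11.2.0/24 is flagged because no client declares it with iroute, and 10.11.3.0/24 is flagged because the server config has no route for it.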