openvpn routing
I've recently started using OpenVPN's subnet topology. This requires OpenVPN 2.1 on both ends of the tunnel, but it allows one IP per client instead of a /30 block and works on all platforms, unlike the old (and now deprecated) p2p topology.
EDIT: I should note that while topology subnet works with all platforms, and I have tested it with Linux, Mac and Windows clients, I have only tested topology subnet and the routing solution below on OpenVPN servers running on Linux.
I quickly ran into a snag with the subnet topology, however. The routes in my server-side OpenVPN config file no longer got created when OpenVPN was started, so networks behind connecting clients were unroutable. I checked the logs and found the following messages from when OpenVPN started:
OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network ...
If I changed back to topology net30, everything worked fine with the config as is, so the problem was definitely specific to the subnet topology. Googling led me to several unanswered queries and finally one solution:
http://openvpn.net/archive/openvpn-users/2007-08/msg00152.html
As the errors above indicate, you need to specify a gateway in the route command in the OpenVPN config file when using the subnet topology. But what should the gateway be? The person in the linked post chooses the obvious solution: the VPN IP of the client behind which the remote network resides. That works, but what if I don't have a specific IP set for that client? From the system routing table's point of view you only need traffic destined for the remote network to be routed to the VPN adapter, because OpenVPN has its own internal routing table and will take care of the rest. Therefore, simply using the VPN IP of the OpenVPN server as the gateway accomplishes this, and seems to me to be the best solution.
OpenVPN server config snippet:
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server takes the first address, 10.0.8.1, for itself.
server 10.0.8.0 255.255.255.0
# If a connecting client has a private subnet behind it
# that should also have VPN access, put client-specific
# settings in per-client files under the "ccd" subdirectory
# and use the route command to tell the system which
# IP(s) or networks are reached through the tunnel.
# route as used with net30 topology (no gateway needed):
route 10.0.55.0 255.255.255.0
# route as used with subnet topology (a gateway is required;
# the server's own VPN IP works):
route 10.0.55.0 255.255.255.0 10.0.8.1
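To catch this mistake before OpenVPN logs the error above, here is an added example (my own code, not from the original post or the OpenVPN project) that lints a server config: when topology subnet is in use it flags every route line that lacks a gateway and shows the corrected line, using an explicit route-gateway if one is set and otherwise the server's own VPN address derived from the server directive. The sample config is constructed for the example.

```python
"""Lint an OpenVPN server config for 'route' lines that will fail to parse
under 'topology subnet' because no gateway is given, and propose the fix."""
import ipaddress

# Constructed sample config (example input, not a real deployment).
SAMPLE_CONFIG = """\
topology subnet
server 10.0.8.0 255.255.255.0
# network behind a client, written the net30 way (no gateway)
route 10.0.55.0 255.255.255.0
# already carries a gateway, fine under either topology
route 10.0.66.0 255.255.255.0 10.0.8.1
"""

def parse_config(text):
    """Return (directive, args) tuples; '#' and ';' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#;':
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def server_vpn_ip(entries):
    """Gateway to use: an explicit route-gateway wins; otherwise the first
    host of the 'server' subnet, which OpenVPN assigns to the server itself."""
    for directive, args in entries:
        if directive == 'route-gateway' and args:
            return args[0]
    for directive, args in entries:
        if directive == 'server' and len(args) >= 2:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            return str(next(net.hosts()))
    return None

def check_routes(text):
    """List (original_line, corrected_line) for routes missing a gateway while
    topology subnet is active. Empty list means nothing needs fixing."""
    entries = parse_config(text)
    # net30 was the default topology when no 'topology' directive is present
    topology = next((a[0] for d, a in entries if d == 'topology' and a), 'net30')
    if topology != 'subnet':
        return []
    gw = server_vpn_ip(entries)
    fixes = []
    for directive, args in entries:
        if directive == 'route' and len(args) < 3:
            net, mask = args[0], (args[1] if len(args) > 1 else '255.255.255.255')
            fixes.append((' '.join([directive] + args), f"route {net} {mask} {gw}"))
    return fixes

if __name__ == '__main__':
    for bad, good in check_routes(SAMPLE_CONFIG):
        print(f"missing gateway: '{bad}'  ->  use: '{good}'")
```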
More configuration detail after the break...

