openvpn routing

Monday, February 16. 2009

I've recently started using OpenVPN's subnet topology. It requires OpenVPN 2.1 on both ends of the tunnel, but it gives each client a single IP instead of a /30 block and works on all platforms, unlike the old (and now deprecated) p2p topology.

EDIT: I should note that while topology subnet works with all platforms (I have tested Linux, Mac and Windows clients), I have only tested topology subnet and the routing solution below with OpenVPN servers running on Linux.

I quickly ran into a snag with the subnet topology, however: the routes in my server-side OpenVPN config file were no longer created when OpenVPN started, so the networks behind connecting clients were unroutable. I checked the logs and found the following messages from when OpenVPN started:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network ...


If I changed back to topology net30, everything worked fine with the config as-is, so the problem was definitely specific to the subnet topology. The reason is in the error message itself: under net30 the server's ifconfig has a point-to-point remote endpoint, which OpenVPN uses as the default gateway for its route directives, whereas under topology subnet the ifconfig carries a netmask instead, so no gateway is implied and each route needs one (either given explicitly or via route-gateway). Googling led me to several unanswered queries and finally one solution:
http://openvpn.net/archive/openvpn-users/2007-08/msg00152.html

As the errors above indicate, when using the subnet topology you need to specify a gateway in the route directive in the OpenVPN config file. But what should the gateway be? The person in the linked post chooses the obvious solution: the VPN IP of the client behind which the remote network resides. That works, but what if I don't have a fixed IP set for that client? From the system routing table's point of view you only have to get traffic destined for the remote network delivered to the VPN adapter, because OpenVPN has its own internal routing table (built from the iroute directives in the client-config-dir files) and will pick the right client from there. Therefore simply using the VPN IP of the OpenVPN server as the gateway accomplishes this, and seems to me to be the best solution. Both halves are needed: without the kernel route the traffic never reaches the tun interface, and without the matching iroute OpenVPN has no client to forward it to and will also drop packets arriving from that client with a source address in the remote network, since it does not know the client owns it.

OpenVPN server config snippet:

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.0.8.1 for itself.
server 10.0.8.0 255.255.255.0

# ...if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files and the route command to
# specify the specific IP(s) or connected networks.

# route used with net30 topology
route 10.0.55.0 255.255.255.0

# route used with subnet topology
route 10.0.55.0 255.255.255.0 10.0.8.1


This is my full OpenVPN server configuration:
############################
proto udp
dev tun

# PKI material. Only the CA certificate is public; the server
# key and the tls-auth key must stay secret.
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh2048.pem
# HMAC on the control channel; 0 is the server-side key direction.
tls-auth /etc/openvpn/server/ta.key 0 # This file is secret
# Reject clients whose certificates have been revoked.
crl-verify /etc/openvpn/server/crl.pem

# VPN pool; the server takes 10.0.8.1. With topology subnet each
# client gets one address from this /24 instead of a /30.
server 10.0.8.0 255.255.255.0
topology subnet

ifconfig-pool-persist ipp.txt

# Per-client files, named after the certificate common name.
# The iroute for 10.0.55.0/24 lives in there.
client-config-dir /etc/openvpn/server/ccd

# Kernel route: hand 10.0.55.0/24 to the tun interface via the
# server's own VPN address. The gateway is mandatory under
# topology subnet; OpenVPN's iroute table then picks the client.
route 10.0.55.0 255.255.255.0 10.0.8.1

keepalive 10 120
# Compression; later OpenVPN releases advise against enabling it.
comp-lzo
# Drop root privileges after startup. persist-key and persist-tun
# keep the key and tun device usable across restarts without them.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
############################


The client that is connected to 10.0.55.0/24 has the following in its client-config-dir file (the file is named after the common name of the client's certificate):
############################
iroute 10.0.55.0 255.255.255.0
############################
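Below is an added example, not code from the original post, that checks the two halves of this setup against each other: under topology subnet every route in the server config should carry a gateway, and every such route should be claimed by an iroute in some ccd file (and every iroute should have a matching route). The server config and ccd files are constructed in-memory strings; the client names branch-a and branch-b and the networks 10.0.66.0/24 and 10.0.77.0/24 are made up to give the checker something to report.

```python
"""Cross-check OpenVPN server-side 'route' lines against the ccd 'iroute' lines.

Added example, not code from the original post. The server config and the ccd
files are supplied as constructed in-memory strings; the client names
branch-a/branch-b and the networks 10.0.66.0/24 and 10.0.77.0/24 are invented
to give the checker something to flag.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the post's server config plus one route that still lacks
# a gateway, which is what triggers the "needs a gateway parameter" error
# under topology subnet.
SERVER_CONF = """\
proto udp
dev tun
server 10.0.8.0 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/server/ccd
route 10.0.55.0 255.255.255.0 10.0.8.1
route 10.0.66.0 255.255.255.0
"""

# Constructed sample ccd files, keyed by the client certificate common name.
CCD_FILES: Dict[str, str] = {
    "branch-a": "iroute 10.0.55.0 255.255.255.0\n",
    "branch-b": "iroute 10.0.77.0 255.255.255.0\n",
}


def parse_directives(text: str) -> List[List[str]]:
    """Split a config into [directive, arg, ...] lists, dropping '#'/';' comments."""
    out: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def network(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Build a network from OpenVPN's 'address netmask' argument pair."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def server_vpn_ip(directives: List[List[str]]) -> ipaddress.IPv4Address:
    """Under topology subnet the server takes the first host of the 'server' pool."""
    for d in directives:
        if d[0] == "server":
            return next(network(d[1], d[2]).hosts())
    raise ValueError("no 'server' directive found")


def check_routing(server_conf: str, ccd_files: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means route and iroute agree."""
    directives = parse_directives(server_conf)
    topology = next((d[1] for d in directives if d[0] == "topology"), "net30")
    gw = str(server_vpn_ip(directives))
    findings: List[str] = []

    # Kernel routes the server process adds at startup.
    routes: Dict[ipaddress.IPv4Network, Optional[str]] = {}
    for d in directives:
        if d[0] != "route":
            continue
        net = network(*d[1:3])
        routes[net] = d[3] if len(d) > 3 else None
        if topology == "subnet" and routes[net] is None:
            findings.append(
                f"route {net}: no gateway; under topology subnet use the "
                f"server's own VPN address {gw} (or set route-gateway)")

    # OpenVPN's internal routing table: which client owns which network.
    iroutes: Dict[ipaddress.IPv4Network, str] = {}
    for cn, text in ccd_files.items():
        for d in parse_directives(text):
            if d[0] == "iroute":
                iroutes[network(*d[1:3])] = cn

    for net in routes:
        if net not in iroutes:
            findings.append(
                f"route {net}: no ccd iroute claims it, so the server cannot "
                f"pick a client and will drop packets sourced from that network")
    for net, cn in iroutes.items():
        if net not in routes:
            findings.append(
                f"iroute {net} in ccd/{cn}: no matching server route, so the "
                f"kernel never hands that traffic to the tun interface")
    return findings


if __name__ == "__main__":
    for line in check_routing(SERVER_CONF, CCD_FILES) or ["OK: routes and iroutes agree"]:
        print(line)
```

To run this against a live server, read server.conf into a string and the files in client-config-dir into a dict keyed by filename, then call check_routing with those instead of the constructed samples.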

Comments

  1. Paul says:

    I'd be most grateful for some more info about your configuration. I've tried using the vpn gateway in the route command but I can only get access to the client subnet from the server if I use the client ip.
    I'm using Vista 64 with dev tun and topology subnet and I've just tried the latest openvpn - 2.1 rc19 with same results.
    Thanks in advance,
    Paul.

  2. ra says:

    Your OpenVPN server runs on Vista 64? I use/test Linux, Mac and Windows on the client side but all my OpenVPN servers run on Linux. I believe the routes should work the same on Windows but my experience with Windows OpenVPN servers is limited so I can't say for sure.

    I will test this out when I can but in the meantime I would check the routing table (route print) to make sure your routes get created properly in both cases, check your iroutes in the client config(s), and if everything else looks OK, perhaps use a traffic sniffer on the tunnel interface to see if the traffic leaves the server via the tunnel.

    I've updated my original post to make it clear I've tested this only with the OpenVPN server on Linux and I've included my full config.

