Hi all,

some things for the routing are important i think. The "route IP subnet" entry in the server.conf needs to be the same than the "iroute IP subnet" in ccd. The server.conf entry gives the kernel information to OpenVPN that this package should send through the tun interface, so "route IP subnet" activates the kernel based routing. The "iroute IP subnet" entry in ccd gives the information to the server which client is responsible for this subnet (internal routing of the server). The networks on both sides (behind server and client) needs to be appropriate configured. This should be no problem if the OpenVPN system on both sides are also the default-gateways of the netoworks. If they arenŽt it is important to make also the additional routing information for the respective other side, thereby both OpenVPN systems (client and server) can route the traffic to each other side. 

push "route IP subnet" provides the server networks for the other clients and their networks.

Also iŽam quiet unsure if iroute (with equal route settings) will route more than on network per ccd file. But in the worst case an SNAT from Client side can may also be a possibility.

i wasnŽt sure because of redirect-gateway if ccd take also the def1 flag or not, but as Michael find it out it seems like it doesnŽt. So there is the need to use redirect-gateway without an additional flag.

Next week i will also find some time to go for some testing rounds and i will report then the results here. 

Thanks both for information and work.

Greetings

Erik

      

Am 01.11.2012 um 16:17 schrieb Michael Tremer:

Okay, please re-use the old email thread. Everyone who replies to an
email about the CCD topic starts a new thread. Those get hard to follow.
Some even have subjects that just say "testing" which is pretty shit
when you are searching for something later.

On Thu, 2012-11-01 at 14:22 +0100, Alexander Marx wrote:

Dear List.

I put together a new package. Please be so kind and test it.

Especially  the routing functions should be tested.

Please try to enter INVALID ip-Addresses and try to test if my checks

work.

Typing multiple routes where one contains an error, the whole route
configuration gets reset.
Also the error message just says which route is invalid by numbering
them. The numbers didn't work for me.

I have spend a lot of time to implement the feature that there are

more than one route for each client.

The checks test every route if it already exists for the ovpn server

or for other clients. Even a check is

implemented if a route 10.10.10.0/24 exists and one tries to enter

10.10.10.0/23.

Here comes a function that checks if a route is within an already

given subnet. (very cool :-) )

The redirect gateway option does not work here. The client shows an
error message:

Options error: unknown --redirect-gateway flag: df1

When I change from a the dynamic lease pool to a statically assigned
address, I need to restart the OpenVPN server which is bollocks.
Can we just send a SIGHUP to it so changes in the CCD configuration
files are taken into account immediately?

When I don't enter an additional route, the route to the green network
is pushed and working fine.
In case I enter my green network, no route is set on the client at all.
I can enter the network that is configured on the CCD page which is kind
of superfluous.
None of the routes that have been set are visible on the client. They
just don't work.

As always please comment what your impressions are.

There is a major bug in FF. The table on the top of the OpenVPN main
page is stretched over the navigation. The navigation isn't usable
anymore. I would recommend to remove the restart button.

Michael

_______________________________________________
Development mailing list
Development@lists.ipfire.org
http://lists.ipfire.org/mailman/listinfo/development

Hi!

I am testing the last package i sent. I am not able to test all features in my network.
I tried the following:

created a roadwarrior and put him in the dynamic address pool. in the routes box i entered the network behind the roadwarrior

so the file in the ccd looks like this:

# OpenVPN Clientconfig from CCD extension by Copymaster#

#This client uses the dynamic network

#Client routes these Networks
iroute 172.1.1.0 255.255.255.0


I am able to connect the roadwarrior to the server and i get an ip from the dynamic pool. I can ping servers in the ipfire's network. now i expected to see a route  when doing a route print on the windows console.. But there is no entry :-(
from the ipfire server i can not ping the network. (The roadwarrior has 172.1.1.100 ) a ping is not working. I don't know why?! Maybe it does not work from the ipfirebox directly?

So i thought maybe theres something wrong with the ccd file (maybe it is not read)? 

Next test was:

i created a static network 20.20.20.0/24  and created another Roadwarrior with 172.1.1.0/24 in the routing box. Then i copied the clientpackage top the notebook and tried to connect.
Client gets connected successfully, and the assigned ip address is 20.20.20.5 ? it should be 6 or not?! But i can ping again servers in the ipfire's green network as expected. here's the config:


# OpenVPN Clientconfig from CCD extension by Copymaster#

#Ip address client and Server
ifconfig-push 20.20.20.5  20.20.20.6

#Client routes these Networks
iroute 172.1.1.0 255.255.255.0

But a route print does not show up the 172.1.1.0 route again... And i am not able to ping 172.1.1.100 from the ipfirebox.

What am i missing? The CCD files seem to work.


By the way: Please ignore the few designbugs (tables have borders, buttons are on the sidemenu)

Alexander Marx

Fachinformatiker Systemintegration

_______________________________________________
Development mailing list
Development@lists.ipfire.org
http://lists.ipfire.org/mailman/listinfo/development