From: David B. <Dav...@he...> - 2009-02-12 12:32:21
Replace in the client config:

route-nopull
route 80.244.x.x 255.255.255.255 net_gateway
route 0.0.0.0 0.0.0.0 vpn_gateway

with:

redirect-gateway def1

(you can also put it in the server config as: push "redirect-gateway def1")

Regards,
David

> -----Original Message-----
> From: Emrah [mailto:ek...@ek...]
> Sent: Wednesday, February 11, 2009 11:30 PM
> To: Jonathan Petersson
> Cc: David Balazic; <ope...@li...>
> Subject: Re: [Openvpn-users] How to force default gateway in bridge mode?
>
> Hi Jonathan, hi David,
>
> Thanks a lot for your help.
> Here are my config files:
> I masked the IP on purpose but feel free to ask me if you
> need them. Also, I'm running a dhcp server on the vpn network,
> that's why I didn't want openvpn to assign an IP for me.
>
> Thanks again for everything.
>
> Server config:
> # Tunnel options
> local 80.244.x.x
>
> #server-bridge x.x.34.2 255.255.255.0 x.x.34.200 x.x.34.240
>
> mode server # Set OpenVPN major mode
> proto udp # Setup the protocol (server)
> port 1194 # TCP/UDP port number
> dev tap0 # TUN/TAP virtual network device
> keepalive 15 60 # Simplify the expression of --ping
> daemon # Become a daemon after all initialization
> verb 3 # Set output verbosity to n
> comp-lzo # Use fast LZO compression
> push "route-gateway x.x.34.2"
> #push "redirect-gateway"
> user openvpn
> group openvpn
>
> # OpenVPN server mode options
> client-to-client # tells OpenVPN to internally route client-to-client traffic
> duplicate-cn # Allow multiple clients with the same common name
>
> # TLS Mode Options
> tls-server # Enable TLS and assume server role during TLS handshake
> ca ca.crt # Certificate authority (CA) file
> dh dh1024.pem # File containing Diffie Hellman parameters
> cert vpn.cavoon.net.crt # Local peer's signed certificate
> key vpn.cavoon.net.key # Local peer's private key
>
> #push "route x.x.34.0 255.255.255.0"
> # push "redirect-gateway def1"
> #push "dhcp-option DNS x.x.34.2"
> #push "dhcp-option DOMAIN vpn.cavoon.net"
> #push "dhcp-option ROUTERS x.x.34.2"
>
> persist-key
> #persist-tap
> Client config
> client
> dev tap
> ;dev-node MyTap
> proto udp
> ;proto tcp
> route-nopull
>
> route 80.244.x.x 255.255.255.255 net_gateway
>
> route 0.0.0.0 0.0.0.0 vpn_gateway
>
>
> # The hostname/IP and port of the server.
> # You can have multiple remote entries
> # to load balance between the servers.
> remote 80.244.x.x 1194
> ;remote my-server-2 1194
>
> ;remote-random
>
> resolv-retry infinite
> nobind
> ;user nobody
> ;group nobody
> persist-key
> persist-tun
> ;http-proxy-retry # retry on connection failures
> ;http-proxy [proxy server] [proxy port #]
> ;mute-replay-warnings
>
> ca ca.crt
> cert emrahkavun.crt
> key emrahkavun.key
>
> ;ns-cert-type server
> ;tls-auth ta.key 1
> ;cipher x
> comp-lzo
> verb 3
> ;mute 20
>
> On Wed, Feb 11, 2009 at 06:45:57AM -0800, Jonathan Petersson <jpe...@ga...> wrote:
> > On Feb 11, 2009, at 6:19, "David Balazic" <Dav...@he...> wrote:
> >
> > >Did you read its description?
> > >It says, that in TAP mode you must specify the desired
> > >gateway address with a route-gateway command.
> >
> > If enabling redirect gateway on the server in tap mode there isn't a
> > need to do this.
> >
> > Emrah, as David says, a copy of your config for server and client would
> > be useful.
> >
> > >Also you can post your config (and log) files, so we know
> > >what is going on and can advise you better.
> > >
> > >Regards,
> > >David
> > >
> > >>-----Original Message-----
> > >>From: Emrah [mailto:ek...@ek...]
> > >>Sent: Wednesday, February 11, 2009 11:31 AM
> > >>To: Jonathan Petersson
> > >>Cc: ope...@li...
> > >>Subject: Re: [Openvpn-users] How to force default gateway in bridge mode?
> > >>
> > >>Adding push "redirect-gateway" in my server config file does
> > >>not change the default gateway.
> > >>Any other idea?
> > >>
> > >>Thanks again.
> > >>On Tue, Feb 10, 2009 at 02:40:09PM -0800, Jonathan Petersson <jpe...@ga...> wrote:
> > >>>By pushing redirect-gateway OpenVPN will remove the current default
> > >>>route and replace it with whatever you push.
> > >>>
> > >>>With OpenVPN you can't really remove routes (with the exception of
> > >>>default gateway) only add unless you have an up/down-script on the
> > >>>client-side.
> > >>>
> > >>>/Jonathan
> > >>>
> > >>>On Tue, Feb 10, 2009 at 2:06 PM, Emrah <ek...@ek...> wrote:
> > >>>>Hi Jonathan,
> > >>>>
> > >>>>Thanks for your answer. Do you know how I can remove a route via OpenVPN then?
> > >>>>Your options are good because they do add the right routes but how do I
> > >>>>remove the existing default gateway before adding a new one?
> > >>>>
> > >>>>Regards,
> > >>>>Emrah
> > >>>>On Tue, Feb 10, 2009 at 01:39:52PM -0800, Jonathan Petersson <jpe...@ga...> wrote:
> > >>>>>I'm not sure how you would do this with an ISC DHCP server in the
> > >>>>>background but if you use the builtin DHCP server in OpenVPN you can
> > >>>>>add the following to the server-side config:
> > >>>>>
> > >>>>>push "dhcp-option redirect-gateway"
> > >>>>>
> > >>>>>This is however very easy to circumvent on the client-side by adding:
> > >>>>>
> > >>>>>route-nopull
> > >>>>>route remote_host 255.255.255.255 net_gateway
> > >>>>>route <corpnet> <netmask> vpn_gateway
> > >>>>>
> > >>>>>/Jonathan
> > >>>>>
> > >>>>>On Tue, Feb 10, 2009 at 11:59 AM, Emrah <ek...@ek...> wrote:
> > >>>>>>Hi OpenVPN guys,
> > >>>>>>
> > >>>>>>I have clients connecting to my OpenVPN server configured in bridge
> > >>>>>>mode and everything works perfectly fine.
> > >>>>>>However I'd like to add a new option to route all their traffic via
> > >>>>>>the gateway provided by the DHCP3-server from the OpenVPN server side.
> > >>>>>>How can I achieve that without having an Up script being executed
> > >>>>>>from the client side?
> > >>>>>>
> > >>>>>>Basically the process would be to do:
> > >>>>>>1 route add -host vpn_srv_ip our_current_gateway
> > >>>>>>2 route delete -net 0.0.0.0
> > >>>>>>3 route add -net 0.0.0.0 netmask 0.0.0.0 vpn_srv_ip
> > >>>>>>
> > >>>>>>Hope you understood what I'm trying to explain...
> > >>>>>>
> > >>>>>>Cheers, thanks in advance for your help.
> > >>>>>>--
> > >>>>>>Emrah KAVUN
> > >>>>>><ek...@ek...>
> > >>>>>>
> > >>>>>>------------------------------------------------------------------------------
> > >>>>>>Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM)
> > >>>>>>software. With Adobe AIR, Ajax developers can use existing skills and code to
> > >>>>>>build responsive, highly engaging applications that combine the power of local
> > >>>>>>resources and data with the reach of the web. Download the Adobe AIR SDK and
> > >>>>>>Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
> > >>>>>>_______________________________________________
> > >>>>>>Openvpn-users mailing list
> > >>>>>>Ope...@li...
> > >>>>>>https://lists.sourceforge.net/lists/listinfo/openvpn-users
> > >>>>>>
> > >>>>
> > >>>>--
> > >>>>Emrah KAVUN
> > >>>><ek...@ek...>
> > >>>>
> > >>
> > >>--
> > >>Emrah KAVUN
> > >><ek...@ek...>
> > >>
> >
> --
> Emrah KAVUN
> <ek...@ek...>
>
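
What `redirect-gateway def1` from the reply at the top of this message does to a client routing table, as an added example that is not part of the original thread: OpenVPN adds a host route to the server plus two /1 routes that win by longest-prefix match, so the existing default route never has to be deleted. All addresses are constructed stand-ins for the ones masked in the thread.

```python
import ipaddress

# Constructed stand-ins for the addresses masked in the thread.
REMOTE = "203.0.113.10"      # OpenVPN server (80.244.x.x in the thread)
NET_GATEWAY = "192.168.1.1"  # client's pre-VPN default gateway
VPN_GATEWAY = "10.8.34.2"    # gateway on the bridged VPN subnet (x.x.34.2)


def base_table():
    """Client routing table before the tunnel is up: (prefix, gateway, device)."""
    return [
        ("0.0.0.0/0", NET_GATEWAY, "eth0"),
        ("192.168.1.0/24", None, "eth0"),
    ]


def apply_redirect_gateway_def1(table):
    """Table once tap0 has an address and redirect-gateway def1 has run.

    Nothing is deleted; routes are only added.
    """
    return table + [
        ("10.8.34.0/24", None, "tap0"),         # on-link, from tap0's own address
        (REMOTE + "/32", NET_GATEWAY, "eth0"),  # tunnel packets stay off the tunnel
        ("0.0.0.0/1", VPN_GATEWAY, "tap0"),     # lower half of the IPv4 space
        ("128.0.0.0/1", VPN_GATEWAY, "tap0"),   # upper half of the IPv4 space
    ]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does; returns (gateway, device)."""
    addr = ipaddress.ip_address(dst)
    best = max(
        (r for r in table if addr in ipaddress.ip_network(r[0])),
        key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
    )
    return best[1], best[2]


def original_default_survives(table):
    """True if the pre-VPN default route is still there to fall back on."""
    return ("0.0.0.0/0", NET_GATEWAY, "eth0") in table


if __name__ == "__main__":
    after = apply_redirect_gateway_def1(base_table())
    for dst in ("8.8.8.8", "198.51.100.7", REMOTE, "192.168.1.50"):
        print(dst, "->", lookup(after, dst))
```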