Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Thanks for reading this. I'm trying to figure out how I could push routing from an OpenVPN host to an OpenVPN client using policy routing using ip rules and such.
Typically we just use ip protocol 4 (ipencap) but it appears the ISP now is filtering this. The encryption part of the VPN isn't really required and the IPs are public for the amateur packet radio network (ampr.org) which faces the global internet at UCSD.EDU. In short this would be used to bypass Source Address filtering where ipencap is being filtered.
I can get the IPs and routing passed *only* for 44/8 connectivity but global routing fails. I believe if I can push the following rules this may work:
n1uro@n1uro:~$ ip ru
0: from all lookup local
1: from 44.0.0.0/8 lookup 1
1: from all to 44.0.0.0/8 lookup 1
32766: from all lookup main
32767: from all lookup default
but so far I've been unsuccessful with the push.
Also with this policy I'd need to set a default route back to the server
if the client sources it's outbound with a 44-net IP. This works perfect using ipencap (pending no ISP blocks).
I need the server to push a specific statements to the client including
"ip rule add from x.x.x.x"
and "ip route add x.x.x.x via y.y.y.y dev tun0 table 44"
for example. It seems the only thing I can do is push a route to the main table.
ifconfig-push 44.88.0.203 44.88.0.1
push "route 44.88.0.0 255.255.255.0"
works but only for within 44/8. I need something that can define a policy
to the client so that when the tun0 interface comes up, even 0.0.0.0/0 will route IF
the client sources itself as 44.88.0.203. I can't pre-define this if the tun0 interface
is not up and active.
I suspect that you have passed beyond the design-intent of push in this case.
You are, after all, communicating a request to the OpenVPN client, to cause it to recognize the route and to issue the corresponding operating-system route commands in order to cause traffic to be sent to the tunnel. This isn't a generalized case on the order of, say, an ifup clause in /etc/network/interfaces. You aren't asking the client to "send an arbitrary command to the host," and I don't know of any way to do such a thing. I think that it's "out-of-scope for OpenVPN's purposes."
Last edited by sundialsvcs; 04-24-2017 at 10:38 AM.
Actually, I was sort of hoping the `push "statement"` could act as a way to execute a script of sorts. That would engage the policy
routing I'd need it to do once the tun device is configured... and you have it backwards. The server would tell the client "I see you now, so you are to engage policy routing". The client wouldn't send a command to the server at all.
Have you tried the 'redirect-gateway' directive in the config file of your clients???
This directive will instruct the clients to use your VPN connection as the default gateway, therefore they will use any policy routing that you configure in your server.
Have you tried the 'redirect-gateway' directive in the config file of your clients???
This directive will instruct the clients to use your VPN connection as the default gateway, therefore they will use any policy routing that you configure in your server.
Thanks for the reply, this isn't what I wish to do either... I really don't think there's a solution to what I'm looking for.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.