Thanks for reading this. I'm trying to figure out how I could push routing from an OpenVPN host to an OpenVPN client using policy routing using ip rules and such.

Typically we just use ip protocol 4 (ipencap) but it appears the ISP now is filtering this. The encryption part of the VPN isn't really required and the IPs are public for the amateur packet radio network (ampr.org) which faces the global internet at UCSD.EDU. In short this would be used to bypass Source Address filtering where ipencap is being filtered.

I can get the IPs and routing passed *only* for 44/8 connectivity but global routing fails. I believe if I can push the following rules this may work:
n1uro@n1uro:~$ ip ru
0: from all lookup local
1: from 44.0.0.0/8 lookup 1
1: from all to 44.0.0.0/8 lookup 1
32766: from all lookup main
32767: from all lookup default
but so far I've been unsuccessful with the push.
Also with this policy I'd need to set a default route back to the server
if the client sources it's outbound with a 44-net IP. This works perfect using ipencap (pending no ISP blocks).

Suggestions are welcome.

I don't really know what you mean by this. The server uses "push," and the client uses "pull?" Show us your config files.

I need the server to push a specific statements to the client including
"ip rule add from x.x.x.x"
and "ip route add x.x.x.x via y.y.y.y dev tun0 table 44"
for example. It seems the only thing I can do is push a route to the main table.

ifconfig-push 44.88.0.203 44.88.0.1
push "route 44.88.0.0 255.255.255.0"
works but only for within 44/8. I need something that can define a policy
to the client so that when the tun0 interface comes up, even 0.0.0.0/0 will route IF
the client sources itself as 44.88.0.203. I can't pre-define this if the tun0 interface
is not up and active.

I suspect that you have passed beyond the design-intent of push in this case.

You are, after all, communicating a request to the OpenVPN client, to cause it to recognize the route and to issue the corresponding operating-system route commands in order to cause traffic to be sent to the tunnel. This isn't a generalized case on the order of, say, an ifup clause in /etc/network/interfaces. You aren't asking the client to "send an arbitrary command to the host," and I don't know of any way to do such a thing. I think that it's "out-of-scope for OpenVPN's purposes."

Actually, I was sort of hoping the `push "statement"` could act as a way to execute a script of sorts. That would engage the policy
routing I'd need it to do once the tun device is configured... and you have it backwards. The server would tell the client "I see you now, so you are to engage policy routing". The client wouldn't send a command to the server at all.

Have you tried the 'redirect-gateway' directive in the config file of your clients???

This directive will instruct the clients to use your VPN connection as the default gateway, therefore they will use any policy routing that you configure in your server.

1 members found this post helpful.

Thanks for the reply, this isn't what I wish to do either... I really don't think there's a solution to what I'm looking for.