Client-server IP-only Networks
With OpenVPN, there are several flags for the redirect-gateway directive:
local: It doesn't set a direct route from the client to the server. It is useful only if the client and server are in the same LAN, such as when securing wireless networks.
bypass-dhcp: It adds a direct route to the local DHCP server. It is picked up automatically by Windows client. On other operating systems, a plugin or script is required.
bypass-dns: It adds a direct route to the local DNS server. It is also picked up by Windows client automatically and require a plugin or script on other other operating systems.
Split tunneling
In some cases, the redirect-gateway parameter is a bit too restrictive. You might want to add a few routes to local networks and route all other traffic over the VPN tunnel. The
OpenVPN route directive has a few special parameters for this:
net_gateway: This is a special gateway representing the LAN gateway address that OpenVPN determined when starting. For example, to add a direct route to the LAN
192.168.4.0/24, you would add the following to the client configuration file:
route 192.168.4.0 255.255.255.0 net_gateway
vpn_gateway: This is a special gateway representing the VPN gateway address. If you want to add a route that explicitly sends traffic for a particular subnet over the
VPN tunnel, overruling any local routes, you would add:
route 10.198.0.0 255.255.0.0 vpn_gateway: This option is used primarily in TAP-style networks where the VPN gateway address is not known in advance
See also
The recipe Server-side routing, where the basic setup of setting up server-side routing is explained.
Using an 'ifconfig-pool' block
In this recipe, we will use an ifconfig-pool block to separate regular VPN clients from administrative VPN clients. This makes it easier to set up different firewall rules for administrative users.
54
Chapter 2
Getting ready
We use the following network layout:
This recipe uses the PKI files created in the first recipe of this chapter. For this recipe, we used the server computer that was running the CentOS 5 Linux and OpenVPN 2.1.1. The VPN client Client was running the Windows XP and OpenVPN 2.1.1 and was on the 192.168.200.0 network. The VPN client Admin Client was running Fedora 12 Linux and OpenVPN 2.1.1 and was on the 192.168.202.0 network. For the Linux clients, keep the client configuration file basic-udp-client.conf from the recipe Server-side routing at hand.
How to do it...
1.Create the server configuration file:
proto udp port 1194 dev tun
mode server
ifconfig 192.168.200.1 192.168.200.2 ifconfig-pool 192.168.200.100 192.168.200.120 route 192.168.200.0 255.255.248.0
push "route 192.168.200.1"
push "route 192.168.200.0 255.255.248.0"
ca |
/etc/openvpn/cookbook/ca.crt |
cert |
/etc/openvpn/cookbook/server.crt |
55 
Client-server IP-only Networks
key |
/etc/openvpn/cookbook/server.key |
dh |
/etc/openvpn/cookbook/dh1024.pem |
tls-auth /etc/openvpn/cookbook/ta.key 0
persist-key persist-tun keepalive 10 60
user nobody group nobody
daemon
log-append /var/log/openvpn.log
client-config-dir /etc/openvpn/cookbook/clients
Then save it as example2-7-server.conf. Note that topology subnet is not used here.
2. Start the server:
[root@server]# openvpn --config example2-7-server.conf
3.The administrative VPN client will be assigned a special IP address:
[root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients [root@server]# cd /etc/openvpn/cookbook/clients
[root@server]# echo "ifconfig-push 192.168.202.6 192.168.202.5" \
>openvpnclient1
4.Note that the directory clients needs to be world-readable, as the OpenVPN server process will run as user nobody after starting up.
5.Next, start the Linux client using the configuration file from the earlier recipe:
[root@AdminClient]# openvpn --config basic-udp-client.conf
[…]
[openvpnserver] Peer Connection Initiated with openvpnserver:1194
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 192.168.202.6 peer 192.168.202.5
Initialization Sequence Completed
The IP address that is assigned to the administrative client is highlighted for clarity.
56
Chapter 2
6.Create a configuration file for the Windows client:
client proto udp
remote openvpnserver.example.com port 1194
dev tun nobind
ca |
"c:/program files/openvpn/config/ca.crt" |
cert |
"c:/program files/openvpn/config/client2.crt" |
key |
"c:/program files/openvpn/config/client2.key" |
tls-auth "c:/program files/openvpn/config/ta.key" 1
ns-cert-type server
Then save it as basic-udp-client.ovpn. Note the use of the forward slash ('/'), which is easier to use than the backslash ('\'), as the backslash needs to be repeated twice each time.
7.Transfer the ca.crt, client2.crt, client2.key files, and the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as winscp or the PuTTY pscp command-line tool.
8.Start the Windows client using the OpenVPN GUI:
Remember that this client's private key file is protected using a password or passphrase. After both the clients are connected, we verify that they can ping each other and the server (assuming that no firewalls are blocking access).
9. On the Admin Client:
[AdminClient]$ ping 192.168.200.1 [AdminClient]$ ping 192.168.200.102
10. And on the "regular" client:
[WinClient]C:> ping 192.168.200.1 [WinClient]C:> ping 192.168.202.6
57 
Client-server IP-only Networks
How it works...
A server configuration file normally uses the following directive to configure the range of
IP addresses for the clients:
server 192.168.200.0 255.255.255.0
This directive is internally expanded to the following:
mode server tls-server
ifconfig 192.168.200.1 192.168.200.2 ifconfig-pool 192.168.200.4 192.168.200.251 route 192.168.200.0 255.255.255.0
push "route 192.168.200.1"
So, by not using the server directive, but by specifying our own ifconfig-pool, we can override this behavior. We then use a CCD file to assign an IP address to the administrative client, which falls outside of the ifconfig-pool range. By using the appropriate route and push route statements, we ensure that all clients can "ping" each other.
There's more...
Configuration files on Windows
The OpenVPN GUI application on Windows always starts in the directory:
C:\Program Files\OpenVPN\config
Or, C:\Program Files(x86)\... on 64-bit versions of Windows. Thus, the directory paths in the basic-udp-client.ovpn configuration file can be omitted:
ca ca.crt cert client2.crt key client2.key tls-auth ta.key 1
Topology subnet
Note that in this recipe we did not make use of the following directive:
topology subnet
The subnet topology is still a new feature in OpenVPN 2.1 and it does not interact very well when using separate ifconfig-pool options.
58