Routing features - redirect-private, allow-pull-fqdn

Over the years, the routing features of OpenVPN have expanded. Most notably, there are quite a few options for the redirect-gateway directive, as well as several other less well-known routing directives:

  • redirect-private: This option behaves very similar to the redirect-gateway directive, especially when the new parameters are used, but it does not alter the default gateway.
  • allow-pull-fqdn: This allows the client to pull DNS names from the OpenVPN server. Previously, only IP addresses could be pushed or pulled. This option cannot be pushed and needs to be added to the client configuration itself.
  • route-nopull: All the options are pulled by a client from the server, except for the routing options. This can be particularly handy when troubleshooting an OpenVPN setup.
  • max-routes n: This defines the maximum number of routes that may be defined or pulled from a remote server.

In this recipe, we will focus on the redirect-private directive and its parameters, as well as the allow-pull-fqdn parameter.

Getting ready

We will use the following network layout:

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Windows 7 64 bit and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-Side routing recipe from Chapter 2Client-server IP-only Networks, as well as the client configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe from Chapter 2Client-server IP-only Networks.

How to do it...

  1. Append the following lines to the basic-udp-server.conf file:
            push "redirect-private bypass-dhcp bypass-dns" 
            push "route server.example.com" 
    
  2. Save it as example10-10-server.conf.
  3. Start the server:
    [root@server]# openvpn --config example10-10-server.conf
    
  4. Append the following line to the client configuration file, basic-udp-client.ovpn, and save it as example10-10.ovpn:
            allow-pull-fqdn 
    
  5. Start the client:
    How to do it...
  6. Watch the routing table after the connection has been established.

    If the DHCP or DNS server was on a different subnet than the client itself, then a new route will have been added. This is to ensure that DHCP requests still go to the local DHCP server and are not sent over the VPN tunnel.

    A route for the host server.example.com will have been added.

How it works...

The bypass-dhcp and bypass-dns options for the directives, redirect-gateway and redirect-private, cause the OpenVPN client to add an extra route to the DHCP and DNS servers if they are on a different network. In large-scale networks, the DNS server is often not found on the local subnet that the client is connected to. If the route to this DNS server is altered to go through the VPN tunnel after the client has connected, this will cause at the very least a serious performance penalty. More likely, the entire DNS server will become unreachable.

The allow-pull-fqdn directive enables the use of a DNS name instead of an IP address when specifying a route. Especially, if a dedicated route to a host with a dynamic IP address needs to be made, this is very useful.

Note that the allow-pull-fqdn directive cannot be pushed from the server.

There's more...

Apart from the directives explained in this recipe, there are more routing directives available to control if and how routes are added to the client.

The route-nopull directive

The route-nopull directive causes the client to pull all the information from the server but not the routes. This can be very useful for debugging a faulty server setup. It does not mean that no routes are added at all by the OpenVPN client. Only the routes that are specified using push "route" will be ignored. Starting with OpenVPN 2.4, it is also possible to filter out options that are pushed from the server to the client. The next recipe will go into detail on this.

The max-routes directive

The max-routes directive is introduced in OpenVPN 2.1, as version 2.1 allows an administrator to push many more routes when compared to OpenVPN 2.0. To prevent a client from being overloaded with routes, the option max-routes n is added, where n is the maximum number of routes that can be defined in the client configuration file and/or can pulled from the server.

The default value for this parameter is 100.

See also

  • The next recipe in this chapter, where options that are pushed from the server to the client are filtered before they are applied
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.137.166.252