Client Specific Override and route push
-
-
I have an OpenVPN server with the tunnel network set to 192.168.100.0/24... All good here - clients can connect without any problem. Nothing is set in the server's advanced options.
-
I have a CSC entry for one CN which overrides the IPv4 tunnel network to the address
and has in Advanced options:
After I connect to VPN server with that name - I get the proper IP assigned
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 192.169.1.2 netmask 255.255.255.0 destination 192.169.1.2
and see the below in my routing table
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
<skipped>
172.16.200.0    192.168.100.1   255.255.255.0   UG    50     0   0   tun0
<skipped>
but not the
172.16.200.0 192.169.1.1 255.255.255.0 UG 50 0 0 tun0
as I expected... What am I doing wrong?
-
-
Completely borked what you are doing there.
"With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server."-Rico
-
@CapitanBlack said in Client Specific Override and route push:
192.168.100.0/24
I'll try to explain what I'm trying to achieve (not what's wrong!):
As said above, I have a Remote Access (SSL+Auth) OpenVPN server with IPv4 tunnel network 192.168.100.0/24. Its config is pretty basic - all clients connect to it without any issues. The "IPv4 Local network(s)" parameter is set to an empty string. Nothing is set in the Advanced field.
I have two VPN users who must get IPs from two different tunnel /24 networks when connected to this VPN server, e.g.:
- user1 - gets .2 IP from tunnel network: 192.169.1.0/24
- user2 - gets .2 IP from tunnel network: 192.169.2.0/24
(this part works well - see the CSO exception below)
Then I use OpenVPN PBR firewall rules to route these subnets to two virtual interfaces, eg.
For all packets from 192.169.1.0/24 gateway is GW1 (192.168.130.1/24)
For all packets from 192.169.2.0/24 gateway is GW2 (192.168.140.1/24)(this part works well too)
These gateways are actually two separate Ubiquiti routers. Each of them has a physical interface with the subnet 172.16.200.0/24 and a few bare-metal hosts in it. router1 has a "return" static route for 192.169.1.0/24 and router2 has a "return" static route for 192.169.2.0/24.
The ultimate goal I have is to allow these two VPN users to access hosts in their respective 172.16.200.0/24 networks.
E.g. both users must be able to reach the IP 172.16.200.5, but each user communicates with its own respective bare-metal host.
Makes sense?
-
Still does not make any sense to me to use IPs outside the tunnel net. Those 192.169... addresses are not even RFC1918.
What's the problem with using fixed addresses INSIDE the server tunnel net and policy routing traffic out a different gateway with Firewall Rules?-Rico
-
@Rico said in Client Specific Override and route push:
Still does not make any sense to me to use IPs outside the tunnel net. Those 192.169... addresses are not even RFC1918.
What's the problem with using fixed addresses INSIDE the server tunnel net and policy routing traffic out a different gateway with Firewall Rules?-Rico
I will try. Thanks!
-
@CapitanBlack said in Client Specific Override and route push:
RFC1918.
Thanks bro. It's working now. I misunderstood the:
With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server.
I read it as - "network can be any but netmask must match"
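A small check for the rule quoted above, added here as an example and not part of the thread or of pfSense: it assumes subnet topology and a constructed set of overrides (the thread's two out-of-net addresses plus one corrected address), flags entries that fall outside the server's tunnel network or carry a different mask, and builds the ifconfig-push / push "route" lines OpenVPN reads from a client-config-dir file for a valid one.

```python
"""Validate OpenVPN Client Specific Override tunnel addresses.

Added example, not code from the thread or from pfSense. Assumes
'subnet' topology, where a per-client override must pick an address
INSIDE the server's IPv4 Tunnel Network and carry the same netmask.
"""
import ipaddress

SERVER_TUNNEL = ipaddress.ip_network("192.168.100.0/24")

# Constructed overrides: the thread's original (rejected) entries and a corrected one.
OVERRIDES = {
    "user1": "192.169.1.2/24",           # outside the tunnel net -> rejected
    "user2": "192.169.2.2/24",           # outside the tunnel net -> rejected
    "user1-fixed": "192.168.100.10/24",  # inside, same mask -> accepted
}


def check_override(cidr: str, tunnel=SERVER_TUNNEL) -> list[str]:
    """Return the problems with a CSO tunnel address; an empty list means OK."""
    iface = ipaddress.ip_interface(cidr)
    problems = []
    if iface.network.prefixlen != tunnel.prefixlen:
        problems.append(f"netmask /{iface.network.prefixlen} != tunnel /{tunnel.prefixlen}")
    if iface.ip not in tunnel:
        problems.append(f"{iface.ip} is not inside tunnel network {tunnel}")
    if iface.ip in (tunnel.network_address, tunnel.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address")
    return problems


def ccd_lines(cidr: str, routes=(), tunnel=SERVER_TUNNEL) -> list[str]:
    """Build the per-client config lines for a valid override.

    ifconfig-push sets the client's tunnel address; each push "route ..."
    hands the client a route (the thread wanted 172.16.200.0/24).
    """
    problems = check_override(cidr, tunnel)
    if problems:
        raise ValueError("; ".join(problems))
    iface = ipaddress.ip_interface(cidr)
    lines = [f"ifconfig-push {iface.ip} {iface.netmask}"]
    for r in routes:
        net = ipaddress.ip_network(r)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


if __name__ == "__main__":
    for user, cidr in OVERRIDES.items():
        problems = check_override(cidr)
        print(f"{user}: {cidr} -> {'OK' if not problems else '; '.join(problems)}")
```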
-
Glad you have it working now.
-Rico