OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

How subnet conflicts are resolved? #565

Open balck-paint opened 5 months ago

balck-paint commented 5 months ago

If two clients are configured with the same subnet segment, for example, client A and client B are both configured with ccd iroute push 192.168.2.0 255.255.255.0, and client C accesses 192.168.2.x, the server cannot determine whom to forward to. Can I implement specified forwarding? For example, what my c really wants to access is the subnet of client B.

clientA ccd

```
iroute 192.168.1.0 255.255.255.0
iroute 192.168.2.0 255.255.255.0
```

clientB ccd

```
iroute 192.168.1.0 255.255.255.0
iroute 192.168.2.0 255.255.255.0
```

clientC ccd

```
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
```

ordex commented 5 months ago

Hi, your sample CCD files do not truly match what you are saying. push "route X Y" is telling the client to add a route of what should be sent to the VPN. With your CCD files above you are telling all three clients to send traffic for those networks to the VPN server.

Now, what will the VPN server do with this traffic? Either this traffic has to go somewhere else (look up the system routing table) or should be redirected to another client. In the latter case (which is what I think you are referring to), the server needs directives called iroutes and that should be added to the CCD file of the client responsible for that network.

If multiple clients are responsible for the same network, I believe OpenVPN simply keeps the directive of the last client that connected to the server (basically it overwrites any previous directive).

Therefore it's up to you to resolve the conflict somehow.

OTOH, if you are using DCO on Linux, iroutes are implemented via the system routing table too. Maybe there you can do some tricks and allow similar routes to coexist.

balck-paint commented 5 months ago

@ordex Sorry, the configuration I gave was wrong. Corrected. But you understood it right: all I want to do is instruct the OpenVPN server to redirect to the client I really want to access. How do I do that? I don't have a clue; do you have any good ideas?

cron2 commented 5 months ago

The clients will be assigned unique IP addresses on the VPN interface anyway. So if you want to "access the client", use these.

If you want to access something on the LAN side of the client, and multiple clients use the same subnet, this is not something OpenVPN can fix for you - iroutes must be unique, or it will pick one or the other (first client to connect, or last client to connect, not sure, but "not determined by config").
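Both comments above come down to the same operational rule: the networks named by iroute must not be claimed by more than one client, because which client wins is not determined by the configuration. The script below is an added example (not part of the thread or of OpenVPN itself) that scans a client-config-dir for exactly that problem; the three CCD files are constructed to mirror the ones posted in the issue, and `load_ccd_dir` is a hypothetical helper for reading a real directory.

```python
# Added example: find iroute networks claimed by more than one client in an
# OpenVPN client-config-dir. The CCD contents below are constructed for the demo.
import ipaddress
from collections import defaultdict
from pathlib import Path

# Constructed sample CCD files, keyed by client common name (the ccd file name).
CCD_FILES = {
    "clientA": "iroute 192.168.1.0 255.255.255.0\niroute 192.168.2.0 255.255.255.0\n",
    "clientB": "iroute 192.168.1.0 255.255.255.0\niroute 192.168.2.0 255.255.255.0\n",
    "clientC": 'push "route 192.168.1.0 255.255.255.0"\npush "route 192.168.2.0 255.255.255.0"\n',
}


def parse_iroutes(text):
    """Return the IPv4 networks named by iroute lines in one CCD file.

    'iroute network [netmask]': the netmask is optional and defaults to a
    host route, as in OpenVPN. '#' and ';' start comments in OpenVPN configs.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "iroute":
            continue  # push "route ..." and other directives are not iroutes
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def find_iroute_conflicts(ccd_files):
    """Map each network (as 'a.b.c.d/len') claimed by >1 client to the client names."""
    owners = defaultdict(set)
    for client, text in ccd_files.items():
        for net in parse_iroutes(text):
            owners[str(net)].add(client)
    return {net: sorted(clients) for net, clients in owners.items() if len(clients) > 1}


def load_ccd_dir(path):
    """Hypothetical helper: read a real ccd directory into the same {name: text} shape."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


if __name__ == "__main__":
    for net, clients in sorted(find_iroute_conflicts(CCD_FILES).items()):
        print(f"conflict: {net} claimed by {', '.join(clients)}")
```

Running it on a real server is `find_iroute_conflicts(load_ccd_dir("/etc/openvpn/ccd"))`; any network it reports will be forwarded to whichever of the listed clients the server happens to keep.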

ordex commented 5 months ago

@balck-paint maybe you should start from scratch and think about the logic steps you'd need to determine what exact LAN you want to connect to. From there, you may be able to figure out how to implement that on your side.

You wrote "what my c really wants to access is the subnet of client B", but this is not something that can be converted to machine rules. What about other clients? Will the target LAN change over time? If yes, based on what? After answering all these questions you may be able to start thinking about the "how".

This said, I hardly believe OpenVPN alone can help you here.

schwabe commented 5 months ago

On 06.06.24 at 09:32, Gert Doering wrote:

> The clients will be assigned unique IP addresses on the VPN interface anyway. So if you want to "access the client", use these.
>
> If you want to access something on the LAN side of the client, and multiple clients use the same subnet, this is not something OpenVPN can fix for you - iroutes must be unique, or it will pick one or the other (first client to connect, or last client to connect, not sure, but "not determined by config").

Or you can have different subnets between client and server and map them with client-nat on the OpenVPN client side to the non-unique ones, but that is a setup that needs to be well planned and should be avoided in the first place.

Arne