[CentOS] IP forwarding and OpenVPN

Thu Nov 4 15:53:02 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 11/4/2010 10:09 AM, Bart Schaefer wrote:
>
>>> Maybe the simplest thing is to change the question:  How can I cause
>>> packets forwarded from my LAN to avoid the VPN and go out via the
>>> regular default route?
>>>
>> You can add a line like:
>>
>> push "route 192.168.144.0 255.255.255.0"
>>
>> to the server's configuration file.
>
> Thanks for the suggestion, but (1) I don't have control of the server
> configuration and (2) I'm not sure that would work anyway, as what I
> want is for packets that come *from* network 192.168.144.0 to (not) be
> routed over the VPN, except for those that originate from
> 192.168.144.1.

Normally routes work on the destination addresses, and if you don't want 
something to go there based on the source address, you block it with 
iptables.  It is possible to route based on source addresses, but if you 
need to do that, you are probably doing something wrong.

Can you explain what you are trying to accomplish as an end result? 
That is, is the 192.168.144.1 host a different machine than the one 
acting as the vpn gateway?   And what do you want to happen if some other 
machine tries to connect to the address(es) routed through the vpn? 
Normally the addresses routed through a vpn would be private so it 
doesn't make much sense to send them to your default internet gateway. 
If you are routing a public address through a vpn, then out some remote 
internet gateway, things get weird and will depend on appropriate NATing 
to work at all.

> Do I misunderstand what that push command will
> accomplish?

push route is an openvpn config statement on your end that tells the 
remote side to add the specified route (typically your LAN range) back 
through the tunnel when it comes up.

> Regarding (1) I do have a local openvpn-startup script that runs when
> the VPN comes up, to which I could add my own route or iptables
> commands.  In fact it currently contains:
>    iptables -A FORWARD -i tun+ -j ACCEPT
> which I should have mentioned before.

Does this mean you have control of one side of the connection?  Or that 
you have root access but someone else manages the openvpn config?

-- 
   Les Mikesell
     lesmikesell at gmail.com
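The two options Les lays out above (route by source address, or block by source address with iptables) in concrete form. This is an added example written for this page, not a script from the thread or from the OpenVPN project. It assumes the LAN is 192.168.144.0/24, the one host that should keep using the VPN is 192.168.144.1, the gateway's physical uplink is eth0, routing table 100 is free, and the script is run as an OpenVPN --route-up script so that OpenVPN has set $dev (the tun device) and $route_net_gateway (the default gateway that existed before the tunnel came up). The sample routing table at the bottom is constructed to look like a client after "redirect-gateway def1"; it is only used when the script is run outside OpenVPN.

```shell
#!/bin/sh
# Added example: policy routing so that packets forwarded from the LAN
# bypass the VPN, except those from one host. Assumed values below.
LAN=192.168.144.0/24      # assumed LAN range
VPN_HOST=192.168.144.1    # assumed host that must still use the tunnel
TABLE=100                 # assumed free routing table number

# Print the "ip" commands that build the bypass table.  $1 is the text of
# "ip route show table main", $2 the tun device, $3 the pre-VPN gateway.
# Every route that points at the tunnel is dropped, everything else is
# copied, and the default route is replaced by one via the old gateway.
bypass_commands() {
    main_table=$1; tun=$2; old_gw=$3
    printf '%s\n' "$main_table" | while IFS= read -r route; do
        case "$route" in
            "") continue ;;
            *" dev $tun"|*" dev $tun "*) continue ;;   # tunnel routes: skip
            default*) continue ;;                       # re-added last
        esac
        echo "ip route add table $TABLE $route"
    done
    # Added last so the gateway is already reachable inside the table.
    echo "ip route add table $TABLE default via $old_gw"
    # Rules are tried lowest priority number first: the exempt host is sent
    # to the main table (which holds the VPN routes) before the LAN-wide
    # rule diverts everyone else to the bypass table.
    echo "ip rule add from $VPN_HOST lookup main priority 999"
    echo "ip rule add from $LAN lookup $TABLE priority 1000"
}

# The iptables alternative: keep the routing as it is and refuse to forward
# LAN traffic into the tunnel unless it comes from the exempt host.  $1 is
# the outgoing interface match, e.g. "tun+".  The existing
# "-A FORWARD -i tun+ -j ACCEPT" rule only matches the return direction
# (-i), so these -o rules do not conflict with it.
block_commands() {
    echo "iptables -I FORWARD 1 -o $1 -s $VPN_HOST -j ACCEPT"
    echo "iptables -I FORWARD 2 -o $1 -s $LAN -j REJECT --reject-with icmp-net-unreachable"
}

# Constructed sample of "ip route show table main" on a client after
# "redirect-gateway def1": 0/1 and 128/1 via the tunnel, a host route to
# the VPN server (198.51.100.7) via the old gateway, and the LAN on eth1.
SAMPLE_MAIN_TABLE='0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
192.168.144.0/24 dev eth1 proto kernel scope link src 192.168.144.254
198.51.100.7 via 192.0.2.1 dev eth0
default via 192.0.2.1 dev eth0'

if [ -n "$dev" ] && [ -n "$route_net_gateway" ]; then
    # Running under OpenVPN --route-up: apply the policy routing for real.
    bypass_commands "$(ip route show table main)" "$dev" "$route_net_gateway" | sh
else
    # Not under OpenVPN: just show what would be run for the sample table.
    echo "# commands for the constructed sample table:"
    bypass_commands "$SAMPLE_MAIN_TABLE" tun0 192.0.2.1
    echo "# or, the iptables variant:"
    block_commands 'tun+'
fi
```

Pick one of the two: the routing variant makes the LAN's traffic leave through the normal default route, the iptables variant makes it fail with an ICMP error. The bypass table and the two rules are not removed by OpenVPN when the tunnel goes down, so a matching --route-pre-down script should run "ip rule del" for both rules and "ip route flush table 100". Both variants need the forwarding already shown in the thread (ip_forward=1 and the FORWARD accept rules), and the routing variant needs OpenVPN's script-security setting to allow running the script at all.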