Last updated: 2021-06-08
Contents
- Per Client config file
- push
- Client Side Configure(--pull)
- Example
- Windows client add route
- Android Client
Per Client config file
Where the per-client config files are kept:
client-config-dir /etc/openvpn/clients
If a client's X509 common name is "XXX", OpenVPN looks for a file of that name (the common name) in that directory:
/etc/openvpn/clients/XXX
Add ccd-exclusive to the server config if every client must have such a file; without it, clients with no file simply get the global settings.
push
--push option
Push a config file option back to the client for remote execution.
* option must be enclosed in double quotes ("")
* The client must specify --pull in its config file
Common settings
push-reset
Don't inherit the global push list for a specific client instance (used inside the client-config-dir file).
--ifconfig-push local remote-netmask
Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation.
(Equivalent to setting --ifconfig on the client side. With "topology subnet" the second argument is the netmask; with the older net30 topology it is the peer address of the /30.)
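The pieces above (client-config-dir, push-reset and ifconfig-push) are easy to get subtly wrong: a static address that collides with another client's file, or one that lies inside the server's dynamic ifconfig-pool range, only shows up as connection oddities later. The following audit script is an added example, not code from this page or from the OpenVPN project. The ccd file contents, the 10.8.0.0/24 server subnet and the 10.8.0.100-10.8.0.200 pool reservation are constructed assumptions; the character class used for common names is assumed to mirror OpenVPN's own remapping of CN characters and should be checked against the version you run.

```python
"""Audit an OpenVPN client-config-dir (ccd) for static-address problems.

Added example, not from the original page or the OpenVPN project. The ccd
file contents are constructed; SERVER_SUBNET and POOL are assumptions.
"""
import ipaddress
import re
import shlex

# Assumed server.conf fragment: "server 10.8.0.0 255.255.255.0" with
# "topology subnet" and the dynamic pool limited to .100-.200, leaving the
# rest of the subnet free for ifconfig-push statics.
SERVER_SUBNET = ipaddress.ip_network("10.8.0.0/24")
POOL = (ipaddress.ip_address("10.8.0.100"), ipaddress.ip_address("10.8.0.200"))

# Constructed ccd files keyed by the client's X509 common name (the file name
# OpenVPN looks up under client-config-dir).
CCD_FILES = {
    "alice": 'push-reset\nifconfig-push 10.8.0.10 255.255.255.0\n'
             'push "route 192.168.20.0 255.255.255.0"\n',
    "bob":   'ifconfig-push 10.8.0.10 255.255.255.0\n',   # duplicate of alice
    "carol": 'ifconfig-push 10.8.0.150 255.255.255.0\n',  # inside the dynamic pool
    "dave":  'ifconfig-push 10.9.0.5 255.255.255.0\n',    # outside the server subnet
    "erin":  'push "redirect-gateway def1"\n',            # no static address, fine
}

# Assumption: OpenVPN rewrites CN characters outside this set to '_' before the
# file lookup, so a file named after the raw CN would never be matched.
SAFE_CN = re.compile(r"^[A-Za-z0-9_.@-]+$")


def parse_ifconfig_push(text):
    """Return the address from the first ifconfig-push line, or None."""
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0] == "ifconfig-push" and len(words) >= 3:
            return ipaddress.ip_address(words[1])
    return None


def audit_ccd(files, subnet=SERVER_SUBNET, pool=POOL):
    """Return a sorted list of (cn, problem) findings for the ccd files."""
    findings = []
    seen = {}
    for cn, text in files.items():
        if not SAFE_CN.match(cn):
            findings.append((cn, "cn contains characters OpenVPN will rewrite"))
        addr = parse_ifconfig_push(text)
        if addr is None:
            continue
        if addr not in subnet:
            findings.append((cn, f"{addr} is outside the server subnet {subnet}"))
        elif pool[0] <= addr <= pool[1]:
            findings.append((cn, f"{addr} lies inside the dynamic pool {pool[0]}-{pool[1]}"))
        if addr in seen:
            findings.append((cn, f"{addr} already assigned to {seen[addr]}"))
        else:
            seen[addr] = cn
    return sorted(findings)


if __name__ == "__main__":
    for cn, problem in audit_ccd(CCD_FILES):
        print(f"{cn}: {problem}")
```

Run it against a real directory by replacing CCD_FILES with a dict built from the files under client-config-dir; the pool bounds must match the ifconfig-pool actually in use on the server.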
Client Side Configure(--pull)
--pull
This option must be used on a client which is connecting to a multi-client server.
It indicates to OpenVPN that it should accept options pushed by the server,
(note that the --pull option is implied by --client)
--pull allows the server to push routes to the client, so you should not use --pull or --client in situations
where you don't trust the server to have control over the client's routing table.
--route-nopull
When used with --client or --pull, accept options pushed by server EXCEPT for routes.
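The trust point above is the important one: with --pull (or --client) the server decides the client's routes, DNS and default gateway. Besides --route-nopull, OpenVPN 2.4+ offers --pull-filter accept|ignore|reject "text", which matches pushed options by prefix in the order the rules are written. The following simulation is an added example, not code from this page or from OpenVPN; it replays a constructed PUSH_REPLY (the same wire format that appears in server logs) through both mechanisms. The set of option classes that --route-nopull refuses is taken from the OpenVPN 2.4 manual (routes, dhcp-option and block-outside-dns) and is an assumption to verify against your version.

```python
"""Simulate how an OpenVPN client filters a server PUSH_REPLY.

Added example, not code from the original page or from OpenVPN. It models the
documented behaviour of --route-nopull and --pull-filter on a constructed
PUSH_REPLY; ROUTE_NOPULL_BLOCKED follows the 2.4 manual and is an assumption.
"""

# Constructed PUSH_REPLY in the format seen in server logs ("SENT CONTROL").
PUSH_REPLY = ("PUSH_REPLY,route-gateway 192.168.234.1,ping 3,ping-restart 60,"
              "route 192.168.123.0 255.255.255.0,redirect-gateway def1,"
              "dhcp-option DNS 192.168.234.1,ifconfig 192.168.234.2 255.255.255.0")

# Option classes --route-nopull refuses: routes, DHCP/DNS and block-outside-dns.
ROUTE_NOPULL_BLOCKED = {"route", "route-ipv6", "route-gateway", "route-metric",
                        "redirect-gateway", "redirect-private", "dhcp-option",
                        "block-outside-dns"}


class PullRejected(Exception):
    """A 'pull-filter reject' rule matched; the client would drop the session."""


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into its option strings."""
    head, _, body = msg.partition(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    return [opt.strip() for opt in body.split(",") if opt.strip()]


def apply_client_policy(options, route_nopull=False, pull_filters=()):
    """Return (accepted, ignored) after --route-nopull and --pull-filter rules.

    pull_filters is an ordered sequence of (action, prefix) pairs, as written in
    'pull-filter accept|ignore|reject "text"'; the first prefix match decides,
    an unmatched option is accepted, and a reject terminates the connection.
    """
    accepted, ignored = [], []
    for opt in options:
        if route_nopull and opt.split()[0] in ROUTE_NOPULL_BLOCKED:
            ignored.append(opt)
            continue
        action = "accept"
        for act, prefix in pull_filters:
            if opt.startswith(prefix):
                action = act
                break
        if action == "reject":
            raise PullRejected(opt)
        (accepted if action == "accept" else ignored).append(opt)
    return accepted, ignored


if __name__ == "__main__":
    opts = parse_push_reply(PUSH_REPLY)
    # A client that trusts the server for addressing but not for its default route.
    acc, ign = apply_client_policy(opts, pull_filters=[("ignore", "redirect-gateway")])
    print("accepted:", acc)
    print("ignored: ", ign)
```

The usual client-side hardening is exactly that last call: keep ifconfig and the specific routes, but ignore (or reject, to fail loudly) any pushed redirect-gateway so a compromised or misconfigured server cannot silently take over all of the client's traffic.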
Example
Set IP
push "topology subnet"
ifconfig-push 192.168.123.201 255.255.255.0
Route
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
DNS
Repeat this option to set secondary DNS server addresses.
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
Gateway
push "route-gateway 192.168.1.1"
--route-gateway GW-IP|dhcp
Specify the default gateway GW-IP used by routes added with --route (--route network/IP [netmask] [gateway] [metric]).
If "dhcp" is given instead, the gateway address is extracted from a DHCP negotiation with the OpenVPN server-side LAN.
push "redirect-gateway def1"
# If enabled, this directive configures all clients to redirect their default network gateway through the VPN,
# causing all IP traffic such as web browsing and DNS lookups to go through the VPN.
This option performs three steps:
(1) Create a static route for the --remote address which forwards to the pre-existing default gateway.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the VPN endpoint address
(derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
* When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.
Option flags:
local
Add the local flag if both OpenVPN endpoints are directly connected via a common subnet, such as with wireless.
The local flag causes step 1 above to be omitted.
def1
Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway.
block-local
Block access to local LAN when the tunnel is active, except for the LAN gateway itself.
This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel.
Windows client add route
If you have problems adding routes on Windows, make sure OpenVPN is started as administrator.
You may also need one of these options:
Client config
# changes how Windows adds a route
route-method exe
# waits before adding the route
route-delay
route-method and route-delay
* route-method and route-delay cannot be used in the per-client (client-config-dir) file; put them in the client's own config.
# Which method m to use for adding routes on Windows
route-method m
adaptive (default) -- Try IP helper API first. If that fails, fall back to the route.exe shell command.
ipapi -- Use IP helper API.
exe -- Call the route.exe shell command.
route-delay n
Delay n seconds (default=0)
The delay gives the DHCP handshake time to complete before routes are added (useful when the adapter is configured via DHCP).
Server
push "route 10.8.0.0 255.255.255.0"
Error
Log:
Tue May 05 10:06:04 2015 NOTE: FlushIpNetTable failed on interface [16] {?-?-?-?-?} (status=5) : Access is denied.
Fix:
openvpn-gui must be run with administrator privileges.
This is caused by UAC (User Account Control) on Windows Vista / 7 when OpenVPN tries to write to a protected folder.
(Right-click -> Run as Administrator)
If the problem is instead that the config file cannot be saved into the protected folder: Properties > Security tab > Advanced > Ownership tab, then back on the Security tab highlight "Users", click "Edit...", give it full control and apply; back out of the windows and you should be able to save.
Note that this grants every local account write access to the OpenVPN config directory (and so to any scripts those configs reference); prefer running the GUI elevated over loosening the ACL.
The pushed gateway and routes appear in the server log as the PUSH_REPLY sent to the client, e.g.:
... tim/x.x.x.x:1194 SENT CONTROL [tim]: 'PUSH_REPLY,route-gateway 192.168.234.1, ping 3,ping-restart 60, route 192.168.123.0 255.255.255.0, ifconfig 192.168.234.2 255.255.255.0' (status=1)
Android Client
* TAP mode is not supported on either Android or iOS; use --dev tun for mobile clients.