openvpn lan2lan





# By default clients will not see each other.

client to client

# 建立 route 去兩個 client 那裡去
# The server needs to route this IP range through the tunnel
# --route network [netmask] [gateway] [metric]
# Add route to routing table after connection is established.
# Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.



per client configure 的 iroute


# 自己那邊 IP

# 另一邊 IP


-- iroute only works with tun-style tunnels


--iroute options rejected for tim/ 

--iroute essentially defines a subnet which is owned by a particular client

Iroute does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. The iroute entry tells the openvpn server which client is responsible for the network. Without the iroute entry you will find the following in your logfiles:

    MULTI: bad source address from client [IP ADDRESS], packet dropped

IP ADDRESS in that case would be the machine on client LAN which tried to talk through vpn, because openVPN has no clue what that address is. Once you give it the iroute statement, that changes. Iroute is a route internal to openVPN, and has nothing to do with the kernel's routing table. It tells the openvpn server which client owns which network. Note that even if you only have 1 lan behind 1 client, YOU STILL NEED IROUTE. You will need it any time a clients source IP address is different from the IP given to it by the vpn server.

--iroute directive also has an important interaction with --push "route ..."

In order for all clients to see A's subnet, OpenVPN must push route(--route) to all clients EXCEPT for A, since the subnet is already owned by A(--iroute).


"comp-lzo" 的 per-user 設定

Server per client setting (--client-config-dir file)

comp-lzo yes
push "comp-lzo yes"

client side configure file:

# 即使是 "no" client 亦要有這設定
comp-lzo no


iptables -I INPUT -i tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT

Addressing Basics for Server/Client

  • subnet
  • net30
  • p2p


Static Address Assignment (ccd)


--ifconfig-push local remote-netmask [alias]

* Push  virtual  IP  endpoints  for  client tunnel
* overriding the --ifconfig-pool dynamic allocation.

It is possible to have the server allocate a static IP to a client based on its commonName. This is done by way of an


# ccd-dir/client1