OpenVPN: Routed mode > advanced options. Why limit only to Routed?

As it stands right now the advanced fieldset with the options "Route all client traffic through VPN" and
"Allow client-to-client network traffic" is only available for Routed mode, and I'm curious as to why it's just limited to the one. I can edit the config manually no problem, except if I change an option via the UI I'll need to make sure `push "redirect-gateway def1"` is put back into the config.

Usage scenario, NethServer 7:
I have NethServer sitting out there on a box with one NIC, so in order to utilize OpenVPN I need to create a bridge on a VLAN and use that VLAN with OpenVPN. As part of this scenario I would like to force all traffic through the VPN.

Just curious why it's limited; thoughts, comments, or am I just not utilizing this correctly?

Thanks!

Mainly because no one asked for it, since your scenario is a bit exotic :smiley:

@davide_marini did you know any other scenarios like this one?

Well, these options don’t make a lot of sense with “bridged” mode, at least to my understanding. I think if you need a bridged mode VPN this has to be a complex (and stable) network setup (VPN tunnel has to be up 100% of the time), so you should modify routing with the use of static routes.

I second that; I have issues where clients shouldn't have "standard" behaviour (e.g. most of the clients will use the gateway inside the tunnel, but one or two shouldn't). We may modify the client configuration by hand (and we usually do), for example to insert a route-up script to remove default gateway routes; but that would be much more useful if this information were managed inside the "account" configuration for each client, for example (so we are sure not to lose these settings if we need to recreate the VPN connection profile or settings change on the OpenVPN roadwarrior server). Also, if we need some networks to be available between clients, we need to check "allow client-to-client network", but we may want to disable some networks for some of the clients (again, a route-up script for each account will help).

Also, not necessarily all the green networks have to be routed via VPN (again, removing them in production with a route-up script, but an “Export network within VPN tunnel” option would be much welcome, for example in the advanced options of network interface configuration).

1 Like
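As an added illustration (not NethServer's generated configuration, and not the route-up script the post above describes), this is how plain OpenVPN in routed mode expresses the two UI checkboxes and the requested per-account exception using `client-config-dir`, where the exception client gets the usual routes but not the redirected default gateway. The subnet 192.168.1.0/24, the ccd path and the client name are assumed placeholders.

```conf
# --- /etc/openvpn/server.conf (routed mode, excerpt) ---
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

# UI option "Route all client traffic through VPN"
push "redirect-gateway def1"

# UI option "Allow client-to-client network traffic".
# Caveat: with this set, traffic between clients is switched inside the
# OpenVPN process and never traverses the host firewall, so per-client
# filtering rules on the server have no effect on it.
client-to-client

# Example route to a "green" network (constructed placeholder)
push "route 192.168.1.0 255.255.255.0"

# Per-client overrides: one file per client, named after the certificate CN
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/laptop-exception (assumed client CN) ---
# Drop the global push list for this client only (this discards
# "redirect-gateway def1"), then push back just what it still needs.
push-reset
push "route 192.168.1.0 255.255.255.0"
# Optional: pin this client to a fixed tunnel address (topology subnet)
ifconfig-push 10.8.0.10 255.255.255.0
```

Because the exception lives in a server-side file keyed to the client's certificate name, it survives regenerating the client's .ovpn profile, which is the point raised in the post.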

I can't say I'm an expert on OpenVPN implementation, so if it doesn't make sense to have that for the bridged mode I'll take your word for it.

Maybe an advanced options text box at the end that will put what is inside of it into the config file would work out even better in the long run?

Nor am I :wink:

Bridged mode is mainly different from routed mode because you have VPN on Layer 2 of the ISO/OSI stack. And if you really need stuff to be taken at L2 on two different geographical sites, well, you probably need it all the time and not “on demand”. Other stuff at L3 and up can be managed with routed-mode and some tweaks to the configuration.

For most cases, that may be sufficient, but this will open up a “hole” that can be abused there and still doesn’t cover the different configuration needed at client side.

1 Like