Prevent pushing BLUE in BLUE

When a RoadWarrior connects I’ve set up to push routes for GREEN and BLUE to the client.

This works well if the client connects from outside via the RED interface. But if he connects from the BLUE network, OpenVPN also pushes the route for BLUE.

Getting a BLUE route pushed in the BLUE network causes issues. When now trying to access the green network it uses a BLUE interface instead of the OpenVPN adapter and packets are dropped.

If I remove the BLUE network from the client settings in the web control panel, the client can work without problems within the BLUE network. But now of course if he connects externally he has no route to the BLUE network anymore.

So is there a way to avoid pushing the BLUE route when the VPN connection comes from blue? I mean this doesn’t make sense anyway.

My workarounds so far:

  • Create a separate RoadWarrior for external and internal connection (Causes management overhead on the ipfire-side)
  • Always leave out the BLUE network when pushing routes from server, and manually add the route in the openvpn client config

When a client connects to the server (or before it disconnects), it is possible to configure OpenVPN to instruct the client to run a script on its side. Several languages are supported, including shell scripting, Windows batch, or even Python (if I remember correctly). Maybe you can use this feature to write a script on the client side that checks its IP address; if it is in the blue range, it deletes all the routes and adds back the green one. I would recommend this book for clear explanations (at least for me) on how to use these more advanced features.


Thanks for your input. I had a look at the documentation, but I think this would be overkill. It would be great if IPFire had an option for this out of the box.

Actually, I think the way to go is to elicit a server-side script and not a client-side one. When a client connects, that script is called by the server using the `--learn-address` directive, and it tests the IP address of the client and decides what route to push. In the book I suggested there is an example of a server-side script that could test the IP of the client. When the client connects, that information goes to an environment variable that can be retrieved by a shell script and used in an if statement that echoes back to the server a push instruction. This variable, according to the author of the book, should be $2, which is the second argument used by the client in the connection.
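The server-side idea from the post above, sketched as an added example that is not part of the original thread or of IPFire: a hypothetical `--client-connect` hook (used here instead of `--learn-address`, since OpenVPN applies the file this hook writes as per-client configuration) that removes the BLUE route when the client's source address lies inside BLUE. `BLUE_NET`, `BLUE_MASK` and the function names are assumptions, the route is assumed to be pushed as `route <BLUE_NET> ...`, and `push-remove` needs OpenVPN 2.4 or later.

```shell
#!/bin/sh
# Added example: hypothetical OpenVPN --client-connect hook (not IPFire code).
# OpenVPN exports the client's real source address as $trusted_ip and passes
# a temp file as $1; directives written there apply to this client only.

# Assumed BLUE network (constructed values, adjust to your setup).
BLUE_NET="192.168.2.0"
BLUE_MASK="255.255.255.0"

# ip_to_int A.B.C.D -> 32-bit integer on stdout
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET MASK -> exit status 0 when IP lies inside NET/MASK
in_net() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# client_directives SRC_IP -> per-client config lines on stdout
client_directives() {
    case $1 in
        ''|*[!0-9.]*) return 0 ;;   # empty or not IPv4: change nothing
        *.*.*.*) ;;
        *) return 0 ;;
    esac
    if in_net "$1" "$BLUE_NET" "$BLUE_MASK"; then
        # Client is already on BLUE: remove the pushed BLUE route.
        echo "push-remove \"route $BLUE_NET\""
    fi
}

# Hook entry point: only acts when OpenVPN supplied both inputs.
if [ -n "${trusted_ip:-}" ] && [ -n "${1:-}" ]; then
    client_directives "$trusted_ip" >> "$1"
fi
```

Running hook scripts requires `script-security 2` on the server, so the script file should be owned by root and not writable by other users.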

The man page shows in its documentation some script-like syntax, which would be the best option in my opinion. If this doesn’t work I can try the shell script instead.

Reading the manual, it says that a --server statement expands to a script-like syntax with if statements. To me it sounds like an internal thing, not an API you can use. However, I don’t know what I am talking about. If you figure it out, I will be very happy if you let our community know.

Thought.
VPN to green.
?
Can you add a firewall rule for VPN access to Blue?
This still could be a problem?
1 Mac address 2 ips. In Blue zone.
This may be unroutable.
Perhaps Split tunnel

And

VPN already has access to blue. I also don’t think that a firewall rule will help when there is a routing issue.

Although I haven’t tried it I think this would be the solution to the problem.

One question.
Did your problems occur after following the instructions below?

" Note!
If you want to have a OpenVPN connection to the blue interface, you will need to do some manual configuration"

From:

Yes. I always create a copy of the config file for the blue access and uncomment the line as described.

About commenting the remote directive: it is possible to have two lines not commented. OpenVPN will try both, one at a time, until it finds a connection. This way you can use only one configuration file for both cases, inside or outside the LAN.
