OpenVPN
CCD
client-config-dir <path>
- Client-specific configuration
- When client connected, OpenVPN will look in this directory for a file having the same name as the client's X509 common name, and add to server config
Site to Site
- Server:
10.10.0.0/24 - Client 1:
10.10.1.0/24 - Client 2:
10.10.2.0/24
Server side
# server.ovpn
# ...
# Add route to server kernel
# Route this network from kernel to OpenVPN
route 10.10.1.0 255.255.255.0
route 10.10.2.0 255.255.255.0
# Tell client to route this network over the VPN
push "route 10.10.0.0 255.255.255.0"
push "route 10.10.1.0 255.255.255.0"
push "route 10.10.2.0 255.255.255.0"
# Allow Client to Client
client-to-client
client-config-dir ccd
- Use CCD to add
iroute - Without
iroute, OpenVPN doesn't know where to forward the client network, and OpenVPN will drop the packet iroutemust be in CDC context, OpenVPN need to know which client own the network- If
iroute x.x.x.xmatchpush "route x.x.x.x", OpenVPN will not push the route
# ./ccd/<Client 1 X509 common name>
iroute 10.10.2.0 255.255.255.0
# ./ccd/<Client 2 X509 common name>
iroute 10.10.3.0 255.255.255.0
- WireGuard VPN is simpler