Tonight I asked a question in the OpenVPN IRC channel on FreeNode.
me: I’m getting ready to set up a new server, running an OpenVPN client. It will be running several virtual machines (FreeBSD Jails). Each VM will have both a public IP address and a non-routable IP address. I’m hoping to access all those VMs from within the VPN. Am I making sense with my objective here?
reply: “clientlan” is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png <== both flowcharts are the same
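The four pieces the IRC reply lists (client-side IP forwarding, the server's kernel route plus pushed route, the ccd file with an iroute, and the route on the LAN router), written out as a small FreeBSD-flavoured sh script. This is an added example, not the author's configuration; every address, the `jailhost` CN and the `ccd` directory name are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample values (not from the original post): adjust to your network.
VPN_NET=10.8.0.0            # OpenVPN tunnel network ("server" directive)
VPN_MASK=255.255.255.0
CLIENT_CN=jailhost          # CN in the jail host's client certificate
CLIENT_LAN=10.100.0.0       # non-routable network the jails live on
CLIENT_MASK=255.255.255.0
CLIENT_LAN_IP=192.168.1.20  # jail host's address on its physical LAN

# Refuse overlapping tunnel and jail networks: the server cannot route the
# same prefix both into the tunnel and behind one client.
validate_subnets() {
    [ "$1" != "$2" ] || { echo "client LAN must differ from VPN network" >&2; return 1; }
}

# server.conf additions: kernel route on the server, the same route pushed
# to the other clients, and the directory holding per-client files.
server_conf_lines() {
    printf 'route %s %s\n' "$CLIENT_LAN" "$CLIENT_MASK"
    printf 'push "route %s %s"\n' "$CLIENT_LAN" "$CLIENT_MASK"
    printf 'client-config-dir ccd\n'
}

# ccd/<CN>: iroute tells OpenVPN which connected client owns the LAN. Without
# it the kernel route above points into tun, but OpenVPN drops the packet.
ccd_entry() {
    printf 'iroute %s %s\n' "$CLIENT_LAN" "$CLIENT_MASK"
}

# FreeBSD client side: enable IP forwarding now and across reboots.
client_forwarding_cmds() {
    printf 'sysctl net.inet.ip.forwarding=1\n'
    printf 'sysrc gateway_enable=YES\n'
}

# Return route on the LAN router so LAN hosts can answer tunnel addresses.
# Needed only when the LAN has its own router; jails that share the host's
# network stack already use the host's routing table, including the tun route.
lan_router_route() {
    printf 'route add -net %s -netmask %s %s\n' "$VPN_NET" "$VPN_MASK" "$CLIENT_LAN_IP"
}

# Dry run: print each fragment with the file or host it belongs to.
main() {
    validate_subnets "$CLIENT_LAN" "$VPN_NET" || exit 1
    echo "# --- append to server.conf ---"; server_conf_lines
    echo "# --- ccd/$CLIENT_CN ---"; ccd_entry
    echo "# --- run on $CLIENT_CN ---"; client_forwarding_cmds
    echo "# --- run on the LAN router ---"; lan_router_route
}
main "$@"
```

The script only prints the fragments; review them, then paste each block into the file or shell it is labelled for.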
This will make administration and backups much easier.
Yes, this is all about: FreeBSD, ZFS, Jails, Bacula, Ansible, OpenVPN, ezjail, pkg, and poudriere.
I’m very excited about all this. It’s such a great combination which lends itself to much easier upgrades and maintenance.
NOTE: I’ve implemented this, and blogged about it.