I am testing the creation of an enforced default route of only public IPv4 space via OpenVPN. OpenVPN does not support
'iroute 0.0.0.0 0.0.0.0' out of the box, because it contains code that rejects it. But if you remove that code and get iroute 0.0.0.0 to work, logically the connection times out after a while because OpenVPN gets confused.
I found out that the minimal range to iroute is a /4. So if you want to divide all IPv4 space into /4 blocks, you end up with 16 blocks ranging from 0.0.0.0 to 255.255.255.255. But this contains all routable and unroutable IPs... so the list needs to be further delimited.
Because of a non-generic setup I cannot use redirect-gateway stuff. That's why I am looking for a list of subnets, as short as possible, of the public IP ranges that exist. The list has to exclude ranges that are reserved (and my own server's public IP/32). Basically, I'd like to have a list of the opposite of RFC 5735 (page 6).
Does such a list exist and/or how can one be generated?
Why are you using 'iroute'? I just have 'push "route 0.0.0.0 0.0.0.0"' in my OpenVPN server config and it works great (well, I need to knobble the default route that comes out of DHCP, but that's trivial).

Update: I decided to write a program to solve the problem of inverting a list of CIDR blocks. You can get it from https://github.com/plugwash/cidrinverse
Running the program on the list of blocks from RFC 5735 gives a list of 111 CIDR blocks. I won't paste the full list here, but you can easily re-run the program yourself if you wish.
Note: there have been some additional special registrations since that document was released; also, some "special" ranges are used on the public internet (for example 192.88.99.0/24).
But anyway, let's say we want to find a list of CIDR masks for all space that RFC 5735 does not consider special.
The list in RFC 5735 is already sorted, so we can easily work through the list and write down the ranges of IPs in between.
We can translate each of these ranges to a list of CIDR masks by using the "netmask" command line tool, as suggested at "CIDR Ranges for Everything except RFC1918".
I haven't processed the full list, but from trying a couple of the ranges I guess it will have somewhere around 60 entries.
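The inversion the answer above describes, as an added example in Python. This is not plugwash's cidrinverse program and not code from the original page: it starts from the RFC 5735 summary-table blocks, merges any overlaps, walks the sorted list and emits the minimal CIDR blocks for every gap using ipaddress.summarize_address_range, then formats the result as OpenVPN 'route'/'iroute' lines with dotted netmasks. The server address 192.0.1.1/32 is a constructed placeholder standing in for your own public /32.

```python
import ipaddress
from typing import Iterable, List

# Special-use IPv4 blocks from the summary table in RFC 5735, section 4.
RFC5735_SPECIAL = [
    "0.0.0.0/8",          # "this" network
    "10.0.0.0/8",         # private use
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link local
    "172.16.0.0/12",      # private use
    "192.0.0.0/24",       # IETF protocol assignments
    "192.0.2.0/24",       # TEST-NET-1
    "192.88.99.0/24",     # 6to4 relay anycast
    "192.168.0.0/16",     # private use
    "198.18.0.0/15",      # benchmark testing
    "198.51.100.0/24",    # TEST-NET-2
    "203.0.113.0/24",     # TEST-NET-3
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # reserved for future use
    "255.255.255.255/32", # limited broadcast (already inside 240/4)
]

# Constructed placeholder for the VPN server's own public address.
MY_SERVER = "192.0.1.1/32"


def invert_cidrs(excluded: Iterable[str],
                 universe: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Return the minimal list of CIDR blocks covering `universe` minus `excluded`."""
    uni = ipaddress.ip_network(universe)
    # collapse_addresses sorts the blocks and merges overlapping/adjacent ones,
    # so 255.255.255.255/32 disappears into 240.0.0.0/4 and the walk below
    # only ever sees disjoint, ascending ranges.
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in excluded)

    result: List[ipaddress.IPv4Network] = []
    cursor = int(uni.network_address)   # first address not yet accounted for
    last = int(uni.broadcast_address)   # last address of the universe

    for net in nets:
        start = int(net.network_address)
        end = int(net.broadcast_address)
        if end < cursor:      # excluded block lies entirely before the cursor
            continue
        if start > last:      # excluded block lies entirely after the universe
            break
        if start > cursor:    # addresses between cursor and start are public
            gap_end = min(start - 1, last)
            result.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(gap_end)))
        cursor = max(cursor, end + 1)
        if cursor > last:     # guard: IPv4Address(2**32) would raise
            break

    if cursor <= last:        # trailing gap after the last excluded block
        result.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(last)))
    return result


def openvpn_lines(nets: Iterable[ipaddress.IPv4Network],
                  directive: str = "iroute") -> List[str]:
    """Format blocks as OpenVPN '<directive> <network> <netmask>' lines."""
    return [f"{directive} {n.network_address} {n.netmask}" for n in nets]


def covers_exactly(excluded: Iterable[str],
                   complement: Iterable[ipaddress.IPv4Network]) -> bool:
    """Sanity check: excluded + complement account for all 2**32 addresses."""
    ex = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in excluded))
    total = sum(n.num_addresses for n in ex) + sum(n.num_addresses for n in complement)
    return total == 2 ** 32


if __name__ == "__main__":
    public = invert_cidrs(RFC5735_SPECIAL + [MY_SERVER])
    for line in openvpn_lines(public):
        print(line)
    print(f"# {len(public)} blocks")
```

Against the RFC 5735 table alone this yields 111 blocks, the same count the answer reports; adding the server /32 splits its enclosing /24 into eight pieces, so the total becomes 118. Swap the directive argument for "route" if you want lines for a 'push "route ..."' style config instead of client-config-dir iroutes.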
That problem is in bug:
https://community.openvpn.net/openvpn/ticket/726
And as a temporary fix I use this ccd content: https://community.openvpn.net/openvpn/attachment/ticket/726/ccd_tmp_fixed_content