What are "Excludes" for, and how do I use them?

Normally, all destinations on the Internet are reached by your PC through the "default route". It points to a router that knows how to reach them and takes care of everything. In OpenVPN mode, the Your Freedom server acts as a router for you, but OpenVPN mode uses a slightly different approach: instead of using a default route (it would be no good to just add a second one), Your Freedom creates a large set of routes that cover most (but not all) of the Internet address space and routes it through the tunnel to the Your Freedom server. Why don't we simply replace the default route? Because most likely this would disrupt your connection to Your Freedom! (And other local services as well.)

It is obvious that not all Internet addresses should be routed through the tunnel (you don't throw your company internal letters into an external service's postbox either, and that's what we do: we bypass your company's internal mail service, figuratively speaking, but only for external mail). Some ranges should be excluded, and they get excluded automatically. (If you don't know what this notation means, look it up on Wikipedia.) Why do we need to exclude them? Because it's either "private address space" that is unreachable on the Internet (but maybe reachable for you, containing stuff in your company like file servers or printers), or address space reserved for different things that don't work through Your Freedom, like multicast or loopback addresses. Your PC may still need to reach these addresses, and if we do not provide special routes for them the traffic will flow through the default route, as before.

The Your Freedom client does a lot of guesswork and tries to exclude whatever is needed to maintain the Your Freedom connection, but sometimes it may need a little help from you. The Your Freedom client will be able to figure out your local subnet but it doesn't know about your campus. Campuses often use class B networks and subnet them into little networks assigned to Ethernets. It is therefore a very good idea to add your campus's network as an exclude in the YF configuration.

Also, generally speaking, the more you exclude, the better your chances that everything else works well. The reason is that OpenVPN only supports 100 routes, and that's very little if you need to cover all of the Internet and leave some gaps in awkward places. If there are just too many routes, the YF client reduces the complexity of the task by making small gaps larger, assuming that if you need to reach one address directly, it's likely that the ones next to it should be reached directly as well, even though no one has told it (you'll see it in the message log).
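An added example (not Your Freedom's code) of the route covering described above: it computes CIDR routes for all IPv4 space outside a set of excludes and, when the count exceeds the 100-route limit, enlarges the smallest exclude until the routes fit. The widening rule, the function names and the sample ranges are assumptions made for illustration; this page does not say how the client chooses which gap to enlarge.

```python
import ipaddress

MAX_ROUTES = 100          # OpenVPN route limit cited in the text above
LAST = 2**32 - 1          # highest IPv4 address as an integer

def complement(excludes):
    """CIDR routes covering every IPv4 address outside the (disjoint) excludes."""
    routes, cursor = [], 0
    for net in sorted(excludes):
        start, end = int(net.network_address), int(net.broadcast_address)
        if start > cursor:  # the gap before this exclude goes through the tunnel
            routes += ipaddress.summarize_address_range(
                ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(start - 1))
        cursor = end + 1
    if cursor <= LAST:
        routes += ipaddress.summarize_address_range(
            ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(LAST))
    return routes

def widen(excludes):
    """Assumed heuristic: grow the smallest exclude by one prefix bit."""
    smallest = max(excludes, key=lambda n: n.prefixlen)
    grown = [n for n in excludes if n != smallest] + [smallest.supernet()]
    return list(ipaddress.collapse_addresses(grown))

def tunnel_routes(excludes, max_routes=MAX_ROUTES):
    """Return (routes, effective_excludes) with len(routes) <= max_routes."""
    excl = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(e) for e in excludes))
    routes = complement(excl)
    while len(routes) > max_routes:
        excl = widen(excl)   # more addresses bypass the tunnel after each step
        routes = complement(excl)
    return routes, excl

# Constructed sample: private, loopback and multicast space, plus a
# stand-in /16 playing the role of a campus class B network.
SAMPLE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "127.0.0.0/8", "224.0.0.0/4", "198.18.0.0/16"]

if __name__ == "__main__":
    routes, excl = tunnel_routes(SAMPLE)
    print(len(routes), "routes through the tunnel")
    for e in excl:
        print("direct (default route):", e)
```

Comparing the returned effective excludes with the ones you configured shows exactly which additional addresses would leave via the default route instead of the tunnel.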