When dealing with network configurations that involve VPN access across subnets, DHCP's ability to distribute routing information becomes crucial. RFC 3442 (the Classless Static Route Option for DHCP) provides the standard mechanism for this. In your setup with IPCop (192.168.0.1) and the VPN endpoint (192.168.0.4), we need to configure the DHCP server to advertise routes to 192.168.1.* via the VPN gateway.
For dnsmasq (the DHCP server in IPCop), we'll use the dhcp-option parameter to implement RFC3442. Add these lines to your dnsmasq configuration (typically in /etc/dnsmasq.conf or through IPCop's web interface):
# Send classless static route for VPN network. RFC 3442 clients ignore the
# router option (3) when option 121 is present, so include the default route too.
dhcp-option=121,192.168.1.0/24,192.168.0.4,0.0.0.0/0,192.168.0.1
# Optionally send the VPN endpoint as DNS server if needed
dhcp-option=6,192.168.0.4
On Windows clients, check received routes with:
ipconfig /all
route print
On Linux clients, use:
dhclient -v eth0
ip route show
For more complex routing scenarios, you can specify multiple routes:
# Multiple routes format: destination1/mask,gateway1,destination2/mask,gateway2
dhcp-option=121,192.168.1.0/24,192.168.0.4,10.8.0.0/24,192.168.0.4
If routes aren't being applied:
- Verify dnsmasq is running with ps aux | grep dnsmasq
- Check logs: tail -f /var/log/messages
- Test DHCP offers with dhcping -s 192.168.0.1
For compatibility with older clients, you can use the traditional static routes option (though classless is preferred). Option 33 takes destination,router pairs with no netmask; the client derives the mask from the address class:
dhcp-option=33,192.168.1.0,192.168.0.4
Remember to restart dnsmasq after configuration changes:
service dnsmasq restart
or through IPCop's web interface.
When setting up a network with VPN access, you often need clients to automatically receive routing information for VPN subnets (like 192.168.1.*) alongside their default gateway configuration. This eliminates manual route entries on each client while maintaining proper network segmentation.
RFC 3442 defines DHCP option 121 (Classless Static Routes) which allows DHCP servers to push arbitrary routes to clients. Both Windows (Vista+) and modern Linux distros support this option. The key components we'll work with:
- DHCP server: dnsmasq (v2.62+) on IPCop
- VPN endpoint: 192.168.0.4
- VPN subnet: 192.168.1.0/24
For IPCop's custom dnsmasq configuration, edit /var/ipcop/dnsmasq/local.conf:
# Static route for VPN subnet plus the default route (RFC 3442 clients ignore
# option 3 when option 121 is present)
dhcp-option=121,192.168.1.0/24,192.168.0.4,0.0.0.0/0,192.168.0.1
# Alternative format with multiple routes
# dhcp-option=121,192.168.1.0/24,192.168.0.4,10.8.0.0/24,192.168.0.5
# Router option for clients that do not implement option 121
dhcp-option=3,192.168.0.1
On Linux clients:
# Check received routes
dhclient -1 && ip route show
# Alternative for systemd-networkd:
networkctl status
On Windows clients:
# PowerShell: show the route learned for the VPN subnet
Get-NetRoute -DestinationPrefix 192.168.1.0/24
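Option 121 carries only destination and router pairs (RFC 3442 defines no metric field), so metric adjustments have to be made on the client. To send the routes even to clients that do not request option 121, use dhcp-option-force:
# Using dhcp-option-force
dhcp-option-force=121,192.168.1.0/24,192.168.0.4,5.5.5.0/24,192.168.0.6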
- Confirm dnsmasq version supports RFC3442 (dnsmasq -v)
- Check syslog for DHCP transactions (tail -f /var/log/messages)
- Use tcpdump to verify option 121 is sent: tcpdump -i eth0 -vv -n port 67 or port 68
- Windows specific: Ensure "Obtain routes automatically" is enabled in NIC properties
When dealing with multiple VPN endpoints or dynamic routing, consider pushing a route to your VPN server only, then implement policy routing on the VPN server itself:
# Minimal route to VPN gateway
dhcp-option=121,192.168.0.4/32,192.168.0.1