Re: [Openvpn-users] OpenVPN and Proxy-ARP


  • Subject: Re: [Openvpn-users] OpenVPN and Proxy-ARP
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Tue, 11 Oct 2005 20:03:54 -0600 (MDT)

On Tue, 11 Oct 2005, Joern Krebs wrote:

> 
> Hello,
> 
> I found this E-Mail in the OpenVPN-Archive, but I never found an
> answer to this Mail, so I think there is still no
> Proxy-ARP-Feature (on Windows-Server-Side) included in the
> OpenVPN-Project. But I need this feature, because I am in need of a
> Simple OpenVPN-Server, for remote-management of several PCs. OpenVPN
> is very small and simple, but you still can't connect a client over a
> simple crypt-key tun-Device-Connection to a whole network
> (Windows-Client, Windows-XP-Server). My tests show that this
> connection is nearly possible: I can ping all IP-Addresses in the
> Server-Network and they receive my ping and try to look up my
> MAC-Address (ARP), but without any Proxy-ARPing from my Windows-Server
> they don't know my MAC-Address and so they can't ping back.
> 
> Lately I found this article in the OpenVPN-Users-Archive. This man
> solved the problem, but as I can't write any programs (except a
> little batch), I can't write this little tool the sender of the E-Mail
> has. So can anyone help me? Either in including the described
> Windows-Proxy-ARP in the next OpenVPN Version, or in writing this
> little tool for me, or in giving me the e-mail-address of "Martin"
> (James must have it...)
> 
> So, here comes the e-mail of martin:
> ------------------------------------8<-----------------------
> While this may not be a full bridge in the traditional sense, it
> appears to fit my need and may be useful to others.
> 
> Noting the Ethernet bridging comment '... requires Windows XP or
> higher ...' on the page:
> http://openvpn.sourceforge.net/INSTALL-win32.html,
> yesterday I knocked up a utility to add/remove a proxy-arp address
> to/from a network interface under Win2k/XP.  It uses the IPHelper
> functions CreateProxyArpEntry() & DeleteProxyArpEntry() documented here:
> 
> http://msdn.microsoft.com/library/en-us/iphlp/iphlp/ip_helper_functions.asp
> 
> However, the WinCE version pages have better usage information here:
> 
> http://msdn.microsoft.com/library/en-us/wcetcpip/html/ceconIPHelperFunctions.asp
> 
> It would be good if you could add this functionality to the core
> OpenVPN application, maybe using a config keyword such as 'proxy-arp'
> to activate proxying of a remote-end virtual address on the local-end
> LAN.
> 
> This operation is useful where modification of the remote network's
> routing setup is not possible, coupled with the need for connectivity
> to other remote-end routable subnets that are not directly routable
> locally.
> 
> The steps are as follows:
> 1) an openvpn is set up between two different physical LANs, using two
>    additional addresses from the remote LAN as the virtual vpn addresses;
> 2) the local-end virtual address is proxy-arp'ed on the remote-end
>    physical LAN interface;
> 3) routing is enabled on the remote machine by setting the following
>    registry value:
> 
>    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter (REG_DWORD) = 1
> 
>    this requires a reboot to take effect and can be seen through
>    'ipconfig /all'.
> 
> For reference, included below are the 'ovpn' files from both machines.
> 
> Any comments ?
> 
> BTW: I was looking for a Windows implementation of OpenVPN in Nov 2002
> but it seemed not to exist at that point.  I didn't look again until
> last week and realised that I must have been just a little too early.
> Anyway, many thanks to you and any others involved in pulling together
> such a cohesive Windows implementation.
> 
> Best regards - Martin

Am I correct to assume that you want this because it would allow a Windows
VPN client to act as a gateway for the VPN server's tun endpoint so that
it can be accessed by other machines on the client-side LAN (using a
tun-based model), without requiring that a route be added on the client
LAN gateway?

If so, then I'm not sure I understand how this would work.

Suppose the client's TCP/IP settings on its local LAN are 192.168.1.4/24,
and suppose the LAN router and default gateway is 192.168.1.1.

The client connects to the server, and the server's virtual IP address is 
10.8.0.1/24.

Now the client does a proxy-arp for 10.8.0.1/24 so that other machines on
the client LAN can see 10.8.0.1 (Normally you could easily do this by just
adding a route to the LAN gateway for this subnet, i.e. route 10.8.0.1/24
-> 192.168.1.4, but I assume that you would want proxy arp instead because
you might not have write access to the client-side LAN router's routing 
table).

The reason I don't understand how this can work is that suppose
another client on the LAN (say 192.168.1.66) tries to ping 10.8.0.1.  The
client will look at 10.8.0.1, see that it's not a locally reachable 
address on any installed interface, and forward it on to the next hop 
gateway.  In order for the proxy arp to work, the client would need to 
actually broadcast an "arp who-has 10.8.0.1" message, so that the 
192.168.1.4 machine would be able to say "hey, that address belongs to 
me!".  But based on empirical observation, I don't see that 192.168.1.66 
would try to resolve 10.8.0.1 via ARP.  What it would do is broadcast an 
"arp who-has 192.168.1.1" to get the MAC address of the next-hop gateway, 
and then route the packet to it.

James
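As an added illustration (not part of any message in this thread), a small Python model of the next-hop decision James describes: a host only broadcasts "arp who-has" for destinations on a directly attached subnet and otherwise ARPs for its default gateway, so a proxy-ARP entry (the kind Martin's CreateProxyArpEntry() tool publishes) can only answer when the proxied address is drawn from the LAN's own subnet, as in Martin's step 1, and never for an off-subnet tun address like 10.8.0.1. The 192.168.1.x and 10.8.0.1 addresses come from James's reply; 192.168.1.200 is a constructed stand-in for Martin's "additional addresses from the remote LAN".

```python
from ipaddress import ip_address, ip_interface


def arp_target(dst, interfaces, default_gateway):
    """Return the address a sender will ARP for when delivering to dst.

    A host only resolves MAC addresses for destinations on a directly
    attached subnet; anything else is handed to the default gateway, so
    it is the gateway's MAC that gets resolved, not the destination's.
    """
    dst = ip_address(dst)
    for iface in interfaces:
        if dst in iface.network:
            return dst                      # on-link: "arp who-has <dst>"
    return ip_address(default_gateway)      # off-link: ARP for the gateway


def proxy_arp_helps(dst, sender_ifaces, default_gateway, proxied):
    """True when a proxy-ARP entry published for dst on the LAN can answer
    the ARP request the sender actually emits."""
    return arp_target(dst, sender_ifaces, default_gateway) in proxied


# Constructed scenario using the addresses from James's reply.
LAN_HOST = [ip_interface("192.168.1.66/24")]   # another machine on the client LAN
LAN_GATEWAY = "192.168.1.1"

# Case 1: the client at 192.168.1.4 proxy-ARPs the server's tun endpoint 10.8.0.1.
TUN_ENDPOINT = "10.8.0.1"
proxied_tun = {ip_address(TUN_ENDPOINT)}

# Case 2: Martin's setup: the VPN virtual address is taken from the LAN's own
# subnet (192.168.1.200 is a constructed example), so it is on-link for the sender.
VIRTUAL_ON_LAN = "192.168.1.200"
proxied_virtual = {ip_address(VIRTUAL_ON_LAN)}


def summary():
    """Return (who the LAN host ARPs for, whether proxy ARP helps) per case."""
    return {
        "tun_endpoint": (str(arp_target(TUN_ENDPOINT, LAN_HOST, LAN_GATEWAY)),
                         proxy_arp_helps(TUN_ENDPOINT, LAN_HOST, LAN_GATEWAY, proxied_tun)),
        "virtual_on_lan": (str(arp_target(VIRTUAL_ON_LAN, LAN_HOST, LAN_GATEWAY)),
                           proxy_arp_helps(VIRTUAL_ON_LAN, LAN_HOST, LAN_GATEWAY, proxied_virtual)),
    }


if __name__ == "__main__":
    for case, (target, helps) in summary().items():
        print(f"{case}: LAN host ARPs for {target}; proxy ARP helps: {helps}")
```

The same check is worth running against any proxy-ARP entry you find on a Windows host: an entry for an address outside every attached subnet is dead weight, while one inside the subnet makes that host answer for an address it does not own and should be accounted for in the network inventory.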

