On Tue, 11 Oct 2005, Joern Krebs wrote:

> Hello,
>
> I found this E-Mail in the OpenVPN-Archive, but I never found an
> answer to this Mail, so I think there is still no
> Proxy-ARP-Feature (on Windows-Server-Side) included in the
> OpenVPN-Project. But I need this feature, because I am in need of a
> Simple OpenVPN-Server, for remote-management of several PCs. OpenVPN
> is very small and simple, but you still can't connect a client over a
> simple crypt-key tun-Device-Connection to a whole network
> (Windows-Client, Windows-XP-Server). My tests show that this
> connection is nearly possible: I can ping all IP-Addresses in the
> Server-Network and they receive my ping and try to look up my
> MAC-Address (ARP), but without any Proxy-ARPing from my Windows-Server
> they don't know my MAC-Address and so they can't ping back.
>
> Lately I found this article in the OpenVPN-Users-Archive. This man
> solved the problem, but as I can't write any programs (except a
> little batch), I can't write this little tool the sender of the E-Mail
> has. So can anyone help me? Either in including the described
> Windows-Proxy-ARP in the next OpenVPN Version, or in writing this
> little tool for me, or in giving me the e-mail-address of "Martin"
> (James must have it...)
>
> So, here comes the e-mail of Martin:
> ------------------------------------8<-----------------------
> While this may not be a full bridge in the traditional sense, it
> appears to fit my need and maybe useful to others.
>
> Noting the Ethernet bridging comment '... requires Windows XP or
> higher ...' on the page:
> http://openvpn.sourceforge.net/INSTALL-win32.html,
> yesterday I knocked up a utility to add/remove a proxy-arp address
> to/from a network interface under Win2k/XP.
>
> It uses the IPHelper functions:
> CreateProxyArpEntry() & DeleteProxyArpEntry() documented here:
>
> http://msdn.microsoft.com/library/en-us/iphlp/iphlp/ip_helper_functions.asp
>
> However, the WinCE version pages have better usage information here:
>
> http://msdn.microsoft.com/library/en-us/wcetcpip/html/ceconIPHelperFunctions.asp
>
> It would be good if you could add this functionality to the core
> OpenVPN application, maybe using a config keyword such as 'proxy-arp'
> to activate proxying of a remote-end virtual address on the local-end
> LAN.
>
> This operation is useful where modification of the remote network's
> routing setup is not possible, coupled with the need for connectivity
> to other remote-end routable subnets that are not directly routable
> locally.
>
> The steps are as follows:
> 1) an openvpn is set up between two different physical LANs, using two
> additional addresses from the remote LAN as the virtual vpn addresses;
> 2) the local-end virtual address is proxy-arp'ed on the remote-end
> physical LAN interface;
> 3) routing is enabled on the remote machine by setting the following
> registry value:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter (REG_DWORD) = 1
>
> this requires a reboot to take effect and can be seen through
> 'ipconfig /all'.
>
> For reference, included below are the 'ovpn' files from both machines.
>
> Any comments?
>
> BTW: I was looking for a Windows implementation of OpenVPN in Nov 2002
> but it seemed not to exist at that point. I didn't look again until
> last week and realised that I must have been just a little too early.
> Anyway, many thanks to you and any others involved in pulling together
> such a cohesive Windows implementation.
>
> Best regards - Martin

Am I correct to assume that you want this because it would allow a
Windows VPN client to act as a gateway for the VPN server's tun
endpoint so that it can be accessed by other machines on the
client-side LAN (using a tun-based model), without requiring that a
route be added on the client LAN gateway?

If so, then I'm not sure I understand how this would work.

Suppose the client's TCP/IP settings on its local LAN is
192.168.1.4/24, and suppose the LAN router and default gateway is
192.168.1.1. The client connects to the server, and the server's
virtual IP address is 10.8.0.1/24. Now the client does a proxy-arp for
10.8.0.1/24 so that other machines on the client LAN can see 10.8.0.1
(Normally you could easily do this by just adding a route to the LAN
gateway for this subnet, i.e. route 10.8.0.1/24 -> 192.168.1.4, but I
assume that you would want proxy arp instead because you might not
have write access to the client-side LAN router's routing table).

The reason why I don't understand why this can work is that suppose
another client on the LAN (say 192.168.1.66) tries to ping 10.8.0.1.
The client will look at 10.8.0.1, see that it's not a locally
reachable address on any installed interface, and forward it on to the
next hop gateway. In order for the proxy arp to work, the client would
need to actually broadcast an "arp who-has 10.8.0.1" message, so that
the 192.168.1.4 machine would be able to say "hey, that address
belongs to me!". But based on empirical observation, I don't see that
192.168.1.66 would try to resolve 10.8.0.1 via ARP. What it would do
is broadcast an "arp who-has 192.168.1.1" to get the MAC address of
the next-hop gateway, and then route the packet to it.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
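The disagreement in this thread comes down to one rule of IPv4 forwarding: a host only sends an ARP request for a destination that falls inside one of its own on-link subnets; anything else is sent to the MAC address of the default gateway. Martin's setup works because his virtual VPN addresses are taken from the remote LAN's own subnet (step 1 of his list), so LAN hosts do ARP for them and the proxy entry gets a chance to answer. James's 10.8.0.1/24 scenario fails because 10.8.0.1 is off-link for 192.168.1.66, which therefore only ever ARPs for 192.168.1.1. The model below is an added example written for this page, not code from the thread or from OpenVPN; it takes proxy entries as (address, mask) pairs, the same shape that the Win32 CreateProxyArpEntry() call Martin mentions uses, but performs no network I/O and runs anywhere. The 192.168.1.x addresses and 10.8.0.1 come from James's message; 192.168.1.200 as a Martin-style virtual address is a constructed value.

```python
"""Model of ARP target selection vs. proxy-ARP coverage.

Added example for the OpenVPN proxy-ARP thread; not part of the original
mail or of OpenVPN. All addresses below are either quoted from James's
message (192.168.1.0/24, 192.168.1.1, 192.168.1.66, 10.8.0.1) or
constructed for illustration (192.168.1.200).
"""
from ipaddress import ip_address, ip_network


def arp_target(host_ip, prefixlen, default_gw, dst):
    """Return the address a host will put in its 'arp who-has' when sending
    to dst: the destination itself if it is on-link, else the gateway."""
    on_link = ip_network(f"{host_ip}/{prefixlen}", strict=False)
    if ip_address(dst) in on_link:
        return ip_address(dst)
    return ip_address(default_gw)


def proxy_arp_answers(proxy_entries, who_has):
    """Would a host holding these proxy-ARP entries reply to a request for
    who_has?  proxy_entries is a list of (address, netmask) pairs, the same
    two values CreateProxyArpEntry() takes before the interface index."""
    for addr, mask in proxy_entries:
        if ip_address(who_has) in ip_network(f"{addr}/{mask}", strict=False):
            return True
    return False


def reachable_via_proxy_arp(sender_ip, prefixlen, sender_gw, proxy_entries, dst):
    """True only if the sender actually ARPs for dst AND some proxy entry
    covers it.  A proxy entry for an off-link prefix is never consulted,
    which is exactly James's objection."""
    target = arp_target(sender_ip, prefixlen, sender_gw, dst)
    return target == ip_address(dst) and proxy_arp_answers(proxy_entries, dst)


def thread_scenarios():
    """Evaluate both setups discussed in the thread and return a dict of
    scenario name -> (address ARPed for, reachable via proxy ARP)."""
    sender = ("192.168.1.66", 24, "192.168.1.1")
    results = {}

    # James's case: VPN addresses from a separate subnet, proxied on the LAN.
    james_proxy = [("10.8.0.0", "255.255.255.0")]
    results["james_10.8.0.1"] = (
        str(arp_target(*sender, "10.8.0.1")),
        reachable_via_proxy_arp(*sender, james_proxy, "10.8.0.1"),
    )

    # Martin's case: the VPN endpoint borrows an address from the LAN itself
    # (192.168.1.200 is a constructed value) and a /32 proxy entry covers it.
    martin_proxy = [("192.168.1.200", "255.255.255.255")]
    results["martin_192.168.1.200"] = (
        str(arp_target(*sender, "192.168.1.200")),
        reachable_via_proxy_arp(*sender, martin_proxy, "192.168.1.200"),
    )
    return results


if __name__ == "__main__":
    for name, (arped_for, ok) in thread_scenarios().items():
        print(f"{name}: sender ARPs for {arped_for}; "
              f"proxy ARP {'works' if ok else 'never sees the request'}")
```

Running the script prints that the 10.8.0.1 case makes 192.168.1.66 ARP for 192.168.1.1 and so never reaches the proxy, while the 192.168.1.200 case does. For an operator the practical consequence is the same one Martin's step 1 encodes: proxy ARP on Windows (or anywhere) can only stand in for addresses inside the LAN's own prefix; for a distinct VPN subnet like 10.8.0.0/24 a route on the LAN gateway, as James suggests, is the correct mechanism.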