On Tue, 11 Oct 2005, James Yonan wrote:

Hello,

> Am I correct to assume that you want this because it would allow a Windows
> VPN client to act as a gateway for the VPN server's tun endpoint so that
> it can be accessed by other machines on the client-side LAN (using a
> tun-based model), without requiring that a route be added on the client
> LAN gateway?
>
> If so, then I'm not sure I understand how this would work.
>
> Suppose the client's TCP/IP settings on its local lan is 192.168.1.4/24,
> and suppose the LAN router and default gateway is 192.168.1.1.
>
> The client connects to the server, and the server's virtual IP address is
> 10.8.0.1/24.
>
> Now the client does a proxy-arp for 10.8.0.1/24 so that other machines on
> the client LAN can see 10.8.0.1 (Normally you could easily do this by just
> adding a route to the LAN gateway for this subnet, i.e. route 10.8.0.1/24
> -> 192.168.1.4, but I assume that you would want proxy arp instead because
> you might not have write access to the client-side LAN router's routing
> table).
>
> The reason why I don't understand why this can work is that suppose
> another client on the LAN (say 192.168.1.66) tries to ping 10.8.0.1. The
> client will look at 10.8.0.1, see that it's not a locally reachable
> address on any installed interface, and forward it on to the next hop
> gateway. In order for the proxy arp to work, the client would need to
> actually broadcast an "arp who-has 10.8.0.1" message, so that the
> 192.168.1.4 machine would be able to say "hey, that address belongs to
> me!". But based on empirical observation, I don't see that 192.168.1.66
> would try to resolve 10.8.0.1 via ARP. What it would do is broadcast an
> "arp who-has 192.168.1.1" to get the MAC address of the next-hop gateway,
> and then route the packet to it.

That's all right, Proxy-ARP wouldn't work if you choose these IP addresses,
but what if your local subnet is 192.168.1.0/24 and your OpenVPN-Server and
Client IPs are 192.168.1.229 and 192.168.1.230?

Then proxy-ARP works, as I am actually using it. :-)
(RAS and Routing must be enabled on the Windows side and you have to add
the registry entry IPEnableRouter=1 for this to work.)

(Reasonably I have the problem, that broadcasts don't seem to work, but
this would be the next step, and is not so important.)

Ciao, Joern.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
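
The next-hop decision discussed in this thread, as an added example that is not part of the original messages: it models which address a LAN host sends "arp who-has" for, using longest-prefix match over a small routing table. The routing table for 192.168.1.66 and the function names are assumptions built from the addresses quoted above.

```python
import ipaddress

def arp_target(routes, dst):
    """Return the IPv4 address a host sends 'arp who-has' for when sending to dst.

    routes: list of (prefix, gateway) pairs; gateway None means on-link.
    Longest-prefix match picks the route, as a normal IP stack does.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {dst}")
    _, gateway = best
    # On-link route: ARP for the destination itself.
    # Routed: ARP for the gateway, never for the final destination.
    return dst if gateway is None else ipaddress.ip_address(gateway)

def proxy_arp_can_answer(routes, dst):
    """Proxy ARP only helps if the sender actually ARPs for dst itself."""
    return arp_target(routes, dst) == ipaddress.ip_address(dst)

# Constructed routing table for LAN host 192.168.1.66/24 from the thread.
LAN_HOST_ROUTES = [
    ("192.168.1.0/24", None),        # connected subnet, on-link
    ("0.0.0.0/0", "192.168.1.1"),    # default gateway
]

if __name__ == "__main__":
    for dst in ("10.8.0.1", "192.168.1.229", "192.168.1.230"):
        print(dst, "-> arp who-has", arp_target(LAN_HOST_ROUTES, dst),
              "| proxy ARP usable:", proxy_arp_can_answer(LAN_HOST_ROUTES, dst))
```

With tunnel endpoints numbered outside the LAN subnet the host only ever resolves its gateway, so a proxy-ARP responder on the VPN client is never asked; with endpoints taken from 192.168.1.0/24 the host ARPs for them directly.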