
Re: [Openvpn-users] OpenVPN and Proxy-ARP



On Tue, 11 Oct 2005, James Yonan wrote:

Hello,

> Am I correct to assume that you want this because it would allow a Windows
> VPN client to act as a gateway for the VPN server's tun endpoint so that
> it can be accessed by other machines on the client-side LAN (using a
> tun-based model), without requiring that a route be added on the client
> LAN gateway?
>
> If so, then I'm not sure I understand how this would work.
>
> Suppose the client's TCP/IP settings on its local lan is 192.168.1.4/24,
> and suppose the LAN router and default gateway is 192.168.1.1.
>
> The client connects to the server, and the server's virtual IP address is
> 10.8.0.1/24.
>
> Now the client does a proxy-arp for 10.8.0.1/24 so that other machines on
> the client LAN can see 10.8.0.1 (Normally you could easily do this by just
> adding a route to the LAN gateway for this subnet, i.e. route 10.8.0.1/24
> -> 192.168.1.4, but I assume that you would want proxy arp instead because
> you might not have write access to the client-side LAN router's routing
> table).
>
> The reason why I don't understand why this can work is that suppose
> another client on the LAN (say 192.168.1.66) tries to ping 10.8.0.1.  The
> client will look at 10.8.0.1, see that it's not a locally reachable
> address on any installed interface, and forward it on to the next hop
> gateway.  In order for the proxy arp to work, the client would need to
> actually broadcast an "arp who-has 10.8.0.1" message, so that the
> 192.168.1.4 machine would be able to say "hey, that address belongs to
> me!".  But based on empirical observation, I don't see that 192.168.1.66
> would try to resolve 10.8.0.1 via ARP.  What it would do is broadcast an
> "arp who-has 192.168.1.1" to get the MAC address of the next-hop gateway,
> and then route the packet to it.

That's all right, Proxy-ARP wouldn't work if you choose these
IP addresses, but what if your local subnet is 192.168.1.0/24 and your
OpenVPN server and client IPs are 192.168.1.229 and 192.168.1.230?
Then proxy-ARP works, as I am actually using it. :-)
(RAS and Routing must be enabled on the Windows side and you have to
add the registry entry IPEnableRouter=1 for this to work.)

(Reasonably I have the problem that broadcasts don't seem to work,
but this would be the next step, and is not so important.)

Ciao, Joern.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
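
The two addressing cases discussed in this thread, as an added example that is not part of the original messages: a small model of how a LAN host picks the address it ARPs for (longest-prefix match over its route table), and therefore whether a proxy-ARP host ever gets to answer. The host names, the route table for 192.168.1.66, and the assumption that 192.168.1.229 is the VPN server's address are illustrative.

```python
import ipaddress

# Constructed route table of the LAN host 192.168.1.66 from the thread:
# its own /24 is on-link (gateway None), everything else goes to 192.168.1.1.
LAN_ROUTES = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]

# Constructed: addresses really present on the LAN segment.
OWNERS = {"192.168.1.1": "router",
          "192.168.1.4": "vpn-client",
          "192.168.1.66": "lan-host"}

# Addresses the VPN client (192.168.1.4) is willing to answer ARP for.
# Assumption: 192.168.1.229 is the server's tunnel address in the second case.
PROXIED = {"10.8.0.1", "192.168.1.229"}


def arp_target(dst, routes):
    """Return the IP the sender broadcasts 'arp who-has' for when sending to dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return None  # no route: the packet is dropped before any ARP happens
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    # On-link route: ARP for the destination itself.
    # Gateway route: ARP for the gateway, never for the destination.
    return dst if gw is None else ipaddress.ip_address(gw)


def who_answers(dst, routes=LAN_ROUTES, owners=OWNERS, proxied=PROXIED):
    """Return the name of the host that replies to the sender's ARP request."""
    target = arp_target(dst, routes)
    if target is None:
        return None
    target = str(target)
    if target in owners:
        return owners[target]      # real owner of the address replies
    if target in proxied:
        return "vpn-client"        # proxy-ARP reply from 192.168.1.4
    return None                    # nobody replies; ARP times out


if __name__ == "__main__":
    for dst in ("10.8.0.1", "192.168.1.229"):
        print(dst, "-> arp who-has", arp_target(dst, LAN_ROUTES),
              "answered by", who_answers(dst))
```

For 10.8.0.1 the request goes to the default gateway, so the proxy entry is never consulted; for 192.168.1.229 the host ARPs for the address itself and the VPN client can answer on the server's behalf.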