On Wednesday 04 October 2006 10:24, Harry Doyle wrote:
> Our organization uses openvpn to remotely connect users to samba shares,
> using tun devices. Our openvpn server sits next to a Microsoft windows
> 2k box both behind a firewall. I would like users to connect to the vpn
> and be able to use exchange as well as their existing samba services.
>
> Both servers sit under a firewall on 192.168.1.x addresses. My vpn
> server gives 10.8.0.x addresses. I don't wish to broadcast the 192
> address range to anybody, so I was going to give the windows server a
> second ip in the 10.8.0.x range in the hopes that it can ping the vpn
> address range by being on the same physical subnet as the openvpn
> server. My question is how do I make the vpn address range available on
> eth0 so that my windows box can ping the openvpn server on the vpn
> range?

Your Windoze server will likely use the shortest path to your OpenVPN server for routing. And that's not the 10.8.0.x interface but rather the 192.168.1.x interface. So it needs to be routed properly.

Either you move the OpenVPN server to its own subnet. That's what we do. The OpenVPN server has its own DMZ here. That way it won't conflict with any other network and all other hosts are reachable through layer-3 routing.

Or you broadcast the 192.168.1.0/24 range and use iptables or some other measures to limit which hosts are reachable there.

Or you use --iroute with just the one IP address of your Windoze server. Haven't tried that but it seems possible.

Christoph
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
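
The "route it and limit it with iptables" option from the reply above, narrowed to a single host so the whole 192.168.1.0/24 range is never advertised. This is an added example, not part of the original message; the Windows server address 192.168.1.10 and the device name tun0 are assumptions, since the thread gives neither.

```shell
#!/bin/sh
# Added example: generate (not apply) the OpenVPN directive and the
# iptables-restore fragment that expose one LAN host to VPN clients.

VPN_NET="10.8.0.0/24"     # VPN range from the post
LAN_IF="eth0"             # LAN interface from the post
VPN_IF="tun0"             # assumed tun device name
WIN_HOST="192.168.1.10"   # hypothetical address; the post only says 192.168.1.x

# Server-side OpenVPN directive: clients learn a /32 host route only,
# not the whole 192.168.1.0/24 network.
vpn_push_line() {
    printf 'push "route %s 255.255.255.255"\n' "$1"
}

# filter-table fragment in iptables-restore format for the OpenVPN server.
# Args: host, VPN network, VPN interface, LAN interface.
vpn_forward_rules() {
    host=$1; vpn_net=$2; vpn_if=$3; lan_if=$4
    cat <<EOF
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $vpn_if -o $lan_if -s $vpn_net -d $host/32 -j ACCEPT
-A FORWARD -i $vpn_if -j DROP
COMMIT
EOF
}

# Print both pieces for review when called as: sh script.sh print
# The rules can then be loaded with: iptables-restore --noflush < file
if [ "${1:-}" = "print" ]; then
    vpn_push_line "$WIN_HOST"
    vpn_forward_rules "$WIN_HOST" "$VPN_NET" "$VPN_IF" "$LAN_IF"
fi
```

For replies to reach the clients, IP forwarding must be enabled on the OpenVPN server, and the Windows server (or its default gateway) needs a route for 10.8.0.0/24 via the OpenVPN server's 192.168.1.x address.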