Hello,

It seems I can't bridge tun0 to eth0, so I need to use tap? Can this be changed in the server config and not break current client configurations until I have a chance to edit their config files?

Is there a way to route all requests to 10.8.0.5 on openvpn's network to go directly to machine 192.168.1.5, which is accessible over eth0?

The vpn server was planned to be the only machine on the vpn, so maybe that is why they set it up with tun0.

Thanks for any insights,
Harry

-----Original Message-----
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Christoph Haas
Sent: Wednesday, October 04, 2006 2:31 AM
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] accessing another machine on the vpn server's physical lan

On Wednesday 04 October 2006 10:24, Harry Doyle wrote:
> Our organization uses openvpn to remotely connect users to samba shares,
> using tun devices. Our openvpn server sits next to a Microsoft Windows
> 2k box, both behind a firewall. I would like users to connect to the vpn
> and be able to use Exchange as well as their existing samba services.
>
> Both servers sit under a firewall on 192.168.1.x addresses. My vpn
> server gives 10.8.0.x addresses. I don't wish to broadcast the 192
> address range to anybody, so I was going to give the Windows server a
> second ip in the 10.8.0.x range in the hopes that it can ping the vpn
> address range by being on the same physical subnet as the openvpn
> server. My question is how do I make the vpn address range available on
> eth0 so that my Windows box can ping the openvpn server on the vpn
> range?

Your Windoze server will likely use the shortest path to your OpenVPN server for routing. And that's not the 10.8.0.x interface but rather the 192.168.1.x interface. So it needs to be routed properly.

Either you move the OpenVPN server to its own subnet. That's what we do. The OpenVPN server has its own DMZ here. That way it won't conflict with any other network and all other hosts are reachable through layer-3 routing.

Or you broadcast the 192.168.1.0/24 range and use iptables or some other measures to limit which hosts are reachable there.

Or you use --iroute with just the one IP address of your Windoze server. Haven't tried that but it seems possible.

Christoph

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
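The NAT approach Harry asks about in his reply (presenting the one LAN host to VPN clients under a 10.8.0.x address), as an added example that is not from this thread: iptables rules for the OpenVPN server. The server's own eth0 address (192.168.1.10) and the interface names are assumptions; the SNAT rule is what sidesteps the return-path problem Christoph describes, because the Windows box only ever sees the VPN server's LAN address and needs no route for 10.8.0.0/24.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Run on the OpenVPN
# server: VPN clients reach $VPN_ALIAS, the server rewrites it to the one
# LAN host and masks the source so replies come straight back to it.
VPN_IF=${VPN_IF:-tun0}                 # OpenVPN device
LAN_IF=${LAN_IF:-eth0}                 # LAN-facing device
LAN_SELF=${LAN_SELF:-192.168.1.10}     # assumed: the VPN server's own eth0 address
LAN_TARGET=${LAN_TARGET:-192.168.1.5}  # the Windows box from the post
VPN_ALIAS=${VPN_ALIAS:-10.8.0.5}       # address the VPN clients will use
IPT=${IPT:-iptables}                   # set IPT=echo for a dry run

# Caveat: with OpenVPN's default net30 topology the 10.8.0.4/30 block is
# handed to the first client (client .6, peer .5), so choose an alias
# outside the ifconfig-pool range if that block is already in use.

vpn_alias_rules() {
    # VPN traffic aimed at the alias is redirected to the LAN host
    "$IPT" -t nat -A PREROUTING -i "$VPN_IF" -d "$VPN_ALIAS" \
        -j DNAT --to-destination "$LAN_TARGET"
    # Source-rewrite so the LAN host answers the VPN server, not 10.8.0.x
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -d "$LAN_TARGET" \
        -j SNAT --to-source "$LAN_SELF"
    # Forward only the translated flows; nothing else crosses from VPN to LAN
    "$IPT" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_TARGET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_TARGET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j DROP
}

enable_forwarding() {
    # The kernel must route between tun0 and eth0 (skipped in dry-run mode)
    [ "$IPT" = iptables ] && sysctl -w net.ipv4.ip_forward=1
    return 0
}
```

Run with `IPT=echo sh script.sh` first to review the generated rules before applying them.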