Re: [Openvpn-users] how-to realise mixed circular vpn and star vpn


  • Subject: Re: [Openvpn-users] how-to realise mixed circular vpn and star vpn
  • From: Jean Baptiste Favre <jean-baptiste.favre@xxxxxxxxxx>
  • Date: Thu, 08 Mar 2007 13:01:37 +0100

Hi,
If I understand what you want to do, you should have 2 instances of
OpenVPN on each gateway A, B, C and D.
One instance which runs as client and the other one as server, on
different ports.

I've never tried this, but I think this could be possible to do, even if
the simplest way, from a routing point of view, remains a star configuration.

Regards,
Jean Baptiste

Rémi Gauthier wrote:
> Hi,
> it already works in star configuration. My problem is to create a
> vpn directly from B to C.
> So it's a circular vpn A<=>B<=>C<=>A I want.
> Not A<=>B, A<=>C, A<=>D + routing via A to exchange between B & C lans
> 
> my A (mode server) openvpn.conf
> ====================================
> port 1194
> proto udp
> dev tun0
> persist-key
> persist-tun
> ca cacert.crt
> cert openvpn.crt
> key openvpn.key
> dh dh1024.pem
> tls-auth ta.key 0
> client-config-dir ccd
> username-as-common-name
> plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
> up /etc/openvpn/up-shell.sh
> server 10.151.170.0 255.255.255.0
> push "route 192.168.10.0 255.255.255.0"
> local ovpn.myserver.x
> route 192.168.1.0 255.255.255.0
> push "route 192.168.1.0 255.255.255.0"
> route 192.168.2.0 255.255.255.0
> push "route 192.168.2.0 255.255.255.0"
> route 192.168.3.0 255.255.255.0
> push "route 192.168.3.0 255.255.255.0"
> client-to-client
> max-clients 15
> keepalive 10 120
> cipher BF-CBC
> comp-lzo
> user nobody
> group nobody
> status /var/log/openvpn/status.log
> log-append /var/log/openvpn/openvpn.log
> verb 4
> mute 10
> ====================================
> 
> my B & C & D (openvpn client) openvpn.conf
> ====================================
> client
> ns-cert-type server
> resolv-retry infinite
> nobind
> proto udp
> dev tun0
> persist-key
> persist-tun
> ca cacert.crt
> cert openvpn.crt
> key openvpn.key
> tls-auth ta.key 1
> auth-user-pass user-pass.secret
> up /etc/openvpn/up-shell.sh
> remote ovpn.myserver.x 1194
> keepalive 10 120
> cipher BF-CBC
> comp-lzo
> user nobody
> group nobody
> chroot /etc/openvpn/jail
> status /var/log/openvpn/status.log
> log-append /var/log/openvpn/openvpn.log
> verb 4
> mute 10
> ====================================
> 
> my ccd directory
> ====================================
> /etc/openvpn/ccd/B-login    with this directive => iroute 192.168.1.0 255.255.255.0
> /etc/openvpn/ccd/C-login    with this directive => iroute 192.168.2.0 255.255.255.0
> /etc/openvpn/ccd/D-login    with this directive => iroute 192.168.3.0 255.255.255.0
> 
> so routes I receive in B
> ====================================
> 10.151.170.13   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 192.168.3.0     10.151.170.13   255.255.255.0   UG    0      0        0 tun0   (D site)
> 192.168.2.0     10.151.170.13   255.255.255.0   UG    0      0        0 tun0   (C site)
> 10.151.170.0    10.151.170.13   255.255.255.0   UG    0      0        0 tun0
> 192.168.10.0    10.151.170.13   255.255.255.0   UG    0      0        0 tun0   (A site)
> ====================================
> 
> openvpn server is in A site
> B & C & D sites are in client mode
> 
> Should I understand: with the client-to-client directive in A's openvpn.conf,
> each client receives information to create a vpn directly between
> clients, without any packet in transit via A (openvpn server mode),
> so no bandwidth is used in A site when B and C exchange packets?
> 
> So I have nothing to change?
> 
> Is it possible?
> 
> On 8 March 07 at 11:16, Jean Baptiste Favre wrote:
> 
>> Hi
>> I suggest you use the client-config-dir option. In this directory you
>> will put a file per client's CN.
>> According to openvpn's man:
>> "This file can specify a fixed IP address for a given client using
>> --ifconfig-push, as well as fixed subnets owned by the client
>> using --iroute.
>> ...
>> The following options are legal in a client-specific context: --push,
>> --push-reset, --iroute, --ifconfig-push, and --config."
>>
>> Hope this helps
>> Jean Baptiste Favre
>>
>> Rémi Gauthier wrote:
>>> Hi
>>>
>>> in star configuration, B & C & D satellite sites are connected with A
>>> head-company site (company email server) with openvpn client
>>>
>>> A is 192.168.10.0/24 bigger site
>>> B is 192.168.1.0/24 large site
>>> C is 192.168.2.0/24 large site
>>> D is 192.168.3.0/24 small site
>>>
>>> in A openvpn.conf
>>> --------------------------------------
>>> client-to-client
>>> #B & C & D  route for their C class
>>> route 192.168.1.0 255.255.255.0
>>> push "route 192.168.1.0 255.255.255.0"
>>> route 192.168.2.0 255.255.255.0
>>> push "route 192.168.2.0 255.255.255.0"
>>> route 192.168.3.0 255.255.255.0
>>> push "route 192.168.3.0 255.255.255.0"
>>>
>>> in ccd/B-login
>>> --------------------------------------
>>> iroute 192.168.1.0 255.255.255.0
>>>
>>> and idem for C & D ccd/login
>>>
>>> all vpn works fine but ...
>>> all traffic in/out from A site ! bandwidth problems
>>> There is a backup between B & C
>>> B & C are on the same ISP network, but a different one from A
>>>
>>> ==>> so I try to create 1 openvpn directly between B & C
>>>
>>> but before creating another B to C direct openvpn, I should
>>> deactivate routing via A
>>>
>>> currently, I receive
>>>
>>> in B
>>> I receive C route via A
>>> in C
>>> I receive B route via A
>>>
>>> ==>> HOW-TO deactivate routing transmission for B & C but transmit
>>> route for D ???
>>>
>>> A route to B,C & D
>>> B route to A + B route to C directly
>>> C route to A + C route to A directly
>>> D route to A, B & C via A
>>>
>>> I have tried deactivating routing between B and C via iroute in B &
>>> C ccd/login
>>> so B & C don't receive routes to C & B
>>>
>>> but all traffic between A=B and C=A is dropped
>>> Fri Mar  2 12:30:05 2007 us=350349 B-site/B-IP-site MULTI: bad source address from client [192.168.1.1], packet dropped
>>>
>>> Thanks a lot for your help
>>>
> 
> 
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 
> 
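As an added example (not a config from the thread), here is a small Python generator for the hub's route block and ccd files that answers the "route for D but not for B/C" question: the client LAN pushes move out of A's global push list into per-client ccd files, and every ccd keeps its iroute so A does not drop the client's packets as "bad source address". It assumes the thread's subnets and CNs and a B<->C tunnel built separately (e.g. the second instance on another port suggested above); client-to-client alone does not bypass A, it only switches packets between clients inside the hub process.

```python
from ipaddress import IPv4Network

# Topology from the thread (constructed constants): hub A's LAN, the three
# client CNs with their LANs, and the one pair that gets a direct tunnel.
HUB_LAN = IPv4Network("192.168.10.0/24")
CLIENT_LANS = {
    "B-login": IPv4Network("192.168.1.0/24"),
    "C-login": IPv4Network("192.168.2.0/24"),
    "D-login": IPv4Network("192.168.3.0/24"),
}
DIRECT_LINKS = {frozenset({"B-login", "C-login"})}  # assumed separate B<->C tunnel


def _net(net: IPv4Network) -> str:
    """OpenVPN route syntax is 'network netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def hub_route_block() -> list[str]:
    """Lines for A's openvpn.conf. The kernel 'route' for every client LAN
    stays (A must still forward to them); only the hub LAN is pushed
    globally, so no client LAN route reaches a client unless its ccd says so."""
    lines = [f"route {_net(lan)}" for lan in CLIENT_LANS.values()]
    lines.append(f'push "route {_net(HUB_LAN)}"')
    return lines


def ccd_file(cn: str) -> str:
    """Contents of ccd/<cn>. The iroute is mandatory: without it the hub
    logs 'MULTI: bad source address from client [...]' and drops the LAN
    traffic. Other client LANs are pushed only when no direct link exists."""
    lines = [f"iroute {_net(CLIENT_LANS[cn])}"]
    for other, lan in CLIENT_LANS.items():
        if other == cn or frozenset({cn, other}) in DIRECT_LINKS:
            continue  # own LAN, or reachable over the direct tunnel
        lines.append(f'push "route {_net(lan)}"')
    return "\n".join(lines) + "\n"


def iroute_present(cn: str) -> bool:
    """Sanity check to run before deploying a ccd directory."""
    return f"iroute {_net(CLIENT_LANS[cn])}" in ccd_file(cn).splitlines()


if __name__ == "__main__":
    print("\n".join(hub_route_block()))
    for cn in CLIENT_LANS:
        print(f"--- ccd/{cn}\n{ccd_file(cn)}", end="")
```

With these files, B and C receive only A's and D's LAN routes from the hub and learn each other's LAN over their own tunnel, while D still reaches B and C via A.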