Thanks Peter.

Your description is perfect! It's crystal clear.

Unfortunately my D-Link router does not have advanced routing capabilities. It's a reliable old DI-614 (never needs a reboot!) that has great performance. It has served me well since '02. In its place I'm going to get a Buffalo WHR-G54S that I've had great success loaded with DD-WRT for clients. Best Buy has them for $50 (getting harder to find online).

Thanks again. I appreciate your time. You made my day! I've spent close to 8 hours experimenting/surfing the web for tips regarding this issue. Your description is the FIRST that I've read that clearly explains the necessary configuration. Hopefully others will benefit as well.

Have a great week! You deserve it!

Jeff

On 6/4/07, Peter Barwich <pbarwich@xxxxxxxxxxx> wrote:
> Jeff,
>
> This one threw me for a while too.
>
> Your VPN client knows how to find machines on your LAN; your 'push
> "route 192.168.1.0 255.255.255.0"' statement tells them to update their
> routing tables so that they know the way. The problem is that machines
> on your LAN don't know the way to the VPN, so they can't respond to a
> ping. Your LAN has TWO gateways; one for the LAN which is 192.168.1.1;
> your D-Link router, and one for the VPN which is on the VPN server; a
> dual homed machine with IPs 192.168.1.99 AND 10.255.255.1. Your D-Link
> router knows where all your LAN machines are but it has no clue where
> your VPN gateway is, and hence cannot route packets to other machines on
> your VPN. I'm not sure of the configuration windows for the D-Link
> router; on my Linksys router you go to setup/advanced routing, and there
> you add a route that tells the router how to send packets to the VPN.
> Destination LAN IP 10.255.255.0, subnet mask 255.255.255.0 and gateway
> 10.255.255.1. Once that is entered in your router knows to send any
> packet intended for any machine on your VPN to your VPN server, which,
> in turn, knows where the particular VPN machine is.
>
> When this is done your client knows where your LAN machines are, and
> your LAN machines know how to reach your client so you have communication.
>
> Note that you can also make all your LAN machines have openvpn running
> and they can get VPN addresses AS WELL as their LAN addresses. Then, if
> you have 'client-to-client' directive in your VPN server config file,
> the clients will see each other over the VPN WITHOUT a route being set
> in your D-Link router. It's a bit more complex, but it means that if you
> move one of your LAN machines (say a laptop) to a different internet
> access point it will still be able to see all your VPN network
> (providing the port you've used for VPN is not blocked by the local ISP)
>
> Good luck,
>
> Peter
>
> > I want the remote client to be able to communicate with other
> > computers/printers/etc on the VPN server's LAN (192.168.1.0).
> >
> > OpenVPN Server…
> > LAN IP: 192.168.1.99
> > SM: 255.255.255.0
> > GW: 192.168.1.1 (D-Link router)
> > DNS: 192.168.1.1
> > VPN IP: 10.255.255.1
> >
> > Remote Client…
> > LAN IP: 192.168.0.10
> > SM: 255.255.255.0
> > GW: 192.168.0.1 (Linksys router)
> > DNS: 192.168.0.1
> > VPN IP: 10.255.255.45
> >
> > I have added "push "route 192.168.1.0 255.255.255.0"" to the OpenVPN
> > server's config. I understand that I must add a route on the remote
> > client in order to find other clients on the OpenVPN Server's LAN.
> > This is where I'm confused…

--
Jeff Crocker
Computer Guy
503.484.5177
jeff@xxxxxxxxxxxxxxxxxxxxx
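
Added example, not part of the original thread: a small routing-table model of the return path discussed above, tracing a ping reply from a LAN machine back to the VPN client with and without a static route on the LAN router. The LAN host 192.168.1.50 and the "isp" label are constructed, and the model assumes the router's static route uses the VPN server's LAN-side address 192.168.1.99 as next hop, since a router forwards to a gateway on a network it is directly attached to.

```python
import ipaddress

LAN_NET = "192.168.1.0/24"    # VPN server's LAN, from the thread
VPN_NET = "10.255.255.0/24"   # VPN subnet, from the thread
ROUTER, VPN_SERVER = "192.168.1.1", "192.168.1.99"
LAN_HOST = "192.168.1.50"     # constructed LAN machine (e.g. a printer)
VPN_CLIENT = "10.255.255.45"  # remote client's VPN address, from the thread


def next_hop(table, dst):
    """Longest-prefix match over (network, hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), hop) for n, hop in table]
    hits = [(n, hop) for n, hop in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def build_tables(router_has_vpn_route):
    """Routing tables for the three LAN-side nodes in the thread."""
    router = [(LAN_NET, "direct"), ("0.0.0.0/0", "isp")]
    if router_has_vpn_route:
        # Assumption: next hop is the VPN server's LAN address.
        router.append((VPN_NET, VPN_SERVER))
    return {
        LAN_HOST: [(LAN_NET, "direct"), ("0.0.0.0/0", ROUTER)],
        ROUTER: router,
        VPN_SERVER: [(LAN_NET, "direct"), (VPN_NET, "direct"),
                     ("0.0.0.0/0", ROUTER)],
    }


def trace_reply(tables, src, dst, max_hops=8):
    """Follow a reply packet hop by hop; return the list of nodes visited."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop == "direct":          # destination is on a connected network
            return path + [dst]
        path.append(hop)
        if hop not in tables:        # left the modelled LAN: reply is lost
            return path
        node = hop
    return path


if __name__ == "__main__":
    for has_route in (False, True):
        path = trace_reply(build_tables(has_route), LAN_HOST, VPN_CLIENT)
        print("static route on router:", has_route, "->", " -> ".join(path))
```
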