Sigmatador wrote:
Here is my problem. I have 3 distinct sites:
site1: 192.167.0.0 netmask 255.255.0.0, gateway 192.167.0.1
site2: 192.168.0.0 netmask 255.255.0.0, gateway 192.168.0.1
site3: 192.169.0.0 netmask 255.255.0.0, gateway 192.169.0.1
One thing I'll point out about your network ranges is that 192.167.0.0
and 192.169.0.0 (and 192.170.0.0 for that matter) are not IANA-reserved
ranges for private networks; if these are not networks assigned to you
by a public ISP, you shouldn't be using them as it will cause problems
if you ever try to access a real public host with an address in those
ranges. If you need more than the standard /16 provided in the
192.168.0.0/16 address range, use the 172.16.0.0/12 or 10.0.0.0/8
IANA-reserved ranges for private networks.
I need to interconnect them through the internet, so I set up a VPN tap
server on 192.167.0.1 and a VPN tap client on 192.168.0.1 and 192.169.0.1.
The VPN is set on 192.170.0.0 netmask 255.255.255.0, and every gateway has
been configured to route traffic from and to the VPN.
Why are you using tap? If you want the sites to route to each other,
you want routing, which uses tun adapters. When using tap adapters,
subnet broadcasts are passed between hosts and there is extra overhead
for Layer2 (Ethernet) frames that otherwise don't need to be sent
across the VPN.
On the server side I push "route 192.167.0.0 255.255.0.0" so site2 and
site3 can access site1, but I also need site1 to access site2 and site3.
I would need something like a push "route 192.16x.0.0 255.255.0.0" on the
client side, but a push can only be performed from the server to the
client, not the other way around.
You have 2 basic options. First, you can use one of the sites as a
"central" site that all other traffic is routed through; if you set up
site1 as the VPN server, communication between site2 and site3 would
need to be routed through the VPN server hosted at site1. Second, you
can set up point-to-point tunnels between all 3 sites, so that each
site can communicate directly with the others. While this is more
efficient in terms of bandwidth (since traffic from site2 to site3 no
longer needs to be sent through site1), it is more complicated because
you need a link between each pair of sites, which means 2 VPN
connections at each site for a 3-site setup.
If you go with a central VPN server (such as one at site1) and have all
other sites connect to this VPN server in order to route traffic
through site1, you will want to push each route separately; you can't
push a supernet, because then the routing entries conflict with the
local network. Plus you don't want to push a supernet with your current
network ranges because they're outside the scope of valid private
networks. Also, each site should have an iroute defined that tells the
OpenVPN server to do a couple of things: first, it will not push the
route for that network to that client (this allows you to push "route
192.168.0.0 255.255.0.0" to all clients but not have it pushed to the
client that owns that network), and second, it will allow the OpenVPN
server to correctly route traffic bound for that network. So, in
brief, in a setup where a VPN server is the central hub for all other
site communication, you want to push each route separately and define
iroutes for each client, usually using a ccd file for each client.
Hope this clears things up a bit.
--
Josh
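As an added example (not part of Josh's reply or of the original thread), here is what the hub-and-spoke layout he describes looks like as OpenVPN configuration: tun instead of tap, one push per site network, and a ccd file with an iroute for each spoke. It assumes the sites have been renumbered into RFC 1918 space as recommended (site1 10.1.0.0/16 as the hub, site2 10.2.0.0/16, site3 10.3.0.0/16, transit subnet 10.8.0.0/24), that the spoke certificates carry the Common Names `site2` and `site3`, and that the PKI files and the hub hostname `hub.example.invalid` already exist. All of those names and ranges are assumptions, not values from the post.

```conf
# ---- Hub: /etc/openvpn/server/hub.conf (runs on site1's gateway) ----
# Assumed addressing (example only, not taken from the original post):
#   site1 10.1.0.0/16 (hub), site2 10.2.0.0/16, site3 10.3.0.0/16,
#   VPN transit subnet 10.8.0.0/24
port 1194
proto udp
dev tun                      # routed (tun), not bridged (tap): no L2 frames/broadcasts cross the link
topology subnet
server 10.8.0.0 255.255.255.0

ca   ca.crt
cert hub.crt
key  hub.key
dh   dh.pem
tls-crypt ta.key             # authenticate and encrypt the control channel
remote-cert-tls client       # only accept certificates issued for client use

# Kernel routes: the hub's OS must know these networks live behind the tun
# device. Every iroute in a ccd file needs a matching "route" here.
route 10.2.0.0 255.255.0.0
route 10.3.0.0 255.255.0.0

# Push each site network separately. Do NOT push a supernet such as
# 10.0.0.0/8: it would overlap each spoke's own LAN and the transit subnet.
# The spoke networks are pushed to everyone; the iroute in a spoke's ccd
# file suppresses the push of that spoke's own network to it.
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
push "route 10.3.0.0 255.255.0.0"

# Forward site2 <-> site3 traffic inside OpenVPN using the iroute table
# rather than sending it out to the hub's kernel and back in.
client-to-client

# Per-client settings: one file per certificate Common Name.
client-config-dir ccd
ccd-exclusive                # refuse any client that has no ccd file

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ---- Hub: /etc/openvpn/server/ccd/site2 (file name == spoke cert CN) ----
# iroute maps 10.2.0.0/16 to this client in OpenVPN's internal routing
# table and stops "route 10.2.0.0" from being pushed to it.
iroute 10.2.0.0 255.255.0.0
ifconfig-push 10.8.0.2 255.255.255.0   # fixed transit address (optional)

# ---- Hub: /etc/openvpn/server/ccd/site3 ----
iroute 10.3.0.0 255.255.0.0
ifconfig-push 10.8.0.3 255.255.255.0

# ---- Spoke: /etc/openvpn/client/site2.conf (runs on site2's gateway) ----
client
dev tun
proto udp
remote hub.example.invalid 1194        # assumed hub hostname
ca   ca.crt
cert site2.crt                          # CN must be "site2" to select ccd/site2
key  site2.key
tls-crypt ta.key
remote-cert-tls server                  # refuse a stolen client cert posing as the hub
nobind
persist-key
persist-tun
verb 3
# No "route" lines here: the hub pushes 10.1.0.0/16 and 10.3.0.0/16, and
# this gateway's kernel already owns 10.2.0.0/16. site3.conf is identical
# apart from the certificate and key file names.
```

Two things the configuration alone does not do: IP forwarding must be enabled on every gateway running OpenVPN (net.ipv4.ip_forward=1 on Linux) and the firewall must permit forwarding between the tun interface and the LAN. This layout also relies on each OpenVPN endpoint being its site's default gateway; if the endpoint were some other host, that site's real gateway would need static routes for the remote networks pointing at it.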