Re: [Openvpn-users] Multiple VPN clients as a router with propagating routes


  • Subject: Re: [Openvpn-users] Multiple VPN clients as a router with propagating routes
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Fri, 22 Jun 2007 09:31:26 -0500
  • Openpgp: id=2E5A5127

Sigmatador wrote:
> Here is my problem, I have 3 distinct sites:
>
> site1 192.167.0.0 netmask 255.255.0.0 gateway 192.167.0.1
> site2 192.168.0.0 netmask 255.255.0.0 gateway 192.168.0.1
> site3 192.169.0.0 netmask 255.255.0.0 gateway 192.169.0.1

One thing I'll point out about your network ranges is that 192.167.0.0 and 192.169.0.0 (and 192.170.0.0 for that matter) are not IANA-reserved ranges for private networks; if these are not networks assigned to you by a public ISP, you shouldn't be using them as it will cause problems if you ever try to access a real public host with an address in those ranges.  If you need more than the standard /16 provided in the 192.168.0.0/16 address range, use the 172.16.0.0/12 or 10.0.0.0/8 IANA-reserved ranges for private networks.

> I need to interconnect them through internet, so I setup a VPN tap server on 192.167.0.1 and a VPN tap client on 192.168.0.1 and 192.169.0.1.
> The VPN is set on 192.170.0.0 netmask 255.255.255.0 and every gateway has been configured to route traffic from and to the VPN.

Why are you using tap?  If you want the sites to route to each other, you want routing, which uses tun adapters.  When using tap adapters, subnet broadcasts are passed between hosts and there is extra overhead for Layer2 (Ethernet) frames that otherwise don't need to be sent across the VPN.

> On the server side I push "route 192.167.0.0 255.255.0.0" so site2 and site3 can access site1, but I also need site1 to access site2 and site3.
> I would need something like a push "route 192.16x.0.0 255.255.0.0" on the client side, but a push can only be performed from the server to the client, not the other way around.

You have 2 basic options.  First, you can use one of the sites as a "central" site where all other traffic is routed through; if you set up site1 as the VPN server, communication between site2 and site3 would need to be routed through the VPN server hosted at site1.  Second, you can set up point-to-point tunnels between all 3 sites, so that each site can directly communicate to the other.  While this is more efficient in terms of bandwidth (since traffic from site2 to site3 no longer needs to send through site1) it is more complicated because you need a link between each site, which means 2 VPN connections on each site for a 3-site setup.

If you go with a central VPN server (such as one at site1) and have all other sites connect to this VPN server in order to route traffic through site1, you will want to push each route separately; you can't push a supernet, because then routing entries conflict with the local network.  Plus you don't want to push a supernet with your current network ranges because they're outside the scope of valid private networks.  Also, each site should have an iroute defined that tells the OpenVPN server to do a couple things: first it will not push the route for that network to that client (this allows you to push "route 192.168.0.0 255.255.0.0" to all clients but not have it pushed to the client that owns that network), and second it will allow the OpenVPN server to correctly route traffic bound for that network.  So, in brief, in a setup where a VPN server is the central hub for all other site communication, you want to push each route separately, and define iroutes for each client, usually using a ccd file for each client.

Hope this clears things up a bit.
-- 
Josh

Attachment: signature.asc
Description: OpenPGP digital signature
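A worked hub-and-spoke configuration following the advice in the reply above (tun instead of tap, one push per LAN, an iroute in a ccd file for each spoke), as an added example in Python that is not part of the original thread and not OpenVPN's own code. The VPN range 10.8.0.0/24, the hostname hub.example.invalid, and naming each ccd file after the client certificate's CN are assumptions; the post's own site ranges are kept as constructed sample input so the private-range check has something to flag. routes_received() models the behaviour the reply describes, where the server drops a pushed route that matches the client's own iroute:

```python
"""Hub-and-spoke OpenVPN site-to-site routing: config generator.

Added example; not code from the mailing list post or from OpenVPN.
Assumptions: VPN range 10.8.0.0/24, hub hostname hub.example.invalid,
and ccd files named after each spoke's client certificate CN.
"""
import ipaddress

# Sample input constructed from the post: site name -> LAN behind that gateway.
SITES = {
    "site1": "192.167.0.0/16",    # hub; runs the OpenVPN server
    "site2": "192.168.0.0/16",
    "site3": "192.169.0.0/16",
}
HUB = "site1"
VPN_NET = "10.8.0.0/24"           # assumption, replaces the post's 192.170.0.0/24
HUB_HOST = "hub.example.invalid"  # assumption


def non_private(sites):
    """Names of sites whose LAN is outside the RFC 1918 private ranges."""
    return sorted(n for n, c in sites.items()
                  if not ipaddress.ip_network(c).is_private)


def dotted(cidr):
    """'192.168.0.0/16' -> '192.168.0.0 255.255.0.0', the form OpenVPN routes use."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def server_conf(sites, hub, vpn_net):
    """server.conf for the hub: tun, one push per LAN, ccd directory enabled."""
    lines = [
        "dev tun",                   # routed mode: no L2 frames or broadcasts over the VPN
        "proto udp",
        "port 1194",
        f"server {dotted(vpn_net)}",
        "client-config-dir ccd",     # per-client files hold the iroutes
        "client-to-client",          # spoke-to-spoke traffic relayed via the hub's iroute table
        "keepalive 10 120",
        "persist-key",
        "persist-tun",
        f'push "route {dotted(sites[hub])}"',   # hub LAN, every spoke needs it
    ]
    for name, cidr in sorted(sites.items()):
        if name == hub:
            continue
        # kernel route on the hub into tun, plus a separate push per LAN;
        # OpenVPN skips the push for the client whose ccd iroute matches it
        lines.append(f"route {dotted(cidr)}")
        lines.append(f'push "route {dotted(cidr)}"')
    return "\n".join(lines) + "\n"


def ccd_files(sites, hub):
    """{'ccd/<cn>': 'iroute ...'} per spoke; file name = client cert CN (assumed)."""
    return {f"ccd/{n}": f"iroute {dotted(c)}\n"
            for n, c in sites.items() if n != hub}


def client_conf(hub_host):
    """Spoke client.conf; routes arrive by push, so none are hard-coded here."""
    return "\n".join([
        "client",
        "dev tun",
        "proto udp",
        f"remote {hub_host} 1194",
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",    # refuse a stolen client cert posing as the hub
    ]) + "\n"


def routes_received(sites, hub, client):
    """Routes a spoke keeps after the server strips the push matching its own iroute."""
    pushed = [sites[hub]] + [c for n, c in sorted(sites.items()) if n != hub]
    own = ipaddress.ip_network(sites[client])
    return [r for r in pushed if ipaddress.ip_network(r) != own]


if __name__ == "__main__":
    print("LANs outside RFC 1918:", non_private(SITES))
    print("# server.conf\n" + server_conf(SITES, HUB, VPN_NET))
    for path, body in ccd_files(SITES, HUB).items():
        print(f"# {path}\n{body}")
    print("# client.conf (each spoke)\n" + client_conf(HUB_HOST))
    print("site2 receives:", routes_received(SITES, HUB, "site2"))
```

Running it prints the hub's server.conf, one ccd file per spoke and the shared spoke client.conf; the first line lists site1 and site3 as the LANs that should be renumbered before this goes anywhere near the internet. The ccd file name must match the CN in that spoke's certificate or the iroute is never applied, and every gateway still needs IP forwarding and firewall rules of its own, which this script does not generate.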