
Re: [Openvpn-users] Public IP in a bridged config???

  • Subject: Re: [Openvpn-users] Public IP in a bridged config???
  • From: John Locke <mail@xxxxxxxxxxxx>
  • Date: Mon, 22 Mar 2004 07:33:42 -0800

On Mon, 2004-03-22 at 06:50, Sttf wrote:
> I have 3 last important questions, if you can answer them.
I'm not sure I can...

> 1. In fact, openvpn does the function of a router/proxy within its port
> 5000, doesn't it? Theoretically, if you didn't want to use non-tunneled
> connections, you wouldn't need ip_forward or any kind of bridge, would you?
> Openvpn would save the source mac/ip/port to forward it later?
I really don't understand the question. But with a bridged connection,
the effect is that the OpenVPN gateway answers all requests headed for
the MAC addresses of each of the tap devices (and other NICs), and
forwards data through the respective tunnel.

> 2. Oh, and do you need to use more than one tap to serve tunnels to
> different stations? Couldn't you simply use different config files to
> specify different ports, but use the same TAP, since your 'virtual' address
> will be the same?
No. At least not in current versions of OpenVPN. Each tap device has its
own MAC address (starting with 00:FF, very handy for identifying on your
DHCP server) and is associated with one tunnel, one remote host. Same
thing goes for tun devices.

> Under this:
> >     brctl addbr br0
> >     brctl addif br0 eth1
> >     brctl addif br0 tap0
> 3. If I want to use another interface as the WAN link (with a public
> address), say eth0, should I include it in the bridge
> so that LAN and tunnel clients are able to connect to the internet
> through eth1? But then if eth1 becomes bridged, it will lose its public
> IP address!! How would you do that??
You bridge the Ethernet device connected to your LAN. That makes your
tap device "visible" to the LAN, and allows any traffic coming from the
LAN to be answered by the appropriate tap device (through the bridge).
The bridge is the effective location of the other end of the tunnel.
OpenVPN connects using your public interface, no bridge necessary. If
you have only one NIC on your gateway (if it's behind a different
router/computer acting as a firewall, for example), you bridge that NIC.
The bridge itself essentially replaces your LAN NIC and acts as a
virtual switch, and each tap device acts like a virtual Ethernet cable,
plugged into that switch. You want all of that on your LAN side, not on
your public interface...

> Hey, i think that at last, after years, i'm understanding it! Thank you :P

Hope that helps!

John Locke
Open Source solutions for small business problems
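
The bridge setup the reply describes (LAN NIC plus one tap per tunnel in br0,
WAN NIC left out), as an added example that is not from the original post or
from the OpenVPN project. Every name in it is a hypothetical assumption: eth0
as the WAN NIC, eth1 as the LAN NIC, tap0 and tap1 as the per-tunnel tap
devices, and 192.168.1.1/255.255.255.0 as the LAN address that moves from eth1
onto br0. It uses the brctl/ifconfig tools of the period and refuses to put
the WAN interface into the bridge, which is exactly the mistake question 3
worries about.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenVPN project.
# Builds the LAN-side bridge: the bridge replaces the LAN NIC and carries its
# address, each tap device is a virtual cable plugged into that switch, and
# the WAN NIC stays out of it. All interface names and addresses below are
# hypothetical assumptions (eth0 WAN, eth1 LAN, tap0/tap1, 192.168.1.1/24).
# With DRY_RUN=1 (the default) the commands are printed instead of executed,
# so the plan can be reviewed without root; DRY_RUN=0 applies it.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Guard: the bridge belongs on the LAN side only. Adding the public interface
# would strip its address (it would have to move onto the bridge) and break the
# WAN link, so refuse any member list that names the WAN NIC.
check_not_wan() {
    wan="$1"; shift
    for dev in "$@"; do
        if [ "$dev" = "$wan" ]; then
            echo "refusing to bridge WAN interface $wan" >&2
            return 1
        fi
    done
    return 0
}

# build_bridge BRIDGE LAN_NIC ADDR NETMASK TAP...
# The LAN NIC gives up its IP address; from now on the bridge carries it,
# which is why the address is re-added on the bridge as the last step.
build_bridge() {
    br="$1"; lan="$2"; addr="$3"; mask="$4"; shift 4
    run brctl addbr "$br"
    run ifconfig "$lan" 0.0.0.0 promisc up
    run brctl addif "$br" "$lan"
    for tap in "$@"; do
        # One persistent tap per tunnel (one remote host each), created with
        # 'openvpn --mktun' so it exists before any tunnel process starts.
        run openvpn --mktun --dev "$tap"
        run ifconfig "$tap" 0.0.0.0 promisc up
        run brctl addif "$br" "$tap"
    done
    run ifconfig "$br" "$addr" netmask "$mask" up
}

# Full plan: eth0 remains the untouched WAN link; eth1 + tap0 + tap1 form br0.
bridge_plan() {
    check_not_wan eth0 eth1 tap0 tap1 || return 1
    build_bridge br0 eth1 192.168.1.1 255.255.255.0 tap0 tap1
}

# Running the script directly prints the plan (or applies it with DRY_RUN=0).
bridge_plan
```

Run it once with the default DRY_RUN=1 and read the printed commands before
applying them as root with DRY_RUN=0. Each tunnel then gets its own config
file pointing at its own tap device (dev tap0, dev tap1, ...) and its own port;
the LAN hosts see every tunnel endpoint as just another station on the same
switch, and eth0 keeps its public address because it never joins br0.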
