Re: [Openvpn-users] OPENVPN question

  From: Jean-Pierre Schwickerath
  Date: Fri, 17 Sep 2004 18:27:08 +0200

> Now, I can get the OpenVPN tunnel established no problem, and I have
> it setup using the TAP device on each side. I can ping either side of
> the tunnel and that seems to work fine. My question is this: is it
> even *possible* for me to route the communications of these two other
> machines on either side of the gateway through the tunnel? I have
> never worked with OpenVPN before, so I was uncertain if perhaps it was
> only capable of routing traffic from the IP of the host it was running
> on; it seems very sophisticated so I figured that was not the case,
> but I wasn't sure.

Sure it is. You need to tell your OpenVPN machines to route the traffic.
On Linux it's basically
echo 1 > /proc/sys/net/ipv4/ip_forward
on Windows you need to be running the server version and the Routing and
RAS service.
What you need to take care of is that any machine on the LAN needs to
know how to reach the other LAN. So if your OpenVPN machines are not the
default gateways, you need to tell your default gateways to redirect the
traffic to the other LAN to the IP of the OpenVPN machine, or you need to
masquerade the other subnet.

> Secondly, if it is possible, what would be the best way to setup the
> routing and the subnets, etc? As it stands, the #1 gateway machine
> gets the OpenVPN address and the #2 machine gets
> Should I setup the second adaptor on each side to have an address in
> the same subnet, or a different subnet? I figured that it should
> likely be a different subnet, or else the machines on either side
> would not know to use the gateway in order for their traffic to 'get
> out'. I guess my question is simply, should all the machines/adaptors
> in this setup be in, or, should I have 1 subnet for the
> OpenVPN connections, and then 1 unique subnet for the adaptor on
> either side of the tunnel?

The network will be private to the two OpenVPN machines
(their TAP device's IP). The other machines will not even know that this
subnet exists. If I were you I would set up 2 different subnets on each
side of the tunnels. Like:

        LAN #1
         | |
         | |
      [ /] gateway #1
         .  the internet or whatever
      [ /] gateway #2
         | |
         | |
        LAN #2

And the gateway #1 and #2 machines will be the default gateway machines
for the respective clients on the LAN.
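As an added example (not part of this thread): a small Python planner for the topology the reply describes, which checks that the two LANs and the tunnel subnet do not overlap and lists the forwarding, route and masquerade commands each box needs. All addresses are constructed, and the interface name `eth0` and the split between the OpenVPN box and a separate default gateway are assumptions.

```python
import ipaddress as ipa


def plan_routes(lan1, gw1_ip, lan2, gw2_ip, tun_net, tun1, tun2,
                vpn_is_default_gw=(True, True), masquerade=False, lan_if="eth0"):
    """Validate a two-LAN OpenVPN TAP topology and return per-box commands.

    Raises ValueError for the mistakes the mail warns about: overlapping
    subnets, or a gateway/TAP address outside the network it belongs to.
    lan_if is an assumed interface name; the addresses are constructed.
    """
    lan1, lan2, tun_net = (ipa.ip_network(n) for n in (lan1, lan2, tun_net))
    gw1, gw2, t1, t2 = (ipa.ip_address(a) for a in (gw1_ip, gw2_ip, tun1, tun2))
    nets = [lan1, lan2, tun_net]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}: each side needs its own subnet")
    if gw1 not in lan1 or gw2 not in lan2:
        raise ValueError("gateway LAN address must lie inside its LAN")
    if t1 not in tun_net or t2 not in tun_net:
        raise ValueError("both TAP addresses must lie inside the tunnel subnet")

    # Each OpenVPN box forwards and routes the remote LAN via the peer's TAP IP.
    plan = {"gateway1": ["echo 1 > /proc/sys/net/ipv4/ip_forward",
                         f"ip route add {lan2} via {t2}"],
            "gateway2": ["echo 1 > /proc/sys/net/ipv4/ip_forward",
                         f"ip route add {lan1} via {t1}"],
            "default_gw1": [], "default_gw2": []}
    # Ordinary LAN hosts never learn the tunnel subnet. If the OpenVPN box is
    # not their default gateway, either the real default gateway gets a route
    # to the remote LAN via the OpenVPN box, or the OpenVPN box masquerades
    # remote traffic so replies come straight back to it.
    for side, vpn_gw, remote, is_def in (("1", gw1, lan2, vpn_is_default_gw[0]),
                                          ("2", gw2, lan1, vpn_is_default_gw[1])):
        if is_def:
            continue
        if masquerade:
            plan["gateway" + side].append(
                f"iptables -t nat -A POSTROUTING -s {remote} -o {lan_if} -j MASQUERADE")
        else:
            plan["default_gw" + side].append(f"ip route add {remote} via {vpn_gw}")
    return plan


if __name__ == "__main__":
    # Constructed sample topology: two private LANs and a separate tunnel net.
    for box, cmds in plan_routes("192.168.1.0/24", "192.168.1.1",
                                 "192.168.2.0/24", "192.168.2.1",
                                 "10.8.0.0/24", "10.8.0.1", "10.8.0.2").items():
        print(box, cmds)
```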

