[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] How to assign private IP from protected LAN

  • Subject: Re: [Openvpn-users] How to assign private IP from protected LAN
  • From: "Dick St.Peters" <stpeters@xxxxxxxxxxxxx>
  • Date: Fri, 3 Dec 2004 13:32:16 -0500

Leonard Isham writes:
> On Fri, 3 Dec 2004 10:49:07 -0500, Dick St.Peters
> <stpeters@xxxxxxxxxxxxx> wrote:
> > > > Can't it be done in TUN(route) mode? I am using route mode.
> > >
> > > If you are routing you can't put the subnet in two locations any more
> > > than you can put the same street addresses on different streets in the
> > > same town.
> > 
> > You can use routing to put pieces of the subnet in different places
> > though - pieces as large as half the subnet or as small as a single
> > host.  This can be very handy when you want roadwarriors to have
> > addresses in your LAN subnet.
> Actually that is not 100% accurate.  You can split a  subnet into
> smaller subnets and route between them.

What I said is 100% accurate.  There is no need to split the subnet.

Say your LAN runs and your OpenVPN server is at, with a tunnel to a roadwarrior with the tunnel IPs being at the server end and at the roadwarrior
end.  If another system on the LAN arps for the roadwarrior's IP, the OpenVPN server will respond with its own MAC
address.  The other system will send packets for the roadwarrior to the
OpenVPN server, which will route them to the roadwarrior.

Obviously, you can't assign the roadwarrior any IP already in use, but
this is no different from having it directly attached to the LAN.

If a piece of the subnet, say, is routed by the
OPenVPN server to the roadwarrior, the server will respond to arps for
any address in that piece.

You do need to have proxy arp enabled on the OpenVPN server's LAN
interface, but this is trivial for Linux and probably other *NIX as
well.  (Probably a sysctl for *BSD)

Dick St.Peters, stpeters@xxxxxxxxxxxxx 

Openvpn-users mailing list