[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

RE: [Openvpn-users] How to assign private IP from protected LAN


  • Subject: RE: [Openvpn-users] How to assign private IP from protected LAN
  • From: satinders@xxxxxxxxxxxxxxxxxx
  • Date: Mon, 6 Dec 2004 09:29:24 +0530

Title: RE: [Openvpn-users] How to assign private IP from protected LAN

Hi,
        What happens to routing table entries at openvpn server end? I am running openvpn in tls-server mode on linux machines and protected LAN has mixture of machines - Linux and Windows. I have seen that openvpn adds entry to routing table which makes the subnet 192.168.0.0./24 to go through tun interface and thus ping from client to protected lan does not work. What I can figure out is that either I need to add individual entries for each client in routing table at server side OR I need to divide the LAN into 2 subnets - one for clients and one for protected LAN.

Is there any better way of doing this?

-----Original Message-----
From: Dick St.Peters [mailto:stpeters@xxxxxxxxxxxxx]
Sent: Saturday, December 04, 2004 12:02 AM
To: Leonard Isham
Cc: Dick St.Peters; satinders@xxxxxxxxxxxxxxxxxx;
openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] How to assign private IP from protected LAN


Leonard Isham writes:
> On Fri, 3 Dec 2004 10:49:07 -0500, Dick St.Peters
> <stpeters@xxxxxxxxxxxxx> wrote:
> > > > Can't it be done in TUN(route) mode? I am using route mode.
> > >
> > > If you are routing you can't put the subnet in two locations any more
> > > than you can put the same street addresses on different streets in the
> > > same town.
> >
> > You can use routing to put pieces of the subnet in different places
> > though - pieces as large as half the subnet or as small as a single
> > host.  This can be very handy when you want roadwarriors to have
> > addresses in your LAN subnet.
>
> Actually that is not 100% accurate.  You can split a  subnet into
> smaller subnets and route between them.

What I said is 100% accurate.  There is no need to split the subnet.

Say your LAN runs 192.168.0.0/24 and your OpenVPN server is at
192.168.0.50, with a tunnel to a roadwarrior with the tunnel IPs being
192.168.0.51 at the server end and 192.168.0.52 at the roadwarrior
end.  If another system on the LAN arps for the roadwarrior's
192.168.0.52 IP, the OpenVPN server will respond with its own MAC
address.  The other system will send packets for the roadwarrior to the
OpenVPN server, which will route them to the roadwarrior.

Obviously, you can't assign the roadwarrior any IP already in use, but
this is no different from having it directly attached to the LAN.

If a piece of the subnet, say 192.168.0.128/27, is routed by the
OPenVPN server to the roadwarrior, the server will respond to arps for
any address in that piece.

You do need to have proxy arp enabled on the OpenVPN server's LAN
interface, but this is trivial for Linux and probably other *NIX as
well.  (Probably a sysctl for *BSD)

--
Dick St.Peters, stpeters@xxxxxxxxxxxxx