
Re: [Openvpn-users] Re: advice

  • Subject: Re: [Openvpn-users] Re: advice
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Wed, 8 Dec 2004 08:23:53 -0500

> Assuming your WAN is mostly a star layout, then the centre of that star will
> have the public IP and run the OpenVPN server, with all of the other satellite
> sites connecting to it. As it's UDP or TCP traffic, NAT isn't an issue where
> it might be with other commercial products.

A star may bottleneck the traffic at one site. Knowing the normal
communication flows would allow you to design a network infrastructure
that would work more efficiently.  I'm guessing a distributed hub and
spoke would work best.

> I have to admit it was those two that sent me in the direction of OpenVPN in
> the first place. I'd looked at FreeS/WAN for some time, but (probably due to
> my lack of familiarity with IPSEC) decided against it. I've not looked back.

I ran into someone on the Fedora list that switched from FreeS/WAN to
OpenVPN and "hasn't looked back."

> > By 'non-routable' I mean addresses in ranges such as 192.168.x.x and
> > 10.x.x.x; our ISPs have given us addresses in the latter range, and
> > (some of) our lans use the former range.

It is common practice among all ISPs to provide private IPs unless the
business is willing to pay a premium for the public IP addresses. In
these cases there is actually 1 public IP address assigned per
business customer on the outside interface of the router and the
internal IP addresses are NATed behind them.

You might want to try http://www.ipaddress.com/ from all the sites
several times and see if they always get the same IP, and if it is
different for each site. If this is actually what is happening I would
see if they will route inbound traffic based on ports (then you would
be able to use any site as a hub).

If they don't have public IPs, but you can access the computers at
another site by IP then they apparently use private IPs for the entire
ISP and you wouldn't need to worry about the connections when you have
a common ISP.

Leonard Isham, CISSP 
Ostendo non ostento.
