
Re: [Openvpn-users] Re: advice

Leonard Isham wrote:
Assuming your WAN is mostly a star layout, then the centre of that star will
have the public IP and run the OpenVPN server, with all of the other satellite
sites connecting to it. As it's UDP or TCP traffic, NAT isn't an issue where
it might be with other commercial products.

A star may bottleneck the traffic at one site. Knowing the normal
communication flows would allow you to design a network infrastructure
that would work more efficiently. I'm guessing a distributed hub and
spoke would work best.

But would mean we would need a routable IP address at each site. Reducing costs - especially ongoing ones - is crucial, IMO.

I have to admit it was those two that sent me in the direction of OpenVPN in
the first place. I'd looked at FreeS/WAN for some time, but (probably due to
my lack of familiarity with IPSEC) decided against it. I've not looked back.

I ran into someone on the Fedora list that switched from FreeS/WAN to
OpenVPN and "hasn't looked back."

Nice to hear :)

By 'non-routable' I mean addresses in ranges such as 192.168.x.x and
10.x.x.x; our ISPs have given us addresses in the latter range, and
(some of) our lans use the former range.

It is common practice among all ISPs to provide private IPs unless the business is willing to pay a premium for the public IP addresses. In these cases there is actually 1 public IP address assigned per business customer on the outside interface of the router and the internal IP addresses are NATed behind them.

I could be wrong, but, when I lived in the US, I thought that we all were given routable (public, in your parlance) addresses; this way we could host our own servers etc.

You might want to try http://www.ipaddress.com/ from all the sites several times and see if they always get the same IP, and if it is different for each site.

It is certainly different for each site. We might be lucky and get two that share the same IP address, but some of the sites are in different countries...

If this is actually what is happening I would
see if they will route inbound traffic based on ports (then you would
be able to use any site as a hub).

Nope - they won't do this - though I would guess it is worth a try to make sure. A lot of things get lost in translation.

If they don't have public IPs, but you can access the computers at another site by IP then they apparently use private IPs for the entire ISP and you wouldn't need to worry about the connections when you have a common ISP.

Nope :( They even have different subnets and don't route between them :(

Worst possible case, I fear :(

Thanks though :)

