RE: [Openvpn-users] Re: Problem: Two tunnels, one firewall


  • Subject: RE: [Openvpn-users] Re: Problem: Two tunnels, one firewall
  • From: "Tibbs, Richard" <rwtibbs@xxxxxxxxxxx>
  • Date: Mon, 13 Dec 2004 15:15:50 -0500

Well, you may be quite right; I don't know what the route directive is for.
What I want to do is allow openvpn to connect the two subnets, but for each subnet to bring up web pages etc., viz:

home subnet                             office subnet
192.168.1.0/24                         192.168.10.0/24
winxp -- WLAN -- homefw -- Internet -- officefw
  <--- tun 1 -----> <---- tun0 ---------->
 route 216.x.y.z       route 216.x.y.z = external iface of homefw.

The above route directives are on the homefw. The second tunnel that comes up attempts to add a route to an identical address, via a different tunnel, and the route command fails.

On the office fw, here is the route table
firewall: -root-
# ip route sho
10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1 
137.p.q.r via 10.1.10.2 dev tun0 
192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254 
137.45.192.0/24 dev eth0  proto kernel  scope link  src 137.45.192.190 
137.45.192.0/24 dev ipsec0  proto kernel  scope link  src 137.45.192.190

default via 137.p.q.r dev eth0

The route directive in officefw's openvpn.conf is
route 137.p.q.r 
and that may be a mistake.  
How should I use the route directive in this situation?
TIA
Rick.
(P.S. Apologies to Charles -- you are definitely working too hard this close to the holidays.. ;-)

-----Original Message-----
From: openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx
[mailto:openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Charles
Duffy
Sent: Monday, December 13, 2004 2:48 PM
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [Openvpn-users] Re: Problem: Two tunnels, one firewall

For clarity's sake, you might want to hardcode one tunnel to tun0 and
another to tun1, by using "dev tun0" and "dev tun1" rather than simply
"dev tun" on both ends.

I'm not sure you're using the route directive correctly. Remember, the
primary argument is not a gateway but a network address; secondary
arguments, per the man page are netmask, gateway and metric. You want to
use the route directive to tell the system what network ranges to access
via the tunnel -- so if winxp is on 172.16.0.1 and homefw is on
192.168.0.1, you'd have something like "route 192.168.0.0 255.255.255.0"
in winxp's openvpn.conf to tell it to look for homevpn on the other side
of the tunnel. If officefw were using 10.0.0.0/16, and homefw's internal
IP is 192.168.0.2, you could additionally add (to winxp's openvpn.conf)
"route 10.0.0.0 255.255.0.0 192.168.0.2" to tell it to try to contact
10.0.0.0/16 via 192.168.0.2. Similar rules apply to other hosts.

Clear? (If not, please forgive me -- I've been at the office for 20 hours now).

You'll also want to have an internal address for winxp to use on its tun interface that homefw knows how to get to (specified with an ifconfig directive); and you'll need similar routing rules for the other hosts involved (such that homefw knows to talk to winxp and officefw via their appropriate tunnels, likewise for officefw knowing how to contact homefw and winxp).


Perhaps googling up an introductory text on IP routing would be helpful?


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
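As an added illustration of the route semantics Charles describes (first argument a network address, then netmask, then an optional gateway), and not configuration from either poster, here is how the route lines could look for the subnets Rick gives. The office tunnel endpoints 10.1.10.1/10.1.10.2 come from Rick's route table; the winxp tunnel endpoints (10.1.11.1/10.1.11.2), the file names, and the public-address placeholders are assumptions.

```conf
# --- officefw: office-home.conf (added example, not from the thread) ---
dev tun0                          # pin the device name, as Charles suggests
ifconfig 10.1.10.1 10.1.10.2      # local / remote tunnel endpoints (from Rick's route table)
# First argument is a NETWORK, second the netmask. The gateway defaults to the
# remote endpoint named in ifconfig, so it can be omitted here.
route 192.168.1.0 255.255.255.0   # home LAN is reachable through tun0
route 10.1.11.0 255.255.255.0     # assumed winxp tunnel range, also behind homefw
# Deliberately absent: "route 137.p.q.r" or a route to homefw's public address.
# The peer's public IP must stay on the physical interface's default route;
# pushing it into the tunnel would route the tunnel's own transport packets
# back into the tunnel.

# --- homefw: home-office.conf ---
dev tun0
remote OFFICEFW_PUBLIC_IP         # placeholder; Rick shows it only as 137.p.q.r
ifconfig 10.1.10.2 10.1.10.1
route 192.168.10.0 255.255.255.0  # office LAN via tun0

# --- homefw: home-winxp.conf (second tunnel, its own tun device) ---
dev tun1
ifconfig 10.1.11.1 10.1.11.2      # assumed endpoint pair for the WLAN tunnel

# --- winxp: openvpn.conf ---
dev tun1
remote HOMEFW_PUBLIC_IP           # placeholder; Rick shows it as 216.x.y.z
ifconfig 10.1.11.2 10.1.11.1
route 192.168.1.0 255.255.255.0   # home LAN via the tunnel
route 192.168.10.0 255.255.255.0  # office LAN, via homefw (gateway defaults to 10.1.11.1)
```

With both tunnels up, `ip route sho` on each firewall should list each remote LAN only via its tun device and each peer's public address only via the default route on the physical interface; for winxp's traffic to reach the office LAN, IP forwarding must be enabled on homefw and the packet filters on both firewalls must allow forwarding between the tun and LAN interfaces.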
