
Re: [Openvpn-users] Re: network/openvpn design suggestions?

  • Subject: Re: [Openvpn-users] Re: network/openvpn design suggestions?
  • From: "Aaron P. Martinez" <ml@xxxxxxxxxxxxxx>
  • Date: Mon, 20 Dec 2004 22:23:09 -0600

Charles Duffy wrote:

You can certainly do that. You'll want your firewall/gateway systems to
route requests going to the other side of the VPN over to the OpenVPN
server; from there, you just need to make sure OpenVPN's UDP packets make
it across to the other side.

What exactly do you mean by "make sure"? It seems fairly simple to just route all requests to the VPN machine on the DMZ for any request that is headed for the network.

(I'm presuming you're using tun mode w/ udp
as the underlying transport, because those make sense in this case).

I was wondering if I should be using TCP because the company is worried about losing packets (also latency, which TCP will probably hurt). It's just a terminal-based application that will be running across the link. Currently it works fine with a 256k FT1. I'm wondering, if I use queuing on my Linux firewall and allocate 256k from the T1 to the OpenVPN connection, would they gain a lot of latency? Would I need to dedicate more bandwidth, and would this really even help, since bandwidth isn't directly proportional to latency?

Alternately, if it's not too much trouble, you can have the systems'
routing tables include a route to the remote side w/ the local VPN server
as gateway -- you'll just need to be sure that they all get it -- or you
can go belt-and-suspenders and implement both.

Personally, I run OpenVPN on my gateway, and don't feel too bad about it
-- after initialization it's running as an unprivileged user and group,
and if that weren't enough I could throw it into a chroot jail. Certainly
makes routing setup easier, and if configured correctly is a very minimal
security risk.


I do have one other question about this. Road warriors will also be hitting one side of the VPN, and they will want to browse SMB shares on the LAN. Will I have to set up a WINS server on the DMZ side? Because, unless I'm not remembering correctly, routers don't pass browser broadcasts.

Thanks again in advance.

Openvpn-users mailing list