[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] VPN tunnels through NAT firewall (client/server?)


  • Subject: Re: [Openvpn-users] VPN tunnels through NAT firewall (client/server?)
  • From: Sean Kennedy <skennedy@xxxxxxxx>
  • Date: Tue, 04 Jan 2005 12:51:18 -0800

Darren Spruell wrote:

We would like to set up a branch office VPN connection between two
sites. One endpoint is a Linux firewall with an Internet-routable IP,
the other endpoint is a Linux server behind a NAT firewall and has an
RFC1918 IP address.  We would hope that this would work correctly if the
connection is initiated from the Linux server behind the NAT box to the
other firewall with the public address; return traffic would simply be
routed back to the NAT box and translated to the server again.

But, from what I can tell from the openvpn startup examples, each
endpoint must be able to connect to the other directly (specified with
the "--remote" argument). Since one endpoint is hidden behind the NAT
firewall on a private network, this doesn't fit and we would need to
move this endpoint into a DMZ or similar publicly-routable location.

Can someone please confirm this one way or the other?



Not in the client/server model from 1.6 ( haven't worked with the 2.0 series yet ). Only the client needs to know the IP of the server. The server couldn't care less about where the client's calling from.

At least, that's how i have it setup. I have 3 clients on dynamic IPs, which change quite frequently. I've never had an issue. Further, I have a client coming from behind a linksys home gateway router thingy ( win2k client ), and she hasn't had any issues either ( thank god ).

One thing possibly worth noting, and something you probably already know: Because openvpn uses udp, your firewall may have issues with it. That all depends on the firewall of course, some are more intelligent than others. Just set openvpn to ping every x seconds, and you should be ok. ( again, sorry if you already knew this, but I'm adding in here for future searchability )

Sean


------------------------------------------------------- The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek. It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt _______________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users