
[Openvpn-users] openvpn-2 tap and nat - understanding problem


  • Subject: [Openvpn-users] openvpn-2 tap and nat - understanding problem
  • From: "Konrad Karl" <kk_konrad@xxxxxx>
  • Date: Wed, 12 Jan 2005 17:05:47 +0100 (MET)

Hello all, 
please excuse the HTML mail, I can't change it. 
 
First, I have openvpn2 running successfully using tun. Now I have 
started playing around using tap and seem to have a fundamental  
understanding problem.  
 
I want to do the following: 
 
Server machine (Linux) has one ethernet card, permanently connected  
to the internet. At the moment all clients are Linux as well but 
I will also try Windows later on. 
 
On this machine at least one instance (and perhaps more) of 
openvpn should be running. (Some clients may be able to use  
UDP but others are forced to use TCP, so I think I will have 
to run more than one instance.) All clients should be able to 
connect to all other clients. They should get an IP address out of 
a private pool. (10.100.0.x in the example below)  
 
And (now the problematic area): they should be able to access 
the internet using iptables NAT (or masquerading). How to achieve 
this?  
 
I have been successful in establishing client/client connectivity, 
and the clients can also access the server (using the private IP address) 
but I don't grok how to NAT the tap adapters over the official 
IP address on eth0. Something like a virtual "router" sitting on  
the tap+bridge "cable" and routing IP into the networking stack.  
 
In order to access the server I had to 
add an "ifconfig 10.100.0.1 255.255.255.0" line  in addition to 
"server-bridge 10.100.0.1 255.255.255.0 10.100.0.10 10.100.0.49" 
 
When using tun, NAT works OK.  
 
I have not yet tested connectivity between two openvpn instances but I 
think a bridge setup will do it. 
 
The server's config:  
 
local xxx.yyy.zzz.aaa 
port 443 
proto tcp 
dev tap 
dh /etc/.openvpn-keys/dh1024.pem 
ca /etc/.openvpn-keys/ca.crt 
cert /etc/.openvpn-keys/xxx.crt 
key /etc/.openvpn-keys/xxx.key 
ifconfig 10.100.0.1 255.255.255.0 
ifconfig-pool-persist ipp.txt 
server-bridge 10.100.0.1 255.255.255.0 10.100.0.10 10.100.0.49 
client-to-client 
keepalive 10 120 
comp-lzo 
persist-key 
persist-tun 
status openvpn-status.log 
verb 4 
 
For the curious, this is being tried mainly for establishing 
a private VOIP network. 
 
Any insights are welcome. 
Thanks, 
Konrad 
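
An added example, not part of the original post and not OpenVPN project code: the forwarding and masquerading rules for the setup described above, matched on the pool subnet so they apply whether 10.100.0.1 sits on the tap device or on a bridge. The subnet and interface come from the post; the function names and the APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): masquerade a VPN subnet behind
# the server's public interface. Values below are taken from the post.
VPN_NET="${VPN_NET:-10.100.0.0/24}"   # pool subnet from the server config
WAN_IF="${WAN_IF:-eth0}"              # internet-facing interface

# Shape checks so a value cannot carry extra iptables arguments.
valid_cidr() {
    case "$1" in *[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}
valid_if() {
    case "$1" in ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Print the rule set, one command per line.
nat_rules() {
    net="$1"; wan="$2"
    valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    valid_if "$wan" || { echo "bad interface: $wan" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -s $net -o $wan -j ACCEPT
iptables -A FORWARD -d $net -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run by default; APPLY=1 (as root) executes each printed command.
if [ "${APPLY:-0}" = "1" ]; then
    nat_rules "$VPN_NET" "$WAN_IF" | while read -r cmd; do $cmd || exit 1; done
else
    nat_rules "$VPN_NET" "$WAN_IF"
fi
```

Clients still need a default route through 10.100.0.1, for example via push "redirect-gateway" in the server config (an assumption; the post does not show the client side).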
