Re: [Openvpn-users] Re: openvpn-2 tap and nat - understanding problem [partially solved]


  • Subject: Re: [Openvpn-users] Re: openvpn-2 tap and nat - understanding problem [partially solved]
  • From: Konrad Karl <kk_konrad@xxxxxx>
  • Date: Thu, 13 Jan 2005 01:29:29 +0100

Hi,

it is working now using tap (single server instance) using the following
server config: (no client/client tested yet but I am confident that
it will work)

local aaa.bbb.ccc.ddd
port 443
proto tcp
dev tap
dh /etc/.openvpn-keys/dh1024.pem
ca /etc/.openvpn-keys/ca.crt
cert /etc/.openvpn-keys/srv1.crt
key /etc/.openvpn-keys/srv1.key
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

ifconfig on the server's tap0 now shows:
tap0      Link encap:Ethernet  HWaddr 00:FF:FF:1E:4E:33
          inet addr:10.100.0.1  Bcast:10.100.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	  ......

and the iptables NAT entry is simply:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.100.0.0/24        anywhere

I have been thinking too complicated and must have introduced some
thinko/error while using server-bridge etc.
 
----

One question still remains: how to combine more than one server
instance in such a way that all clients get the impression of being on the same
virtual "ethernet cable"? (the servers would have to use tap of course)

Konrad


On Wed, Jan 12, 2005 at 01:36:08PM -0600, Charles Duffy wrote:
> Pretend your tap device is an actual ethernet card. If you were
> configuring an ethernet network on a different IP range, you'd need to run
> a DHCP daemon, configure iptables, and so forth. The same things apply to
> your tap interface, and the conventional reference docs (such as the
> Linux IP Masquerade HOWTO) apply. (Also, since you're giving it its own
> IP range and masquerading, you can ignore all the instructions about
> setting up a bridge).
> 
> That said, why would you want to use tap if the only access to the rest
> of the network is masqueraded? You're losing the core advantages
> (broadcast traffic and non-IP protocols) and paying a penalty in
> performance and bandwidth costs as opposed to sticking with tun.


_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
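As an added example (my own code, not part of the thread or of the OpenVPN project), here is a small linter that parses the server config Konrad posted and reports the points a reviewer would raise before exposing that server on port 443: the 1024-bit DH file (inferred from the file name only, since the file itself is not on the page), the missing privilege drop, the missing control-channel HMAC, `client-to-client` letting clients talk past the host firewall, and Charles's observation that tap buys nothing when the only egress is masqueraded. Directive names are real OpenVPN 2.x directives; the finding codes and messages are my own.

```python
"""Lint an OpenVPN 2.x server config for common hardening gaps.

Added example for the mailing-list thread above; not OpenVPN project code.
The embedded config is the server config posted in the thread.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    code: str       # short machine-readable tag, my own naming
    severity: str   # "warn" or "info"
    message: str


# Server config as posted in the thread (constructed copy for offline use).
POSTED_CONFIG = """\
local aaa.bbb.ccc.ddd
port 443
proto tcp
dev tap
dh /etc/.openvpn-keys/dh1024.pem
ca /etc/.openvpn-keys/ca.crt
cert /etc/.openvpn-keys/srv1.crt
key /etc/.openvpn-keys/srv1.key
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
"""


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to a list of argument lists (directives may repeat).

    Lines beginning with '#' or ';' are comments. Inline blocks such as
    <ca>...</ca> are not handled; the posted config only uses file paths.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint(text: str) -> List[Finding]:
    """Return hardening findings for the given server config text."""
    cfg = parse_config(text)
    findings: List[Finding] = []

    # DH parameter size guessed from the file name (heuristic: the PEM file
    # is not available here, so a name like dh1024.pem is all we can go on).
    for args in cfg.get("dh", []):
        m = re.search(r"(\d{3,4})", args[0] if args else "")
        if m and int(m.group(1)) < 2048:
            findings.append(Finding("dh-size", "warn",
                f"'{args[0]}' looks like {m.group(1)}-bit DH parameters; "
                "2048 bits or more is the usual minimum"))

    # client-to-client switches client<->client traffic inside OpenVPN, so
    # it never reaches the host's iptables FORWARD chain.
    if "client-to-client" in cfg:
        findings.append(Finding("client-to-client", "info",
            "clients can reach each other without passing the host firewall; "
            "omit it if clients only need NAT egress"))

    # Without user/group the daemon stays root after initialisation.
    for d in ("user", "group"):
        if d not in cfg:
            findings.append(Finding(f"no-{d}", "warn",
                f"no '{d}' directive: daemon keeps root privileges "
                "(persist-key and persist-tun are required alongside it)"))

    # tls-auth puts an HMAC gate in front of the TLS handshake.
    if "tls-auth" not in cfg:
        findings.append(Finding("no-tls-auth", "info",
            "no 'tls-auth': any peer can start a TLS handshake on the port"))

    # Charles's point: tap only pays off when L2 broadcast or non-IP
    # traffic is needed; with masquerade-only egress, tun is simpler.
    dev = cfg.get("dev", [[]])[0]
    if dev[:1] == ["tap"]:
        findings.append(Finding("tap-not-needed", "info",
            "dev tap with NAT-only egress: tun gives the same reachability "
            "with less overhead"))
    return findings


if __name__ == "__main__":
    for f in lint(POSTED_CONFIG):
        print(f"[{f.severity}] {f.code}: {f.message}")
```

Running it against the posted config prints six findings; a config using `dev tun`, a 2048-bit DH file, `user nobody`, `group nogroup`, `tls-auth` and no `client-to-client` produces none.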