
Re: [Openvpn-users] Basic bridging concept questions

  • Subject: Re: [Openvpn-users] Basic bridging concept questions
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Mon, 24 Jan 2005 03:11:26 +0100 (CET)

On Sun, 23 Jan 2005, Whit Blauvelt wrote:


The project is to use OpenVPN 2 running on Linux (2.4 kernel at the moment)
to bridge connections from a half-dozen remote developers to the company
LAN. I've looked at http://openvpn.net/bridge.html and at the FAQ and HOWTO
at http://bridge.sourceforge.net/document.html, and while both are clear
documents they presume background knowledge of bridging on Linux that I
lack. Some of the complex stuff I understand, but the simple stuff that I
should presumably already know is foggy.

Can someone please give a clear picture of the relationship of IPs, network
cards, and bridge devices? As the network currently sits, there are two
Linux router/firewall boxes, each dual-homed (two different external Net
connections each with multiple IPs). The second box, which is a mirror and
backup of the other, is the one I'd like to use for the bridge (so as to
keep this load off the main router). But when the second box is in takeover
mode, it needs to handle both the OpenVPN bridge and normal routing to the
outside. It also needs to maintain an internal IP for its mirroring
function. I'd also like to have the first box set up to take over the
bridging function if the second box goes down.

My first question is: The docs at bridge.sourceforge.net assume that all
you're trying to run is a bridge, rather than combining the bridging with
other functions on the same box and interfaces. So I'm unclear whether I
need a separate internal-facing NIC for the bridge, or whether a single
internal NIC is enough. The internal NIC currently has one or more IPs in
the 192.168.1.x range (one of those being the gateway to the external net
for the internal machines). It needs to maintain those. Can it be the bridge
device at the same time?

Yes. The most usual setup, I'd say, is like that. You have OpenVPN on your normal default gateway, so if you're using TAP, then it will be both bridging your OpenVPN connections and routing your normal traffic to/from internet.

Begin your start-up scripts by setting up a bridge (br0) and include both tap0 and eth0 (? your local interface) in it. Then assign your local interface to br0 instead of eth0.

Then treat br0 as your normal local interface, and it will route just as usual between br0 and your external interface.

My second question is: I want the remote users to be able to connect through
both external interfaces - two different external IPs. Can this work with a
single instance of OpenVPN?

I assume so. If you don't bind OpenVPN to a particular interface with --local, it should be reachable via any interface.

My third question is: Is it correct to assume that the remote connections
can simply be assigned IPs by the internal dhcp server, and that existing IP
assignments on the remote machines and internal LANs don't matter? Access
from within the actual LAN to the remote systems isn't wanted or desired,
just virtual remote access inward to the LAN.

They can, but it's a little tricky. You have to set up the DHCP server so it doesn't assign any default gateway to VPN users, as they will then lose connectivity with the external IP address of your OpenVPN server.

I'd recommend using OpenVPN's built-in ifconfig-pool feature instead and hand out IP addresses on the same subnet, but from another range of IP addresses than your local DHCP server is using.

My fourth question: One remote user runs OS/X. Somewhere on the OpenVPN site
it says bridging is only for Lin & Win, but elsewhere there's a suggestion
that OS/X can do it. What's the current state of that? Also, whether through
the bridge or through a separate, no-bridging instance of OpenVPN set up for
the remote Mac, what's required for OS/X to mount Windows drives on the
internal net? (I confess to total OS/X ignorance, beyond knowing its UNIX

Sorry, don't know about that. I think I've read about a new tun/tap driver supporting TAP as well.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
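A start/stop script for the bridge step the reply describes (br0 containing eth0 and tap0, with the LAN address moved onto br0), added here as an illustration and not code from the thread or from the OpenVPN project; the interface names, addresses and the DRY_RUN switch are assumptions.

```shell
# Added example: bring up br0 containing the LAN NIC and tap0, then move the
# LAN address (and with it the default-gateway role) onto br0, in the
# Linux 2.4-era bridge-utils/ifconfig style.
# All interface names and addresses below are assumptions for illustration.
LAN_IF="${LAN_IF:-eth0}"
TAP_IF="${TAP_IF:-tap0}"
BR_IF="${BR_IF:-br0}"
LAN_IP="${LAN_IP:-192.168.1.2}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"
LAN_BCAST="${LAN_BCAST:-192.168.1.255}"

# run: execute a command, or only print it when DRY_RUN=1, so the sequence
# can be reviewed (and tested) on a box without bridge-utils or root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridge_start() {
    # Create the persistent tap device OpenVPN will later attach to.
    run openvpn --mktun --dev "$TAP_IF"
    run brctl addbr "$BR_IF"
    run brctl addif "$BR_IF" "$LAN_IF"
    run brctl addif "$BR_IF" "$TAP_IF"
    # Member interfaces carry no address of their own; promiscuous mode so
    # the bridge sees frames addressed to other MACs.
    run ifconfig "$LAN_IF" 0.0.0.0 promisc up
    run ifconfig "$TAP_IF" 0.0.0.0 promisc up
    # The LAN address now lives on br0, which is then treated as the LAN side.
    run ifconfig "$BR_IF" "$LAN_IP" netmask "$LAN_MASK" broadcast "$LAN_BCAST" up
}

bridge_stop() {
    run ifconfig "$BR_IF" down
    run brctl delbr "$BR_IF"
    run openvpn --rmtun --dev "$TAP_IF"
    # Give the LAN address back to the physical NIC.
    run ifconfig "$LAN_IF" "$LAN_IP" netmask "$LAN_MASK" broadcast "$LAN_BCAST" up
}

case "${1:-}" in
    start) bridge_start ;;
    stop)  bridge_stop ;;
esac
```

Run it as root with `start` before OpenVPN and `stop` after; the server config then uses `dev tap0` and hands out the pool the reply recommends with `server-bridge` (or `ifconfig-pool` directly), using a range outside the LAN DHCP scope.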
