
Re: [Openvpn-users] question on routing

  • Subject: Re: [Openvpn-users] question on routing
  • From: "Aaron P. Martinez" <ml@xxxxxxxxxxxxxx>
  • Date: Mon, 31 Jan 2005 19:28:25 -0600

On Mon, 2005-01-31 at 18:53, Michael Perry wrote:
> I setup a pretty simple static key vpn server that has a linux laptop
> connecting to it.  I'm running a home network behind a linksys WRT54G
> with the required port open for tcp and udp traffic.  I can connect
> just fine and after doing a route add on the laptop, I can see the vpn
> server's real IP address at 192.1681.5.  The virtual IPs are:
> vpn endpoints IP addresses
> ------------------------------------
> server:
> client:
> real IP addresses
> --------------------------------
> server: (also vpn server)
> debian desktop
> router (wrt):
> printer:
> I took the example pretty much straight from the examples page for the
> setup.  Next I added an ip route which does this on the laptop:
> route add -net netmask gw
> My hope is to be able to see the rest of my home network which resides
> off the 192.168.1.x network but all I can ever see is the vpn server. 
> The laptop connects just fine and when I add the route, it sees the
> real IP address for the vpn server on the 192.168.1.x network.  I have
> echoed 1 to /proc/sys/net/ipv4/ip_forward on both systems as well.
> What's the step I am missing to get the other systems including a
> printer at able to be reached?  As I mentioned, the vpn
> connection works really well and I am very happy with the ease in
> setting things up.
> Thanks for any pointers.

If I'm reading this properly, you're trying to make your vpn connection
have the same address space as your home network and this isn't going to
work.  The route before you do your route statement to all
192.168.1.x/24 addresses is I'm assuming something like this: U         0 0        0 eth0
and afterwards, well I'm not sure, I'm surprised it even takes the
statement that you're giving because there are no 192.168.2.x addresses
anywhere in your scenario that I can see.  Let's assume however that you
meant in which case the route will probably look something
like so: U         0 0        0 tunx
All of your requests are now heading out the tun interface even to local
resources because they are on the same network as your tun interface.


              For TUN devices, which facilitate virtual point-to-point IP
              connections, the proper usage of --ifconfig is to use two
              IP addresses which are not a member of any existing subnet
              is in use.  The IP addresses may be consecutive and should
              have their order reversed on the remote peer.  After the VPN
              is established, by pinging rn, you will be pinging across the

Even if you're not using the ifconfig statement, you will need to make
the tun devices have a different ip class than your lan and your office
network unless you're doing bridging.  Additionally, if your office
network uses 192.168.1.x/24 addresses you will need to change your home
network (or vice versa, albeit changing the home will prob. be easier)
or else you won't be able to reach your office lan and also connect to
local lan resources.

Since you didn't stipulate if you're doing a ptp or a multi-client setup
I'm not sure if this applies to you, but if you are using the
multi-client, you can skip the route add and simply push the route over
from the server saving you a step, but no matter what you'll need to
change some on the tunnel and either on your home or office lan.
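
The addressing rules from the reply above, as an added example that is not part of the original message: a Python check that flags tunnel endpoints lying inside a LAN subnet and LANs that overlap across the tunnel. All addresses and labels are constructed for illustration, and `find_conflicts` is a hypothetical helper name.

```python
import ipaddress
from itertools import combinations


def find_conflicts(tun_endpoints, lans):
    """Return (kind, a, b) tuples for addressing conflicts in a routed tun setup.

    tun_endpoints: IP strings given to --ifconfig (local and remote endpoint)
    lans: dict mapping a label to the CIDR of each LAN reachable via the tunnel
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in lans.items()}
    conflicts = []

    # Rule 1: a tun endpoint must not be a member of any subnet already in use,
    # otherwise traffic for that LAN is routed into the tunnel interface.
    for ep in tun_endpoints:
        addr = ipaddress.ip_address(ep)
        for name, net in nets.items():
            if addr in net:
                conflicts.append(("endpoint-in-lan", ep, name))

    # Rule 2: the LANs on either side must not overlap, or a host cannot reach
    # both the remote LAN and its own local resources.
    for (name_a, net_a), (name_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            conflicts.append(("lan-overlap", name_a, name_b))

    return conflicts


if __name__ == "__main__":
    # Constructed sample: endpoints taken from the LAN range, both LANs identical.
    broken = find_conflicts(
        ["192.168.1.200", "192.168.1.201"],
        {"home": "192.168.1.0/24", "office": "192.168.1.0/24"},
    )
    # Constructed sample: dedicated endpoint range, one LAN renumbered.
    fixed = find_conflicts(
        ["10.8.0.1", "10.8.0.2"],
        {"home": "192.168.50.0/24", "office": "192.168.1.0/24"},
    )
    for kind, a, b in broken:
        print(f"conflict: {kind}: {a} / {b}")
    print("fixed layout conflicts:", fixed)
```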

