Re: [Openvpn-users] openvpn and WEP again, sorry.

  • Subject: Re: [Openvpn-users] openvpn and WEP again, sorry.
  • From: /dev/rob0 <rob0@xxxxxxxxx>
  • Date: Thu, 1 Sep 2005 16:06:34 -0500

On Thursday 2005-September-01 06:38, Daniel Banyasz wrote:
>  This is all new to me, but it sounds like I can simply assign a
> second IP (on a different subnet) to my internal NIC.

Yes, using iproute2 (/sbin/ip) or just plain ifconfig(8). It's quite 
simple. Have your OS bring up the main address as, then 
this will add the second IP:

ip addr add label eth1:wifi dev eth1

>  Could I then not just use this second subnet for the wireless AP and
> all its clients?

Yes, anything DHCP'ing through the AP should be given addresses in, not given a default gateway, and not allowed routing 
through the firewall.

>  Then I would bridge this second IP address on eth1 to the TAP device

I don't do bridging so I am not sure about this, but IIUC you probably 
cannot do this. I think bridging is done on the basis of interface, and 
I wouldn't think it could work per virtual interface. But using 
ebtables(8) you can probably enforce the separation between the two 
virtual interface subnets.

Consider this attack model: someone connects via wireless and assigns 
themselves an unused IP in the "secure" subnet. You need 
to recognise that somehow, and refuse to do routing for the intruder.

> IP as I previously described, and those clients that didn't have
> openvpn installed and were just using my wireless after cracking WEP

(You might as well disable WEP anyway.)

> wouldn't be on the bridged network, but on the separate wireless
> subnet, and the firewall would drop all packets???
>  But how do I set up a DHCP server on the eth1 interface to hand out
> IP's from 2 different  ranges on two different subnets?

ISC dhcpd(8) has a lot of tricks in its bag. See dhcpd.conf(5) and 

>  And how do I know which range and subnet a particular client IP will

I think the simplest approach is to enumerate all your known hosts in 
dhcpd.conf host declarations. Known Ethernet and OpenVPN hosts are in 
the "secure" subnet, and all others get addresses from 
a pool in

> be. Or should I just forget about this 2 IP's per physical interface
> idea and implement virtual interfaces as originally suggested.

"Virtual interface" was the term I used to describe the idea of two IP 
addresses in distinct and separate logical subnets. I am thinking that 
it can be made to act like a "virtual interface" but I am not sure.

>  ps. I am having trouble replying to the list and having the message
> appear, so apologies if there is a double post.

Sometimes the sourceforge list servers are slow. Also, please keep the 
HTML turned off.
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
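
The dhcpd.conf layout described above (host declarations for known hosts in the "secure" subnet, a pool on the same eth1 for everyone else, no default gateway for the wireless side), written out as an added example that is not from the original post. The subnets, addresses and MACs are constructed placeholders from the RFC 5737 / RFC 7042 documentation ranges, since the original post's addresses did not survive in the archive.

```conf
# Added example (not from the original post): ISC dhcpd.conf for one
# physical interface (eth1) carrying two logical subnets. All addresses
# below are constructed documentation-range placeholders.
authoritative;
default-lease-time 3600;
max-lease-time 7200;

# Known hosts are enumerated by MAC address; each gets a fixed address
# in the "secure" subnet. dhcpd "knows" a host only by the hardware
# address it claims, so this is identification, not authentication.
host desktop1 {
    hardware ethernet 00:00:5e:00:53:01;   # constructed example MAC
    fixed-address 192.0.2.10;
}
host laptop-vpn {
    hardware ethernet 00:00:5e:00:53:02;   # constructed example MAC
    fixed-address 192.0.2.11;
}

# Both subnets sit on eth1, so they are grouped in one shared-network
# block; otherwise dhcpd cannot tell which range belongs to the interface.
shared-network eth1 {
    # Secure subnet: no dynamic range, and unknown MACs are refused here.
    subnet 192.0.2.0 netmask 255.255.255.0 {
        option routers 192.0.2.1;
        option domain-name-servers 192.0.2.1;
        deny unknown-clients;
    }

    # Wireless subnet: only unknown clients draw from this pool, and no
    # "option routers" is given, so a client that merely cracked WEP gets
    # an address but no default gateway through the firewall.
    subnet 198.51.100.0 netmask 255.255.255.0 {
        pool {
            range 198.51.100.100 198.51.100.200;
            allow unknown-clients;
            deny known-clients;
        }
    }
}
```

This only controls what dhcpd hands out; a client that self-assigns a secure-subnet address (the attack model above) still has to be refused at the forwarding layer, which is the ebtables/firewall separation the post points to.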
