
Re: [Openvpn-users] OpenVPN and Proxy-ARP

  • Subject: Re: [Openvpn-users] OpenVPN and Proxy-ARP
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Tue, 11 Oct 2005 20:03:54 -0600 (MDT)

On Tue, 11 Oct 2005, Joern Krebs wrote:

> Hello,
> I found this e-mail in the OpenVPN archive, but I never found an
> answer to it, so I think there is still no proxy-ARP feature (on the
> Windows server side) included in the OpenVPN project. But I need this
> feature, because I am in need of a simple OpenVPN server for remote
> management of several PCs. OpenVPN is very small and simple, but you
> still can't connect a client over a simple crypt-key tun device
> connection to a whole network (Windows client, Windows XP server).
> My tests show that this connection is nearly possible: I can ping all
> IP addresses in the server network, and they receive my ping and try
> to look up my MAC address (ARP), but without any proxy ARPing from my
> Windows server they don't know my MAC address and so they can't ping
> back.
> Lately I found this article in the OpenVPN users archive. This man
> solved the problem, but since I can't write any programs (except a
> little batch), I can't write this little tool the sender of the e-mail
> has. So can anyone help me? Either by including the described Windows
> proxy ARP in the next OpenVPN version, or by writing this little tool
> for me, or by giving me the e-mail address of "Martin" (James must
> have it...).
> So, here comes the e-mail of Martin:
> ------------------------------------8<-----------------------
> While this may not be a full bridge in the traditional sense, it
> appears to fit my need and may be useful to others.
>
> Noting the Ethernet bridging comment '... requires Windows XP or
> higher ...' on the page:
> 	http://openvpn.sourceforge.net/INSTALL-win32.html,
> yesterday I knocked up a utility to add/remove a proxy-arp address
> to/from a network interface under Win2k/XP.  It uses the IPHelper
> functions CreateProxyArpEntry() & DeleteProxyArpEntry() documented here:
> http://msdn.microsoft.com/library/en-us/iphlp/iphlp/ip_helper_functions.asp
> However, the WinCE version pages have better usage information here:
> http://msdn.microsoft.com/library/en-us/wcetcpip/html/ceconIPHelperFunctions.asp
>
> It would be good if you could add this functionality to the core
> OpenVPN application, maybe using a config keyword such as 'proxy-arp'
> to activate proxying of a remote-end virtual address on the local-end
> LAN.
>
> This operation is useful where modification of the remote network's
> routing setup is not possible, coupled with the need for connectivity
> to other remote-end routable subnets that are not directly routable
> locally.
>
> The steps are as follows:
> 1) an openvpn is set up between two different physical LANs, using two
>    additional addresses from the remote LAN as the virtual vpn addresses;
> 2) the local-end virtual address is proxy-arp'ed on the remote-end
>    physical LAN interface;
> 3) routing is enabled on the remote machine by setting the following
>    registry value:
>    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter (REG_DWORD) = 1
>    This requires a reboot to take effect and can be seen through
>    'ipconfig /all'.
>
> For reference, included below are the 'ovpn' files from both machines.
>
> Any comments?
>
> BTW: I was looking for a Windows implementation of OpenVPN in Nov 2002
> but it seemed not to exist at that point.  I didn't look again until
> last week and realised that I must have been just a little too early.
> Anyway, many thanks to you and any others involved in pulling together
> such a cohesive Windows implementation.
>
> Best regards - Martin

Am I correct to assume that you want this because it would allow a Windows
VPN client to act as a gateway for the VPN server's tun endpoint so that
it can be accessed by other machines on the client-side LAN (using a
tun-based model), without requiring that a route be added on the client
LAN gateway?

If so, then I'm not sure I understand how this would work.

Suppose the client's TCP/IP settings on its local lan is, 
and suppose the LAN router and default gateway is

The client connects to the server, and the server's virtual IP address is

Now the client does a proxy-arp for so that other machines on
the client LAN can see (Normally you could easily do this by just
adding a route to the LAN gateway for this subnet, i.e. route
->, but I assume that you would want proxy arp instead because
you might not have write access to the client-side LAN router's routing 

The reason why I don't understand why this can work is that suppose
another client on the LAN (say tries to ping  The client will look
at, see that it's not a locally reachable address on any installed
interface, and forward it on to the next hop gateway.  In order for
the proxy arp to work, the client would need to actually broadcast an
"arp who-has" message, so that the machine would be able to say "hey,
that address belongs to me!".  But based on empirical observation, I
don't see that would try to resolve via ARP.  What it would do is
broadcast an "arp who-has" to get the MAC address of the next-hop
gateway, and then route the packet to it.
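An added example, not code from this thread or from OpenVPN: a small PowerShell script doing what Martin's utility did, adding or deleting a single proxy-ARP entry through the IP Helper functions CreateProxyArpEntry() and DeleteProxyArpEntry() that he names. It assumes an elevated session and takes the LAN adapter's interface index as listed by `route print`; as James's reply explains, LAN hosts only ARP for an address inside their own subnet, so the proxied address must be one taken from that LAN, as in Martin's step 1.

```powershell
# Add or delete a proxy-ARP entry for one IPv4 address on a LAN interface.
# Usage (elevated):  .\proxyarp.ps1 -Action add -Address 192.0.2.77 -IfIndex 11
param(
    [Parameter(Mandatory)][ValidateSet('add','delete')][string]$Action,
    [Parameter(Mandatory)][string]$Address,   # virtual VPN address borrowed from the LAN
    [Parameter(Mandatory)][int]$IfIndex,      # LAN adapter index from "route print"
    [string]$Mask = '255.255.255.255'         # host mask: proxy exactly one address
)

# P/Invoke declarations for the two IP Helper calls (iphlpapi.dll).
$sig = @'
[DllImport("iphlpapi.dll")]
public static extern uint CreateProxyArpEntry(uint dwAddress, uint dwMask, uint dwIfIndex);
[DllImport("iphlpapi.dll")]
public static extern uint DeleteProxyArpEntry(uint dwAddress, uint dwMask, uint dwIfIndex);
'@
$IpHlp = Add-Type -MemberDefinition $sig -Name 'ProxyArp' -Namespace 'Win32' -PassThru

# IP Helper expects the address as a DWORD in network byte order, i.e. the
# dotted-quad octets laid out in memory as they appear. Reading the octets
# with BitConverter on a little-endian host yields exactly that value.
function ConvertTo-NetOrderDword([string]$Dotted) {
    $bytes = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    return [BitConverter]::ToUInt32($bytes, 0)
}

$addr = ConvertTo-NetOrderDword $Address
$mask = ConvertTo-NetOrderDword $Mask

if ($Action -eq 'add') {
    $rc = $IpHlp::CreateProxyArpEntry($addr, $mask, [uint32]$IfIndex)
} else {
    $rc = $IpHlp::DeleteProxyArpEntry($addr, $mask, [uint32]$IfIndex)
}

# Both functions return NO_ERROR (0) on success and a Win32 error code
# otherwise; Win32Exception turns that code into a readable message.
if ($rc -ne 0) {
    $msg = (New-Object System.ComponentModel.Win32Exception([int]$rc)).Message
    throw "$Action of proxy-ARP entry failed: $msg (code $rc)"
}
"Proxy-ARP entry for $Address on interface $IfIndex: $Action OK"
```

The entry is not persistent; re-run the script after a reboot, or hook it to the tunnel coming up and down.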
