On Tue, 11 Oct 2005, James Yonan wrote:


> Am I correct to assume that you want this because it would allow a Windows
> VPN client to act as a gateway for the VPN server's tun endpoint so that
> it can be accessed by other machines on the client-side LAN (using a
> tun-based model), without requiring that a route be added on the client
> LAN gateway?
> If so, then I'm not sure I understand how this would work.
> Suppose the client's TCP/IP settings on its local lan is,
> and suppose the LAN router and default gateway is
> The client connects to the server, and the server's virtual IP address is
> Now the client does a proxy-arp for so that other machines on
> the client LAN can see (Normally you could easily do this by just
> adding a route to the LAN gateway for this subnet, i.e. route
> ->, but I assume that you would want proxy arp instead because
> you might not have write access to the client-side LAN router's routing
> table).
> The reason why I don't understand why this can work is that suppose
> another client on the LAN (say tries to ping  The
> client will look at, see that it's not a locally reachable
> address on any installed interface, and forward it on to the next hop
> gateway.  In order for the proxy arp to work, the client would need to
> actually broadcast an "arp who-has" message, so that the
> machine would be able to say "hey, that address belongs to
> me!".  But based on empirical observation, I don't see that
> would try to resolve via ARP.  What it would do is broadcast an
> "arp who-has" to get the MAC address of the next-hop gateway,
> and then route the packet to it.

That's all right, Proxy-ARP wouldn't work if you choose these
IP addresses, but what if your local subnet is and your
OpenVPN server and client IPs are and
Then proxy-ARP works, as I am actually using it. :-)
(RAS and Routing must be enabled on the Windows side and you have to
add the registry entry IPEnableRouter=1 for this to work.)

(Reasonably I have the problem that broadcasts don't seem to work,
but this would be the next step, and is not so important.)

Ciao, Joern.
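
The next-hop decision both messages turn on, as an added example that is not part of the original thread: a LAN host sends "arp who-has" for the destination itself only when the destination is on-link, so proxy ARP can only answer for VPN addresses chosen inside the LAN subnet. All addresses and the names `arp_target` and `proxy_arp_can_answer` are constructed for illustration, since the thread's own addresses are not present on the page.

```python
import ipaddress

def arp_target(routes, dst):
    """Return the IP a host sends 'arp who-has' for when transmitting to dst.

    routes: list of (prefix, gateway); gateway None means the prefix is on-link.
    The most specific matching prefix wins (longest-prefix match).
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {dst}")
    # On-link: resolve the destination itself. Otherwise: resolve the gateway.
    return dst if best[1] is None else best[1]

def proxy_arp_can_answer(routes, proxied, dst):
    """True only if the sender ARPs for dst itself and dst is a proxied address."""
    return dst in proxied and arp_target(routes, dst) == dst

# Constructed LAN host: 192.168.1.0/24 on-link, default route via 192.168.1.1.
LAN_HOST_ROUTES = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]

# Case 1 (quoted message): VPN server address outside the LAN subnet.
OFF_LINK_VPN = "10.8.0.1"
# Case 2 (reply): VPN addresses chosen inside the LAN subnet.
ON_LINK_VPN = "192.168.1.200"

if __name__ == "__main__":
    for vpn_ip in (OFF_LINK_VPN, ON_LINK_VPN):
        print(vpn_ip, "-> arp who-has", arp_target(LAN_HOST_ROUTES, vpn_ip),
              "| proxy ARP answers:",
              proxy_arp_can_answer(LAN_HOST_ROUTES, {vpn_ip}, vpn_ip))
```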

