Re: [Openvpn-users] General question

  • Subject: Re: [Openvpn-users] General question
  • From: Steve Willis <openvpn@xxxxxxxxxxxxxxx>
  • Date: Tue, 07 Feb 2006 13:42:36 -0700

Jon Bendtsen wrote:
Always include the list unless it really has to be elsewhere.

Whoops! Sorry about that!

On Monday 6 Feb at 22:14, Steve Willis wrote:

Jon Bendtsen wrote:
(2) Many of my users share a common physical location that already has a real LAN setup. I want to make several Samba servers available to the VPN that are currently available on these LANs. I'd like to avoid the overhead of routing traffic through our offsite OpenVPN server for accessing Samba shares that are already on a user's LAN. Is there a way to ensure that when a Samba share name is available via the VPN and LAN, the LAN is chosen as a route? Note that I don't want to do any permanent routing on the client side, because many users will want to connect their laptops both in and out of the office, and I'd like the network to always "just work". (I realize this is really a Samba question, since OpenVPN IP addresses are unambiguous, whereas share names are not...)
How data are routed depends on your routing table. So you just need to
ensure that the client has the right routing table. Like using a connection
script that pushes the right routes to the client depending on the ip address
of the client.

Hi Jon,

Thanks for the quick reply! I'm not sure I understand your answer to #2. Let's say that there is a LAN setup with 5 users and one Samba server in an office ( Each of those 5 users also installs OpenVPN client software, as does the Samba server, and all connect to a remote OpenVPN server via tun ( Now, the Samba host is available to each of the 5 users on two different interfaces by the same name. When they browse their Network Neighborhood, I want them to connect via the LAN rather than round trip all that traffic over the tun. But when any of these users leaves the office with a laptop, I want them to still be able to reach the same Samba server by the same name across the tun.

Ahh, I see. First of all, network neighbourhood is not so fond of tun/routing.
For that you need to use bridging/tap.

Actually, I've almost got this working over tun now. I switched from tap a few days ago (poor performance), and am pushing the "NBT 2" option to the client. Now, each client can see the WINS server's shares in their Network Neighborhood, but can't yet see each other.

In any case, my question still applies, even if I switch back to tap.

Why do the clients even need to connect to the openvpn server if they are
onsite? Rather than messing around trying to create a solution, simply
just make the whole office network talk to the other remote site by a different
tunnel, and block openvpn road warrior access from the 2nd office.

Not all clients are in the same location. There are "clusters" of employees in different buildings. The physical setup is more like this:

Building A:
server 1
server 2
employee 1
employee 2
employee 3

Building B:
server 3
server 4
employee 4
employee 5
employee 6

Building C:
OpenVPN server (co-located)

I want all employees to be able to see servers 1-4, which OpenVPN has done for me nicely. Now, imagine that you are employee 1, in building A. You are always connected to the VPN so that you can access servers 1-4. However, servers 1 and 2 are local to you. When the name "server 1" shows up in your Network Neighborhood, which route does it use? I'm looking for a way to ensure that it always uses the fast local LAN.

Now, you (employee 1) take your laptop on a road trip. You are still connecting to the VPN, but now you must use the VPN to connect to any of servers 1-4. You shouldn't have to do anything different on your laptop now from when you had it in the office (so no permanent modifications to Windows that will always force routing to the LAN.) For example, you shouldn't have to specify the VPN IP address of the server instead of the LAN IP address just because you are out of the office...the same WINS name should work in both places.

Just to clarify, I have all of the above set up and working. I'm just looking for a way to guarantee that when employee 1 is sitting in his office, his connection to the server in the next room is not taking a 100 mile round-trip because Windows chose the wrong route, without employee 1 having to specify whether he is in or out of the office. Prior to this, we were using SFTP servers, and experience has shown that if any changes have to be made to make a connection work out of the office (like remembering to specify a different IP address to connect to), the less technical employees have problems.

Thanks for the advice!


Openvpn-users mailing list
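Jon's suggestion above (a connection script that pushes routes depending on the client's address) can be done with OpenVPN's `client-connect` hook. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It assumes the three-building layout Steve describes, with made-up addressing: Building A egresses from 203.0.113.0/24 and has LAN 10.1.0.0/24, Building B egresses from 198.51.100.0/24 and has LAN 10.2.0.0/24, and Building C only hosts the OpenVPN server. OpenVPN runs a `client-connect` script with the path of a temporary per-client config file as `$1` and the client's public source address in the `trusted_ip` environment variable; the server config needs `script-security 2` for that, and the site routes must not also be pushed globally, or the per-client selection is moot.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN client-connect script that
# pushes LAN routes according to where the client connects from.
# Invoked by the server as:   client-connect /etc/openvpn/site-routes.sh
# $1          = per-client config file OpenVPN hands us (we write pushes there)
# $trusted_ip = the client's public source address, set by OpenVPN
#
# Assumed addressing (RFC 5737 documentation ranges, not from the thread):
#   Building A: public egress 203.0.113.0/24, office LAN 10.1.0.0/24
#   Building B: public egress 198.51.100.0/24, office LAN 10.2.0.0/24
#   Building C: OpenVPN server only, no user LAN

# Map the client's public source address to a site name.
# Anything outside the two office egress ranges is a road warrior.
site_for_ip() {
    case "$1" in
        203.0.113.*)  echo "A" ;;
        198.51.100.*) echo "B" ;;
        *)            echo "road" ;;
    esac
}

# Print the push directives for a client at the given site.
# A client inside Building A already reaches 10.1.0.0/24 over its own LAN,
# so that route is deliberately NOT pushed through the tunnel; only the other
# building's LAN is. A road warrior gets routes to both LANs.
routes_for_site() {
    case "$1" in
        A) printf 'push "route 10.2.0.0 255.255.255.0"\n' ;;
        B) printf 'push "route 10.1.0.0 255.255.255.0"\n' ;;
        *)
            printf 'push "route 10.1.0.0 255.255.255.0"\n'
            printf 'push "route 10.2.0.0 255.255.255.0"\n'
            ;;
    esac
}

# Convenience wrapper: source address in, push directives out.
routes_for_client() {
    routes_for_site "$(site_for_ip "$1")"
}

# Entry point when OpenVPN runs us. Guarded so the functions can be sourced
# and exercised without touching any file.
if [ -n "$1" ] && [ -n "$trusted_ip" ]; then
    routes_for_client "$trusted_ip" > "$1"
fi
```

This only decides which networks the client routes through the tunnel. As Steve notes in the thread, the share name is the ambiguous part: if WINS hands the client the server's tun address rather than its LAN address, the connection still goes over the tunnel no matter what the routing table says, so the name resolution side has to return the LAN address for on-site clients for this to have the intended effect.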