Re: [Openvpn-users] 3 questions

I have worked with OSPF before and I will look into this.  Is this my only
option to enable client-to-client and then rely on iptables?  I guess I will
have to dust off my iptables rules....

Mr. Russel,

With the current complexity of your network, 3 servers and 100+ clients,
I think it'd be best to start implementing OSPF to take care of your
routing. As for one client being able to talk to the rest, enable
client-to-client on OpenVPN and control who can talk to whom with
iptables. This assumes you are using a Linux server. I like to test
network configurations with VNUML.
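The advice above, worked through as an added example (not code from the list posters or the OpenVPN project) for a Linux OpenVPN server: one monitoring client is pinned to a VPN address by its ccd file and is the only client allowed to reach the others, enforced with iptables FORWARD rules. The interface name tun0, the subnet 10.8.81.0/24 and the monitor address 10.8.81.50 are constructed assumptions. One caveat from the OpenVPN manual is built into the script as a check: with `client-to-client` enabled, the server switches client traffic internally and it never reaches the kernel, so iptables cannot filter it; per-client control needs that option off and kernel forwarding on.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posters or the
# OpenVPN project): let ONE monitoring client reach every other client
# while ordinary clients still see only the server, using the kernel
# forwarding path plus iptables on a Linux OpenVPN server.
# Constructed assumptions: VPN interface tun0, VPN subnet 10.8.81.0/24,
# monitoring client pinned to 10.8.81.50 via its ccd file.
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.81.0/24}
MONITOR_IP=${MONITOR_IP:-10.8.81.50}

# Caveat (OpenVPN manual, --client-to-client): with that option the server
# switches client-to-client packets internally, so they never cross tun0
# and iptables never sees them.  Per-client control therefore needs
# client-to-client OFF and net.ipv4.ip_forward ON.  Reads the config from
# the path in $1 (or stdin); returns 1 when the option is active.
check_server_conf() {
    if grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "${1:--}"; then
        echo "WARNING: client-to-client is enabled; iptables cannot filter client traffic" >&2
        return 1
    fi
    return 0
}

# ccd entry pinning the monitoring client's address.  With the default
# net30 topology the two arguments are the client's /30 pair (client,
# server endpoint); with "topology subnet" the second is the netmask.
gen_monitor_ccd() {
    printf 'ifconfig-push %s %s\n' "$1" "$2"
}

# FORWARD rules for traffic that enters and leaves through the VPN
# interface, i.e. client-to-client traffic hairpinned by the kernel.
# Printed rather than executed so they can be reviewed; run them as root,
# and use -I instead of -A if FORWARD already accepts everything.
gen_forward_rules() {
    cat <<EOF
iptables -N VPN_C2C
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -j VPN_C2C
iptables -A VPN_C2C -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_C2C -s $MONITOR_IP -d $VPN_NET -j ACCEPT
iptables -A VPN_C2C -j DROP
EOF
}

# Stand-alone demo on a constructed server.conf; nothing is applied.
SAMPLE_CONF=$(mktemp)
printf 'port 1194\nserver 10.8.81.0 255.255.255.0\nclient-config-dir ccd\nclient-to-client\n' > "$SAMPLE_CONF"
if check_server_conf "$SAMPLE_CONF"; then
    echo "server.conf OK: the rules below will take effect"
else
    echo "remove client-to-client from server.conf before applying the rules below"
fi
rm -f "$SAMPLE_CONF"
echo "--- ccd/nagios ---"
gen_monitor_ccd "$MONITOR_IP" 10.8.81.49
echo "--- firewall ---"
echo "sysctl -w net.ipv4.ip_forward=1"
gen_forward_rules
```

The ESTABLISHED,RELATED rule lets replies from the monitored clients flow back to the monitor; any other client-to-client connection attempt is NEW, matches no accept rule and is dropped, so ordinary clients keep seeing only the server.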


> My 3 questions are:
> 1. We monitor our systems using Nagios and I would
> like to be able to have the monitoring server connect to the main
> OpenVPN server as a client and be able to "see" each of the clients
> via the VPN.  Right now any client can only see the server.  Is it
> possible to be able to have one client only be able to reach all the
> other clients?  Or will I have to make a global change to allow each
> client to get to any other.  Each client has a fixed VPN IP based upon
> their ccd file.
> 2. We are moving to a point where I would like to use
> a second subnet to separate new clients in a new country.  Up until
> now all my clients get a fixed IP in the 10.8.81.x subnet based upon
> their ccd file.  How can I now add for instance 10.8.82.x and give
> specific clients addresses in this subnet?  Will adding another route
> statement in the server configuration like "route
>" work?  If I do this will it have any effect on the
> existing 10.8.81.x subnet?
> 3. This sort of leads out of question number 1.  I
> have 3 servers running at various places on the Internet, right now I
> run all clients on one server but at some point soon I would like to
> have clients randomly move between servers.  Should the main server go
> down I simply run up the daemon on my backup server and the clients
> then move over.  I know how to accomplish this by changing the options
> in the client configuration files.  What I would like to know,
> assuming #1 is possible (and I'm sure it is) how then could this
> "special" client find any other client no matter what server it is
> connected to?  I can assume that it could simultaneously connect to
> both servers and then "find" the client it wants to monitor from
> there.
> I hope these questions make sense and I have given enough information
> to be pointed in the right direction.  If not, let me know what I have
> missed and I will be sure to comply.  Thanks in advance.
