[Openvpn-users] Sharing private subnets over a decentralised VPN


  • Subject: [Openvpn-users] Sharing private subnets over a decentralised VPN
  • From: David <wizzardx@xxxxxxxxx>
  • Date: Wed, 27 Jun 2007 08:45:27 +0200

Hi.

Previously we had a simple point-to-point openvpn setup like this:

192.168.0.* <-> Internet <-> 192.168.10.*

Recently we decided to add more offices to the VPN.

I went through the howtos on the openvpn site, and I came up with a
config like this:

Site 1 runs openvpn server
Site 2 runs a server, and connects (as a client) to site 1
Site 3 runs a server, and connects (as a client) to site 1 & 2
Site 4 connects (as a client) to site 1,2, and 3

The main idea is that all sites can connect to each other, rather than
all of them connecting to a centralised location. We don't want to
waste bandwidth at a central site, or have the whole VPN go down when
the central location's internet connection has problems.

This setup seems to work fine. My main problem is that servers need to
be pre-configured with their clients' private subnets in advance. What
I would prefer would be a "server-to-server" mode where servers push
their private subnet routes to each other, instead of the current
setup where servers can push routes to clients, but servers can't
automatically get additional routes from the clients.

I could run a setup like this:

Site 1 connects as a client to site 2,3 and 4
Site 2 connects as a client to site 1,3 and 4
Site 3 connects as a client to site 1,2 and 4
Site 4 connects as a client to site 1,2 and 3

This way the sites automatically get routing info from each other. My
issue is that you get redundant routes between sites. This may be safe
(packets should go to the first route that matches), but it seems like
a very hackish/bad way to do it.

I don't think switching back to point-to-point config will help,
because the docs for the "push" and "pull" options state they are
meant for server & client setups, respectively.

I tried Googling for more info but didn't find anything useful.

Any suggestions?
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
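
The pre-configuration burden described in the post, as an added example that is not part of the original message: a small generator for the static `route`, `push "route"` and `iroute` directives each server needs in the first topology (site N is a client of every lower-numbered site). The subnets for sites 3 and 4, and the assumption that each client certificate's common name equals its site name, are constructed for illustration.

```python
# Added example: derive the static routing directives each site needs for the
# mesh in the post (each site is a client of every lower-numbered site).
# Subnets for sites 3 and 4 and the ccd file names (= cert CN) are assumptions.
from ipaddress import ip_network

SITES = {
    "site1": ip_network("192.168.0.0/24"),   # from the post
    "site2": ip_network("192.168.10.0/24"),  # from the post
    "site3": ip_network("192.168.20.0/24"),  # constructed
    "site4": ip_network("192.168.30.0/24"),  # constructed
}

def _net(n):
    """Format a network as OpenVPN expects: 'address netmask'."""
    return f"{n.network_address} {n.netmask}"

def mesh_links(sites):
    """Return (server, client) pairs: each site is a client of all earlier sites."""
    names = list(sites)
    return [(s, c) for i, s in enumerate(names) for c in names[i + 1:]]

def server_config(server, sites):
    """Routing directives for one server: main config lines plus per-client ccd files."""
    clients = [c for s, c in mesh_links(sites) if s == server]
    if not clients:
        return [], {}  # the last site only runs client instances
    main = ["client-config-dir ccd", f'push "route {_net(sites[server])}"']
    ccd = {}
    for c in clients:
        main.append(f"route {_net(sites[c])}")  # kernel route into the tunnel
        ccd[c] = [f"iroute {_net(sites[c])}"]   # OpenVPN's internal route to that client
    return main, ccd

def overlapping(sites):
    """Pairs of sites whose LANs overlap and so cannot be routed unambiguously."""
    names = list(sites)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]

if __name__ == "__main__":
    assert not overlapping(SITES)
    for name in SITES:
        main, ccd = server_config(name, SITES)
        print(f"# {name}: server config")
        print("\n".join(main))
        for cn, lines in ccd.items():
            print(f"# {name}: ccd/{cn}")
            print("\n".join(lines))
```

Adding a fifth site means touching every existing server's config and ccd directory, which is the manual step the post wants to avoid.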