Re: [Openvpn-users] Client IP be the same as LAN IP


  • Subject: Re: [Openvpn-users] Client IP be the same as LAN IP
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Fri, 03 Aug 2007 23:05:35 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID830LHDeFS0200X40

Joel CARNAT wrote:
> I've successfully set up OpenVPN 2.1 to remotely connect to my LAN.
> The thing is my LAN is 192.168.0.0/24 and OVPN is 10.8.0.0/24.
>
> I would like OVPN to give clients IP in my LAN range (192.168.0.0/24)
> rather than 10.8.0.0/24. As I understood, I could set "server 192.168.0.0
> 255.255.255.0", but the thing is 192.168.0.1 is already used by another
> server. And I would like to restrict users' IPs to the end of the range
> (let's say 192.168.0.200-192.168.0.254)

You are describing a bridged VPN setup where VPN clients act as if they
were connected to a switch on the network; essentially the VPN server
acts as a glorified switch (with authentication and routing support.) 
You'd bridge your physical Ethernet device with a tap adapter and assign
your LAN IP on the bridge interface.

As for the IP address that a client gets, the simplest way to set a
dedicated range for VPN users is to have OpenVPN manage the pool of
IPs; to do this, ensure your local DHCP server won't hand those
addresses out, and then use the ifconfig-pool option to tell OpenVPN
what address it assigns to clients.  An alternative to this is to have
your existing DHCP server handle VPN clients, but then you need to
ensure that the DHCP server can tell the difference between VPN clients
and local clients so that it won't hand out a default gateway for VPN
clients (see the FAQ for more details.)

Assuming you went with the first option and let OpenVPN "own" that
address range, a sample OpenVPN config might look like this:

# This is the tap adapter that is bridged
# with the local network card (so
# rename yours accordingly)
dev tap0

# Since the bridge should already have
# an IP set for LAN connectivity, we
# just need to set this up as a server:
# We do not need to specify an IP or
# use server-bridge because the bridge
# already should have IP settings
mode server
tls-server

# This is the IP range for clients
ifconfig-pool 192.168.0.200 192.168.0.254

# You may want to specify DHCP-options
# such as DNS servers, WINS servers,
# domain name search, etc. Use the
# push "dhcp-option <option>" syntax
# to do this.

# You need to add in security here, either
# using certificates or a preshared secret

-- 
Josh


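
Added example, not part of the message above or of OpenVPN itself: a Python check that the ifconfig-pool range in a bridged config lies inside the LAN and does not collide with the DHCP server's range or a statically assigned host. The DHCP range 192.168.0.50-192.168.0.199 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the directives from the config in the message above.
SAMPLE_CONFIG = """\
dev tap0
mode server
tls-server
ifconfig-pool 192.168.0.200 192.168.0.254  # VPN client range
"""

def parse_ifconfig_pool(config_text):
    """Return (start, end) from the first ifconfig-pool directive, or None."""
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "ifconfig-pool":
            return ipaddress.IPv4Address(fields[1]), ipaddress.IPv4Address(fields[2])
    return None

def check_pool(config_text, lan_cidr, dhcp_range, static_hosts=()):
    """Return a list of problems; an empty list means the pool is usable."""
    pool = parse_ifconfig_pool(config_text)
    if pool is None:
        return ["no ifconfig-pool directive found"]
    start, end = pool
    lan = ipaddress.IPv4Network(lan_cidr)
    problems = []
    if start > end:
        problems.append("pool start is above pool end")
    for addr in (start, end):
        if addr not in lan:
            problems.append(f"{addr} is outside {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
    dhcp_lo, dhcp_hi = (ipaddress.IPv4Address(a) for a in dhcp_range)
    if start <= dhcp_hi and dhcp_lo <= end:
        problems.append(f"pool overlaps DHCP range {dhcp_lo}-{dhcp_hi}")
    for host in map(ipaddress.IPv4Address, static_hosts):
        if start <= host <= end:
            problems.append(f"pool contains statically assigned host {host}")
    return problems

if __name__ == "__main__":
    # Assumed DHCP range; 192.168.0.1 is the existing server from the question.
    issues = check_pool(SAMPLE_CONFIG, "192.168.0.0/24",
                        ("192.168.0.50", "192.168.0.199"), ["192.168.0.1"])
    print("OK" if not issues else "\n".join(issues))
```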