Re: [Openvpn-users] site-to-site vpn question


  • Subject: Re: [Openvpn-users] site-to-site vpn question
  • From: Markus Feilner <lists@xxxxxxxxxxxxxx>
  • Date: Tue, 14 Aug 2007 11:53:03 +0200

On Tuesday 14 August 2007 08:40:23, Prasanna Krishnamoorthy wrote:
> The client router may not be doing NAT.
>
> While in the case of the laptop, since the traffic is generated on the
> laptop, it'll take the address of the virtual interface.
>
> Prasanna.
>

Or: If you are doing NAT, exclude the VPN Clients by specifying suitable 
iptables rules in your firewall scripts, or perhaps better: do the 
DNAT/SNAT/MASQUERADING by hand.

I had a similar setup, and I had to do so, but it worked fine. We ran a 
virtual virtual network, with a DNS zone over all VPN Clients, with SNAT and 
DNAT run by the VPN Servers. 

We had some local machines in the virtual net, which were not VPN Clients, but 
were "natted" and had a properly configured routing and thus had access to 
any other machine in the "VVPN".

I hope that helped...



> On 8/14/07, Iad Scoot <iad.scoot@xxxxxxxxx> wrote:
> > Hi, having some problems posting to the forum - trying again...
> >
> >
> > Bumping this because I think I mucked up the previous thread. I have
> > successfully (I think) set up a site-to-site VPN in this config:
> >
> > client laptops --> OpenVPN "client" router (CentOS 4.5 / OVPN 2.0.9) -->
> > Internet --> corp office firewall --> OpenVPN "server" router (CentOS 4.5
> > / OVPN 2.0.9) --> servers.
> >
> > I can access resources in either direction so I believe that I have the
> > ccd / iroute / static routes, etc configured correctly. My question -
> > when sniffing on a resource (corp office server, remote site laptop,
> > etc), I am seeing the private IP addresses of these resources and not the
> > IPs of the VPN routers. In contrast, when I connect in road warrior
> > mode (laptop w/ vpn client), I see the IP of my virtual adapter in the
> > sniffing session. I'm guessing that this is normal as the sniffer is
> > simply seeing the traffic after it has been decrypted by the vpn boxes
> > but wanted to be sure. A traceroute from a client laptop to a corp office
> > resource shows the traffic like this:
> >
> > IP of firewall (LAN interface) --> IP of vpn client box --> virtual IP of
> > vpn client box --> corp firewall DMZ interface --> IP of end resource
> >
> > Traceroutes from the corp office side follow a similar path back to the
> > remote site. I'm reasonably certain that I have this configured correctly
> > - anyone see any problems?
> >
> >
> > Thanks....
> > _______________________________________________
> > Openvpn-users mailing list
> > Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.sourceforge.net/lists/listinfo/openvpn-users



-- 

Best Regards - With kind regards
Markus Feilner
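An added example (not from this thread or from the OpenVPN project) of what Markus's first suggestion looks like in practice: a small POSIX shell script that emits the iptables NAT rules for a site router, with explicit RETURN rules so traffic bound for the VPN subnets is never masqueraded and the real private source addresses survive across the tunnel, which is exactly what the original poster saw in the sniffer. The interface name and the three subnets are assumptions for illustration; the rules are printed rather than executed so they can be reviewed (or piped to sh as root) and checked offline.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumed values (adjust to your site):
WAN_IF="eth0"                              # Internet-facing interface
LAN_NET="192.168.10.0/24"                  # local LAN behind this router
VPN_NETS="10.8.0.0/24 192.168.20.0/24"     # OpenVPN tun subnet + remote site LAN

# Emit the POSTROUTING rules instead of running them.
# Order matters: the RETURN rules must be inserted before the MASQUERADE rule,
# otherwise VPN-bound packets are rewritten to the router's address and the
# far side only ever sees the VPN router instead of the real client.
nat_rules() {
    for net in $VPN_NETS; do
        echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $net -j RETURN"
    done
    # Restricting MASQUERADE to the WAN interface is a second safety net:
    # packets leaving via tun0 never match it, even if a RETURN rule is missing.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Sanity check on the generated policy: every RETURN rule must precede the
# MASQUERADE rule, and the MASQUERADE rule must be bound to an outgoing
# interface. Returns 0 when the rule set is acceptable, 1 otherwise.
check_rules() {
    seen_masq=0
    nat_rules | while read -r line; do
        case "$line" in
            *MASQUERADE*)
                echo "$line" | grep -q -- "-o " || exit 1
                seen_masq=1 ;;
            *RETURN*)
                [ "$seen_masq" -eq 0 ] || exit 1 ;;
        esac
    done
}

# Usage: ./nat-rules.sh --print   (review)   or   ./nat-rules.sh --apply   (as root)
case "${1-}" in
    --print) nat_rules ;;
    --apply) check_rules && nat_rules | sh ;;
esac
```

The same effect can be had with a single `-o eth0` restricted MASQUERADE rule alone; the explicit RETURN rules are worth keeping because a later rule that lacks `-o` (a common copy-paste in firewall scripts) would otherwise silently start masquerading VPN traffic too.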