Re: [Openvpn-users] site-to-site vpn question


  • Subject: Re: [Openvpn-users] site-to-site vpn question
  • From: "Iad Scoot" <iad.scoot@xxxxxxxxx>
  • Date: Tue, 14 Aug 2007 11:31:52 -0400

Markus,

<<< We had some local machines in the virtual net, which were not VPN clients, but
were "natted" and had a properly configured routing and thus had access to
any other machine in the "VVPN". >>>

That's a good point that I did not consider - there may be systems on this subnet that will not require VPN access - thanks for the tip!!

On 8/14/07, Markus Feilner <lists@xxxxxxxxxxxxxx> wrote:
On Tuesday 14 August 2007 08:40:23, Prasanna Krishnamoorthy wrote:
> The client router may not be doing NAT.
>
> While in the case of the laptop, since the traffic is generated on the
> laptop, it'll take the address of the virtual interface.
>
> Prasanna.
>

Or: If you are doing NAT, exclude the VPN clients by specifying suitable
iptables rules in your firewall scripts, or perhaps better: do the
DNAT/SNAT/MASQUERADING by hand.

I had a similar setup, and I had to do so, but it worked fine. We ran a
virtual virtual network, with a DNS zone over all VPN Clients, with SNAT and
DNAT run by the VPN Servers.

We had some local machines in the virtual net, which were not VPN clients, but
were "natted" and had a properly configured routing and thus had access to
any other machine in the "VVPN".

I hope that helped...



> On 8/14/07, Iad Scoot < iad.scoot@xxxxxxxxx> wrote:
> > Hi, having some problems posting to the forum - trying again...
> >
> >
> > Bumping this because I think I mucked up the previous thread. I have
> > successfully (I think) setup a site-to-site VPN in this config:
> >
> > client laptops --> OpenVPN "client" router (CentOS 4.5 / OVPN 2.0.9) -->
> > Internet --> corp office firewall --> OpenVPN "server" router (CentOS 4.5
> > / OVPN 2.0.9) --> servers.
> >
> > I can access resources in either direction so I believe that I have the
> > ccd / iroute / static routes, etc configured correctly. My question -
> > when sniffing on a resource (corp office server, remote site laptop,
> > etc), I am seeing the private IP addresses of these resources and not the
> > IP's of the VPN routers. In contrast, when I connect in in road warrior
> > mode (laptop w/ vpn client), I see the IP of my virtual adapter in the
> > sniffing session. I'm guessing that this is normal as the sniffer is
> > simply seeing the traffic after it has been decrypted by the vpn boxes
> > but wanted to be sure. A traceroute from a client laptop to a corp office
> > resource shows the traffic like this:
> >
> > IP of firewall (LAN interface) --> IP of vpn client box --> virtual IP of
> > vpn client box --> corp firewall DMZ interface --> IP of end resource
> >
> > Traceroutes from the corp office side follow a similar path back to the
> > remote site. I'm reasonably certain that I have this configured correctly
> > - anyone see any problems?
> >
> >
> > Thanks....



--

Best Regards - Mit freundlichen Gruessen
Markus Feilner

-------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Koetztingerstr 6c                93057 Regensburg
phone Regensburg                +49 941 8107989
mobile                          +49 170 3027092
www: www.feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
--------------------------------------
My new book - Out now: http://www.packtpub.com/openvpn/book
OPENVPN : Building and Integrating Virtual Private Networks

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>   http://get.splunk.com/
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
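Markus's suggestion above is to keep VPN-to-VPN traffic out of the router's NAT so that sniffers at either end keep seeing real private addresses, as Iad observed. The following is an added example, not code from the thread or from OpenVPN: it simulates the first-match behaviour of an iptables nat/POSTROUTING chain on the "client" router and shows why the ACCEPT exemptions must precede MASQUERADE. All subnets and addresses (192.168.10.0/24, 192.168.20.0/24, 10.8.0.0/24, 203.0.113.5) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for this example (assumptions, not from the thread).
REMOTE_LAN = "192.168.10.0/24"   # laptops behind the OpenVPN "client" router
CORP_LAN = "192.168.20.0/24"     # servers behind the OpenVPN "server" router
TUNNEL_NET = "10.8.0.0/24"       # OpenVPN virtual (tun) subnet
WAN_IP = "203.0.113.5"           # client router's public address (TEST-NET-3)

@dataclass
class Rule:
    src: str      # source CIDR, "0.0.0.0/0" for any
    dst: str      # destination CIDR
    target: str   # "ACCEPT" (leave packet untranslated) or "MASQUERADE"

def matches(rule, src_ip, dst_ip):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))

def postrouting(chain, src_ip, dst_ip):
    """Walk nat/POSTROUTING with first-match semantics and return the source
    address the packet leaves with. ACCEPT in the nat table means 'do not
    translate'; MASQUERADE rewrites the source to the outgoing interface IP.
    (The -o eth0 interface match of the real rule is not modelled here.)"""
    for rule in chain:
        if matches(rule, src_ip, dst_ip):
            return WAN_IP if rule.target == "MASQUERADE" else src_ip
    return src_ip  # default chain policy ACCEPT: no translation

# Equivalent iptables commands, in the order they must be appended:
#   iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
#   iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 10.8.0.0/24 -j ACCEPT
#   iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
CORRECT_CHAIN = [
    Rule(REMOTE_LAN, CORP_LAN, "ACCEPT"),
    Rule(REMOTE_LAN, TUNNEL_NET, "ACCEPT"),
    Rule(REMOTE_LAN, "0.0.0.0/0", "MASQUERADE"),
]

# Same rules with MASQUERADE first: the exemptions are never reached, so
# tunnel traffic is SNATed and the corp side only ever sees the router.
WRONG_CHAIN = [CORRECT_CHAIN[2], CORRECT_CHAIN[0], CORRECT_CHAIN[1]]

if __name__ == "__main__":
    laptop, server, web = "192.168.10.50", "192.168.20.10", "198.51.100.7"
    print("VPN traffic, correct order:     ", postrouting(CORRECT_CHAIN, laptop, server))
    print("Internet traffic, correct order:", postrouting(CORRECT_CHAIN, laptop, web))
    print("VPN traffic, wrong order:       ", postrouting(WRONG_CHAIN, laptop, server))
```

With the exemptions in place, a capture on the corp server shows the laptop's own 192.168.10.50; only Internet-bound traffic is masqueraded behind the router's public address.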