Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients


  • Subject: Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients
  • From: Pasada Khumprakob <khumprp@xxxxxxxxxxx>
  • Date: Mon, 10 Sep 2007 10:32:48 -0400
  • Importance: Normal


Hi Timothy

Thanks for the help. It makes sense what I am doing wrong now. One simple question before I go and implement this... If the OpenVPN server address is on a different subnet than the network I want to connect to, what am I bridging?
 
To clarify... My OpenVPN server address will be something like 201.0.0.25 255.255.255.192 and the machines that I want access to will be on 201.0.0.193-254 on 255.255.255.192. The OpenVPN server will have one physical NIC with the 201.0.0.25 address, and will bridge with the TAP device which will not have an IP address either. The bridge will then take over the IP address of ETH0 and have it set as 201.0.0.25.
 
So I'm not sure if that is correct.... Do I change the IP of the bridge to something in the subnet of the machines I want to access, or do I setup a route to send the traffic from the OpenVPN server into the subnet I'm accessing?
 
Thanks!
PK
 

> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> From: T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx
> Date: Sat, 1 Sep 2007 14:12:30 +0100
> Subject: Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients
>
> In message <BAY128-W396B698672589C9A540748A6CD0@xxxxxxx>, Pasada Khumprakob
> <khumprp@xxxxxxxxxxx> wrote:
>
> >
> > Hello all -
> >
> > I have been unsuccessful so far at my bridging attempts, with just plain
> > weird stuff going on. I was actually able to stay connected today for
> > about 10 min, then I manually disconnected, and then I could get a good
> > connection back.... So I want to start from scratch with the hopes that
> > someone can point out my mistake.
> >
> > On the server right now, I have disabled IPTABLES totally. The external IP
> > of the server is eg: 201.0.0.195 255.255.255.192. I create the virtual TAP
> > adapter on the linux server and bridge it together with the ETH0 (I have
> > only one physical NIC). I then assign the BR0 the IP of ETH0.
> >
> > In my server.conf file I start by assigning the virtual adapter an address
> > of 201.0.0.254 255.255.255.192, and set the local directive to that of the
> > bridge's IP 201.0.0.195.
>
> The TAP device on the server should not have an IP address if you are bridging
> it. The general rule on Linux and Windows XP is that IP addresses should not be
> assigned to devices which are part of a bridge, but instead to the bridge
> itself.
>
> > I do my certificate stuff, and aside from that
> > the only other important thing I have is 'push "route 201.0.0.0
> > 255.255.255.192 201.0.0.193"' the default gateway on that network.
>
> That route command specifies a route to the subnet the client is on, which
> should not be done. Furthermore it specifies a gateway address on the
> subnet it is specifying a route to, which must never be done.
>
> > I also
> > have fragment 1500, mssfix 1500, and some other settings that I believe
> > are unrelated.
> >
> > On the client side I do NOT setup a bridge. I have an adapter created, and
> > in my client.conf file I assign it an IP with ifconfig 201.0.0.241 and the
> > appropriate netmask.
>
> That netmask should be the same as the other machines in your network,
> which I understand to be 255.255.255.192.
>
> > I also have route-method exe, and route-delay 2 in
> > the file. The rest is standard.
>
> What address have you specified in the remote directive? It should
> not be in the subnet you are trying to connect to using the VPN, therefore
> it should not be 201.0.0.195. It MUST NOT be routed over the VPN.
>
> This is probably the cause of your problem, the VPN traffic is being
>
> If there is a router between the client and server which supports NAT you
> could configure port-forwarding and use the client-side address of the
> router in the client's configuration file.
>
> Alternatively give the server another address which is outside the subnet(s)
> which are routed/bridged to over the VPN, and is reachable from the client.
> You would need to give the routers on the LAN a route to this address via
> the LAN address (201.0.0.195) of the server, but the client must not find
> out about this route, eg via RIP.
>
> > What I'm trying to accomplish is having my laptop from a wireless
> > connection be able to connect to my private network (201.0.0.xxx).
>
> If there is no router between the client and server you can setup a separate
> subnet for use by OpenVPN, this will result in the server having IP
> addresses for both subnets on its software bridge (or ethernet) interface.
>
> > What's weird is that it works only once out of a
> > hundred times without this UDP flood issue.
>
> Maybe Vista is caching routing information, then it forgets the cached data
> and sends the VPN traffic through itself. Then when OpenVPN disconnects the
> queued traffic is sent to the server.
>
>
> --
> OpenPGP key fingerprint: D0A6 F403 9745 CED4 6B3B 94CC 8D74 8FC9 9F7F CFE4
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
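The reply above names three configuration mistakes that are easy to check mechanically before bringing a bridged setup up: a pushed route whose gateway sits inside the subnet being routed, a pushed route that covers the client's own VPN address, and a `remote` address that lies inside the bridged subnet (so the tunnel's own packets would be routed into the tunnel), plus the netmask-mismatch point. The following linter is an added example written for this page; it is not code from the thread or from the OpenVPN project. The two config pairs are constructed: the addresses are borrowed from the thread, the route line is written against the 201.0.0.192/26 subnet as the reply describes it, and `198.51.100.10` is a placeholder for a server address outside the bridged subnet.

```python
"""Lint an OpenVPN bridged-mode server.conf / client.conf pair for the
mistakes discussed in the thread. Added example, not the poster's files
and not OpenVPN code; sample configs below are constructed."""
import ipaddress
import shlex

# Constructed server.conf: the pushed route's gateway (.193) lies inside
# the routed subnet, and the route covers the client's own address.
SERVER_CONF_BAD = """\
port 1194
proto udp
dev tap0
server-bridge 201.0.0.195 255.255.255.192 201.0.0.240 201.0.0.250
push "route 201.0.0.192 255.255.255.192 201.0.0.193"
"""

# Constructed client.conf: 'remote' is the server's LAN address, which sits
# inside the bridged subnet the client is given by 'ifconfig'.
CLIENT_CONF_BAD = """\
client
dev tap
proto udp
remote 201.0.0.195 1194
ifconfig 201.0.0.241 255.255.255.192
route-method exe
route-delay 2
"""

# Constructed corrected pair: no route pushed into the client's subnet and a
# 'remote' outside the bridged /26 (198.51.100.10 is a placeholder address).
SERVER_CONF_OK = """\
port 1194
proto udp
dev tap0
server-bridge 201.0.0.195 255.255.255.192 201.0.0.240 201.0.0.250
"""

CLIENT_CONF_OK = """\
client
dev tap
proto udp
remote 198.51.100.10 1194
ifconfig 201.0.0.241 255.255.255.192
"""


def parse(conf):
    """Return (directive, args) tuples; a push "route ..." body is unwrapped
    so it appears as directive 'push route' with the route's own args."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) == 2:
            inner = parts[1].split()
            out.append(("push " + inner[0], inner[1:]))
        else:
            out.append((parts[0], parts[1:]))
    return out


def first(entries, directive):
    """Args of the first occurrence of a directive, or None if absent."""
    return next((args for d, args in entries if d == directive), None)


def lint(server_conf, client_conf):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    server, client = parse(server_conf), parse(client_conf)
    remote, ifconfig, bridge = (first(client, "remote"), first(client, "ifconfig"),
                                first(server, "server-bridge"))
    client_ip = ipaddress.ip_address(ifconfig[0]) if ifconfig else None
    vpn_net = (ipaddress.ip_network(f"{ifconfig[0]}/{ifconfig[1]}", strict=False)
               if ifconfig else None)

    # Pushed routes: gateway inside the routed subnet, or route covering
    # the client's own VPN address (the client's subnet must not be routed).
    for d, args in server:
        if d != "push route" or len(args) < 2:
            continue
        net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        if len(args) > 2 and ipaddress.ip_address(args[2]) in net:
            findings.append(("gw-in-route",
                             f"pushed route {net} has gateway {args[2]} inside the routed subnet"))
        if client_ip is not None and client_ip in net:
            findings.append(("route-covers-client",
                             f"pushed route {net} covers the client's own address {client_ip}"))

    # 'remote' inside the bridged subnet: tunnel packets would be routed
    # into the tunnel once the VPN is up.
    if remote and vpn_net and ipaddress.ip_address(remote[0]) in vpn_net:
        findings.append(("remote-in-vpn-subnet",
                         f"remote {remote[0]} lies inside the bridged subnet {vpn_net}"))

    # Client netmask must match the bridged LAN's netmask.
    if bridge and ifconfig and bridge[1] != ifconfig[1]:
        findings.append(("netmask-mismatch",
                         f"client netmask {ifconfig[1]} differs from server-bridge {bridge[1]}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SERVER_CONF_BAD, CLIENT_CONF_BAD):
        print(f"{code}: {msg}")
    print("corrected pair:", lint(SERVER_CONF_OK, CLIENT_CONF_OK) or "no findings")
```

Run as-is, the bad pair produces the three findings the reply describes and the corrected pair produces none; swapping the client's netmask for a different one triggers the mismatch check. The checks only look at the text of the two files, so the one rule they cannot verify is that the TAP device itself carries no address and the bridge does; that still has to be confirmed on the host.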