Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients


  • Subject: Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients
  • From: Timothy Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 11 Sep 2007 20:40:43 +0100

In message <BAY128-W24BDD0039AD96FA470FE87A6C00@xxxxxxx>, Pasada Khumprakob
<khumprp@xxxxxxxxxxx> wrote:

> 
> Hi Timothy 0

I'll assume there is a router (not a router appliance acting as a switch),
but no NAT, between the OpenVPN client and server. If not please tell us.

It would help if you told us what sort of router you had, note that router
appliances aimed at the domestic market are usually a 2 port NAT router +
switch.

> Thanks for the help. It makes sense what I am doing wrong now. One simple
> question before I go and implement this... If the OpenVPN server address
> is on a different subnet than the network I want to connect to, what am I
> bridging?

Bridging doesn't care about IP. There does need to be ethernet connectivity
between the OpenVPN server and the other machines, as if they were on
the same subnet.

>  
> To clarify... My OpenVPN server address will be something like 201.0.0.25
> 255.255.255.192 and the machines that I want access to will be on
> 201.0.0.193-254 on 255.255.255.192. The OpenVPN server will have one
> physical NIC with the 201.0.0.25 address, and will bridge with the TAP
> device which will not have an IP address either. The bridge will then take
> over the IP address of ETH0 and have it set as 201.0.0.25.


>  
> So I'm not sure if that is correct.... Do I change the IP of the bridge to
> something in the subnet of the machines I want to access, or do I setup a
> route to send the traffic from the OpenVPN server into the subnet I'm
> accessing?

As this is a bridged VPN, no routes should be set up to direct traffic over the
VPN, and bridging doesn't care about IP address. The Linux software bridge
is independent from the Linux IP stack.

I did not suggest changing the server's IP address; however, that will work
if you give the router an IP address on both subnets. There are some
catches:
  1. You may not be able to configure your router to do this.
  2. All IP traffic to or from (not via) the server will have to go through
the router.
  3. It is unusual, and therefore potentially confusing, to have 2 subnets on
the same ethernet.

My suggestion was to give an additional IP address to the server. To do that,
leave br0's IP address set to 201.0.0.195 and set dummy0's IP address to
201.0.0.25 (netmask 255.255.255.192). The dummy0 device will automatically
appear when it is given an address if the kernel was built with it enabled.
Then configure the router on the server's LAN to route traffic for the
subnet 201.0.0.0 (netmask 255.255.255.192) to 201.0.0.195.

All the routers concerned need to have a suitable route for the 201.0.0.0
subnet; they may already be configured appropriately. The port forwarding
technique avoids this problem.

Then see if you can ping 201.0.0.25 from the client.

Use 201.0.0.25 in the client's remote option, and add "local 201.0.0.25"
to the server's config file.


-- 
OpenPGP key fingerprint: D0A6 F403 9745 CED4 6B3B  94CC 8D74 8FC9 9F7F CFE4
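The setup Timothy describes, written out as an added example (not part of the original post, and not the OpenVPN project's own code): a small POSIX shell script that first checks the addressing arithmetic behind the thread (201.0.0.25 and 201.0.0.195 fall in different /26 subnets under 255.255.255.192, which is why the server itself needs no VPN route but the LAN router needs one), then prints the commands for the server and the router so they can be reviewed before being applied. It assumes modern iproute2 (`ip link ... master br0`, `ip link add dummy0 type dummy`) rather than whatever tools were current in 2007, and the names eth0, tap0, br0 and the router address 201.0.0.254 are constructed placeholders.

```shell
#!/bin/sh
# Added example: plan and sanity-check the bridged OpenVPN server layout from
# the thread. Interface names and the router address are hypothetical.

ip_to_int() {
  # Dotted quad -> integer, using only POSIX shell arithmetic.
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

network_of() {
  # Network address of $1 under netmask $2 (dotted quad).
  n=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

same_subnet() {
  # "yes" if $1 and $2 share a network under netmask $3, else "no".
  if [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]; then
    echo yes
  else
    echo no
  fi
}

server_commands() {
  # Commands for the OpenVPN server (run as root). Note there is no "ip route"
  # line: the bridge carries the VPN frames, so the server needs no VPN route.
  cat <<EOF
ip link add br0 type bridge
openvpn --mktun --dev tap0
ip link set eth0 master br0
ip link set tap0 master br0
ip link set eth0 up
ip link set tap0 up
ip link set br0 up
ip addr add 201.0.0.195/26 dev br0
ip link add dummy0 type dummy
ip addr add 201.0.0.25/26 dev dummy0
ip link set dummy0 up
EOF
}

router_commands() {
  # Command for the LAN router (assumed here to be Linux): send the 201.0.0.0/26
  # subnet to the server's bridge address.
  echo "ip route add 201.0.0.0/26 via 201.0.0.195"
}

config_fragments() {
  # Config lines from the thread: server binds to the dummy0 address, client
  # connects to it. Port 1194 is OpenVPN's default and is assumed here.
  cat <<EOF
# server.conf
dev tap0
local 201.0.0.25
# client.ovpn
dev tap
remote 201.0.0.25 1194
EOF
}

if [ "${1:-}" = plan ]; then
  echo "server 201.0.0.25 network: $(network_of 201.0.0.25 255.255.255.192)"
  echo "bridge 201.0.0.195 network: $(network_of 201.0.0.195 255.255.255.192)"
  echo "same subnet: $(same_subnet 201.0.0.25 201.0.0.195 255.255.255.192)"
  echo "--- on the server ---"; server_commands
  echo "--- on the router ---"; router_commands
  echo "--- config ---"; config_fragments
fi
```

Run it as `sh plan.sh plan` to print the checks and the command plan; pipe `server_commands` into `sh` on the server only after reviewing it. The subnet check is the useful bit to keep around: if it ever prints "yes" for the two server addresses, the router route in the thread is not needed and the dummy0 trick is doing nothing.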


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users