Re: [Openvpn-users] Client Lan Addressing


  • Subject: Re: [Openvpn-users] Client Lan Addressing
  • From: JJB <onephatcat@xxxxxxxxxxxxx>
  • Date: Tue, 16 Oct 2007 12:54:56 -0700

Colin Ryan wrote:
> Not 100% sure to be honest.
>
> I know that bridging is nice and transparent but has its own set of 
> issues:
>
> a) Slightly more difficult to secure and manage from a firewalling 
> perspective as it's operating at the Ethernet level.
>
> b) It does not - to my knowledge - get you away from issues of IP 
> overlap, sure you can specify the range of bridged IPs that get 
> handed out to be outside "typical norms" but that's not 100%
>
> c) Some other potential issues such as send/receipt of DHCP packets etc.
>
> Technically I believe the OVPN guys recommend tunnel mode if you can.
>
> As for why Cisco client has no such problems I can only guess that
>
> a) It's doing bridging
> b) The VPN server is your PIX which is likely also your firewall and 
> default router so there is no default route that the server side needs 
> to be aware of regarding access to the server side networks, because it 
> is the router itself.
>
> I use the host routing a lot, because if one really looks at the 
> requirements it generally isn't every system in the LAN that needs to 
> be gained access to.
>
> Another back of the napkin solution might be some sort of VLAN so that 
> you can virtually renumber the remote network...
>
> I'd be curious myself what someone else might have to say on this topic.
>

Hi Colin,

Actually the PIX (506e) at this point is only used for VPN. The OpenVPN 
server is also our firewall and network router. The PIX does not allow 
you to set a default gateway. It used to be our firewall, but was 
bottlenecking our T1. The PIX hangs off the firewall/gateway server and 
has a foot in the LAN. Problem is, it is in the same subnet as the DMZ 
zone and VPN clients are unable to access the DMZ servers, so: no email 
when connected to the VPN through the PIX. That is why we wanted to go with 
OpenVPN, plus we seem to get better bandwidth (haven't scientifically 
tested this) when connected via OpenVPN.

 - Joel


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users